The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government produced by the Office of the Federal Register (OFR) and the Government Publishing Office.
Download the Code of Federal Regulations in XML.
Parallel Table of Authorities and Rules for the Code of Federal Regulations and the United States Code
Text | PDF
Find, review, and submit comments on Federal rules that are open for comment and published in the Federal Register using Regulations.gov.
Purchase individual CFR titles from the U.S. Government Online Bookstore.
Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.
Electronic Code of Federal Regulations
For purposes of this part, unless explicitly stated otherwise:
(a) Act means the FCRA (15 U.S.C. 1681 et seq.).
(b) Affiliate means any company that is related by common ownership or common corporate control with another company. For example, an affiliate of a Federal credit union is a credit union service corporation, as provided in 12 CFR part 712, that is controlled by the Federal credit union.
(d) Common ownership or common corporate control means a relationship between two companies under which:
(1) One company has, with respect to the other company:
(i) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, directly or indirectly, or acting through one or more other persons;
(ii) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of a company; or
(iii) The power to exercise, directly or indirectly, a controlling influence over the management or policies of a company, as determined by the applicable prudential regulator (as defined in 12 U.S.C. 5481(24)) (a credit union is presumed to have a controlling influence over the management or policies of a credit union service corporation if the credit union service corporation is 67% owned by credit unions) or, where there is no prudential regulator, by the Bureau; or
(2) Any other person has, with respect to both companies, a relationship described in paragraphs (d)(1)(i) through (d)(1)(ii).
(e) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
(f) Consumer means an individual.
(g) Identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
(1) Name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
(h) Identity theft means a fraud committed or attempted using the identifying information of another person without authority.
(i)(1) Identity theft report means a report:
(i) That alleges identity theft with as much specificity as the consumer can provide;
(ii) That is a copy of an official, valid report filed by the consumer with a Federal, state, or local law enforcement agency, including the United States Postal Inspection Service, the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information, if, in fact, the information in the report is false; and
(iii) That may include additional information or documentation that an information furnisher or consumer reporting agency reasonably requests for the purpose of determining the validity of the alleged identity theft, provided that the information furnisher or consumer reporting agency:
(A) Makes such request not later than fifteen days after the date of receipt of the copy of the report form identified in Paragraph (i)(1)(ii) of this section or the request by the consumer for the particular service, whichever shall be the later;
(B) Makes any supplemental requests for information or documentation and final determination on the acceptance of the identity theft report within another fifteen days after its initial request for information or documentation; and
(C) Shall have five days to make a final determination on the acceptance of the identity theft report, in the event that the consumer reporting agency or information furnisher receives any such additional information or documentation on the eleventh day or later within the fifteen day period set forth in Paragraph (i)(1)(iii)(B) of this section.
(2) Examples of the specificity referenced in Paragraph (i)(1)(i) of this section are provided for illustrative purposes only, as follows:
(i) Specific dates relating to the identity theft such as when the loss or theft of personal information occurred or when the fraud(s) using the personal information occurred, and how the consumer discovered or otherwise learned of the theft.
(ii) Identification information or any other information about the perpetrator, if known.
(iii) Name(s) of information furnisher(s), account numbers, or other relevant account information related to the identity theft.
(iv) Any other information known to the consumer about the identity theft.
(3) Examples of when it would or would not be reasonable to request additional information or documentation referenced in Paragraph (i)(1)(iii) of this section are provided for illustrative purposes only, as follows:
(i) A law enforcement report containing detailed information about the identity theft and the signature, badge number or other identification information of the individual law enforcement official taking the report should be sufficient on its face to support a victim's request. In this case, without an identifiable concern, such as an indication that the report was fraudulent, it would not be reasonable for an information furnisher or consumer reporting agency to request additional information or documentation.
(ii) A consumer might provide a law enforcement report similar to the report in Paragraph (i)(1) of this section but certain important information such as the consumer's date of birth or Social Security number may be missing because the consumer chose not to provide it. The information furnisher or consumer reporting agency could accept this report, but it would be reasonable to require that the consumer provide the missing information. The Bureau's Identity Theft Affidavit is available on the Bureau's Web site (consumerfinance.gov/learnmore). The version of this form developed by the Federal Trade Commission, available on the FTC's Web site (ftc.gov/idtheft), remains valid and sufficient for this purpose.
(iii) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for a tradeline block or cessation of information furnishing. In such a case, it would be reasonable for an information furnisher or consumer reporting agency to ask that the consumer fill out and have notarized the Bureau's Identity Theft Affidavit or a similar form and provide some form of identification documentation.
(iv) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for an extended fraud alert. In this case, it would not be reasonable for a consumer reporting agency to require additional documentation or information, such as a notarized affidavit.
(k) Medical information means:
(1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to:
(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) The payment for the provision of health care to an individual.
(2) The term does not include:
(i) The age or gender of a consumer;
(ii) Demographic information about the consumer, including a consumer's residence address or email address;
(iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or
(iv) Information that does not identify a specific consumer.
(l) Person means any individual, partnership, corporation, trust, estate cooperative, association, government or governmental subdivision or agency, or other entity.