Docstoc

SUMMARY OF NEW CONTRACT PROVISIONS REQUIRED

Document Sample
SUMMARY OF NEW CONTRACT PROVISIONS REQUIRED Powered By Docstoc
					                 SUMMARY OF NEW CONTRACT PROVISIONS
                      REQUIRED BY REPOSITORIES


       Following is a summary of each new repository reseller requirement which
necessitate changes in reseller User agreements, together with model contract
provisions relating to each such requirement. The terms “User” and “CRA” are, of
course, for convenience only; your current contract may use different terms, such as
“User” and “Your Name”. Any term used is fine, so long as your contract is
consistent throughout. Other Experian, Equifax and TU requirements, not addressed
here, will require changes in application policies and in investigation of potential
Users. You will need to consult each of the repository guidelines to determine what
requirements may be new to your company’s operations. The contract provisions are
only examples of how a subject may be addressed; you should consult your own legal
counsel.



1.      Section I (5) (page 3 of the Experian policy statement), the Overview (page 4 of
the Equifax policy) and page 16 of the TU policy require that resellers comply with
Experian and Equifax policies and procedures currently in effect and as they may be
changed in the future. As a result, the service agreement with the end user should contain
a provision similar to the following:

               User hereby agrees to comply with all policies and procedures
       instituted by CRA and required by CRA’s consumer reporting vendor.
       CRA will give User as much notice as possible prior to the effective date
       of any such new policies required in the future, but does not guarantee
       that reasonable notice will be possible. User may terminate this
       agreement at any time after notification of a change in policy in the event
       User deems such compliance as not within its best interest.

2.      Section II (5) and (6) (page 3 of the Experian policy statement) and the
Compliance Audits (page 17 of the Equifax policy) require that Experian and Equifax
shall have the right to audit both the reseller and the reseller’s end users and the right to
request and obtain information related to any investigation regarding Experian and
Equifax information. Equifax and TU require that resellers monitor subscribers on an
ongoing basis. Experian has the right to contact the end user directly if reseller has not
responded within a certain time period. Experian may require the reseller to suspend or
terminate an end user that does not cooperate with an Experian investigation. As a result,
the reseller agreement with its user should contain a provision similar to the following:

               User agrees that CRA’s consumer reporting vendor shall have the
       right to audit records of User that are relevant to the provision of services
       set forth in this Agreement. CRA will monitor User’s permissible uses of
       the information. User further agrees that it will respond within the
       requested time frame indicated for information requested by CRA’s
       consumer reporting vendor regarding information provided by such
       vendor. User understands that such vendor may suspend or terminate
       access to the vendor’s information in the event User does not cooperate
       with any such an investigation.

3.       Section III (4) (page 4 of the Experian policy) requires that reseller not be allowed
to resell Experian information for any permissible purpose except that listed on the
reseller’s membership application, unless otherwise approved by Experian. As a result,
the reseller’s language on its contracts allowing the user to obtain consumer reports for
any permissible purpose under the Fair Credit Reporting Act is no longer valid. As a
result, the reseller agreement with its user with respect to permissible purposes should
contain a provision similar to the following:

               User understands and agrees that, notwithstanding the fact that
       under federal law User may have several permissible purposes to obtain
       consumer reports, User shall only obtain such reports in connection with
       a credit transaction involving the consumer on whom the information is to
       be furnished and involving the extension of credit to, or review or
       collection of an account of, the consumer. The federal Fair Credit
       Reporting Act provides that “Any person who knowingly and willfully
       obtains information on a consumer from a consumer reporting agency
       under false pretenses shall be fined under title 18, United States Code,
       imprisoned for not more than 2 years, or both.”

        Neither the Equifax nor the TU policy contains this limitation, but do contain a
rather long list of businesses that may not be served. See Businesses that CRA’s May
Serve on page 7 of the Equifax policy and page 11 of the TU policy.

4.      Section V (1) (page 5 of the Experian policy) and Required CRA Security and
Compliance Procedures, page 14 of the Equifax policy, Connectivity Service Providers,
page 16 of the Equifax policy and Security Safeguards, page 16 of the TU policy, require
that the reseller be solely responsible for assuring that the storage and transmission of
data to end users is performed in a manner that is secured and in compliance with
Experian policy and to ensure that end users are knowledgeable and trained in proper
access security procedures “consistent with industry standards”. The Equifax policy is in
greater detail and requires that both the reseller and the user institute written and detailed
security procedures. As a result, the reseller agreement with its user should contain a
provision similar to the following:

       a.       During the term of this Agreement, User agrees to comply with all
       federal, state and local statutes, regulations and rules applicable to it, including,
       without limitation the FCRA, with any changes enacted to FCRA during the term
       of this Agreement, the Gramm Leach Bliley Act and its implementing regulations,
       any state or local laws governing the disclosure of consumer credit information,
       and any regulations or limitations promulgated by CRA’s consumer reporting
       vendor. Without limiting the foregoing, CRA may from time to time notify User of
       additional, updated or new requirements relating to such laws, compliance with
       which will be a condition of CRA’s continued provision of the credit information
       to User, and User shall utilize training materials to train and educate its
       employees in proper security procedures consistent with industry standards. In
       addition, such new requirements might require price increases. User agrees
       to comply with any such new requirements no later than thirty (30) days after it
       actually receives notice from CRA and such requirements shall be
       incorporated into this Agreement by this reference. User understands and agrees
       that CRA may require evidence, including a certification that User understands
       and will comply with applicable laws.


               b.       User will implement strict security procedures designed to
       ensure that User’s employees and Users use the services and the credit
       information in accordance with this Agreement and for no purposes other than
       as permitted by this Agreement. User will treat and hold the services and the
       credit information in strict confidence and will restrict access to the services
       and the credit information to User’s employees and Users who agree to act in
       accordance with the terms of this Agreement and applicable law. User will not
       forward or share information from CRA’s consumer reporting vendors with any
       third party. User will inform User’s employees and Users to whom any credit
       information is disclosed of the provisions of this Agreement. User agrees to
       indemnify CRA and its consumer reporting vendors for any claims or losses
       incurred by CRA as a result of the misuse of the services or the credit
       information by User or User’s affiliates, employees, agents, subcontractors or
       Users in violation of this Agreement.



5.      Section V (3) (page 5) of the Experian policy, page 19 of the Equifax policy and
paragraph 1 I of the TU reseller agreement require that if a data breach occurs, the
reseller shall notify the repository within 24 hours of the discovery and will cooperate
with any investigation regarding same. Reseller and end user must respond to
information requests made by the repository. Reseller or user must notify affected
consumers that their information has been or may have been compromised, but the
repositories reserve the right to control the nature and timing of such notification. In
addition, Experian is requiring that the reseller or the end user to provide to each affected
or potentially affected consumer credit history monitoring services for one year in which
the consumer’s credit history is monitored and the consumer receives daily notification of
changes that may indicate fraud or identification theft. If the cause of the data breach is
determined by Experian to be under the control of the reseller (fraud, misconduct,
improper security, etc.), Experian reserves the right to assess an expense recovery fee
against the reseller. As a result, the reseller agreement with its user should contain a
provision similar to the following:

       a.     User shall notify CRA of any breach of the security of consumer
       reporting data if the personal information of consumers was, or is
reasonably believed to have been, acquired by an unauthorized person
within 24 hours following discovery thereof.

b.      In the event of such a breach, User agrees to cooperate with CRA
and with CRA’s consumer reporting vendor in any investigation relating
thereto. The nature and timing of any notifications required herein shall
be under the control of CRA’s consumer reporting vendor, unless
otherwise required by law.

c.      For purposes of this Agreement, “breach of the security of the
system” means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith acquisition
of personal information by an employee or agent of the person or business
for the purposes of the person or business is not a breach of the security of
the system, provided that the personal information is not used or subject to
further unauthorized disclosure.

d.       For purposes of this Agreement, “personal information” means an
Individual’s first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or
the data elements are not encrypted:
   (1) Social security number.
   (2) Driver's license number.
   (3) Account number, credit or debit card number, in combination with
any required security code, access code, or password that would permit
access to an individual's financial account.

e.     For purposes of this Agreement, “personal information” does not
include publicly available information that is lawfully made available to
the general public from federal, state, or local government records.

f.      For purposes of this Agreement, “notice” may be provided by one
of the following methods:
   (1) Written notice.
   (2) Electronic notice, if the notice provided is consistent with the
provisions regarding electronic records and signatures set forth in Section
7001 of Title 15 of the United States Code.
   (3) E-mail notice when the User has an e-mail address for the subject
persons.
   (4) Conspicuous posting of the notice on the web site of the User.

g.     The disclosure shall be made in the most expedient time possible
and without unreasonable delay, consistent with the legitimate needs of
law enforcement or any measures necessary to determine the scope of the
breach and restore the reasonable integrity of the data system.
       h.      The notification may be delayed if a law enforcement agency
       determines that the notification will impede a criminal investigation. The
       notification required by this section shall be made after the law
       enforcement agency determines that it will not compromise the
       investigation.

       In the event the breach is determined by CRA’s consumer reporting
       vendor to be within the control of User, (1) User shall provide to each
       affected or potentially affected consumer, credit history monitoring
       services for a minimum of one year in which the consumer’s credit history
       is monitored and the consumer receives daily notification of changes that
       may indicate fraud or ID theft from at least one of the national consumer
       credit reporting bureaus, and (2) CRA’s consumer reporting vendor and
       CRA may assess User an expense recovery fee.

      The Equifax policy does not contain a similar provision, but does require
immediate notification.

6.      Section VI (3) and (4) (page 6 of the Experian policy) and Uses of Equifax
Consumer Information (page 6 of the Equifax policy), Businesses that CRA’s May Serve
(page 7 of the Equifax policy), Reissue Policy (page 17 of the Equifax policy) and page
12 of the TU policy require the reseller to disclose to the repositories the identity of the
ultimate end user at the time of the request of the information. Delivery to a person other
than the originally disclosed end user is prohibited unless approved by Experian. If so
approved, reseller will provide the name of the additional end user to the repository in a
format prescribed by the repository. The repositories reserve the right to charge a fee for
the secondary report. Equifax requires that the reseller obtain Equifax’s prior consent
before implementing a reissue policy, that the entity receiving the reissued report be
“joint user” of the report, the consumer must have given his permission for the sharing of
the report, and the “joint user” must be a qualified subscriber of the reseller. Equifax
requires a fee for each reissue. As a result, the reseller agreement with its user should
contain a provision similar to the following:

       If approved by CRA and CRA’s consumer reporting vendor and
       authorized by the consumer, User may deliver the consumer credit
       information to a third party, secondary, or joint user with which User has
       an ongoing business relationship for the permissible use of such
       information. CRA’s consumer reporting vendor may charge a fee for the
       subsequent delivery to secondary users.



7.     Section VII (2) (page 6 of the Experian policy) and Overview (page 5 of the
Equifax policy) and Reissue Policy (page 19 of the Equifax policy) states that Experian
and Equifax reserve the right, on reasonable notice, to revise the terms, conditions or
pricing in order to meet any requirement imposed by federal, state or local law, rule or
regulation or to address matters concerning privacy and confidentiality, or for any other
reason. Revision of the terms and conditions is covered by the new language under
numbers 1 and 3 and thus no additional provision is necessary.


8.      Section VIII (2) (page 7of the Experian policy) and Compliance Audits (page 14
of the Equifax policy) require the reseller to verify that each end user that is provided
information is in fact an end user which does not intend to resell or otherwise provide or
transfer the information in whole or in part to any other person or entity. As a result, the
reseller agreement with its user should contain a provision similar to the following:

       User agrees that CRA or its consumer reporting vendors may verify,
       through audit or otherwise, that User is in fact the end user of the credit
       information with no intention to resell or otherwise provide or transfer
       the credit information in whole or in part to any other person or entity.


9.      Section VIII (4) (page 7 of the Experian policy) and New Account Requirements
(page 9 of the Equifax policy) require the reseller to contract with an Experian or Equifax
approved third party vendor to perform a physical inspection of all potential end user
Users. Page 7 of the TU policy requires CRAs to conduct on-site inspections. As a
result, the reseller agreement with its user should contain a provision similar to the
following:

               User agrees that CRA may verify, through audit or otherwise, that
       User is in fact the end user of the credit information with no intention to
       resell or otherwise provide or transfer the credit information in whole or
       in part to any other person or entity. CRA may utilize a third party vendor
       to perform an on-site inspection of User’s business.



10.     Section VIII (5) (page 7 of the Experian policy) and page 18 of the TU policy
requires the reseller to know about any change of ownership or control of the end user
and to re-credential the user, including the making of a new physical inspection. As a
result, the reseller agreement with its user should contain a provision similar to the
following:

               User agrees to notify CRA of any change of ownership or control
       fifteen days prior to any such change. CRA may require the new
       ownership to re-apply for the services provided for herein and may
       require a new physical inspection in the event the office location is
       changed.
11.     Section VIII (6) (page 7 of the Experian policy) and Compliance Audits (page 14
of the Equifax policy) require the reseller to provide to Experian at Experian’s request,
and to Equifax at Equifax’s request, all materials and information relating to its
investigations of its end user Users. Since this might require the authorization of the end
user the reseller agreement with its user should contain a provision similar to the
following:

       User hereby authorizes CRA to provide copies of any information
       regarding User to CRA’s consumer reporting vendor.


12.     Section VIII (7) (page 7 of the Experian policy) and Compliance Audits (page 14
of the Equifax policy), Required CRA Security and Compliance Procedures (page 15 of
the Equifax policy) and pages 16 and 17 of the TU policy require resellers to monitor end
users on an ongoing basis and to discontinue service to any end user not in compliance
with the law or the agreement with reseller. As a result, the reseller agreement with its
user should contain a provision similar to the following:

               User agrees that CRA may monitor User on an ongoing basis to
       determine User’s compliance with applicable law and the provisions of
       this Agreement. In the event CRA determines that User is not in
       compliance with applicable law or this Agreement, User may immediately
       discontinue services under this Agreement. User shall remain responsible
       for the payment for any services provided to User by CRA prior to any
       such discontinuance.


13.      Section VIII (8) (page 7of the Experian policy) and page 21 of the TU policy
require reseller to develop and provide training and training materials to users to assure
compliance with the FCRA and Experian policy. As a result, the reseller agreement with
its user should contain a provision similar to the following:

              CRA will provide, and User will utilize, training and training
       materials to User in order for User to comply with the federal Fair Credit
       Reporting Act and with the policies and procedures required by CRA’s
       consumer reporting vendors.

14.    Additional Equifax Requirements. The section styled Requirements Associated
with CRA Subscriber Agreement (page 12 of the Equifax policy) requires several other
provisions not covered above:

       User acknowledges additional responsibilities and guidelines with respect
       to reports from Equifax Information Services, attached to this Agreement
       as Appendix A. If, in addition to the ACROFILE ® product of Equifax,
       User obtains other products from CRA, the terms of the attached Appendix
       B shall apply.
                         et seq. also requires certain other responsibilities of
       Subscribers of consumer reports from consumer reporting agencies.
       Those responsibilities are attached (and made a part hereof) as Exhibit A
       to this Agreement.

       User hereby acknowledges that it is not one of the businesses listed in
       Exhibit B. (See those listed in Businesses that Cannot Be Provided
       Equifax Information (page 8 of the Equifax policy.)

       User agrees to provide to every consumer applicant for employment or for
       the purposes of explaining their rights with regard to identity theft, the
       attached summaries of rights of the consumer as set forth in Exhibit C.


       User agrees that it will properly dispose of all consumer information.
       “Consumer Information”, as used herein, shall mean any record (or
       compilation thereof) about an individual, whether in paper, electronic, or
       other form, that is a consumer report or is derived from a consumer
       report. (See Proper Disposal of Consumer Information on page 25 of the
       Equifax policy.) Subscriber shall comply with all applicable state laws
       regarding consumer credit or consumer identity protection.

       User shall comply with all applicable state laws regarding consumer
       credit or consumer identity protection.


15.     Additional TU Requirements. Additional TU requirements can be found on pages
6, 12 and 13 of its policy and in its Reseller Service Agreement.

       User certifies that User shall use the consumer reports: (a) solely for the
       Subscriber’s certified use(s) and (b) solely for User’s exclusive one-time
       use. User shall not request, obtain or use consumer reports for any other
       purpose including, but not limited to, for the purpose of selling, leasing,
       renting or otherwise providing information obtained under this Agreement
       to any other party, whether alone, in conjunction with User’s own data, or
       otherwise in any service which is derived from the consumer reports. The
       consumer reports shall be requested by, and disclosed by User only to
       User’s designated and authorized employees having a need to know and
       only to the extent necessary to enable User to use the Consumer Reports in
       accordance with this Agreement. User shall ensure that such designated
       and authorized employees shall not attempt to obtain any Consumer
       Reports on themselves, associates, or any other person except in the
       exercise of their official duties.
User will maintain copies of all written authorizations for a minimum of
five (5) years from the date of inquiry.

User shall use each Consumer Report only for a one-time use and shall
hold the report in strict confidence, and not disclose it to any third parties;
provided, however, that User may, but is not required to, disclose the
report to the subject of the report only in connection with an adverse
action based on the report. Moreover, unless otherwise explicitly
authorized in an agreement between Reseller and its User for scores
obtained from TransUnion, or as explicitly otherwise authorized in
advance and in writing by TransUnion through Reseller, User shall not
disclose to consumers or any third party, any or all such scores provided
under such agreement, unless clearly required by law.

With just cause, such as violation of the terms of the User’s contract or a
legal requirement, or a material change in existing legal requirements that
adversely affects the User’s agreement, Reseller may, upon its election,
discontinue serving the User and cancel the agreement immediately.

User will request Scores only for User’s exclusive use. User may store
Scores solely for User's own use in furtherance of User's original purpose
for obtaining the Scores. User shall not use the Scores for model
development or model calibration and shall not reverse engineer the
Score. All Scores provided hereunder will be held in strict confidence and
may never be sold, licensed, copied, reused, disclosed, reproduced,
revealed or made accessible, in whole or in part, to any Person except (i)
to those employees of User with a need to know and in the course of their
employment; (ii) to those third party processing agents of User who have
executed an agreement that limits the use of the Scores by the third party
to the use permitted to User and contains the prohibitions set forth herein
regarding model development, model calibration and reverse engineering;
(iii) when accompanied by the corresponding reason codes, to the
consumer who is the subject of the Score; or (iv) as required by law.


User certifies that it is not a reseller of the information, a private detective,
bail bondsman, attorney, credit counseling firm, financial counseling firm,
credit repair clinic, pawn shop (except companies that do only Title pawn),
check cashing company, genealogical or heir research firm, dating service,
massage or tattoo service, business that operates out of an apartment, an
individual seeking information for his private use, an adult entertainment
service of any kind, a company that locates missing children, a company that
handles third party repossession, a company seeking information in
connection with time shares or subscriptions, a company or individual
involved in spiritual counseling or a person or entity that is not an end-user
or decision-maker, unless approved in writing by Trans Union.

User agrees that Trans Union shall have the right to audit records of User
that are relevant to the provision of services set forth in this agreement.
User authorizes CRA to provide to Trans Union, upon Trans Union’s
request, all materials and information relating to its investigations of User
and agrees that it will respond within the requested time frame indicated
for information requested by Trans Union regarding Trans Union
information. User understands that Trans Union may require CRA to
suspend or terminate access to Trans Union’s information in the event
User does not cooperate with any such an investigation. User shall
remain responsible for the payment for any services provided to User
prior to any such discontinuance.

User agrees that Trans Union information will not be forwarded or shared
with any third party unless required by law or approved by Trans Union.
If approved by Trans Union and authorized by the consumer, User may
deliver the consumer credit information to a third party, secondary, or
joint user with which User has an ongoing business relationship for the
permissible use of such information. User understands that Trans Union
may charge a fee for the subsequent delivery to secondary users.

Trans Union shall use reasonable commercial efforts to obtain, assemble
and maintain credit information on individuals as furnished by its
subscribers or obtained from other available sources. THE WARRANTY
SET FORTH IN THE PREVIOUS SENTENCE IS THE SOLE WARRANTY
MADE BY TRANS UNION CONCERNING THE CONSUMER REPORTS,
INCLUDING, BUT NOT LIMITED TO THE TU SCORES. TRANS
UNION MAKES NO OTHER REPRESENTATIONS OR WARRANTIES
INCLUDING, BUT NOT LIMITED TO, ANY REPRESENTATIONS OR
WARRANTIES REGARDING THE ACCURACY, COMPLETENESS, OR
BOTH, OF ANY AND ALL OF THE AFOREMENTIONED PRODUCTS
AND SERVICES THAT MAY BE PROVIDED TO CRA. THE WARRANTY
SET FORTH IN THE FIRST SENTENCE OF THIS PARAGRAPH IS IN
LIEU OF ALL OTHER WARRANTIES, WHETHER WRITTEN OR ORAL,
EXPRESS OR IMPLIED (INCLUDING, BUT NOT LIMITED TO,
WARRANTIES THAT MIGHT BE IMPLIED FROM A COURSE OF
PERFORMANCE OR DEALING OR TRADE USAGE). THERE ARE NO
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:19
posted:8/12/2011
language:English
pages:10