(a) Information on file; sources; report recipients
(A) if the consumer to whom the file relates requests that the first 5 digits of the social security number (or similar identification number) of the consumer not be included in the disclosure and the consumer reporting agency has received appropriate proof of the identity of the requester, the consumer reporting agency shall so truncate such number in such disclosure; and
(B) nothing in this paragraph shall be construed to require a consumer reporting agency to disclose to a consumer any information concerning credit scores or any other risk scores or predictors relating to the consumer.
(2) The sources of the information; except that the sources of information acquired solely for use in preparing an investigative consumer report and actually used for no other purpose need not be disclosed: Provided, That in the event an action is brought under this subchapter, such sources shall be available to the plaintiff under appropriate discovery procedures in the court in which the action is brought.
(i) for employment purposes, during the 2-year period preceding the date on which the request is made; or
(ii) for any other purpose, during the 1-year period preceding the date on which the request is made.
(B) An identification of a person under subparagraph (A) shall include—
(C) Subparagraph (A) does not apply if—
(i) the end user is an agency or department of the United States Government that procures the report from the person for purposes of determining the eligibility of the consumer to whom the report relates to receive access or continued access to classified information (as defined in section 1681b(b)(4)(E)(i)  of this title); and
(5) A record of all inquiries received by the agency during the 1-year period preceding the request that identified the consumer in connection with a credit or insurance transaction that was not initiated by the consumer.
(b) Exempt information
The requirements of subsection (a) respecting the disclosure of sources of information and the recipients of consumer reports do not apply to information received or consumer reports furnished prior to the effective date of this subchapter except to the extent that the matter involved is contained in the files of the consumer reporting agency on that date.
(A) In general
(B) Content of summary
The summary of rights prepared under subparagraph (A) shall include a description of—
(v) the method by which a consumer can contact, and obtain a consumer report from, a consumer reporting agency without charge, as provided in the regulations of the Bureau prescribed under section 211(c) 1 of the Fair and Accurate Credit Transactions Act of 2003; and
(vi) the method by which a consumer can contact, and obtain a consumer report from, a consumer reporting agency described in section 1681a(w) 1 of this title, as provided in the regulations of the Bureau prescribed under section 1681j(a)(1)(C) of this title.
(C) Availability of summary of rights
The Commission 2 shall—
(i) actively publicize the availability of the summary of rights prepared under this paragraph;
(ii) conspicuously post on its Internet website the availability of such summary of rights; and
(iii) promptly make such summary of rights available to consumers, on request.
(2) Summary of rights required to be included with agency disclosures
(A) the summary of rights prepared by the Bureau under paragraph (1);
(B) in the case of a consumer reporting agency described in section 1681a(p) of this title, a toll-free telephone number established by the agency, at which personnel are accessible to consumers during normal business hours;
(C) a list of all Federal agencies responsible for enforcing any provision of this subchapter, and the address and any appropriate phone number of each such agency, in a form that will assist the consumer in selecting the appropriate agency;
(D) a statement that the consumer may have additional rights under State law, and that the consumer may wish to contact a State or local consumer protection agency or a State attorney general (or the equivalent thereof) to learn of those rights; and
(E) a statement that a consumer reporting agency is not required to remove accurate derogatory information from the file of a consumer, unless the information is outdated under section 1681c of this title or cannot be verified.
(d) Summary of rights of identity theft victims
(1) In general
The Commission,2 in consultation with the Federal banking agencies and the National Credit Union Administration, shall prepare a model summary of the rights of consumers under this subchapter with respect to the procedures for remedying the effects of fraud or identity theft involving credit, an electronic fund transfer, or an account or transaction at or with a financial institution or other creditor.
(2) Summary of rights and contact information
Beginning 60 days after the date on which the model summary of rights is prescribed in final form by the Bureau pursuant to paragraph (1), if any consumer contacts a consumer reporting agency and expresses a belief that the consumer is a victim of fraud or identity theft involving credit, an electronic fund transfer, or an account or transaction at or with a financial institution or other creditor, the consumer reporting agency shall, in addition to any other action that the agency may take, provide the consumer with a summary of rights that contains all of the information required by the Bureau under paragraph (1), and information on how to contact the Bureau to obtain more detailed information.
(e) Information available to victims
(1) In general
For the purpose of documenting fraudulent transactions resulting from identity theft, not later than 30 days after the date of receipt of a request from a victim in accordance with paragraph (3), and subject to verification of the identity of the victim and the claim of identity theft in accordance with paragraph (2), a business entity that has provided credit to, provided for consideration products, goods, or services to, accepted payment from, or otherwise entered into a commercial transaction for consideration with, a person who has allegedly made unauthorized use of the means of identification of the victim, shall provide a copy of application and business transaction records in the control of the business entity, whether maintained by the business entity or by another person on behalf of the business entity, evidencing any transaction alleged to be a result of identity theft to—
(A) the victim;
(2) Verification of identity and claim
Before a business entity provides any information under paragraph (1), unless the business entity, at its discretion, otherwise has a high degree of confidence that it knows the identity of the victim making a request under paragraph (1), the victim shall provide to the business entity—
(A) as proof of positive identification of the victim, at the election of the business entity—
(i) the presentation of a government-issued identification card;
(ii) personally identifying information of the same type as was provided to the business entity by the unauthorized person; or
(iii) personally identifying information that the business entity typically requests from new applicants or for new transactions, at the time of the victim’s request for information, including any documentation described in clauses (i) and (ii); and
(B) as proof of a claim of identity theft, at the election of the business entity—
(ii) a properly completed—
(II) an  affidavit of fact that is acceptable to the business entity for that purpose.
The request of a victim under paragraph (1) shall—
(A) be in writing;
(B) be mailed to an address specified by the business entity, if any; and
(C) if asked by the business entity, include relevant information about any transaction alleged to be a result of identity theft to facilitate compliance with this section including—
(4) No charge to victim
Information required to be provided under paragraph (1) shall be so provided without charge.
(5) Authority to decline to provide information
A business entity may decline to provide information under paragraph (1) if, in the exercise of good faith, the business entity determines that—
(A) this subsection does not require disclosure of the information;
(B) after reviewing the information provided pursuant to paragraph (2), the business entity does not have a high degree of confidence in knowing the true identity of the individual requesting the information;
(C) the request for the information is based on a misrepresentation of fact by the individual requesting the information relevant to the request for information; or
(D) the information requested is Internet navigational data or similar information about a person’s visit to a website or online service.
(6) Limitation on liability
Except as provided in section 1681s of this title, sections 1681n and 1681o of this title do not apply to any violation of this subsection.
(7) Limitation on civil liability
No business entity may be held civilly liable under any provision of Federal, State, or other law for disclosure, made in good faith pursuant to this subsection.
(8) No new recordkeeping obligation
Nothing in this subsection creates an obligation on the part of a business entity to obtain, retain, or maintain information or records that are not otherwise required to be obtained, retained, or maintained in the ordinary course of its business or under other applicable law.
(9) Rule of construction
(A) In general
No provision of subtitle A of title V of Public Law 106–102 [15 U.S.C. 6801 et seq.], prohibiting the disclosure of financial information by a business entity to third parties shall be used to deny disclosure of information to the victim under this subsection.
Except as provided in subparagraph (A), nothing in this subsection permits a business entity to disclose information, including information to law enforcement under subparagraphs (B) and (C) of paragraph (1), that the business entity is otherwise prohibited from disclosing under any other applicable provision of Federal or State law.
(10) Affirmative defense
In any civil action brought to enforce this subsection, it is an affirmative defense (which the defendant must establish by a preponderance of the evidence) for a business entity to file an affidavit or answer stating that—
(A) the business entity has made a reasonably diligent search of its available business records; and
(B) the records requested under this subsection do not exist or are not reasonably available.
(11) Definition of victim
For purposes of this subsection, the term “victim” means a consumer whose means of identification or financial information has been used or transferred (or has been alleged to have been used or transferred) without the authority of that consumer, with the intent to commit, or to aid or abet, an identity theft or a similar crime.
(12) Effective date
This subsection shall become effective 180 days after December 4, 2003.
(13) Effectiveness study
Not later than 18 months after December 4, 2003, the Comptroller General of the United States shall submit a report to Congress assessing the effectiveness of this provision.
(f) Disclosure of credit scores
(1) In general
Upon the request of a consumer for a credit score, a consumer reporting agency shall supply to the consumer a statement indicating that the information and credit scoring model may be different than the credit score that may be used by the lender, and a notice which shall include—
(A) the current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the credit reporting agency for a purpose related to the extension of credit;
(B) the range of possible credit scores under the model used;
(D) the date on which the credit score was created; and
For purposes of this subsection, the following definitions shall apply:
(A) Credit score
The term “credit score”—
(i) means a numerical value or a categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may also be referred to as a “risk predictor” or “risk score”); and
(ii) does not include—
(I) any mortgage score or rating of an automated underwriting system that considers one or more factors in addition to credit information, including the loan to value ratio, the amount of down payment, or the financial assets of a consumer; or
(II) any other elements of the underwriting process or underwriting decision.
(B) Key factors
The term “key factors” means all relevant elements or reasons adversely affecting the credit score for the particular individual, listed in the order of their importance based on their effect on the credit score.
(3) Timeframe and manner of disclosure
The information required by this subsection shall be provided in the same timeframe and manner as the information described in subsection (a).
(4) Applicability to certain uses
(A) distribute scores that are used in connection with residential real property loans; or
(5) Applicability to credit scores developed by another person
(A) In general
This subsection shall not be construed to require a consumer reporting agency that distributes credit scores developed by another person or entity to provide a further explanation of them, or to process a dispute arising pursuant to section 1681i of this title, except that the consumer reporting agency shall provide the consumer with the name and address and website for contacting the person or entity who developed the score or developed the methodology of the score.
(6) Maintenance of credit scores not required
(7) Compliance in certain cases
(A) supply the consumer with a credit score that is derived from a credit scoring model that is widely distributed to users by that consumer reporting agency in connection with residential real property loans or with a credit score that assists the consumer in understanding the credit scoring assessment of the credit behavior of the consumer and predictions about the future credit behavior of the consumer; and
(B) a statement indicating that the information and credit scoring model may be different than that used by the lender.
(8) Fair and reasonable fee
(9) Use of enquiries as a key factor
If a key factor that adversely affects the credit score of a consumer consists of the number of enquiries made with respect to a consumer report, that factor shall be included in the disclosure pursuant to paragraph (1)(C) without regard to the numerical limitation in such paragraph.
(g) Disclosure of credit scores by certain mortgage lenders
(1) In general
Any person who makes or arranges loans and who uses a consumer credit score, as defined in subsection (f), in connection with an application initiated or sought by a consumer for a closed end loan or the establishment of an open end loan for a consumer purpose that is secured by 1 to 4 units of residential real property (hereafter in this subsection referred to as the “lender”) shall provide the following to the consumer as soon as reasonably practicable:
(A) Information required under subsection (f)
(i) In general
(ii) Notice under subparagraph (D)
In addition to the information provided to it by a third party that provided the credit score or scores, a lender is only required to provide the notice contained in subparagraph (D).
(B) Disclosures in case of automated underwriting system
(i) In general
If a person that is subject to this subsection uses an automated underwriting system to underwrite a loan, that person may satisfy the obligation to provide a credit score by disclosing a credit score and associated key factors supplied by a consumer reporting agency.
(ii) Numerical credit score
However, if a numerical credit score is generated by an automated underwriting system used by an enterprise, and that score is disclosed to the person, the score shall be disclosed to the consumer consistent with subparagraph (C).
(iii) Enterprise defined
A person that is subject to the provisions of this subsection and that uses a credit score, other than a credit score provided by a consumer reporting agency, may satisfy the obligation to provide a credit score by disclosing a credit score and associated key factors supplied by a consumer reporting agency.
(D) Notice to home loan applicants
“notice to the home loan applicant
“In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.
“The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.
“Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.
“If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.
“If you have questions concerning the terms of the loan, contact the lender.”.
(E) Actions not required under this subsection
This subsection shall not require any person to—
(i) explain the information provided pursuant to subsection (f);
(iii) disclose any credit score or related information obtained by the user after a loan has closed;
(iv) provide more than 1 disclosure per loan transaction; or
(F) No obligation for content
(i) In general
(ii) Limit on liability
(G) Person defined as excluding enterprise
(2) Prohibition on disclosure clauses null and void
(A) In general
(B) No liability for disclosure under this subsection
A lender shall not have liability under any contractual provision for disclosure of a credit score pursuant to this subsection.