Rights

Who can legally pull your credit report?

Only someone with a permissible purpose under FCRA Section 1681b: a lender you applied to, an existing creditor reviewing your account, a collector collecting a debt, an insurer underwriting you, an employer with written consent, a landlord processing your application, or anyone you instruct in writing. A pull without permissible purpose violates the FCRA.

3 min read·Last reviewed 1 day ago

The permissible purpose list

Your credit report is not public information. FCRA Section 1681b defines the complete list of reasons someone may access it, and anything outside the list is off limits. The common ones:

  • You applied for credit, and the lender is evaluating the application.
  • An existing creditor is reviewing your account (a periodic soft pull).
  • A debt collector is collecting on an account.
  • An insurance company is underwriting a policy you sought.
  • An employer is screening you, with your written consent.
  • A landlord is processing your rental application.
  • You gave written instructions, which is how services like CreditRefresh access your reports.
  • A court order or certain government functions require it.

Hard vs. soft access

Permissible purpose governs whether someone may see your file at all. Separately, the type of pull determines score impact: applications create hard inquiries, while account reviews, prescreened offers, employment checks, and your own access (including every pull CreditRefresh runs) are soft and never affect your score.

When a pull crosses the line

Pulling a report without a permissible purpose, like an ex-partner's snooping, a business checking someone with no application in play, or a collector pulling after a debt was resolved, violates the FCRA and can support a lawsuit. The visible symptom is usually a hard inquiry you cannot explain.

What to do about an unexplained inquiry

First rule out the benign explanations: lenders sometimes pull under a parent company's name, and a single auto or mortgage application can generate several inquiries. If it is genuinely unauthorized, it is disputable, and if it is accompanied by accounts you never opened, treat it as identity theft and act on that immediately.

Was this helpful?
Keep reading

Related articles

Still need help?

A founder will answer.

Pre-launch, every message reaches one of three founders. We answer within the hour during US business days.

Who Can Pull Your Credit Report? Permissible Purpose