The Consumer Financial Protection Bureau (CFPB) recently took its first step in making possible changes to the Fair Credit Reporting Act (FCRA), having just released its Outline of Proposals and Alternatives Under Consideration (Sept. 15).
Although only a preliminary step in the rulemaking process, the Outline nevertheless signals how the CFPB may be thinking about the credit reporting market today and should put data brokers, data users, and data furnishers – including marketing platforms – on notice of things to possibly come.
To help readers appreciate the potential impact of forthcoming proposed rules, this article briefly touches on some of the questions and concerns that came to our minds when we reviewed the Outline.
What Is the Purpose of the Outline?
Because its proposals would likely have significant economic impact on a substantial number of small entities, the CFPB is required by the Small Business Regulatory Enforcement Fairness Act (SBREFA) to consult with small businesses to assess economic impact prior to releasing any proposed rules.
The resulting Outline is thus just a high-level peek into some of the CFPB's concerns and may not cover everything that we may see in actual proposed rules.
Based on what we've heard, proposed rules may arrive in Q1 or Q2 of 2024.
What Does the Outline Cover?
The Outline summarizes some of the CFPB's concerns about the following aspects of the FCRA, each affecting different participants in the credit reporting ecosystem:
- "Data brokers" as consumer reporting agencies
- The meaning of "assembling or evaluating" from the definition of consumer reporting agency
- Credit header information, traditionally viewed as non-consumer report information
- Targeted marketing, including aggregated and anonymized data
- The scope of the "written instruction" and "legitimate business need" permissible purposes
- Data security for consumer reporting agencies
- Disputes, including investigation of "systemic issues"
- Medical debt collection information
The Outline contemplates treating "data brokers" as consumer reporting agencies ("CRAs"). The question will be how the CFPB defines "data broker" – the Outline suggests various ways for a data broker to be subject to FCRA, based on how data is collected, shared and/or used by others.
Two things stood out to us:
- The first is the proposal to treat a data broker as a CRA based on how the recipient uses the information, regardless of the data broker's knowledge or intent.
This proposal could potentially hold a data broker strictly liable as a CRA, regardless of the controls that the data broker has put in place to prevent users from using information for a FCRA-permissible purpose. Data brokers often implement these controls in order to avoid treatment as a CRA, the argument being that if the recipient does not use the information for FCRA eligibility purposes, it cannot, by definition, be a consumer report. In turn, the provider of such information cannot, by definition, be a consumer reporting agency. The proposal could diminish this argument if the data broker will be deemed a CRA based on a recipient's actual use, notwithstanding the data broker's attempts to prevent such use. Alternatively, data brokers may need to significantly enhance their controls not only to demonstrate intent not to permit but to actually prevent any FCRA uses of their information.
- The second is that the CFPB would treat a data broker as a CRA based on the type of data shared (for example, a consumer's payment history, income, and criminal records) regardless of use.
The feasibility of this proposal is unclear as the statutory definition of a "consumer report" requires that the information be used for a permissible purpose.
Additionally, there may be use cases where such data is sold or shared for legitimate reasons outside of a FCRA-permissible purpose. By making data brokers CRAs regardless of use, the proposal could cause some data brokers to exit the market as the burden of becoming a CRA may outweigh the benefits of this business model.
Assembling or Evaluating
The CFPB is considering creating a "more bright-line definition" to clarify when someone is engaged in "assembling" or "evaluating" information as a CRA. For example, the Outline distinguished data brokers acting as CRAs from, for example, entities acting only as an intermediary in transmitting public records data to users of such data.
It's not immediately clear whether this proposal is necessary. A person is only a CRA if they make consumer reports to others. The definition of consumer report requires that the information be used for eligibility under a permissible purpose. That definitional scheme necessarily limits the scope of "assembling or evaluating" to making consumer reports to others. An intermediary does not "assemble" or "evaluate" data – it is just a conduit and thus should not be deemed a CRA under today's interpretation of FCRA.
Credit Header Information
Traditionally, information contained in the "header" of a credit report – like name, address, SSN and phone number – was not treated as consumer report information. Thus, the sharing of such information would not make someone a CRA. The Outline indicates that the CFPB might "reduce, perhaps significantly," CRAs' ability to disseminate header information without a permissible purpose.
This proposal has the potential for being overbroad as it would capture a host of data brokers that deal in such information for transactions that might not warrant the burdens of being a CRA.
Moreover, such information generally does not bear on eligibility under a permissible purpose anyway – or, to be more precise, it should not. For example, if one were to use a consumer's name to determine eligibility, that could raise concerns under fair lending laws (like the Equal Credit Opportunity Act) and other laws focused on discriminatory practices.
This aspect of the Outline is particularly impactful as it would target (no pun intended) ad networks and their use of consumer report data. It would codify the position that information being used "on behalf of third parties" in certain marketing models should be deemed a consumer report, even where the third party never comes into possession of that information – essentially treating the third party to be in constructive receipt of the information.
The proposal would be impactful to almost everyone involved in the ad campaign – once the use (and constructive sharing) of the information is deemed a consumer report, participants in the campaign could be pulled into the FCRA whether as a user, furnisher and perhaps even a CRA itself.
Even more impactful is the second aspect of this proposal – that the sharing of aggregated or anonymized information may be deemed a consumer report. It's unclear how the CFPB will effect such an interpretation, as the statutory definition of a "consumer report" requires that the information bear on a "consumer." If adopted, this proposal would greatly affect how data users in all industries leverage aggregated or anonymized data, not just for marketing, but for other analytic purposes.
Permissible Purpose – Written Instructions
The "written instruction" permissible purpose is widely used to obtain consumer reports outside of one of the enumerated permissible purposes, in particular marketing. The FCRA and FTC precedent provide little guidance on what constitutes an acceptable form of "written instruction" other than that such instruction must be in the affirmative (e.g., "I instruct ….") and not passive (e.g., "I understand that .…").
The Outline signals that the CFPB may codify past precedent and make this permissible purpose more prescriptive. In particular, the Outline suggests that the CFPB may introduce a consumer's right to revoke a prior written instruction. While this would not affect one-time transactions (for example, requesting a prequalified or preapproved offer), it would certainly affect a user's ability to obtain consumer reports for ongoing marketing campaigns. Operationally, it might require users to create system logic to identify customers who have revoked their written instruction to effectively opt out from future marketing campaigns that had relied on such written instruction.
Permissible Purpose – Legitimate Business Need
The Outline also focuses on the "legitimate business need" permissible purpose. This "catch-all" permissible purpose is intentionally broad in order to be used in contexts outside of the enumerated permissible purposes (other than marketing). However, what is "legitimate" or a "business need" can be subjective.
The Outline reveals that the CFPB may seek to clarify that "legitimate" means "for eligibility." This makes some sense as the FCRA – being ultimately a privacy law – was not intended to allow the use of consumer report information for any purpose.
However, the other proposal that would require an account review as a condition to rely on 604(a)(3)(F)(ii) of the FCRA is really just a clarification of that statutory provision, which provides a permissible purpose "to review an account to determine whether the consumer continues to meeting the terms of the account." Concerns around a user's reliance on this permissible purpose seem more an issue of enforcement than rulemaking.
As the data broker industry continues to grow, the CFPB appears to be concerned about greater instances of data breaches and unauthorized access to sensitive information at the CRA level.
Accordingly, it seems that the CFPB may look for ways to impose data safeguard requirements on CRAs based on existing statutory requirements, in particular 604 and 607(a) of FCRA. It will be interesting to see if (1) the CFPB has the authority to impose such requirements, and (2) if so, what those requirements will look like – perhaps something like GLBA safeguards applicable to financial institutions?
Not surprisingly, based on related consumer complaint and enforcement action volume, the Outline spends several pages on disputes, specifically in two areas: (1) legal vs. factual disputes, and (2) systemic issues.
Focusing on systemic issues, it is true that one system issue – for example, a coding error or incorrect system setting – can result in the proliferation of reporting errors affecting multiple consumers.
To address this, the CPFB may propose to empower consumers to identify system issues as a "dispute" that triggers a furnisher's investigation.
While furnishers should certainly adopt policies, procedures and controls to mitigate against systemic issues, the CFPB's proposal could prove overly burdensome. Instead of encouraging furnishers to invest more resources into fixing and preventing systemic issues, the proposal could result in resources being diverted to address the inevitable deluge of notices from consumers about perceived systemic issues – issues that the consumer may only suspect without actual knowledge or evidence. Absent a sufficiently high standard of proof that a consumer must meet to invoke such a dispute, it's unclear how effective this proposal would actually be in practice.
Medical Debt Collection Information
Last, but certainly not least, the Outline shows that the CFPB plans to curtail the use of medical debt collection information in consumer reports by revising its rules around the use of medical debt collection information or prohibiting its use in credit determinations. To the extent it has relied on medical debt collection information, it seems that a user will need to adjust its underwriting criteria to conform to what is likely to be more restrictive use of medical debt collection information.