The Consumer Financial Protection Bureau (CFPB) has started the process of issuing rules on several topics affecting the entire ecosystem that collects, sells, and uses data about consumers, according to an Outline of the CFPB’s plans for rulemaking under the Fair Credit Reporting Act (FCRA) released on September 21. A copy of the Outline can be found here.
The Outline sets out an ambitious agenda for the proposed rulemaking that will have major impacts on:
- “Data brokers” and “data aggregators,” which are not defined under the FCRA, and which have not historically been considered consumer reporting agencies;
- Consumer reporting agencies (CRAs);
- Furnishers of data to CRAs;
- Persons who are sources of data for “data brokers” and “data aggregators”; and
- End users of data obtained from CRAs and/or “data brokers”/“data aggregators.”
While the Outline has wide-ranging implications for the entire ecosystem, in prepared remarks for a press call hosted by Vice President Kamala Harris, CFPB Director Rohit Chopra discussed only one aspect of the proposal: a rule barring reporting medical debt collections through the credit reporting system. He said the CFPB’s rulemaking would “block medical debt collectors from weaponizing the credit reporting system to coerce patients into paying bills they may not even owe. We are also kicking off a rulemaking process to prohibit lenders from using certain medical billing information in their underwriting decisions.”
At a very high level, one of the most important impacts of the contemplated rule is that many businesses and use cases that do not meet the FCRA’s definition of “consumer reporting agency” could be dragged into FCRA regulation. From the Outline, it is not obvious that the CFPB has considered the significant negative consequences of ignoring the plain language of the FCRA. For example, data that has been used for decades to prevent fraud and identity theft will no longer be permitted for those use cases outside the limited set of enumerated FCRA “permissible purposes” or under the CFPB’s new proposed strict rules for obtaining consumer consent. However, that is only one of many probable monumental shifts in how the industry and courts have understood the FCRA. Compliance requirements and risks for the potentially new and existing members of the FCRA-regulated consumer data ecosystem are going to be more demanding in multiple, significant ways, some of which are identified below.
The Outline follows up on an announcement of the planned initiative, described here, and is part of the first step of a formal CFPB rulemaking. The Outline is supplied for initial comment to a panel of small businesses convened under the Small Business Regulatory Enforcement Fairness Act (SBREFA). After this SBREFA process is complete, then the CFPB will issue a proposed rule and open it up for comment, which the CFPB’s director indicated would likely occur in 2024.
Impacts on Industries Likely Affected by the Proposed Rule
The contemplated rulemaking disclosed in the Outline would affect participants in the consumer data ecosystem in many ways, including:
So-Called “Data Brokers” and “Data Aggregators”
Who qualifies as a “data broker” or “data aggregator”? In the CFPB’s view, a “data broker” or “data aggregator” is any company that collects and sells consumer data, for any purpose, and who also “assembles” or “evaluates” the data. The CFPB thus appears to intend to expand the definition of “consumer report” beyond those “data brokers” that are CRAs “under current law.”
Further ignoring the FCRA’s definition of “consumer report,” the CFPB states that it intends to apply the statute where the information is used for any permissible purpose (ignoring the FCRA’s threshold eligibility requirements), regardless of whether the data broker knew that the information would be used or intended to be used for that purpose. Indeed, the CFPB says that information would be a “consumer report” based only on the fact that the information might bear on eligibility — addressing only part of the FCRA’s definition of “consumer report.” It is likewise unclear how the CFPB intends to “clarify” the meaning of “assemble” and “evaluate” in a way that has not already been addressed by the courts.
The impacts for so-called “data brokers” and “data aggregators” go further.
- Among other implications is the fact that “data brokers” and “data aggregators” would be able to sell data only for permissible purposes allowed by the FCRA — principally for eligibility determinations for credit, insurance, or employment — or by way of written authorization of the consumer. Use of data for product improvement and identity verification to access an online account, for example, would be prohibited absent the consumer’s written authorization.
- In addition to limiting who can receive data from “data brokers” and “data aggregators,” those entities, once designated as CRAs, would need to give consumers (and identity thieves) rights to access and dispute their data, and consumers could sue them under the FCRA for violating those FCRA requirements.
Who is a CRA? The FCRA defines a CRA as a person who collects, assembles, or evaluates consumer credit information or other data on consumers for the purposes of furnishing consumer reports. In turn, a consumer report contains “seven factor” data reflecting on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, and is expected to be used for the purpose of establishing a consumer’s eligibility for credit, insurance, or employment, among other specific “permissible purposes.”
What are the impacts of the contemplated rulemaking for CRAs?
- Under current law, a CRA’s sale of identifying data — widely known as “credit header data” —about a consumer is not regulated by the FCRA, mainly due to courts consistently concluding such information does not bear on the factors listed in the statutory definition of “consumer report.” The CFPB seems to acknowledge this existing law and then, contrary to its statements on data brokers discussed above, proclaims that such information is now being used to determine “eligibility” and, as a result, is now regulated consumer report information that can only be used for FCRA permissible purposes. The Outline suggests that the CFPB is focused on subjecting all consumer data held by a CRA to the FCRA’s requirements, meaning that only persons with an FCRA “permissible purpose” can obtain this data from CRAs. That restriction would have major implications for end users as well, noted below.
- The Outline also reflects the potential for a proposed rule that would create an obligation not found anywhere in the FCRA for a CRA “to protect” consumer reports from a data breach or data security incident (i.e., unauthorized access). This would be contrary to the fact that courts consistently hold that the FCRA does not apply to such incidents, given the plain language of the statute.
- Other provisions of the rulemaking being contemplated by the CFPB would basically exclude from the ecosystem, any collection or distribution of medical debt collection information altogether. That will have major implications for users and furnishers as well, as noted below.
- The CFPB also proposes to give consumers the power to file a dispute not only for themselves, but also on behalf of whole groups of consumers (a sort of “class action” dispute), and the CRAs would have to investigate the dispute, and respond, on a group basis. This obligation would also apply to furnishers, as discussed below.
- Finally, the CFPB would also have CRAs and furnishers interpret legal issues that may impact the accuracy of information provided, for example, by a court. Not only does such a requirement ignore what courts have found is required by the FCRA — investigating only factual disputes about the completeness or accuracy of data — but could also require the involvement of an attorney in every dispute to make sure there are no “legal” issues that need to be resolved.
Who is a furnisher? A “furnisher” is a person who supplies their own “transaction and experience” consumer data to a CRA. A creditor or servicer who supplies a CRA with data about a consumer’s performance of a credit obligation is a furnisher.
What are the impacts for furnishers?
- As with CRAs, the contemplated rule would give consumers the power to make a dispute on behalf of not only themselves but also whole groups of consumers, and furnishers would have to investigate and respond to these disputes on a group basis.
- As with CRAs, the contemplated rule would require furnishers to evaluate legal issues raised by a dispute.
- Medical debt collection information would be excluded from the consumer data ecosystem, so furnishers who currently report medical debt would no longer have any way to share this data with end users through CRAs.
Data Sources for “Data Brokers” and “Data Aggregators”
Who is a “data source” for “data brokers” and “data aggregators”? “Data brokers” and “data aggregators” collect data from a wide variety of governmental and business sources.
What are the impacts of data sources for “data brokers”? Supplying data to “data brokers” and “data furnishers,” who would now be regulated directly under the FCRA, could also result in some data sources becoming “furnishers” themselves. This would saddle these data sources with the duties of a furnisher under the FCRA as to accuracy of data, responding to disputes and putting in place identity theft protections. This could become problematic, especially if the data source is making no effort to associate a record with a specific purpose (i.e., doing nothing more than parroting the public record sources such as court records).
Who is an end user? An “end user” is a person who consumes consumer data for business purposes. This can include marketing, identity verification, fraud prevention, and eligibility determinations of consumers for products and services including but not limited to credit, insurance, and employment.
What are the potential impacts for an end user?
- A major effect of the inclusion of “data brokers” and “data aggregators” in the definition of CRA is that users will only have the ability to look to the consumer data ecosystem for data if the user has an FCRA permissible purpose, or the written instructions of the consumer give the user permission to access the consumer’s data. This will have a detrimental effect on preventing fraud and misuse, especially when combined with the CFPB’s intent to restrict the “legitimate business need” permissible purpose.
- Likewise, materially changing the current understanding of “aggregated” (i.e., anonymized) data could eliminate numerous use cases that benefit consumers by improving functionality and reducing the price of products and services.
- The Outline also includes the prospect that the CFPB will promulgate specific requirements for a consumer’s written instructions, including required steps to obtain authorization, who can collect written instructions, and limits on the scope of authorization. The proposal also confirms the consumer’s right to revoke authorization and contemplates methods for such revocation. The CFPB has not explained whether this would be a prospective requirement or if it intends to apply its rule to data already collected and not flagged for this purpose.
- The Outline seeks to clarify when an end user has a “legitimate business need” for which a CRA may furnish a consumer report. The FCRA provides that a “legitimate business need” includes a need for the information (i) in connection with a business transaction initiated by the consumer, or (ii) to review an account to determine whether the consumer continues to meet the terms of the account. The proposal seeks to limit those needs, respectively, to (i) determining eligibility for a consumer-purpose transaction, or (ii) actual account reviews for which the consumer report information is required to determine whether the consumer continues to meet the terms of the account.
- Users will not have access to medical debt collection data through the regulated consumer data ecosystem, which could result in the making of riskier loans that would otherwise not be made in the current environment.
As we have been discussing on our special podcast series that anticipated these new rules under the FCRA, after the comment period is complete, the CFPB will issue a final rule. A final rule is unlikely before 2025. Based on the sweeping proposed reform as to the CFPB’s interpretation of the FCRA’s scope, it appears likely that some parts of the CFPB’s proposed rule will face significant legal challenges.
This proposed rulemaking, if it proceeds as outlined, will have a dramatic effect across the board for all businesses involved in the consumer data ecosystem. Comments and advocacy will be required by these affected stakeholders.