The Consumer Financial Protection Bureau has proposed substantial changes to the Fair Credit Reporting Act that would require any company that collects and sells consumer data to be covered by the 1970 law.
The proposal marks a monumental shift in how courts have interpreted requirements under the FCRA, experts said, and could limit the ability of consumers to verify their identities to companies such as Netflix or Hulu while also opening the floodgates for data brokers and aggregators to be sued in class-action lawsuits.
The CFPB released
However, much of that work has already been done by the three credit reporting bureaus — Equifax, Experian and TransUnion — which
"In our country, one in three adults, some 100 million Americans, struggle with unpaid medical bills," Harris said on a press call with reporters. "Once this rule is final, it will mean that consumer credit reports will not include medical debt, and that creditors will not be able to use medical debt to determine a person's eligibility for credit."
Addressing medical debt is just one part of the proposal, but it is expected to draw the ire of medical service providers and collection agencies, as well as banks and financial firms that rely on accurate information in credit reports to make underwriting decisions.
"Removing this data from the system will degrade the value of traditional credit reports," said Alan Wingfield, a partner at Troutman Pepper. "It could have a negative impact on credit models, with creditors not understanding the full financial pressure consumers are under if [consumers] have a lot of unpaid medical debt that they are responsible for but that is eradicated from the system."
Chopra said the CFPB's proposed rule would prohibit lenders from using certain medical billing information in underwriting decisions. The CFPB's research found that half of all debt collections were for medical bills and that most debt collectors have no way of verifying the accuracy of a medical debt.
"Medical billing history has very limited predictive value in underwriting decisions on loans," Chopra said on the press call. "If credit bureaus are pulling much of this information already because it isn't a good predictor of risk, why should creditors see your medical bills at all? Why are we continuing to allow debt collectors to use credit reports to pressure people into paying questionable bills?"
Under the proposal, the CFPB is considering rewriting exemptions in the FCRA for medical debt, said a senior CFPB official.
The CFPB kicked off the rulemaking by issuing a
Though Harris and Chopra confined their comments on Thursday to medical debts, the financial reporting and data industry has focused its attention on the second part of the proposal, which would subject a wide range of companies — from fraud prevention companies to identity theft providers — to the FCRA and its reporting requirements. In August, the CFPB and the White House convened a roundtable on the harmful practices of data brokers, which the CFPB has referred to as "the surveillance industry."
In March, the CFPB issued a request for information on data brokers and the types of information that is collected and sold. The bureau received more than 7,000 comments, which the bureau said informed its proposal.
The changes proposed to the FCRA are so far-reaching that lawyers representing a wide range of financial firms said they are preparing for litigation. Technically, the CFPB can only be sued after a rule has been finalized.
"We have concerns that some of the proposals may push the limits of the Bureau's authority under federal law," said Dan Smith, president and CEO of the Consumer Data Industry Association. Smith emphasized that consumer reporting companies help consumers confirm their identities and weed out bad actors from abusing consumers' personal information.
Currently, a wide range of companies that use data for purposes other than credit are not subject to the Fair Credit Reporting Act. The FCRA strictly limits the use of credit report data from being sold for any reason other than what Congress has specified as having a "permissible purpose," such as credit underwriting, insurance and employment.
The CFPB's proposal seeks to restrict the sale of data for permissible purposes only. For example, the use of data for identity verification to access a streaming service or an online account would be prohibited without a consumer's written authorization.
"What the CFPB is saying is they want to regulate based on the nature of the data, not on how the data is being used, which is directly in conflict with the definition under the FCRA," said Ron Raether, a partner at Troutman Pepper.
The current credit reporting system in the U.S. is strictly voluntary; so-called credit furnishers are not required to report information to the three major credit bureaus. By designating third-party data brokers and data aggregators as "credit reporting companies," covered under the FCRA, the CFPB's proposal would mandate that a broad range of companies be subject to the law's requirements even if they are not using the data for credit purposes.
Some experts said the CFPB could potentially be disrupting the ecosystems that banks and financial firms have built to prevent fraud and correctly verify the identity of customers. If brokers and aggregators are designated to be credit reporting companies, those firms would have to give consumers the right to access and dispute their data, and could be sued for violating the FCRA's requirements.
Under the FCRA as currently interpreted, banks cannot be sued by a consumer if a credit report contains inaccurate information. Instead, the bank is allowed to correct the information under a consumer dispute process. But the CFPB's proposed rulemaking "appears to be specifically written to make class actions against banks for credit reporting possible," said Wingfield.
"What they're trying to do through this rulemaking is a change in the law, under FCRA, to pave the way for class actions against furnishers," he said.
Another major concern involves the sale of so-called "credit header data," which is the portion of a credit report that contains an individual's name, birth date, Social Security number, phone numbers and current and past addresses. Data brokers rely on credit header data purchased from the three main credit bureaus for all sorts of purposes, from marketing to criminal background checks.
"The SBREFA outline proposes requiring consumers' personal identifiable information — often referred to as "credit header data" — to be subject to the FCRA," said Lindsey Johnson, president and CEO of the Consumer Bankers Association, in a press release. "Banks spend millions of dollars to protect their customers' data and prevent fraud, sometimes utilizing credit header data to do so. While we understand the concerns stemming from the use of this information by unscrupulous nonbank companies, such as those on the dark web, it is also critical for the Bureau to recognize the impact this potential requirement would have on the well-regulated banking industry."
The CFPB's proposal would significantly reduce the sale of credit header data without a permissible purpose. Doing so would impact a wide range of industries and companies including identity verification, fraud prevention firms and debt collectors that conduct skip-tracing, which is used to locate people who are missing or have defaulted on debts.
"The industry needs to galvanize and react to what the CFPB is doing," said Raether. "We need to be looking not just at the rulemaking process but litigation options and legislative options as well, to make sure the views of the industry and the consequences are getting some voice and consideration."