BankThink

CFPB should not thwart the bipartisan effort to combat identity fraud

CFPB
The CFPB is considering new rules governing the collection and sale of consumer data. If it's not careful, the agency could find itself inadvertently assisting identity thieves, writes Jason Kratovil.
Joshua Roberts/Bloomberg

The White House recently touted new bipartisan legislation introduced in Congress aimed at cracking down on identity fraud through significant investments and policy changes. Crimes like identity theft have a real impact on consumers: Traditional identity fraud cost Americans a reported $23 billion in 2023. Channeling federal policies and resources toward reducing identity crime is a worthwhile and potentially effective effort that can help mitigate this harm.

The Consumer Financial Protection Bureau is preparing to announce new rules that could upend those efforts. Director Rohit Chopra has made clear his plans to impose new regulations on data brokers and restrictions on the sale of some types of data. Motivating this is a desire to rein in certain marketing practices, particularly when those practices allow bad actors to compromise consumer privacy using broker data. One such data source in the CFPB's crosshairs is called credit header data, which is made available by the major credit reporting agencies and includes the basic identity information (name, date of birth, address, Social Security number) of credit-active Americans. Analytics relying on this and other data often underpins technology solutions used by companies, law enforcement and government agencies to detect and prevent identity fraud.

In other words, to meet the identity fraud reduction objectives championed by President Biden and Congress requires use of the exact data, by some of the same companies, that may be negatively impacted by the CFPB's rules. 

The responsible use of consumer data is something all policymakers should support. How and for what purposes consumer information is commoditized and sold is a reasonable question for federal regulators to ask. However, the answer to that question should not compromise uses of consumer data that not only uphold a safe and sound banking system, but also support the broader societal good of reducing identity crime.

The CFPB can achieve its stated objectives while avoiding major unintended consequences. Federal policies have long recognized that identity verification and fraud reduction are critical processes that should be preserved and not inappropriately caught up in unrelated or adjacent policies. Entire bodies of regulation, such as those related to anti-money-laundering and know-your-customer obligations, exist to ensure financial institutions only open accounts for consumers whose identities can be verified. The provision of law that created the CFPB itself in several instances directs the bureau to exempt fraud prevention activities and data from certain rulemakings.

Rep. French Hill, the No. 2 Republican on the House Financial Services Committee, promised bankers Tuesday that he will continue to push back against Biden administration regulators, especially on bank-fintech partnerships and digital assets.

April 30
Rep. French Hill, R-Arkansas

Where the CFPB could stray from achieving its objectives is if it pulls identity verification and fraud prevention activities (and the data necessary to protect consumers from identity fraud) into the regulatory structure of the Fair Credit Reporting Act. These rules govern the consumer credit market, set standards for creditworthiness determinations and provide American consumers with certain rights related to their credit histories. Critically, all of these rules and rights are only applicable to consumers who have already had their identity positively validated.

There are numerous reasons why this sort of policy change doesn't make sense and would end up causing significant consumer harm. One example: There's a line of thinking that consumers should have the right under the FCRA, for example, to view and correct any data on them held in a database by any private company, not just credit bureaus. From a fraud prevention perspective, this begs the question: When a person's identity is stolen — which happens to thousands of consumers each day — to whom are those rights granted? The answer is the individual — in this case, the criminal — who has control of the victim's identity, and who would be empowered to dispute and alter accurate information about their victim. 

When data used by financial institutions and their service providers to verify identities and prevent fraud is incorrect, it is almost always because either 1) the actual consumer made a typo when entering their data into a financial application or 2) the data was provided by someone committing a crime. In the former case, the financial institution will usually extend the consumer the opportunity to correct the mistyped information so that their application can proceed to credit eligibility determination. In the latter case, the financial institution can prevent a criminal from opening an account and further harming an identity theft victim.

The CFPB has an opportunity to update parts of the FCRA to address how consumer data is used for marketing purposes in a way that preserves the tools the financial industry uses to protect consumers from identity fraud. If it inappropriately expands the FCRA, the identity fraud reduction initiatives supported by the president and Congress would be derailed. It's not even a matter of walking a fine regulatory line: The rules — like the processes themselves — that separate fraud and identity from credit evaluation are bright and distinct. The CFPB just needs to be sure it supports, and doesn't muddy, those distinctions to the detriment of consumers.

For reprint and licensing requests for this article, click here.
Regulation and compliance Fraud Fraud prevention CFPB News & Analysis
MORE FROM AMERICAN BANKER