The
The Consumer Financial Protection Bureau is preparing to announce new rules that could upend those efforts. Director Rohit Chopra
In other words, to meet the identity fraud reduction objectives championed by President Biden and Congress requires use of the exact data, by some of the same companies, that may be negatively impacted by the CFPB's rules.
The responsible use of consumer data is something all policymakers should support. How and for what purposes consumer information is commoditized and sold is a reasonable question for federal regulators to ask. However, the answer to that question should not compromise uses of consumer data that not only uphold a safe and sound banking system, but also support the broader societal good of reducing identity crime.
The CFPB can achieve its stated objectives while avoiding major unintended consequences. Federal policies have long recognized that identity verification and fraud reduction are critical processes that should be preserved and not inappropriately caught up in unrelated or adjacent policies. Entire bodies of regulation, such as those related to anti-money-laundering and know-your-customer obligations, exist to ensure financial institutions only open accounts for consumers whose identities can be verified. The provision of law that created the CFPB itself in several instances directs the bureau to exempt fraud prevention activities and data from certain rulemakings.
Rep. French Hill, the No. 2 Republican on the House Financial Services Committee, promised bankers Tuesday that he will continue to push back against Biden administration regulators, especially on bank-fintech partnerships and digital assets.
Where the CFPB could stray from achieving its objectives is if it pulls identity verification and fraud prevention activities (and the data necessary to protect consumers from identity fraud) into the regulatory structure of the Fair Credit Reporting Act. These rules govern the consumer credit market, set standards for creditworthiness determinations and provide American consumers with certain rights related to their credit histories. Critically, all of these rules and rights are only applicable to consumers who have already had their identity positively validated.
There are numerous reasons why this sort of policy change doesn't make sense and would end up causing significant consumer harm. One example: There's a line of thinking that consumers should have the right under the FCRA, for example, to view and correct any data on them held in a database by any private company, not just credit bureaus. From a fraud prevention perspective, this begs the question: When a person's identity is stolen — which happens to thousands of consumers each day — to whom are those rights granted? The answer is the individual — in this case, the criminal — who has control of the victim's identity, and who would be empowered to dispute and alter accurate information about their victim.
When data used by financial institutions and their service providers to verify identities and prevent fraud is incorrect, it is almost always because either 1) the actual consumer made a typo when entering their data into a financial application or 2) the data was provided by someone committing a crime. In the former case, the financial institution will usually extend the consumer the opportunity to correct the mistyped information so that their application can proceed to credit eligibility determination. In the latter case, the financial institution can prevent a criminal from opening an account and further harming an identity theft victim.
The CFPB has an opportunity to update parts of the FCRA to address how consumer data is used for marketing purposes in a way that preserves the tools the financial industry uses to protect consumers from identity fraud. If it inappropriately expands the FCRA, the identity fraud reduction initiatives supported by the president and Congress would be derailed. It's not even a matter of walking a fine regulatory line: The rules — like the processes themselves — that separate fraud and identity from credit evaluation are bright and distinct. The CFPB just needs to be sure it supports, and doesn't muddy, those distinctions to the detriment of consumers.