Small Business Review Panel Issues Report On FCRA Rulemaking
This week the Small Business Review Panel issued its “Final Report” on the CFPB’s Fair Credit Reporting Act (FCRA) proposals. This is part of the Consumer Financial Protection Bureau’s rulemaking process. The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 provided new avenues for small businesses to participate in the federal regulatory arena, and required certain covered agencies (including the CFPB) to form a Small Business Advocacy Review (SBAR) Panel before publishing a proposed rule with an Initial Regulatory Flexibility Analysis. The panel is comprised of a chair from the covered agency, the Chief Counsel for Advocacy, and the Administrator of the Office of Information and Regulatory Affairs and meets with representatives of directly regulated small entities. This process is meant to create an opportunity to provide advice and recommendations on regulatory alternatives to minimize the burden on small entities.
AFSA submitted comments in November on some of the CFPB’s proposals during the SBAR. Below are a summary of AFSA’s comments and what the panel suggests on the same proposals.
“Credit Header” Data
AFSA: We pointed out that credit header data is often central to tools used by financial institutions and other businesses to verify identities and prevent identity theft and fraud. Preventing fraud and identity theft is strongly pro-consumer, as persons whose identities are stolen can suffer harm to their credit. Businesses are suffering severe harm from fraud and identity theft. A regulation which would complicate and restrict one of the most important fraud fighting tools out there – using credit header data as the basis for identify verification – would be a huge step back.
SBAR: Similarly, the report recommends that the CFPB consider the ways that entities currently use credit header data, including for identity verification; fraud prevention and detection; and in employment background checks, and work to mitigate negative effects.
Permissible purposes
Written instructions of the consumer. AFSA explained that member companies have developed certain FCRA policies to ensure that when needed, proper written instructions are obtained and consumer report data is used in accordance with the consumer’s instructions. Changes to the required steps to obtain authorization, who can collect written instructions, and limits on the scope of authorization will be an additional compliance burden on small businesses who already have well-functioning compliance programs in place.
SBAR: The report recommends that the CFPB endeavor to ensure that any written instructions requirements do not conflict with other regulatory frameworks for consumer authorization of data sharing, including any framework adopted in a final CFPB Personal Financial Data Rights Rule. As an alternative approach, the report also recommends that the CFPB consider requiring data deletion upon consumer request rather than one-time-use consumer authorization.
Data security and data breaches: In our comments, AFSA clarified that unauthorized access of consumer report information by a fraudster is not the equivalent of a consumer reporting agency or a lender purposely disseminating consumer report information to unauthorized parties. Doing so would unnecessarily confuse the term and run contrary to the purpose of original intentions of the FCRA. Additionally, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to safeguard sensitive data. The GLBA set specific criteria relating to the safeguards that certain nonbank financial institutions must implement as part of their information security programs. Member companies’ compliance programs have been built and updated in accordance with GLBA standards.
SBAR: The report has several recommendations in this space. As one alternative to the CFPB proposal, the report suggests the CFPB consider extending the application of the FTC’s GLBA Safeguards Rule to entities that are not already covered by that rule. The report also recommends that the CFPB consider options to minimize the burden of the proposal under consideration on small entities while achieving the purposes of the rulemaking. For example, the CFPB should consider capping damages that consumer reporting agencies would be required to pay in the event of a data breach and exempting breaches involving certain types of consumer reports to the extent the CFPB has authority to do so.
Disputes involving legal matters: AFSA’s comments on this section focused on the plain reading of the statute, which contradicts the CFPB’s interpretation of the FCRA in its statement of policy. The statute requires credit reporting agencies (CRAs) to guard against, and credit furnishers to reasonably investigate, factual inaccuracies, not to resolve legal issues that would require a judicial ruling to resolve the dispute. The CFPB’s position that allows legal challenges through FCRA investigations, if followed, would allow collateral attacks on issues that only can only be resolved by final judicial rulings. That legal disputes should be subject to FCRA investigation requirements is not only inconsistent with the court’s authority over legal disputes, but is also contrary to the statutory text, Congressional intent, and well-established court precedent. Moving forward with such rulemaking creates the significant risk that CFPB’s rulemaking will be found to be arbitrary and capricious and is also likely to increase market confusion.
SBAR: The report suggested that the CFPB clarify in any proposed rule that the CFPB is not proposing to require consumer reporting agencies or furnishers to distinguish between disputes involving legal matters and other disputes for purposes of the FCRA’s dispute obligations, but rather to investigate all disputes in accordance with the FCRA’s requirements, regardless of how they might be characterized. The report also recommended that the CFPB consider providing examples of types of disputes that could be characterized as legal in nature but that must nonetheless be investigated under the FCRA.
Disputes involving systematic issues: For indirect disputes, AFSA’s comments state, a furnisher must report the results of its investigation of the “disputed information.” The “disputed information” is information that has been disputed by one consumer. For direct disputes, a furnisher must report the results to “the consumer” disputing the information (and correct the reporting if necessary). The FCRA does not contemplate that dispute investigations or results would be performed in as broad of a fashion as the Outline proposes and risks the transmission of data that the consumer did not otherwise authorize. This is also already addressed by state notice requirements. Ultimately, the FCRA already solves for systemic problems and harms caused by systemic issues by prohibiting a furnisher from reporting information to a CRA that it knows or has reasonable cause to believe is inaccurate.
SBAR: The report recommends that the CFPB clarify the definition of a systemic issue for purposes of the proposal under consideration. In doing so, the CFPB should consider providing examples of types of errors that would or would not be considered “systemic” if they were the basis of a consumer dispute. The report also recommends that the CFPB consider how to mitigate any unintended consequences of the proposal under consideration, such as potential abuse by, for example, credit repair organizations, and whether a different approach is warranted for consumer reporting agencies that furnish “one-time-use” consumer reports.
Medical debt collection information: The CFPB’s original proposal would lead to significant consumer harm. AFSA addressed this issue in its letter, and discussed that eliminating medical debt from an ability-to-repay analysis could trap consumers in a cycle of debt. For example, in the case of traditional installment loans (TILs), lenders conduct an ability to repay a loan using a monthly net-income/expense calculation to ensure that proposed monthly payments can be met through monthly cash-flow. This is a healthy use of credit. If enforceable medical debt is scrubbed from the analysis, a cycle-of-debt situation could occur, where delinquent borrowers have no choice but to refinance the loan in the hope that they will be able to repay it further down the line. It will also likely cause lenders to implement tighter lending policies, which would result in a reduction of credit availability. AFSA believes the CFPB’s proposed actions are too broad and would upend a responsible lending system.
SBAR: Amongst other recommendations, the report shares AFSA’s concern, and proposes that the CFPB request public comment on the potentially negative effects to consumers and small entities if certain medical debts cannot be considered in making underwriting decisions or be included on consumer reports, and that the CFPB consider any conflicting obligations on creditors under TILA and Regulation Z.
January 11th, 2024