CFPB Tasked with FCRA Interpretation - FTC Issues Staff Report to Aid Transition
Since the Fair Credit Reporting Act (FCRA) was adopted in 1970, the Federal Trade Commission (FTC) has been the agency primarily responsible for interpreting the Act through formal rules and informal guidance materials. The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 shifted the authority to publish FCRA rules and guidelines to the newly created Consumer Financial Protection Bureau (CFPB). On July 21, 2011,to celebrate the 40th anniversary of the FCRA and aid the CFPB as it takes over interpreting the FCRA, the FTC issued a staff report entitled “Forty Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report and Summary of Interpretations.” The staff report provides important insight into how the CFPB will interpret and enforce the FCRA going forward. This post summarizes some of the highlights of the staff report and the implications of the FTC’s newly issued FCRA interpretations.
Changing Opinions
This is not the first time the FTC has issued a comprehensive FCRA report. Given the large volume of guidance materials it has amassed over time, the FTC released “Commentary on the FCRA ” in 1990 – a compilation of statements regarding how the FTC would interpret and enforce the FCRA. Much has changed since the FTC issued the 1990 Commentary: the FCRA has been significantly amended, the FTC has issued numerous new interpretive guidance documents, and developments in technology and industry practices have rendered parts of the Commentary obsolete or outdated. As a result, the FTC withdrew the 1990 Commentary when it issued the new staff report. The new staff report provides an overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the FTC’s interpretations of the Act. The interpretations in the staff report differ from the 1990 Commentary in five significant areas, described below.
Commercial Transactions. The FCRA applies to written, oral, or other communications of information by consumer reporting agencies (CRAs) that fit the definition of “consumer reports.” To be considered a consumer report, information communicated by a CRA must bear on a consumer’s credit worthiness, standing, or capacity, character, general reputation, personal characteristics, or mode of living. Additionally, the information must be used or expected to be used to establish the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment, or other purposes specifically identified in the FCRA. One point of contention has been whether and how the FCRA applies in the context of an application for business credit as opposed to personal credit. Creditors will often obtain a credit report on the sole proprietor or other principal of a business and use the report to determine whether to extend credit to the business. It was the FTC’s position in the 1990 Commentary that “a report on a consumer for credit or insurance in connection with a business operated by the consumer is not a consumer report.” Courts have held that the purpose of the FCRA “is to protect consumers from inaccurate or arbitrary information in a consumer report which is used as a factor in determining an individual's eligibility for credit, insurance or employment” and the FCRA “does not apply to reports used for business, commercial or professional purposes.” For example, in Wrigley v. Dun & Bradstreet, Inc. a commercial reporting service issued credit reports to subscribers who used the information when deciding whether to extend commercial credit to a construction company. The reports contained the personal financial information of the construction company’s president. The court held that the credit reports were for the extension of commercial credit – even though the reports contained personal credit information – therefore the FCRA did not apply.
The staff report details how the FTC currently interprets the FCRA’s application to commercial transactions. To be sure, “a report that concerns the consumer’s business history (as opposed to personal credit or employment history) that is collected and provided by a commercial reporting service solely for use in business transactions is not a ‘consumer report’” and the report provider is not a CRA. However, “a report from a CRA on the personal credit of a consumer to a business credit grantor is a ‘consumer report’ regardless of the purpose for which the information may in fact be used.” This means that reports to business credit grantors by commercial reporting services that compile data and provide reports only for commercial purposes are not “consumer reports” subject to the FCRA. On the other hand, a report on an individual based on information that was collected for the purpose of reporting on that individual is a consumer report and the FCRA applies, even if the report is furnished in connection with a commercial transaction.
Joint Users. Does an entity become a CRA by virtue of sharing a consumer report with another party? According to the FTC’s prior interpretation, a user could share a consumer report with another user without becoming a CRA under certain circumstances. An agent could share with its principal, an employee with employer, and two users could share a consumer report for the same permissible purpose with the consumer’s consent. In these scenarios, the entity sharing the report and the recipient were deemed “joint users” and the sharing entity escaped CRA status. The FTC has now abandoned the “joint user” terminology, focusing instead on whether an entity meets the statutory definition of a CRA. If a user shares a consumer report “for the purpose of providing consumer reports to third parties,” the user may be deemed a CRA. However, a user who obtains a consumer report and shares it with another simply to effectuate a particular transaction initiated by the consumer "is not providing consumer reports to third parties” and, therefore, is not a CRA.
Departments of Motor Vehicles. The FTC no longer takes the position a DMV is a CRA when it provides motor vehicle reports for insurance underwriting purposes – even if it does so for a fee. Although a DMV or other government agency that supplies public records to third parties might be considered a CRA based on a literal reading of the FCRA, the staff report notes that such an interpretation would “lead to absurd results.” If government sources of public record information were CRAs, “government agencies would be required to suppress accurate public record information more than seven years old” and “those who provide information for use in public records – such as police officers – would be deemed furnishers, subject to a host of responsibilities under the FCRA.”
Identified Information. The FTC generally considers “credit guides” – listings that rate how well consumers pay their bills – to be consumer reports subject to the FCRA. However, the FTC previously did not consider credit guides to be consumer reports if they were coded to prevent the disclosure of a consumer’s identity. The FTC now takes the position that that credit guides (as well as other information) that do not identify consumers by name may constitute consumer reports if such guides can “otherwise reasonably be linked to the consumer.” The FTC voiced its concern that coding (particularly by Social Security number or other sensitive data) could readily lead to the disclosure of a consumer’s identity due to advancements in technology and the increasing availability of consumer data.
New Interpretations
The staff report addresses several issues not covered by the 1990 Commentary in an attempt to provide clarity regarding FCRA provisions that have generated a significant number of questions from the public. Importantly, the staff report delves into detail regarding when it is permissible for CRAs to issue (and users to obtain) consumer reports under the FCRA. One permissible purpose to obtain a consumer report is “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the … review or collection of an account of the consumer.” The staff report states that the “review” permissible purpose applies only when a creditor has an existing account relationship with a consumer and uses a consumer report solely to decide whether to modify the terms of the account. This means that even if a creditor has a permissible “review” purpose to obtain a consumer report, it may not exploit the report to market other products or services to the consumer. CRAs are also permitted to furnish a consumer report according to the written instructions of the consumer to whom the report relates. The staff report states that written consent only qualifies as an “instruction” if it clearly authorizes the issuance of a consumer report on that consumer. For example, “I authorize you to procure a consumer report on me” is sufficient if it is in writing, but the consumer’s signature on a form stating “I understand that where appropriate, credit bureau reports may be obtained” is not. The FTC highlights a consumer’s electronic signature may be an acceptable method of providing written instructions under FCRA. To be valid under the ESIGN Act, electronic authorization must be in a form that can be retained and retrieved in a perceivable form. The FTC notes “whether an e-mail, a mouse click ‘yes,’ or other electronic means clearly conveys the consumer’s instructions depends on the specific facts.”
The staff report also reflects the statutory modifications made to the FCRA over the years. Recently, the Dodd-Frank Act amended the FCRA to impose new requirements on users of consumer reports. The FCRA requires a person taking adverse action based in whole or in part on a consumer report to provide adverse-action notice to the affected consumer. Under new rules that took effect July 21, 2011, users of credit scores must include those scores (and related information) in adverse-action notices. This requirement also applies to adverse-action decisions not related to credit. Consequently, when a user takes an adverse action based on consumer report information, regardless of the weight the credit score plays in the decision, the user must provide the consumer with a host of new information. Additionally, the FCRA requires creditors to provide risk-based pricing notice to consumers when, based on the report, the creditors grant credit or amend existing credit on terms that are “materially less favorable” than the most favorable terms obtained by a substantial portion of consumers. The Federal Reserve Board and the FTC recently amended their respective adverse action and risk-based pricing rules to reflect the recent FCRA amendments. The new rules raise a host of questions, many of which are addressed in the staff report. As the new rules apply when a credit score is used in the evaluation of a consumer, the staff report squarely addresses what constitutes a credit score and when a credit score is considered “used” under the rules. The staff report clarifies that a score that is not used to predict creditworthiness, such as an insurance score, is not a credit score and need not be disclosed. The staff report also makes clear that “use” occurs at a very low threshold - if a credit score plays any role in a user’s decision regarding a consumer then it must be disclosed.
Future of FCRA Interpretation and Enforcement
The newly created CFPB is now the primary agency responsible for interpreting the FCRA. The CFPB is vested with exclusive rulemaking authority over all federal consumer financial law – this includes the authority to issue rules under existing consumer protection statutes such as the FCRA (with limited exceptions) as well as new rules to prohibit unfair, deceptive or abusive acts or practices. The primary role of the CFPB will be supervision in order to “prevent harm to consumers from unlawful financial practices and ensure that markets for consumer financial products and services are fair, transparent, and competitive.” To accomplish this, CFPB is assembling a team of examiners that will directly observe the business practices of entities subject to CFPB jurisdiction. Examiners will assess institutions’ compliance with the FCRA and other federal consumer protection laws. According to the CFPB website, the agency will require businesses to change their practices to comply with the law and may also “require improved employee training, implementation of better policies and procedures or quality controls, and in more serious cases, monetary compensation to consumers.”
Since the adoption of the FCRA, the FTC has enforced the Act at the federal level by bringing enforcement actions against CRAs, entities that furnish information to CRAs, and users of consumer reports such as creditors and employers. The CFPB and FTC now have joint FCRA enforcement authority over a host of industries. As we noted in a previous post, the FTC is actively addressing FCRA compliance and we expect its efforts to extend beyond traditional CRAs. Earlier this year the FTC found that Social Intelligence Corporation - an Internet and social media background screening service - is a CRA subject to the FCRA. Like the FTC, we expect the CFPB will broadly interpret and actively enforce the FCRA. In so doing, the CFPB may give heavy weight to the FTC’s interpretations of the FCRA, making the staff report invaluable to businesses handling consumer report information. With new FCRA rules in place and an additional agency tasked with FCRA enforcement, businesses are wise to determine whether they are subject to the FCRA and to consider FCRA compliance.
Physicians Seek Relief On Eve of FTC's Red Flags Enforcement Deadline
As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.)
Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.
The Definitions of "Creditor" and "Credit"
"Creditor" and "credit" are defined terms under the FACTA Red Flags Rule. The Fair and Accurate Credit Transactions Act (FACTA) (15 U.S.C. § 1681a(r)(5)) incorporates by reference the definitions of "creditor" and "credit" found in the Equal Credit Opportunity Act (ECOA). The ECOA defines "creditor" as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. § 1691a(e). The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." 15 U.S.C. § 1691a(d).
The FTC's Position
As noted in the AMA complaint, the FTC's position on the application of the Red Flags Rule to physicians (and to attorneys) was first spelled out on April 30, 2009 in a footnote of its "Extended Enforcement Policy: Identity Theft Red Flags Rule":
In FACTA, Congress imported the definition of creditor from the [ECOA] for purposes of the [FCRA]. This definition covers all entities that regularly permit deferred payments for goods or services. The definition thus has a broad scope and may include entities that have not in the past considered themselves to be creditors. For example. creditors under the ECOA include professionals, such as lawyers or health care providers, who bill their clients after services are rendered.
(Emphasis added.)
In May 2009, the FTC published another document on its website entitled "'The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft.” That document stated as follows:
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.
In a press release dated July 29, 2009, the FTC referenced a document that provided answers to frequently asked questions (FAQs), which reiterated its position that attorneys and health care providers are required to comply with the Red Flags Rule when their billing arrangements qualify them as creditors under FACTA and the ECOA:
the definition of "creditor" is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.
The AMA's Position
The AMA argues that physicians are not creditors under the Rule and that the practice of allowing deferred payment by patients, particularly in emergency circumstances, serves a number of purposes unique to the profession:
. . . The practice of not demanding payment at the time care is provided serves several purposes. It gives a benefit to patients who are often under stress when receiving care. It underscores that the physician has a fiduciary relationship with the patient and thereby furthers the patient-physician relationship. Where the patient is insured, the practice enables the insurer to determine what portion of the bill is covered and what amount should be billed to the patient. Because the amount that the patient will owe the physician is not certain at the time that services are provided, the physician does not defer payment of a “debt” by billing after the patient is treated. In many cases, a physician is not entitled to bill patients immediately upon providing services under contracts with health insurance carriers.
Physicians also provide emergency medical care to patients whose identifying information may be unknown to them and who may even be unconscious. In some emergency situations, which may occur for certain physicians on a regular basis, there is no practical way for the physician to bill for his or her services at the time of those services. Further, it would violate the norms of human decency, not to mention principles of ethical conduct . . . , for a physician to demand payment at the time of service in such situations. Indeed, federal law requires a physician to provide services to a patient in an emergency condition without regard to the patient’s ability to pay. See 42 U.S.C. § 1395dd.
The AMA further argues that the Red Flags Rule would interfere with the patient-physician relationship and a physician's ethical responsibilities:
the FTC’s attempt to impose a duty upon physicians to investigate each patient’s identity in advance of treatment conflicts with basic precepts concerning the patient-physician relationship and physicians’ ethical responsibilities to safeguard that relationship. “From ancient times, physicians have recognized that the health and well-being of patients depends upon a collaborative effort between physician and patient.... The patient-physician relationship is of greatest benefit to patients when they bring medical problems to the attention of their physicians in a timely fashion, provide information about their medical condition to the best of their ability, and work with their physicians in a mutually respectful alliance.” AMA, Ethical Opinion 10.01 (“Fundamental Elements of the Patient-Physician Relationship”). Because the success of diagnosis and treatment depends on patients’ willingness to divulge often private and highly sensitive information to their physicians, the patient-physician relationship “is based on trust and gives rise to physicians’ ethical obligations to place patients’ welfare above their own self-interest and above obligations to other groups, and to advocate for their patients’ welfare.” AMA, Ethical Opinion 10.015 (“The Patient-Physician Relationship”). Contrary to these obligations, the FTC requires physicians to approach each new patient with skepticism concerning his or her identity. As a result, the FTC’s Extended Enforcement Policy compromises physicians’ ability to gain new patients’ trust, which is essential to the well-being of patients.
Finally, the AMA argues that, when Congress intends to regulate the practice of medicine, it does so expressly (e.g., in enacting the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The Court's Analysis in ABA v. FTC
Naturally, the analysis of the District Court in ABA v. FTC (currently on appeal) is of interest here. In that case, the court applied the test for review of agency action set forth in Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984), and concluded that the FTC's actions violated the Administrative Procedure Act and must be rejected "because the Red Flags Rule cannot be properly applied to attorneys in the overly broad manner in which the Commission seeks to enforce it."
First, the court found that "it was not 'the unambiguously expressed intent of Congress,' Chevron, 467 U.S. at 842-43, to bring attorneys within the purview of the FACT Act and thus subject them to regulation by the Commission's Red Flags Rule." Footnote 9 of the court's decision, while dicta, is particularly interesting for purposes of the new AMA lawsuit. There, the court rejected the FTC's reliance on a particular Sixth Circuit case regarding medical providers:
The Court is not persuaded that the Commission's reliance on Barney v. Holzer Clinic, Ltd., 110 F.3d 1207 (6th Cir. 1997), is sound given that the Sixth Circuit expressly refused to address the question of whether a medical services provider was a creditor under ECO Act, id. at 1209 . . . and made findings to the contrary, id. at 1211 ("The provision of medical treatment under this program is not a credit transaction, either under the technical language of the ECO[ Act] or in the more common sense of the term, any more than is a court-appointed attorney's agreement to represent an indigent defendant.").
(Emphasis added.)
The court also rejected the FTC's reliance on the Federal Reserve Board's staff notes to Regulation B (which state that, if a doctor or lawyer allows the client or customer to defer the payment of a bill, that deferral of debt is credit for purposes of the “incidental credit” regulation, even though there is no finance charge and no agreement for payment in installments). The court did so "because those interpretations were made in a context totally unrelated to identity theft, and therefore the Court is not convinced that it is proper to presume that Congress intended to adopt the Regulation B interpretations when it enacted the FACT Act. Accordingly then, absent any legislative history showing that the Federal Reserve Board's staff's interpretation of Regulation B was actually considered by Congress when enacting the FACT Act, and given that the purposes of the FACT Act and Regulation B do not square with one another, the Court cannot draw the inference the Commission urges."
The court also noted that monthly billing by lawyers is driven by practical considerations: "Invoicing clients for services previously rendered, instead of demanding immediate payment when service is provided is more likely an outgrowth of practicality and necessity, rather than an attempt to provide clients credit."
Although the court resolved the issue under the first prong of Chevron, it went on to determine that, "even if [it] were to reach question two of Chevron by finding that the FACT Act did not foreclose the Commission's regulation of attorneys, it would still find that the Commission's interpretation of the FACT Act and its resulting application of the Red Flags Rule to attorneys is unreasonable and therefore undeserving of deference."
In its Chevron prong two discussion, the court took issue with the FTC's interpretation of what it means to "defer" payment, again noting the practicality of monthly billing by lawyers:
To invoice client at the end of each month is not delaying payment or giving a client a right to postpone payment. As a practical matter in the legal context, legal services are not the type of services that can in may instances be billed and payment received simultaneously with the occurrence of the services, as can be done, for example, when one's furnace is repaired or catering services are provided for a wedding. . . . And as a practical matter, it would be unreasonable to expect attorneys to bill for services in any manner other than periodically, especially given the frequent unanticipated services attorneys have to perform for their clients or the practical reality that clients may lack the ability to immediately access funds when legal services unexpectedly have to be performed without delay. Not only would immediate billing and collection of fees and expenses be impractical, considering the unique nature of the practice of law, but contrary to the Commission's position, conducting a legal practice in that manner would be extremely costly and time consuming. It does not take much imagination to appreciate the added cost and burden attorneys would incur if they were required to immediately calculate, bill and collect their fees after each task is performed or else run afoul of the Commission's construction of the FACT Act through its adoption of the Red Flags Rule.
Query whether the same analysis should apply to physicians. We shall see.
So, Must Physicians Comply with the Red Flags Rule by June 1?
Yes, for now. Indeed, the BNA Privacy and Security Law Report reports that, pending resolution of the litigation, the AMA has encouraged physicians to comply with the rule, using online resources provided by the AMA.
