CFPB Tasked with FCRA Interpretation - FTC Issues Staff Report to Aid Transition
Since the Fair Credit Reporting Act (FCRA) was adopted in 1970, the Federal Trade Commission (FTC) has been the agency primarily responsible for interpreting the Act through formal rules and informal guidance materials. The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act of 2010 shifted the authority to publish FCRA rules and guidelines to the newly created Consumer Financial Protection Bureau (CFPB). On July 21, 2011,to celebrate the 40th anniversary of the FCRA and aid the CFPB as it takes over interpreting the FCRA, the FTC issued a staff report entitled “Forty Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report and Summary of Interpretations.” The staff report provides important insight into how the CFPB will interpret and enforce the FCRA going forward. This post summarizes some of the highlights of the staff report and the implications of the FTC’s newly issued FCRA interpretations.
This is not the first time the FTC has issued a comprehensive FCRA report. Given the large volume of guidance materials it has amassed over time, the FTC released “Commentary on the FCRA ” in 1990 – a compilation of statements regarding how the FTC would interpret and enforce the FCRA. Much has changed since the FTC issued the 1990 Commentary: the FCRA has been significantly amended, the FTC has issued numerous new interpretive guidance documents, and developments in technology and industry practices have rendered parts of the Commentary obsolete or outdated. As a result, the FTC withdrew the 1990 Commentary when it issued the new staff report. The new staff report provides an overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the FTC’s interpretations of the Act. The interpretations in the staff report differ from the 1990 Commentary in five significant areas, described below.
Commercial Transactions. The FCRA applies to written, oral, or other communications of information by consumer reporting agencies (CRAs) that fit the definition of “consumer reports.” To be considered a consumer report, information communicated by a CRA must bear on a consumer’s credit worthiness, standing, or capacity, character, general reputation, personal characteristics, or mode of living. Additionally, the information must be used or expected to be used to establish the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment, or other purposes specifically identified in the FCRA. One point of contention has been whether and how the FCRA applies in the context of an application for business credit as opposed to personal credit. Creditors will often obtain a credit report on the sole proprietor or other principal of a business and use the report to determine whether to extend credit to the business. It was the FTC’s position in the 1990 Commentary that “a report on a consumer for credit or insurance in connection with a business operated by the consumer is not a consumer report.” Courts have held that the purpose of the FCRA “is to protect consumers from inaccurate or arbitrary information in a consumer report which is used as a factor in determining an individual's eligibility for credit, insurance or employment” and the FCRA “does not apply to reports used for business, commercial or professional purposes.” For example, in Wrigley v. Dun & Bradstreet, Inc. a commercial reporting service issued credit reports to subscribers who used the information when deciding whether to extend commercial credit to a construction company. The reports contained the personal financial information of the construction company’s president. The court held that the credit reports were for the extension of commercial credit – even though the reports contained personal credit information – therefore the FCRA did not apply.
The staff report details how the FTC currently interprets the FCRA’s application to commercial transactions. To be sure, “a report that concerns the consumer’s business history (as opposed to personal credit or employment history) that is collected and provided by a commercial reporting service solely for use in business transactions is not a ‘consumer report’” and the report provider is not a CRA. However, “a report from a CRA on the personal credit of a consumer to a business credit grantor is a ‘consumer report’ regardless of the purpose for which the information may in fact be used.” This means that reports to business credit grantors by commercial reporting services that compile data and provide reports only for commercial purposes are not “consumer reports” subject to the FCRA. On the other hand, a report on an individual based on information that was collected for the purpose of reporting on that individual is a consumer report and the FCRA applies, even if the report is furnished in connection with a commercial transaction.
Joint Users. Does an entity become a CRA by virtue of sharing a consumer report with another party? According to the FTC’s prior interpretation, a user could share a consumer report with another user without becoming a CRA under certain circumstances. An agent could share with its principal, an employee with employer, and two users could share a consumer report for the same permissible purpose with the consumer’s consent. In these scenarios, the entity sharing the report and the recipient were deemed “joint users” and the sharing entity escaped CRA status. The FTC has now abandoned the “joint user” terminology, focusing instead on whether an entity meets the statutory definition of a CRA. If a user shares a consumer report “for the purpose of providing consumer reports to third parties,” the user may be deemed a CRA. However, a user who obtains a consumer report and shares it with another simply to effectuate a particular transaction initiated by the consumer "is not providing consumer reports to third parties” and, therefore, is not a CRA.
Departments of Motor Vehicles. The FTC no longer takes the position a DMV is a CRA when it provides motor vehicle reports for insurance underwriting purposes – even if it does so for a fee. Although a DMV or other government agency that supplies public records to third parties might be considered a CRA based on a literal reading of the FCRA, the staff report notes that such an interpretation would “lead to absurd results.” If government sources of public record information were CRAs, “government agencies would be required to suppress accurate public record information more than seven years old” and “those who provide information for use in public records – such as police officers – would be deemed furnishers, subject to a host of responsibilities under the FCRA.”
Identified Information. The FTC generally considers “credit guides” – listings that rate how well consumers pay their bills – to be consumer reports subject to the FCRA. However, the FTC previously did not consider credit guides to be consumer reports if they were coded to prevent the disclosure of a consumer’s identity. The FTC now takes the position that that credit guides (as well as other information) that do not identify consumers by name may constitute consumer reports if such guides can “otherwise reasonably be linked to the consumer.” The FTC voiced its concern that coding (particularly by Social Security number or other sensitive data) could readily lead to the disclosure of a consumer’s identity due to advancements in technology and the increasing availability of consumer data.
The staff report addresses several issues not covered by the 1990 Commentary in an attempt to provide clarity regarding FCRA provisions that have generated a significant number of questions from the public. Importantly, the staff report delves into detail regarding when it is permissible for CRAs to issue (and users to obtain) consumer reports under the FCRA. One permissible purpose to obtain a consumer report is “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the … review or collection of an account of the consumer.” The staff report states that the “review” permissible purpose applies only when a creditor has an existing account relationship with a consumer and uses a consumer report solely to decide whether to modify the terms of the account. This means that even if a creditor has a permissible “review” purpose to obtain a consumer report, it may not exploit the report to market other products or services to the consumer. CRAs are also permitted to furnish a consumer report according to the written instructions of the consumer to whom the report relates. The staff report states that written consent only qualifies as an “instruction” if it clearly authorizes the issuance of a consumer report on that consumer. For example, “I authorize you to procure a consumer report on me” is sufficient if it is in writing, but the consumer’s signature on a form stating “I understand that where appropriate, credit bureau reports may be obtained” is not. The FTC highlights a consumer’s electronic signature may be an acceptable method of providing written instructions under FCRA. To be valid under the ESIGN Act, electronic authorization must be in a form that can be retained and retrieved in a perceivable form. The FTC notes “whether an e-mail, a mouse click ‘yes,’ or other electronic means clearly conveys the consumer’s instructions depends on the specific facts.”
The staff report also reflects the statutory modifications made to the FCRA over the years. Recently, the Dodd-Frank Act amended the FCRA to impose new requirements on users of consumer reports. The FCRA requires a person taking adverse action based in whole or in part on a consumer report to provide adverse-action notice to the affected consumer. Under new rules that took effect July 21, 2011, users of credit scores must include those scores (and related information) in adverse-action notices. This requirement also applies to adverse-action decisions not related to credit. Consequently, when a user takes an adverse action based on consumer report information, regardless of the weight the credit score plays in the decision, the user must provide the consumer with a host of new information. Additionally, the FCRA requires creditors to provide risk-based pricing notice to consumers when, based on the report, the creditors grant credit or amend existing credit on terms that are “materially less favorable” than the most favorable terms obtained by a substantial portion of consumers. The Federal Reserve Board and the FTC recently amended their respective adverse action and risk-based pricing rules to reflect the recent FCRA amendments. The new rules raise a host of questions, many of which are addressed in the staff report. As the new rules apply when a credit score is used in the evaluation of a consumer, the staff report squarely addresses what constitutes a credit score and when a credit score is considered “used” under the rules. The staff report clarifies that a score that is not used to predict creditworthiness, such as an insurance score, is not a credit score and need not be disclosed. The staff report also makes clear that “use” occurs at a very low threshold - if a credit score plays any role in a user’s decision regarding a consumer then it must be disclosed.
Future of FCRA Interpretation and Enforcement
The newly created CFPB is now the primary agency responsible for interpreting the FCRA. The CFPB is vested with exclusive rulemaking authority over all federal consumer financial law – this includes the authority to issue rules under existing consumer protection statutes such as the FCRA (with limited exceptions) as well as new rules to prohibit unfair, deceptive or abusive acts or practices. The primary role of the CFPB will be supervision in order to “prevent harm to consumers from unlawful financial practices and ensure that markets for consumer financial products and services are fair, transparent, and competitive.” To accomplish this, CFPB is assembling a team of examiners that will directly observe the business practices of entities subject to CFPB jurisdiction. Examiners will assess institutions’ compliance with the FCRA and other federal consumer protection laws. According to the CFPB website, the agency will require businesses to change their practices to comply with the law and may also “require improved employee training, implementation of better policies and procedures or quality controls, and in more serious cases, monetary compensation to consumers.”
Since the adoption of the FCRA, the FTC has enforced the Act at the federal level by bringing enforcement actions against CRAs, entities that furnish information to CRAs, and users of consumer reports such as creditors and employers. The CFPB and FTC now have joint FCRA enforcement authority over a host of industries. As we noted in a previous post, the FTC is actively addressing FCRA compliance and we expect its efforts to extend beyond traditional CRAs. Earlier this year the FTC found that Social Intelligence Corporation - an Internet and social media background screening service - is a CRA subject to the FCRA. Like the FTC, we expect the CFPB will broadly interpret and actively enforce the FCRA. In so doing, the CFPB may give heavy weight to the FTC’s interpretations of the FCRA, making the staff report invaluable to businesses handling consumer report information. With new FCRA rules in place and an additional agency tasked with FCRA enforcement, businesses are wise to determine whether they are subject to the FCRA and to consider FCRA compliance.