CFPB Tightens Obligations Of Credit Bureaus, Users Under FCRA’s ‘Permissible Purpose’ Provisions


Source: site

On July 7, 2022, the Consumer Financial Protection Bureau issued an advisory opinion interpreting the “permissible purpose” provisions of the Fair Credit Reporting Act (FCRA). The advisory opinion states that consumer reporting agencies (CRAs) may not share consumer reports unless they have reason to believe a user has a legally permissible purpose for requesting the information, and that the information it provides relates to the consumer subject to the request. The opinion also makes clear that CRAs and users of consumer reports have specific obligations to protect consumers’ privacy and may face criminal liabilities for violating FCRA’s permissible purpose provisions.

Overview of CFPB’s advisory opinion

The advisory opinion comes against the backdrop of a number of CFPB initiatives and announcements related to credit reporting, including a recent CFPB interpretive rule that encouraged states to pass more laws regulating the credit reporting industry. The opinion also builds on a CFPB advisory opinion warning CRAs that the
use of “name-only matching” procedures to match information to consumers does not satisfy their obligation to assure maximum possible accuracy in consumer reports. Further, it comes in the wake of the CFPB’s April 2022 lawsuit against a CRA for alleged violations of the Consumer Financial Protection
Act.

Specifically, the CFPB’s advisory opinion outlines its interpretation of obligations of CRAs and consumer report users under FCRA’s permissible purpose provisions, including that:

  • FCRA identifies a limited set of “permissible purposes” for which a CRA may provide a consumer report to a user, such as to determine an individual’s eligibility for credit, employment or housing.
  • CRAs may not provide a consumer report pursuant to FCRA under any circumstance not expressly permitted by the statute’s permissible purpose section.
  • The “permissible purposes” authorized by FCRA are consumer specific and only apply with respect to the consumer who is the subject of the user’s request.
  • A CRA may only provide a consumer report to a user if it has “reason to believe” that the user has a “permissible
    purpose” for requesting information about the individual. A CRA must also have “reason to believe” that all of the
    information it includes in a consumer report relates to the specific consumer who is the subject of the request.
  • Accordingly, a user’s mere request to obtain consumer information does not provide a CRA with a “reason to believe” the user has a permissible purpose for doing so.
  • Using name-only matching procedures or insufficient identifiers to match information to consumers also does not give a CRA “reason to believe” all of the information it provides pertains to the consumer and, thus, can result in CRAs providing consumer information to users who lack a “permissible purpose,” as well as violations of consumers’ privacy. Providing consumer reports of multiple people as “possible matches” without taking steps to identify the individual subject to the request also is not permissible.
  • The use of disclaimers by CRAs about insufficient matching procedures in their consumer reports does not cure a violation of FCRA’s permissible purpose requirements.
  • Users of consumer reports are “strictly prohibited” from using or obtaining consumer reports without a “permissible purpose.”
  • CRAs and users of consumer reports, including their agents and employees, may face criminal liability for violating these requirements, such as by obtaining a consumer report under false pretenses or providing consumer information to unauthorized persons.

What to expect

CRAs and other participants in the credit reporting market have received significant attention from the CFPB in recent months. The advisory opinion is yet another example of the bureau’s focus on the credit reporting industry, and it sends the message that the CFPB will not hesitate to take action against entities it deems to be in violation of FCRA’s permissible purpose provisions and thereby failing to adequately protect consumers’ privacy. This is underscored by the multiple citations within the advisory opinion to past CFPB and Federal Trade Commission enforcement actions concerning violations of FCRA’s permissible purpose provisions.

The CFPB says the advisory opinion applies to all “consumer reporting agencies” – not only to the nationwide CRAs. CRAs of all sizes, including specialty CRAs, should review their policies and procedures to determine whether these are reasonably designed to assure maximum possible accuracy of the information included in consumer reports and comply with FCRA’s permissible purpose provisions. Importantly, CRAs also should consider whether they are taking sufficient steps to match information to the consumer who is the subject of the report prior to providing that report to users. Users of consumer reports should similarly review existing processes to make sure that they have a “permissible purpose” under FCRA for requesting and obtaining consumer reports and that the “permissible purpose” is consistent with the purpose certified to the CRA from which the report is obtained.

Advisory opinions are issued by the CFPB pursuant to its Advisory Opinions Policy, which was announced in 2020. Under the policy, stakeholders may submit requests for the bureau to issue an advisory opinion, which takes the form of an interpretive rule, to resolve regulatory uncertainty.

Issuance of advisory opinions is consistent with the bureau’s increased reliance on guidance to convey supervisory
expectations on a broad range of consumer financial protection issues, as recently announced by Director Rohit Chopra.
To that end, on June 29, the CFPB issued an advisory opinion warning debt collectors that convenience fees may
violate the Fair Debt Collection Practices Act
. In May, the CFPB issued two circulars, one involving the misuse of the Federal Deposit Insurance Corporation’s name or logo, and another reminding creditors using complex algorithmic
credit models of their obligation to provide clear adverse action notices to consumers
. We expect the bureau will continue to leverage the use of guidance to communicate its positions on consumer financial protection laws as a way to regulate industry conduct without using traditional rulemaking processes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Finance and Banking from United States

ESG Weekly Update – June 23, 2022Debevoise & Plimpton

A number of the United States’ largest financial institutions – including BlackRock, JP Morgan Chase, Morgan Stanley, and Wells Fargo – have been notified by West Virginia officials that they could be banned from doing business …