CFPB Proposes Removing Medical Debt From Credit Reports While Also Eyeing Broad FCRA Expansion
On September 21, 2023, the Consumer Financial Protection Bureau (CFPB) announced details of its anticipated rulemaking under the Fair Credit Reporting Act (FCRA). In connection with the announcement, the CFPB also issued an Outline of Proposals and Alternatives Under Consideration (the outline).
While the messaging and remarks delivered with the outline focus on the CFPB’s proposal to ban medical debt collection information from consumer reports and prevent lenders from using such information in underwriting, the outline actually reflects a wide range of consumer reporting proposals and builds upon the bureau’s recently announced plan to regulate certain data brokers under the FCRA.
If implemented, these proposals would expand the FCRA’s reach and have a significant impact on traditional consumer reporting agencies (CRAs), furnishers, users of consumer report information, certain “data brokers” and potentially the entities that provide consumer information to and receive consumer information from such “data brokers.”
Proposed restrictions on the use of medical debt information
As previewed in the outline, the CFPB’s preliminary proposal would effectively strike medical debt on consumer reports and prevent lenders from using medical debt collections information in underwriting determinations.
The bureau has long maintained that, unlike other credit reporting sources, medical debt tradelines fail to accurately predict a consumer’s creditworthiness. In early 2022, shortly after the No Surprises Act took effect, the bureau issued a compliance bulletin asserting that CRAs could violate the FCRA if they issued consumer reports reflecting inaccurate information about medical debts. The CFPB also released a report detailing the adverse impact of medical debt information in consumer reports. Earlier this year, the three nationwide CRAs voluntarily began removing certain medical debt information on consumer reports.
In addition to the CFPB’s recent focus on regulating medical debt, in July 2023, the White House published a request for information on financial products used to pay for healthcare – including medical credit cards and installment loans. This is part of a broader effort to reduce the burden of medical debt, by the CFPB, the US Department of Health and Human Services and the US Department of the Treasury. Recent CFPB research also has singled out consumer protection hazards in medical finance, suggesting a continued interest in the field.
FCRA expansion and clarifications
The outline also meaningfully builds on the bureau’s announcement in August 2023 of its plan to extend the FCRA’s obligations to certain data brokers and broaden the statute’s definition of “consumer report” to encompass credit header data. The outline also reflects proposals regarding additional entities and data that may satisfy the definition of “consumer reporting agency” or “consumer report,” application of certain permissible purpose provisions under the FCRA, and CRA and furnisher dispute handling obligations.
Proposals to expand and clarify the FCRA’s definition of ‘consumer reporting agency’ and ‘consumer report’
With respect to the definitions of “consumer reporting agency” and “consumer report,” the bureau proposes to:
- Expand such definitions to cover data brokers that sell certain types of consumer data, such as a consumer’s payment history, income and criminal records, regardless of the purpose for which the data was actually used or collected – or the expectations of the data broker regarding the use of such information.
- Provide a “bright-line” definition for when entities that facilitate electronic data access between parties, or otherwise act as intermediaries with respect to the transmission of consumer data, may engage in “assembling or evaluating” information, which is one component of the FCRA’s definition of “consumer reporting agency.”
- Identify the extent to which credit header data – e.g., identifying information such as name, date of birth and Social Security number – constitutes a “consumer report,” potentially narrowing the scenarios under which an entity may be permitted to sell or disclose such data.
- Address the role of CRAs in targeted marketing, including by clarifying that certain targeted marketing activities by CRAs, even if the CRA does not directly share consumer information with a third party, may constitute “furnishing” a consumer report and, thus, implicate the FCRA’s permissible purpose requirements.
- Address whether and when aggregated or anonymized information, which is sometimes shared by CRAs for marketing or other purposes, constitutes a “consumer report.”
Each of these proposals – if implemented – would have a profound impact across many sectors and with respect to a variety of industry participants. For example, if the bureau takes the position that “credit header data” constitutes a consumer report, the action could have a negative effect on a business’s ability to identify fraud and identity theft.
Proposals to clarify when a CRA can issue a consumer report
The bureau plans to set firmer parameters around when the permissible purposes set forth in the FCRA would apply. In particular, the outline includes proposals to:
- Address what is needed in order to obtain written instruction sufficient to provide a permissible purpose under 15 USC § 1681b(a)(2), including the steps that companies must take to obtain the consumer’s written instruction, who can obtain written instruction, limits on the scope of any authorization and methods for revoking any ongoing authorization.
- Specify that the FCRA’s “legitimate business need” permissible purpose, which is reflected in 15 USC § 1681b(a)(3)(F), only applies where consumer report information is being used to determine the consumer’s eligibility for the requested transaction – which must have been initiated by the consumer for personal, family or household purposes – or is actually needed in connection with an account review to determine whether the consumer continues to meet the terms of the account.
- Expand protections against unauthorized access to consumer reports by making a CRA’s failure to sufficiently protect against – for example, a data breach – a potential violation of the statute.
These new initiatives come just over a year after the bureau issued an advisory opinion emphasizing the narrow circumstances under which CRAs may provide consumer report information to third parties and the potential consumer harm associated with impermissible disclosure of consumer report information.
Proposals regarding CRAs’ and furnishers’ dispute handling obligations under the FCRA
In the last year, the CFPB has devoted significant attention to ensuring that CRAs and furnishers understand and comply with their dispute handling obligations under the FCRA and Regulation V. The bureau doubles down on this effort by including in the outline proposals to:
- Clarify that, in the bureau’s view, CRAs and furnishers must reasonably investigate both “legal” and “factual” disputes – a position the CFPB has previously taken in amicus briefs.
- Address how furnishers and CRAs must investigate and attend to “systemic issues” affecting the completeness or accuracy of consumer reports– including by mandating a specific process through which a consumer could notify a CRA or furnisher of possible systemic consumer reporting issues that affect other similarly situated consumers and requiring specific action by CRAs and furnishers in response to such.
The bureau is still a long way away from issuing any final rules on the proposals under consideration. These proposals are currently submitted for comment from the bureau’s Small Business Review Panel and still need to be formally issued in a proposed rule, followed by a final rule.
Notwithstanding, the bureau’s proposals reflect its interest in erecting substantial new compliance requirements and liability for certain entities involved in the collection and transmission of consumer information. Entities should remain engaged throughout the rulemaking process and also consider current policies and procedures in place regarding both the sharing and receipt of consumer information.
In connection with the proposals, the CFPB also has invited feedback from stakeholders that do not qualify as small business entities. Feedback is due to the bureau by October 30, 2023.