Regulatory Developments
During the period covered by this survey, the CFPB has continued to sharpen its regulatory focus on the credit reporting industry. The CFPB issued two advisory opinions, one addressing background check procedures, and another discussing credit file sharing. In addition, the CFPB issued a proposed rule that would further restrict the inclusion and use of medical debt on consumer reports. Finally, while still in its preliminary stages, the CFPB has described a potential rulemaking to regulate “data brokers” under the FCRA.
Advisory Opinion on Background Checks
In January 2024, the CFPB released an advisory opinion addressing background checks. This advisory opinion “affirms” that, in order to satisfy the requirement that consumer reporting agencies maintain procedures to ensure maximum possible accuracy under section 607(b) of the FCRA, background screening firms must have procedures in place to prevent duplicative public record information and information that has been “expunged, sealed, or otherwise legally restricted from public access” from appearing in background checks; and to ensure that existing disposition information regarding criminal charges, arrests, eviction proceedings, or other court filings is included in background checks.
With respect to “legally restricted” information, the CFPB interprets the FCRA to prohibit the reporting of consumer report information that would not be publicly available to users due to state or government entity restrictions. According to the CFPB, consumer reporting agencies must maintain procedures to ensure that “any inclusion of charges or arrest records in a consumer report complies with the law in the relevant jurisdiction from which the record originates.” Moreover, consumer reporting agencies must ensure that they include any existing disposition information if they are reporting a court filing. The FCRA prohibits most adverse information—including arrests, evictions, and other public record information—from appearing in a background check report for more than seven years. In the advisory opinion, the CFPB makes clear that the “occurrence” of the adverse event starts the clock for the adverse-item period, and that the period does not restart or reopen by the occurrence of subsequent events.
Advisory Opinion on File Disclosures
Under section 609(a) of the FCRA, consumer reporting agencies must clearly and accurately disclose to consumers “[a]ll information in the consumer’s file at the time of the request” and “[t]he sources of information.” A second CFPB advisory opinion, released on the same day as the background checks opinion, addresses consumer reporting agencies’ obligations to provide the so-called “file disclosures.”
The advisory opinion indicates that consumers do not need to use specific language, such as “file” or “complete file,” to trigger a file disclosure. Rather, the CFPB interprets section 609(a) “to require consumer reporting agencies to provide a file disclosure upon receipt of a ‘request’ from a consumer who provides proper identification even if the consumer does not use the specific term ‘request,’ ‘file,’ ‘complete file,’ or any other specific words in making such request.” To trigger section 609(a), consumers must only provide proper identification and make a “request.” Furthermore, according to the CFPB, a consumer’s request for a “credit report,” “report,” “file,” “record,” or “consumer report” would trigger the file disclosure requirements.
The advisory opinion also describes specific requirements regarding information that consumer reporting agencies must disclose to consumers under section 609(a). Focusing on the obligation to “clearly and accurately” disclose information, the advisory opinion explains that the file disclosure must be “understandable to the average consumer.” According to the CFPB, the file disclosure “must assist a consumer in identifying inaccuracies in their file, exercising their rights to dispute any incomplete or inaccurate information, and knowing when they are being impacted by adverse information in their file.”
The advisory opinion also highlights that section 609(a) requires a disclosure of “all information in the consumer’s file at the time of the request, including, among other things, all information the consumer reporting agency provided or might provide to a user.” When a consumer reporting agency provides summarized information to a user, section 609(a) requires that the consumer reporting agency disclose to the consumer the information that formed the basis of the summarized information. The CFPB further states that the file disclosure must accurately reflect information that was provided, or that might be provided, to users, including, for example, duplicative listings for a single case. Moreover, the advisory opinion indicates that there are a number of situations where a consumer reporting agency must provide information that is not or would not be included in a user report, such as when only summarized information, such as a credit or risk score, recommendation, or a tenant screening score, is provided to users. In these circumstances, the CFPB interprets the FCRA to require disclosure of the information that formed the basis of the summarized information to the user.
Under the advisory opinion, FCRA section 609(a)(2) requires that file disclosures include the “source” of the information in the file. The opinion explains that consumer reporting agencies must disclose the original source of information and any “intermediary or vendor source[s].” By way of example, the CFPB explains that it has become aware that some consumer reporting agencies that acquire public records, including eviction proceedings, from vendors are disclosing only the jurisdiction for the records (e.g., a county court), but not the intermediary or vendor source for those records that provided the information from the original source to the consumer reporting agency. In these cases, the CFPB expects consumer reporting agencies to disclose both the original and vendor source for this information.
Medical Information Rule
In June 2024, the CFPB issued a proposed rule that would restrict the inclusion and use of medical debt on consumer reports. If promulgated as a final rule, creditors would be prohibited from using or obtaining medical debt information for credit eligibility determinations, except that a creditor could use information about medical income or the purpose of a loan to qualify the consumer for the loan. In addition, the proposed rule would create a new limitation on consumer reporting agencies that would prohibit them from furnishing consumer reports containing medical debt information. Comments on the proposed rule were due on August 11, 2024.
Under the current legal framework, creditors can obtain and use the medical information if:
(i) The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of proceeds;
(ii) The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction; and
(iii) The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.
The proposed rule would amend this language to prohibit the use of medical debt information in connection with credit decisions, but retain exceptions for medical information relating to income, benefits, and the purpose of the loan, including the use of proceeds. Creditors would also be permitted to use medical debt to determine consumers’ eligibility for the reactivation of a debt cancellation contract, debt suspension agreement, or credit insurance product, but only if the medical condition or event is a “triggering event” for benefits under the contract or agreement.
The proposed rule would also prohibit consumer reporting agencies from furnishing medical debt information to creditors in connection with credit eligibility determinations. Specifically, the proposed rule would permit consumer reporting agencies to include medical debt information in consumer reports provided to creditors for credit eligibility purposes only when: “the consumer reporting agency has reason to believe the creditor is not prohibited from obtaining or using the medical information under [the revised section 1022.30]”; and “the consumer reporting agency is not otherwise prohibited from furnishing to the creditor a consumer report containing the medical debt information, including by a State law that prohibits furnishing to the creditor a consumer report containing medical debt information.”
Data Brokers Rulemaking
In March 2023, the CFPB released a request for information regarding the business practices of data brokers, which sought input on the types of information data brokers collect and sell, and the data sources from which these data brokers obtain the information. The CFPB followed up with a frequently asked questions (“FAQ”) document indicating that the CFPB would be issuing a proposed rule under the FCRA “to address business practices used by companies that assemble and monetize our data.” According to the CFPB, the purpose of the proposed rule would be to “ensure the public is protected from modern-day data brokers.” The FAQ document outlined the major components of the forthcoming proposal, including capturing additional companies that sell certain data, clarifying the extent to which “credit header data” would constitute a consumer report, and describing the circumstances under which it would be appropriate for data brokers to sell credit header data.
In September 2023, the CFPB released an outline of proposals and alternatives (“Outline”) for the proposed data broker rule ahead of the required Small Business Advisory Review Panel meeting. In the Outline, the CFPB described a range of companies it considers to be “data brokers,” including companies that purchase or collect information from public sources, such as courthouses, and those that purchase or collect private information, including financial or health information.
The Outline states that the CFPB is considering proposing a rule that would deem consumer information provided to a user who uses it for a permissible purpose a “consumer report” under the FCRA. Under the rule, this information would be a “consumer report” regardless of whether the data broker knew or should have known that the user would use the information for that permissible purpose. If the CFPB adopts this proposal, any consumer information provided to a user who uses it for a permissible purpose would constitute a “consumer report,” regardless of specific guardrails that the data broker puts in place to prevent misuse of non-FCRA information, such as contractual restrictions or misuse detection programs. This would have a significant impact on companies that offer fraud detection products, which have traditionally been viewed as not covered by the FCRA.
The Outline also describes a proposal to designate data brokers that sell specific types of data—specifically, data typically used for credit and employment eligibility determinations—as consumer reporting agencies. As examples of this kind of information, the CFPB references “a consumer’s payment history, income, and criminal records” and indicates that this type of information would be considered a “consumer report” regardless of the purpose for which the data was used or collected.
The Outline also discusses proposals regarding credit header data. Credit header data includes consumer-identifying data, including name, social security numbers, phone numbers, and current and former addresses. The Outline states that the CFPB is considering a proposal that would “reduce, perhaps significantly, consumer reporting agencies’ ability to sell or otherwise disclose credit header data from their consumer reporting databases without a permissible purpose.” In explaining the rationale for this proposal, the CFPB references “increased computing power and increased reliance on complex algorithms to identify insights, [which] has resulted in credit header data being used more frequently for eligibility determinations.” The FCRA closely restricts the “permissible purposes” for which consumer report information can be provided. These permissible purposes include credit underwriting, employment eligibility, eligibility for government benefits, and other important transactions involving the consumer who is the subject of the information, but do not include law enforcement, theft prevention, research, and other important purposes. As a result, if credit header data is subjected to the FCRA, it could no longer be used for law enforcement—such as locating witnesses or suspects—or similar purposes.
The Outline includes proposals that would “clarify” permissible purposes for which users can obtain consumer reports under the FCRA. Specifically, the CFPB is considering whether to provide further clarification on what is needed for a consumer to provide “written instructions” pursuant to section 604(a)(2) of the FCRA. This proposal might include limits on the scope of written instruction authorization, required steps for obtaining written instructions, methods that permit consumers to revoke these instructions, and limits on who can collect the instructions.
The Bureau is also considering proposals regarding the “legitimate business need” permissible purpose that would indicate that this permissible purpose “requires a transaction to have been initiated by the consumer for personal, family, or household purposes and permits use of consumer reports only for the purpose of determining the consumer’s eligibility for the business transaction,” and “is an account review for which the use of a consumer report is actually needed to make a decision about whether the consumer continues to meet the terms of the account.”
Finally, the Outline addresses disputes involving legal matters. The CFPB acknowledges that some consumer reporting agencies and furnishers have attempted to draw a distinction between a “legal” and a “factual” dispute, and have taken the position that the FCRA requires only investigation of the latter. The CFPB takes the position that “[t]he FCRA does not distinguish between legal and factual disputes, and accordingly, it does not exempt ‘legal disputes’ from its requirement that consumer reporting agencies and furnishers must reasonably investigate disputes.” As examples, the CFPB references state foreclosure law interpretation disputes regarding whether debts are collectible, in addition to contractual liability disputes related to obligations to pay. The CFPB is considering whether to “codify” this interpretation in the proposed rule.
Enforcement Actions Concerning Credit Reporting
TransUnion Enforcement Actions
In October 2023, the CFPB announced two enforcement actions against TransUnion (“TU”): one concerning its rental screening subsidiary, TransUnion Rental Screening Solutions, Inc. (“TURSS”), and a separate action against TU regarding security freeze allegations. The enforcement action against TURSS was joined by the FTC and was filed as a joint complaint and stipulated order in federal court. The security freeze action was brought by only the CFPB and was settled as an administrative consent order.
In the joint complaint against TURSS, the agencies alleged that the company failed to follow reasonable procedures to assure the maximum possible accuracy of eviction records in its tenant screening reports, and failed to identify third-party vendors that provided criminal and eviction records in disclosures to consumers. With respect to accuracy, the agencies alleged that TURSS violated section 607(b) of the FCRA by: reporting multiple events relating to the same eviction case; providing stale or inaccurate case dispositions for eviction proceedings; labeling amounts in dispute as “judgment amounts;” and failing to prevent the inclusion of sealed records. The agencies also alleged that, in violation of section 609(a) of the FCRA, TURSS did not disclose the third-party vendors from which it obtained criminal and eviction proceeding records.
The CFPB’s consent order against TU stemmed from an alleged backlog of approximately 40,000 security freeze and lock requests dating back to at least mid-2018. The Bureau’s first allegation is that TU failed to timely place or remove security freezes and locks in violation of FCRA section 605A(i)(2), (j)(2), (i)(3), and (j)(4)(c), while falsely representing to consumers that the request was processed. The Bureau found that these failures constituted unfair and deceptive acts or practices under the Consumer Financial Protection Act. The second allegation concerned prescreening lists—specifically, that TU unlawfully failed to exclude active-duty military members and potential victims of identity theft from pre-screened solicitation lists in violation of FCRA section 605A(b)(1)(B) and (c)(2). The consent order requires TU to pay $3 million in consumer redress and a $5 million civil money penalty. The consent order also requires TU to take a number of affirmative steps, including creating a committee to identify and assess potential consumer risks related to ongoing or recurring technology issues and to take appropriate remedial steps.
TruthFinder and Instant Checkmate
In September 2023, the FTC filed an enforcement action against TruthFinder and Instant Checkmate, alleging that the two companies operated as “consumer reporting agencies” under the FCRA and failed to comply with several provisions of the FCRA that apply to consumer reporting agencies. TruthFinder and Instant Checkmate offer people search services to consumers and businesses. A consumer reporting agency is defined, in pertinent part, as a person who assembles or evaluates information on consumers for the purpose of providing consumer reports, such as credit reports, background screening reports, or tenant screening reports, to third parties.
The FTC alleged that TruthFinder and Instant Checkmate were consumer reporting agencies, despite disclaimers on the companies’ websites stating that they do not assemble or evaluate data for the purpose of providing consumer reports to third parties. To support its case, the FTC alleged that the two companies used search engine advertising keywords that relate to employment and tenant screening, such as “best background check for landlords” and “pre-employment screening” to promote the use of both Instant Checkmate and TruthFinder background reports for use in employment and tenant screening, directing Microsoft and Google to display Instant Checkmate and TruthFinder advertisements when consumers search for words or phrases relating to background screening. In addition, the FTC alleged that the companies selected the “broad” match setting for Microsoft and Google advertising keywords containing terms that relate to employment, tenant, or credit screening under the FCRA. The “broad” match setting instructs Microsoft or Google to display advertisements when consumers and businesses search for not only the keyword itself but also synonyms and related terms. The FTC also alleged that the companies actually knew that their customers have regularly used Instant Checkmate and TruthFinder background reports for employment and tenant screening, and, in numerous instances, customers directly communicated to defendants, including by e-mail and phone calls, that they had used or were using Instant Checkmate and TruthFinder background reports for employment or tenant screening.
Thus, the FTC alleged that the two companies were consumer reporting agencies, not based on their direct statements or marketing of their products for background screening purposes, but on the fact that they promoted their websites to individuals searching for specific background screening–related terms. The FTC further alleged that Instant Checkmate and TruthFinder had violated various technical provisions of the FCRA, which is perhaps unsurprising given that the two companies did not consider themselves to be consumer reporting agencies governed by the FCRA. The companies resolved the matter by consenting to the entry of a permanent injunction in which they agreed to pay a $5.8 million penalty and, among other things, establish, implement, and maintain a comprehensive monitoring program to regularly review, assess, and determine the extent to which each company is operating in whole or in part as a consumer reporting agency.
TD Bank Enforcement Action
In September 2024, the CFPB entered into a consent order with TD Bank related to allegations that the bank furnished inaccurate information about consumers. One allegation involved the bank’s failure to enter data from a third-party collections company regarding consumer payments into its system of record, which resulted in the bank not furnishing payments information to consumer reporting agencies as part of routine reporting regarding credit card information. In addition, the bank allegedly inaccurately and incompletely furnished the bankruptcy status of credit accounts by failing to indicate the status of accounts in bankruptcy (e.g., petition filed, discharged, withdrawn, or dismissed); furnishing information about credit cards in discharged status for several months, as opposed to only the month in which the discharge occurred, which the Bureau considered to be “industry standard under the Metro 2 format;” and failing to accurately furnish information about the correct bankruptcy chapter for discharged credit card accounts. In the consent order, the Bureau alleged that the bank failed to establish and implement reasonable policies and procedures regarding furnished information. The Bureau also alleged that the bank failed to promptly correct inaccurate or incomplete information furnished to consumer reporting agencies after it detected issues.
Another set of allegations involved the reporting of information about “hundreds of thousands” of deposit account openings that the bank either suspected or had confirmed to be fraudulent. The Bureau alleged that the bank identified a large number of suspected or confirmed fraudulent accounts in January 2022, but did not fully correct the issue until August 2023. As a result of these practices, the Bureau alleged that the bank failed to promptly correct information furnished to nationwide specialty consumer reporting agencies in violation of FCRA section 1681s-2(a)(2), and failed to establish and implement reasonable procedures regarding the furnishing of deposit account information. In addition, the consent order described alleged issues regarding the reporting of dates of first delinquency and the proper reporting of account status, consistent with the CARES Act amendments to the FCRA regarding accommodation programs.
Finally, the CFPB alleged that the bank did not have sufficient processes in place to reasonably and timely investigate direct and indirect disputes from consumers pursuant to section 611. It alleged that the bank redirected resources away from dispute investigation “to prioritize a separate regulatory matter.” The Bureau considered these allegations to constitute abusive acts or practices under the Consumer Financial Protection Act because the bank took unreasonable advantage of the inability of consumers to protect their interests in selecting or using a consumer financial product or service. In reaching this conclusion, the CFPB noted that the bank decided to divert resources away from dispute investigations, which “took away the consumer’s ability to protect themselves against inaccurate information on their credit report.” The Bureau also alleged that the bank failed to properly notify consumers of disputes the bank deemed as “frivolous or irrelevant.”
As a result of these findings, the CFPB ordered the bank to pay a $20 million civil money penalty and $7.76 million in redress to impacted consumers. It also required that the bank adopt additional compliance monitoring and reporting, including board reporting, and develop a compliance plan that provides reporting to the CFPB, among other requirements.
Litigation Developments
Government Agencies Not Immune from FCRA Liability
In Department of Agriculture Rural Development Rural Housing Service v. Kirtz, the U.S. Supreme Court ruled that the FCRA operates as a waiver of sovereign immunity and allows consumers to sue the government for violating the duties imposed on furnishers. This decision appears to resolve a circuit split with respect to whether a federal government agency is subject to the FCRA private right of action. The Court held that the “FCRA effects a clear waiver of sovereign immunity,” by authorizing “consumer suits for money damages against ‘[a]ny person’ who willfully or negligently fails to comply with [the statute]” and “defining the term ‘person’ to include ‘any . . . governmental . . . agency.’”
Legal v. Factual Disputes
As explained above, the CFPB has indicated its intention to propose rules requiring that consumer reporting agencies and furnishers of information review and resolve disputes that require an interpretation of legal issues that could impact the accuracy of underlying information. In recent cases, however, federal circuit courts have adopted a different view on this question. Two cases decided during the period of time covered by this Annual Survey addressed the issue of legal and factual disputes and recognized the pointlessness of a consumer reporting agency, or even a furnisher, trying to resolve issues that are essentially legal disputes.
In Holden v. Holiday Inn Club Vacations Inc., the Eleventh Circuit considered issues arising out of a dispute of information relating to the plaintiffs’ default on promissory notes used to purchase time shares in Las Vegas and Cape Canaveral. The plaintiffs claimed that they no longer owed the money, because the “sales transaction was fraudulently represented at the time of sale” or provided inaccurate information without properly re-investigating the dispute. The court declined to “impose a bright line that only purely factual or transcription errors are actionable under the FCRA,” but nevertheless held that to be actionable, a claimed inaccuracy must be “objectively and readily verifiable.” The court explained that “the problem for [the plaintiffs] is that the alleged inaccurate information is not objectively and readily verifiable because it stems from a contractual dispute without a straightforward answer,” given the inconsistent results under applicable state law when interpreting timeshare agreements like the ones in question. The court held that, in any event, the defendant Holiday Inn, the furnisher of the information, had determined that the debt was due and collectible, but it happened that the plaintiffs disagreed with that determination.
In Chaitoff v. Experian Information Solutions, Inc., the plaintiff consumer disputed information on his credit report with the defendant consumer reporting agency, claiming that the defendant made a mistake when it failed to note on his credit report that he had signed an agreement with his mortgage lender allowing him to make lower payments to avoid foreclosure. The lower court held that any dispute about the existence or effect of this agreement was a legal dispute, for which the defendant agency could not be held liable. Although the Seventh Circuit agreed that legal disputes are beyond a consumer reporting agency’s duty to investigate, it found that the dispute was factual rather than legal. The defendant failed to report that the plaintiff entered a modified payment plan with his lender, and the plaintiff claimed that the inaccuracy prevented him from getting a subsequent loan, both of which are factual issues.
The Chaitoff court also held, however, that consumer reporting agencies are immune from liability for credit report errors related to a legal dispute with respect to a debt’s validity. The court explained that “‘the paradigmatic example of a legal dispute is when the consumer argues that although his debt exists and is reported in the right amount, it is invalid due to a violation of law,’” which is beyond the knowledge of the consumer reporting agency. As a result, the court acknowledged that, “[w]e have long held that [consumer reporting agencies] are not well suited to adjudicate legal defenses to a debt, so they are not liable for reporting information that may be legally inaccurate.”
Furnishers May Not Decline to Investigate Indirect Disputes as Frivolous
In Ingram v. Experian Information Solutions, Inc., reversing a summary judgment for the defendant debt collection agency and the defendant furnisher of information, the Third Circuit held that a furnisher of information to a consumer reporting agency may not decide that a dispute referred to it by the consumer reporting agency is frivolous and on that basis decline to investigate. The plaintiff filed a dispute regarding a fraudulent account with a consumer reporting agency, which forwarded it to the defendant furnisher for investigation, as required by the FCRA, and the plaintiff alleged that the furnisher failed to reasonably investigate his dispute. The court recognized that a consumer reporting agency may decline to investigate a frivolous dispute, and that a furnisher may decline to investigate a frivolous dispute when it is received directly from the consumer who is the subject of the information, but that a furnisher has no discretion to decline to investigate an indirect dispute forwarded to it by the consumer reporting agency. Several lower courts had previously held that a furnisher had no obligation to investigate an indirect dispute where a consumer had not provided sufficient information to enable the furnisher to conduct an investigation, reasoning that without a “bona fide” dispute, there is nothing to investigate. The Ingram court declined to adopt this reading of the statute, stating that Congress would have provided furnishers with the ability to decline to investigate indirect disputes, if it had intended to do so.