

The CFPB’s Proposed Rulemaking and Its Implications for the Credit Reporting Industry

David Neal Anthony, Timothy J. St. George, Christopher J Capurso, Noah James DiPasquale, and Elizabeth Noland Butler


  • In 2023, the CFPB released new proposals that, if finalized, would have major effects on the entire ecosystem that collects, sells, and uses data about consumers and far-reaching impact on FCRA litigation.
  • FCRA-regulated entities would be required to quickly get up to speed to navigate the complexities and ambiguities of the proposed rulemaking, which will impact their compliance, regulatory, and litigation strategies, as well as internal policies and procedures to ensure FCRA compliance.
  • Based on the sweeping proposed reform with regard to the CFPB’s interpretation of the FCRA’s scope, it appears likely that some parts of the CFPB’s proposed rule will face significant legal challenges.

On September 21, 2023, the Consumer Financial Protection Bureau (CFPB) released an Outline of Proposals and Alternatives Under Consideration, which sets out a number of proposed changes to the Fair Credit Reporting Act (FCRA). If accepted, the proposals under consideration will affect the entire ecosystem that collects, sells, and uses data about consumers. The sea change reflected in the outline will likely increase FCRA litigation as consumers and entities navigate new obligations and ambiguities within the proposed rulemaking.

Overview of the Outline

The outline sets out an ambitious agenda for the proposed rulemaking that would have major impacts on

  • “data brokers” and “data aggregators,” which are not defined under the FCRA and which have not historically been considered consumer reporting agencies (CRAs);
  • CRAs;
  • furnishers of data to CRAs;
  • data sources for data brokers and data aggregators; and
  • end users of data obtained from CRAs and/or data brokers / data aggregators.

While the outline has wide-ranging implications for the entire consumer data ecosystem, in prepared remarks for a press call hosted by Vice President Kamala Harris, CFPB Director Rohit Chopra discussed only one aspect of the proposal: a rule barring the reporting of medical debt collections through the credit reporting system. Chopra noted that the CFPB’s rulemaking would “block medical debt collectors from weaponizing the credit reporting system to coerce patients into paying bills they may not even owe” and that the CFPB is “kicking off a rulemaking process to prohibit lenders from using certain medical billing information in their underwriting decisions.”

One of the most important impacts of the contemplated rule is that many businesses and use cases that do not meet the FCRA’s current definition of “consumer reporting agency” could be dragged into FCRA regulation (and litigation). From the outline, it is not obvious that the CFPB has considered the significant negative consequences of ignoring the plain language of the FCRA. For example, data that has been used for decades to prevent fraud and identity theft would no longer be permitted for those use cases outside the limited set of enumerated FCRA “permissible purposes” or under the potentially strict rules foreshadowed in the outline for obtaining consumer consent. However, that is only one of many monumental shifts that could change how the industry and courts understand the FCRA. Compliance requirements and risks for the potentially new and existing members of the FCRA-regulated consumer data ecosystem would also be more demanding in multiple, significant ways, some of which are identified below. Further, FCRA litigation would likely surge as entities that previously were not subject to the FCRA are required to quickly set up new compliance systems and navigate the complexities and ambiguities of the proposed rulemaking, and as consumers uncover novel claims as a result of the expanded regulatory scheme.

The outline follows an announcement of the planned initiative and is part of the first step of a formal CFPB rulemaking.

Impacts on Industries Likely Affected by the Proposed Rule

The contemplated rulemaking disclosed in the outline would affect participants in the consumer data ecosystem in a multitude of ways.

So-called data brokers and data aggregators. What qualifies as a “data broker” or “data aggregator”? In the CFPB’s view, a data broker or data aggregator is any company that collects and sells consumer data, for any purpose, and that also “assembles” or “evaluates” the data. Thus, it appears that the CFPB intends to expand the definition of “consumer report” beyond those data brokers that are CRAs “under current law.”

Further ignoring the FCRA’s definition of “consumer report,” the CFPB states that it intends to apply the statute where the information is used for any permissible purpose (ignoring the FCRA’s threshold eligibility requirements), regardless of whether the data broker knew that the information would be used or was intended to be used for that purpose. Indeed, the CFPB says that information would be considered a consumer report based only on the fact that the information might bear on eligibility—addressing only part of the FCRA’s definition of “consumer report.” It is likewise unclear how the CFPB intends to “clarify” the meaning of “assemble” and “evaluate” in a way that has not already been addressed by the courts.

The proposed impacts for so-called data brokers and data aggregators go further. Among other implications is the fact that data brokers and data aggregators would be able to sell data only for permissible purposes allowed by the FCRA—principally for eligibility determinations for credit, insurance, or employment—or by way of written authorization of the consumer. Use of data for product improvement and identity verification to access an online account, for example, would be prohibited absent the consumer’s written authorization.

In addition to limiting who can receive data from data brokers and data aggregators, the proposed rulemaking stipulates that those entities, once designated as CRAs, would need to give consumers (and, unintentionally, identity thieves posing as consumers) the right to access and dispute their data; and consumers would be enabled to initiate private suits against the newly designated CRAs for failing to fulfill those obligations.

Consumer reporting agencies. What is a “consumer reporting agency”? The FCRA defines “consumer reporting agency” as a person (defined by the FCRA as an individual, partnership, corporation, etc.) that collects, assembles, or evaluates consumer credit information or other data on consumers for the purposes of furnishing consumer reports. 15 U.S.C. § 1681a(f). A consumer report contains “seven-factor” data reflecting on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and it is expected to be used for the purpose of establishing a consumer’s eligibility for credit, insurance, or employment, among other specific permissible purposes.

The proposed rulemaking could have a substantial impact on CRAs. First, under current law, a CRA’s sale of identifying data—widely known as “credit header data”—about a consumer is not regulated by the FCRA, mainly due to courts consistently concluding that such information does not bear on the factors listed in the statutory definition of “consumer report”. 15 U.S.C. § 1681a(d). The CFPB seems to acknowledge this existing law and yet, contrary to its statements on data brokers discussed above, proclaims that such information is now being used to determine “eligibility” and, as a result, is now regulated consumer report information that can only be used for FCRA permissible purposes. The outline suggests that the CFPB is focused on subjecting all consumer data held by a CRA to the FCRA’s requirements, meaning that only persons with an FCRA permissible purpose can obtain this data from CRAs. That restriction would have major implications for end users as well, as noted below.

Second, the outline reflects the potential for a rule that would create an obligation previously not found in the FCRA for a CRA “to protect” consumer reports from a data breach or data security incident (i.e., unauthorized access). This would be contrary to the consistent holdings of multiple courts that the FCRA does not apply to such incidents, given the plain language of the statute requiring the “preparation” of a consumer report rather than mere data access. See, e.g., In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1312–13 (N.D. Ga. 2019) (holding that plaintiffs had not alleged adequate facts showing defendant “furnished” consumer reports to the hackers and that the stolen personal identifying information was not a consumer report under the FCRA).

Third, other provisions of the rulemaking under consideration by the CFPB would basically exclude from the consumer data ecosystem any collection or distribution of medical debt collection information altogether. That would have major implications for users and furnishers as well, as noted below.

Fourth, the CFPB proposes giving consumers the power to file a dispute not only for themselves but also on behalf of whole groups of consumers (a sort of “class action” dispute); and the CRAs would be required to investigate, and then respond to, the dispute on a group-wide basis. This obligation would also apply to furnishers, as discussed below.

Finally, the CFPB would have CRAs and furnishers interpret legal issues that may impact the accuracy of information provided, for example, by a court. Not only does such a requirement ignore what courts have found is required by the FCRA—that is, investigating only factual disputes about the completeness or accuracy of data—but it could also require the involvement of an attorney in every dispute to make sure that there are no “legal” issues that need to be resolved.

From a litigation perspective, these proposed changes would have major implications for CRAs’ litigation exposure under the FCRA. If implemented, these changes would expand the obligations of CRAs and other FCRA-regulated entities under the FCRA, which would inevitably result in increased litigation as these entities navigate the complexities and ambiguities of any new rules. For instance, there have been many recent cases in which courts have drawn distinctions and parameters around whether CRAs are required to investigate legal inaccuracies (i.e., the status of an allegedly discharged debt) as opposed to only factual inaccuracies. See Sessa v. Trans Union, LLC, 74 F.4th 38 (2d Cir. 2023); Mader v. Experian Info. Sols., Inc., 56 F.4th 264 (2d Cir. 2023). The CFPB’s proposed rulemaking would place a finger on the scale on this issue contrary to the prior holdings of several courts.

Furnishers. What is a “furnisher”? A furnisher is a person that supplies its own “transaction and experience” consumer data to a CRA. A creditor or servicer that supplies a CRA with data about a consumer’s performance of a credit obligation is a furnisher.

Furnishers could be greatly impacted by the proposed rulemaking. First, as with CRAs, the contemplated rule would give consumers the power to make a dispute on behalf of not only themselves but also whole groups of consumers, and furnishers would have to investigate and respond to these disputes on a group-wide basis.

Second, as with CRAs, the contemplated rule would require furnishers to evaluate legal issues raised by a dispute. This proposed change would also drastically alter the litigation landscape for furnishers as consumer plaintiffs undoubtedly would seek to have courts defer to the CFPB’s interpretation of what constitutes a viable dispute.

Third, medical debt collection information would be excluded from the consumer data ecosystem, so furnishers that currently report medical debt would no longer have any way to share this data with end users through CRAs.

Data sources for data brokers and data aggregators. What is a “data source” for data brokers and data aggregators? Data brokers and data aggregators collect data from a wide variety of governmental and business sources.

The proposed rulemaking would severely impact data sources for data brokers. For instance, supplying data to data brokers and data furnishers, which would now be regulated directly under the FCRA, could result in some data sources becoming furnishers themselves. This would saddle these data sources with the duties of a furnisher under the FCRA with regard to ensuring accuracy of data, responding to disputes, and putting in place identity theft protections. This could become problematic, especially if the data source makes no effort to associate a record with a specific purpose (i.e., doing nothing more than parroting the public record sources such as court records). In addition, data sources could see an increase in FCRA litigation as consumer attorneys try their luck in filing furnisher-specific claims against them.

End users. What is an “end user”? An end user is a person that consumes consumer data for business purposes. Those purposes can include marketing; identity verification; fraud prevention; and eligibility determinations of consumers for products and services, including, but not limited to, credit, insurance, and employment.

There are a multitude of potential impacts for end users. First, a major effect of the inclusion of data brokers and data aggregators in the definition of “consumer reporting agency” is that users would only have the ability to look to the consumer data ecosystem for data if the user has an FCRA permissible purpose, or if the written instructions of the consumer give the user permission to access the consumer’s data. This would have a detrimental effect on preventing fraud and misuse, especially when combined with the CFPB’s intent to restrict the “legitimate business need” permissible purpose.

Second, materially changing the current understanding of “aggregated” (i.e., anonymized) data could eliminate numerous use cases that benefit consumers by improving functionality and reducing the price of products and services.

Third, the outline includes the prospect that the CFPB would promulgate specific requirements for a consumer’s written instructions, including required steps to obtain authorization, who can collect written instructions, and limits on the scope of authorization. The outline also confirms the consumer’s right to revoke authorization and contemplates methods for such revocation. The CFPB has not explained whether this would be a prospective requirement or if it intends to apply its rule to data already collected and not flagged for this purpose.

Fourth, the outline seeks to clarify when an end user has a “legitimate business need” for which a CRA may furnish a consumer report. The FCRA provides that a legitimate business need includes a need for the information (i) in connection with a business transaction initiated by the consumer, or (ii) to review an account to determine whether the consumer continues to meet the terms of the account. The proposal seeks to limit those needs, respectively, to (i) determining eligibility for a consumer-purpose transaction, or (ii) actual account reviews for which the consumer report information is required to determine whether the consumer continues to meet the terms of the account.

Finally, users would not have access to medical debt collection data through the regulated consumer data ecosystem, which could result in riskier credit decisions that would otherwise not be made in the current environment.

Small Business Regulatory Enforcement Fairness Act Process

The outline was supplied for initial comment to a panel of small businesses (including CRAs, data brokers, and furnishers) that convened under the Small Business Regulatory Enforcement Fairness Act (SBREFA). The SBREFA process was conducted on a remarkably condensed timeline over a few weeks in October 2023, just one month after the CFPB unveiled the outline.

Following the SBREFA process, a collection of financial industry trade groups sent a letter to Chopra regarding their concern that the process had been rushed and that industry members had not been provided with sufficient detail regarding the proposed rulemaking changes to enable a proper review process. The letter requests that the CFPB issue an Advance Notice of Proposed Rulemaking (ANPR) before it publishes a Notice of Proposed Rulemaking (NPRM) to allow the industry and other stakeholders to fully review and respond to the significant implications of the proposed rulemaking.

Based on the sweeping proposed reform with regard to the CFPB’s interpretation of the FCRA’s scope, it appears likely that some parts of the CFPB’s proposed rule will face significant legal challenges.


This proposed rulemaking, if it proceeds as outlined, will have a dramatic effect across the board for all businesses involved in the consumer data ecosystem. FCRA-regulated entities will be required to navigate the complexities and ambiguities of the proposed rulemaking, which will impact their compliance, regulatory, and litigation strategies. These entities will be forced to adjust their current policies and procedures to ensure compliance with the CFPB’s anticipated expansion of FCRA-related obligations, which could result in an increase in FCRA-related litigation. In other words, the proposals under consideration will reshape all aspects of the consumer data ecosystem. Accordingly, comments and advocacy by these affected stakeholders will be vital to ensuring that the vast implications of such rule changes are considered in the process.