The Consumer Financial Protection Bureau (CFPB) is a relatively new federal agency primarily responsible for protecting consumer use of financial products and services through enforcement of federal consumer financial laws. This responsibility includes oversight of the release and use of consumer reports to entities investigating the creditworthiness of consumers applying for jobs, credit, leases and insurance.
In July, the agency issued an advisory opinion on this topic called “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.” The opinion takes a close look at the Fair Credit Reporting Act’s (FCRA’s) requirement that consumer reporting agencies (CRAs) may only release consumer reports to users for “permissible purposes” that are “consumer specific.”
According to the Bureau’s website, its advisory opinions are meant to “assist regulated entities to better understand their legal and regulatory obligations through advisory opinions.” These opinions are “interpretive rules issued to resolve regulatory uncertainty.”
This opinion reflects FCRA’s focus on privacy since consumer reports may include the “credit, criminal, employment, and rental histories” of consumers. This kind of information in the wrong hands puts a consumer at elevated risk of identity theft and “invasion of … privacy, as well as reputational, emotional, physical, and economic harms.”
Guidance for consumer reporting agencies
Federal law broadly defines “consumer reporting agency.” In addition to the big three (Equifax, TransUnion and Experian), the FCRA considers other entities that provide similar information to fall within the definition.
When a CRA releases a consumer report, it must have reason to believe that the requesting user has a permissible purpose for the information. FCRA permits release of a consumer report to further any of four specific purposes:
- In response to a consumer’s written request
- For credit purposes
- For employment purposes
- For insurance purposes
A CRA may provide a consumer report only if it reasonably believes the document contains information restricted to the specific person who is the subject of the request. For example, it would violate the law for a CRA to release multiple reports with the same consumer name after using “insufficient identifiers in matching procedures, such as name-only matching.”
In this example, some of the reports would include information about people other than the exact consumer who was the subject of the request. There would be no permissible purpose for using those “extra” reports and it would violate the privacy of those who were not the subject of the report request. Requests and releases must be consumer specific.
Finally, a consumer reporting agency cannot use disclaimers in a situation like this to escape its legal responsibility to use sufficient identifying procedures to accurately match a report to the correct consumer.
Guidance for entities requesting consumer reports
On the other side, FCRA also requires anyone requesting or using a consumer report to only do so with a permissible purpose under the Act. A requesting entity must certify that it will use it only for one of the permitted purposes.
The Act also requires that the requesting party have a “legitimate business need for the information … in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.”
Takeaways
Both the CFPB and the Federal Trade Commission (FTC) can bring enforcement actions for violations of permissible-purpose limitations. An attorney can advise a consumer whether they have legal remedies under federal or state laws through agencies or in court.
Anyone who believes that a CRA may have wrongly released their consumer report to a third party or that a third party requested or used their report without a permissible purpose should seek the guidance of an experienced consumer protection lawyer. Much may be at stake, including potential intrusion into privacy and identity theft.