In this episode, Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, Ron Raether, and Ethan Ostroff discuss the regulation of credit header data and the potential impact on the FCRA and consumer reporting agencies, as well as users and data brokers.
Join us for the second episode in a special three-part series covering the CFPB's intention to propose new rules under the Fair Credit Reporting Act (FCRA). In this episode, Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, Ron Raether, and Ethan Ostroff discuss the regulation of credit header data and the potential impact on the FCRA and consumer reporting agencies, as well as users and data brokers.
Stay tuned for the third and final episode in this series, which will focus specifically on data brokers and the possibility of regulating them under the FCRA, and how this might affect data brokers as well as other types of entities, users, consumer reporting agencies, and resellers.
CFPB's Rulemaking Under the FCRA – Part 2
Hosts: Dave Gettings and Chris Willis
Guests: Kim Phan, Ron Raether, and Ethan Ostroff
Date aired: September 14, 2023
Chris Willis:
Welcome to this special joint edition of The Consumer Finance Podcast and FCRA Focus. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice, and I'm co-hosting today's episode with Dave Gettings, one of my partners who's the host of the FCRA Focus. Now, this is part two of a special three-part series we're doing on the CFPB’s forthcoming rulemaking under the Fair Credit Reporting Act. In this episode, we're going to be talking about two things. First, we're going to be highlighting the judicial environment around regulatory rulemaking, and especially aggressive regulatory rulemaking, which is what we have on our hands here. And then we're going to take a deep dive into the CFPB's apparent intentions with regard to credit header data and the idea of classifying those as consumer reports that are subject to the Fair Credit Reporting Act and all of the rules and regulations that apply under there.
But before we jump into that really fascinating set of topics, let me remind you to visit and subscribe to our blogs, troutmanpepperfinancialservices.com and consumerfinancialserviceslawmonitor.com, where you'll see our daily coverage about everything that's going on in the financial services industry. And in addition to the two podcasts you're listening to today, we have several others. We have Unauthorized Access, which is our privacy and data security podcast. We have The Crypto Exchange, which is about all things crypto, and we have our newest podcast Payments Pros, which is all about the payments industry. All those are available on all popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing.
And finally, don't forget to download and try out our nifty mobile app. It's a great one-stop shop for all of our thought leadership content that we put out among our consumer financial services group and our wider financial services industry group. It has all of our podcasts that you can listen to right there in the app. It has a great directory of all of our lawyers, more than 200 of us who practice in the financial services space. It has all of our thought leadership pieces like alerts, and it has a great calendar feature that shows you what conferences we'll be attending and speaking on. It's available for both iOS and Android. Just look for Troutman Pepper in your app store and download it and give it a try.
Now for today's discussion, Dave, and I'll be co-hosting it just like we did part one, but we're also joined by several of our other colleagues. So, we have Kim Phan, we have Ethan Ostroff and Ron Raether, all of whom are very experienced practitioners with respect to Fair Credit Reporting Act issues, and they're going to be an invaluable part of our discussion today. So, Dave, let me hand it over to you and let's get talking about the judicial environment that we promised the listeners we'd cover.
Dave Gettings:
Yeah, thanks, Chris. I appreciate you co-hosting the podcast with me again, and appreciate Kim, Ron and Ethan being on the podcast again. In terms of the judicial environment dealing with credit header data, there's been a lot of history surrounding this issue and it's been getting more and more contentious potentially with more defendants being willing to push back on the issue of whether credit header data is regulated. But the one thing I thought might be really powerful is to start or at least have Ron discuss a little bit of his history litigating against the CFPB and his history pushing back against the CFPB and how that can be effective for defendants and effective for clients that find themselves under CFPB scrutiny.
Ron Raether:
Great, thanks Dave and Chris. It's always enjoyable to participate in your podcasts. I'm looking forward to some engaging conversation, sort of like I had with the Fifth Circuit when it was reviewing a matter that involved a motion to compel one of my clients to respond to a civil investigation demand. I'm not going to go through the complicated or honestly, not complicated and kind of one-sided process that you go through with the CFPB when you challenge a CID, eventually you end up in the courts. In our particular case, the concern and the question really related to a data broker. My client was a data broker, the CFPB was attempting to exercise jurisdiction over my client. And then the statement of purpose, which is where the CFPB and the CID explains why they think they have the authority to be able to subpoena, or in this case compel documents and information from my client.
They listed a variety of different statutory schemes and what the Fifth Circuit eventually came around to finding is that the CFPB needed to state specifically what authority they thought they had over my client. The Fifth Circuit found that the CFPB did not have unfettered authority to cast a ballot for potential wrongdoing. And as a consequence, the Fifth Circuit quashed the civil investigation demand from the CFPB. Relevant here, and as we start to look at the CFPB's attempt to extend its rulemaking authority into areas that I would argue fall well outside the Fair Credit Reporting Act or any of the other, I think 16 or 17 statutes that Dodd-Frank gave the CFPB authority over. That Fifth Circuit decision, as well as other core challenges to the constitutionality of the funding of the CFPB and the oversight of the CFPB are going to become critical for us as we challenge anything that comes out of this rulemaking process in the courts.
Dave Gettings:
Thanks, Ron. Appreciate that and appreciate that insight about your experience with the CFPB. To maybe orient a little bit about how we got here on the credit header piece, I'd like to take a little bit of look at history in terms of what the FTC has done and then maybe turn it over to Kim a little bit to talk about what courts have done in interpreting credit header data and the fact that credit header data has traditionally not been regulated under the FCRA. Often when we look at agency guidance under the FCRA, we look at FTC informal staff opinion letters. We look at the FTC's 40 years of experience report that came out in 2011. So with respect to the staff opinion letters going as far back as the 1970s I believe, the FTC has generally held that credit header data when used appropriately, is not subject to the FCRA and is not regulated as a consumer report.
For example, in 1993, the FTC entered into a consent decree recognizing the ability of consumer reporting agencies to disclose credit header information independently of consumer reports. Then in 2011, the FTC’s 40 years of experience with the FCRA, the FTC noted that credit header information, which the FTC referred to as demographic and identifying information, is generally not considered a consumer report under the FCRA unless it is used for eligibility determinations. So that was really one of the key factors in some of the regulatory guidance leading up to this most recent CFPB proposed rulemaking. If consumer data was limited to credit header data and it was not used for eligibility determinations, there was really a pretty strong argument for defendants for the industry that that information was not credit header data. And Kim, would you like to talk a little bit about how courts have addressed this and interpreted some of these FTC guidance in actual litigation?
Kim Phan:
Well, thanks for handing that over to me, Dave, and I’ll actually defer to some of our actual litigators here on this podcast such as Ron, who might have specific experience in court about this. But you're absolutely correct that the definition of a consumer report is limited to communications by consumer reporting agencies that bear on what are called the seven factors. Whether or not a consumer is credit worthy, what their credit standing is, their credit capacity, their character, general reputation, personal characteristics or mode of living. So to the extent that identifying information that has been traditionally what is contained in the credit header information, usually a name, social security number, address, some other limited pieces of just pure factual information about a consumer that hasn't been considered bearing on one of those seven factors because really everyone has an address. That is not any indication of whether or not someone is worthy of credit or not, or worthy of insurance, or employment.
So the question as you were indicating is whether or not those particular pieces of information bear on any of that information in a way that could be used to make an eligibility determination. Again, whether or not someone has a name is not an indicator of whether or not they're credit worthy, whether or not someone has a phone number is not any sort of indicator of whether or not they should be employed or not. So those are the questions that have arisen, and the answer to those have been no, there's no usage of that information in a way that would implicate an eligibility determination under the Fair Credit Reporting Act.
Which is why courts have generally found, and there's a series of cases, for example, there was cases out of the Fourth Circuit, out of multiple judicial circuits, that have essentially concluded that credit header information that is not being used in a way that constitutes consumer report should not be subject to the FCRA. And more recently, and for many of you, you may have been impacted by the data breach that was experienced by one of the consumer reporting agencies, in that there was a multi-state litigation that was combined into the Northern District of Georgia. Even in that case where there was consumer harm alleged and lots of other issues related and arising out of that data breach, the court held that information such as names, social security numbers, dates of birth were only header information and should not be considered consumer report information. So even as recently as 2022, it's when that particular litigation was moving through the courts, this was a well-established principle that had not been overturned or challenged in courts.
Dave Gettings:
Thanks, Kim. I appreciate you also kicking over to litigators. It's further example of how unscripted these podcasts tend to be. So Ron, do you want to talk a little bit about your insights in litigating credit header information and whether it's regulated by the FCRA?
Ron Raether:
I think you have to consider the audience and the audience are judges. Judges who are not versed in the Fair Credit Reporting Act. They don't necessarily understand our industry and how our industry operates. And to a certain extent, the credit header issue falls back to common sense. And so as Kim was instructing, it just doesn't make sense that your name, for example, is ever going to be sufficient enough to give you credit. Now, I'm not going to call anybody whose name may be well-known, somebody who might be running for president and having other issues right now, maybe their name is sufficient as to whether you're going to grant credit or employment or insurance. But for the majority of us it's not the case. Where you start to get into more complications in a court is when you start talking about age or you start talking about zip code or how long you've lived at a residence or how frequently you've moved, for example.
And then we get back to that common sense notion and we look at the definition of consumer report, which is really what we've been talking about, does it bear on? And then I think critically is that information used as a factor in credit granting decisions. If I look at what the CFPB is attempting to do here with its rulemaking and I look at the history of credit header data, it goes back to a concern that we had in the public data case. It goes back to a concern that's underlying a lot of the constitutional challenges with respect to the CFPB, and that's an attempt to exert authority beyond what Congress granted to the CFPB to begin to delve into areas that are problematic. So if I look at the credit header issue in the context of that question and what I think to be the core challenges, it's going to be important for us and it's going to be important for the industry to draw a line of designation between when traditional header information is in fact used in determining or granting decisions with respect to credit insurance or employment and the like.
My experience in litigating this question of header information and whether it is used to determine eligibility is ultimately going to depend on the context and the facts that we put before the court and that the court's considering. And I think when you look at how the market is currently performing, where institutions are using information in the context of determining eligibility, they're treating it as a consumer report subject to the Fair Credit Reporting Act. I think our concern here and what we need to be looking at as an industry and pushing back on the CFPB is an attempt to try to expand when credit header data is being used outside of the context of eligibility determinations for permissible purpose under the FCRA.
Dave Gettings:
Thanks, Ron. And so just to orient the listeners, when we talked in our earlier podcast, the one beginning this series on the CFPB's potential rulemaking, we talked about the CFPB issuing an FAQ that signaled what the potential credit header data regulation would look like. And so for the listener's benefit, the two items in the FAQ that focused on credit header data specifically were one, the CFPB said proposals under consideration would clarify the extent to which credit header data constitutes a consumer report. And according to the CFPB, this would reduce the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don't wish to be contacted, such as domestic violence survivors. The CFPB also said credit header data is personally identifying information like someone's name, address, or social security number, which is held by traditional bureaus.
The CFPB said much of the existing data broker market relies on credit header data purchased from the big three to create these individual dossiers. So that was 0.1 on the CFPB's FAQ. The CFPB also said as a consequence, it would generally not be legal to sell this kind of data for a reason other than a permissible purpose. CFPB said credit header data should be sold for purposes like credit underwriting, employment applications, insurance underwriting, and government benefits applications, but not, for example, for targeted advertising, to train AI, to sharpen chatbots or similar AI services, or as the CFPB likes to do, in terms of inflammatory remarks, or to individuals who could be stalkers or perpetrators of domestic violence. So, Ron and Kim, in your practices, what do you think the practical impact will be if the CFPB does require credit header data to only be sold for a permissible purpose or regulates a credit header data like a traditional consumer report? In your experience, is it only going to individuals who are quote, "stalkers or perpetrators of domestic violence" or are there other practical purposes that the CFPB regulation may hinder?
Kim Phan:
So, I would say that the existing law's already pretty clear. If credit head data is being sold for an eligibility purpose, it would be subject to the FCRA. So I'm not sure where the CFPB thinks they can expand on that particular issue, but with regard to making a determination about whether or not someone is a stalker or a perpetrator of domestic violence, I'm not sure how they intend for data brokers to figure that out, what the standard is going to be. How would they do their due diligence in that respect? I don't know if the CFPB is being necessarily very realistic about what they think their goals are here as well as I think the examples, Dave, as you're rightly pointing out, are inflammatory. I don't think there are any data brokers out there who are marketing themselves to stalkers.
That's just not a realistic point of view with regard to whereas the CFPB says, they're trying to address market realities. And I don't think that is a true market reality with regard to how the data broker industry today operates. But I think it's even more problematic that they're targeting, again, very specific activities like targeted advertising and training AI. Artificial intelligence is very much a hot topic issue right now amongst the press, the regulators, everyone's sort of looking at how this will evolve, especially with generative AI, with ChatGPT hitting the marketplace and others like Bard following suit. The reality is, those models, I don't know what their concern is with regard to, again, credit header data being fed into those. I mean, certainly there are privacy and security considerations, but how the data broker industry is responsible for that, I'm not quite sure where the CFPB is connecting those dots.
Ron Raether:
Yeah, I agree, Kim. Talk about throwing the baby out with the bathwater. Trying to suggest that credit header data is the only means by which you can get access to somebody's name, address, date of birth, the information that has been traditionally designated as header data. I don't think anybody listening to this podcast would think that header information is the only source and that any stalker is going to use that information in order to track somebody down and harm them. When I see that type of statement, and then I also see some attempt by the CFPB to relate this to artificial intelligence or sharpening chatbots, again, I don't know who is the technologist there at the CFPB that thinks that header data is the only source for AI, derivative AI, or chatbots. But it begs the question to me, who's running for office?
Because this just seems to be throwing out marketing terms and items that are going to get attention of the media. And in stark reality though, why are we throwing out the baby with the bathwater? Because let's say we need to do skip tracing, we want to find somebody or we want to do fraud prevention. What is a good source of being able to determine somebody's address or how frequently they have moved from one location to another? Header data is going to be a fairly good indication of that. And in fact, being able to use that information in products that don't satisfy the permissible use requirements of the FCRA, that's helpful to consumers.
And I think it's going to be important in the conversations both with the CFPB as they consider these regulations, but ultimately if they try to regulate credit header data in a way that's offensive to the language of the Fair Credit Reporting Act, it's going to be important for courts to consider the consumer harm that's going to come about as a consequence of the CFPB trying to over-regulate, extend its authority beyond what I think Congress not only provided to them and Dodd-Frank, but also what Congress clearly delineated in deciding what's regulated by the Fair Credit Reporting Act and what's not. That abusive extension of authority to where Congress didn't intend there to be regulation. Courts need to consider the practical effects of that and considering whether this was permissible or not for the CFPB to extend regulatory authority over.
Dave Gettings:
Chris, I love kicking questions over to you as the co-host, especially questions in your bailiwick about regulatory overreach potentially. Do you think the CFPB has the authority to interpret the definition of consumer report this way in terms of this reach, which is a little bit inconsistent with how it's interpreted in the past? And if not, what do you think targets are going to do? How do you think they're going to push back?
Chris Willis:
I think my answer, Dave, to that question is just no, I don't think the Bureau has the authority to do it. And there are a number of factors surrounding that. Not only do we have the points that Ron was making a moment ago about the fact that credit header data doesn't fit well into the definition of consumer report in the statute, but in addition, keep in mind that we are likely to see in the near future a pretty significant official erosion of court deference to agency interpretations of their own statutes that they administer in the form of the Chevron deference case that the Supreme Court has accepted cert on and will decide next term.
The court may do away with Chevron deference or may merely limit it. But the point is, we live in an era now where the federal courts are really not inclined to give much, if any, deference to an agency's interpretation of statutes that it's charged with enforcing or administering by Congress, rather the court proceeds to make its own interpretation of the statute based on the plain language of the statute itself. So not only do I think the Bureau's position is a stretch, it loses credibility because it is contrary to prior interpretations of the law and it will be tested by targets of the Bureau's authority in a court system where judicial respect for and deference to the administrative state's interpretation of law is clearly on the wane. So I think this is a long-term dangerous move for the Bureau that has a high likelihood of failing when it is finally tested in court, but nevertheless, the Bureau seems intent on moving forward with it.
Dave Gettings:
Yeah, I agree, Chris, and some of the things we always like to look at on this podcast are maybe what are the less obvious downstream effects of what defining credit header data as a consumer report might be. It's more than just data brokers. It's users who potentially all of a sudden could be liable for purported permissible purpose violations without realizing it. It's users who may have new adverse action requirements and new disclosure and authorization requirements under 1681b without realizing it. And it's also consumer reporting agencies who may all of a sudden be considered resellers of consumer report information with respect to credit header data and have some of the reseller obligations that are unique to resellers under the FCRA and under, for example, 1681i. So there's all sorts of downstream effects of the CFPB’s proposal, which people may not be considering and which may be a surprise to some. So it's something certainly we need to keep watching. Ron and Kim, any last-minute thoughts on the impact of these proposed regulations as we wrap up the podcast?
Kim Phan:
Yeah, Dave, I wanted to point out one group that the CFPB should be thinking about in particular here of downstream effects is consumers themselves. If creditors aren't able to utilize fraud tools that rely on credit header data, if debt collectors aren't able to use skip tracers that also may rely on credit header data or if there are other current business uses that make the credit granting process more streamlined and efficient, if those go away, the effect will be higher cost of credit to consumers, less availability of credit consumers, and all of those downstream effects are a negative impact on the group that the CFPB purportedly wants to protect.
Chris Willis:
And Kim, I think your point about fraud is a really important one because think about your typical fraud screening tool not being used for eligibility and therefore you don't have detailed adverse action notices or key factors coming out of it in a FCRA score disclosure. But if one of those fraud products all of a sudden becomes a consumer report, then it seems likely that that would drive towards much more specific adverse action notices coming out of the fraud product, which of course serves to do nothing but educate the fraudsters about how to evade the effectiveness of the fraud product even faster. And so, in addition to the consumer aspects you're talking about of increasing the cost of credit, you'll just have massive support being thrown behind organized financial crimes that happen in the United States.
Ron Raether:
What's really interesting to me is that there's a lack of regard for the data ecosystem that exists currently within I think both the United States and the world market. And the problem is that in the US I think our enforcement authorities have become too enamored with the stick and not made any consideration to the carrot. As a consequence, while I will not dispute that there might be a few bad actors out there, the majority of the people that operate within this industry are good companies looking to comply with the law where appropriate, following the fair information privacy principles, which is what the FCRA is really based on. And using data in a way that's helpful and positive for consumers with every attempt made to try to prevent criminals from misusing information. I think an example sort of brings home why if the CFPB does a blanket extension of the definition of consumer report to header information without thinking about the other elements such as that the information has to be used or expected to be used in a factor in granting eligibility with respect to credit.
If the CFPB went beyond that, I think let's just consider, for example, a streaming service. I want to watch a streaming service and I can't remember my password and I get blocked. And so now I'm going through a process to try to have them verify who I am so that they can turn on the streaming service for me and I can enjoy my favorite movie or my favorite show. If header data is determined to be consumer report information, it cannot be used in the process by that company to verify my information, which as a consequence, that could mean I don't get to watch my movie because no one has sufficient information, the ability to verify who I am on the phone so that I can get my streaming service turned on.
I don't think that society wants that. I don't think that was the intent of Congress when it passed the Fair Credit Reporting Act in 1972 to put such restrictions and controls on what is really, for the most part, innocuous information. And it's going to be interesting to see how the CFPB reacts to comment during the rulemaking process. I suspect they're going to go forward with their rule regardless of what is submitted. And so, as a consequence, the courts are going to have to start to consider the balances that I think need to be in place against regulation and entrepreneurialism, market developments and other considerations beyond just the buttons that the CFPB seems to be trying to push in their FAQs.
Chris Willis:
Well, thanks very much for that discussion, Ron, Kim, Dave and Ethan. This has been an incredibly useful discussion, and I'm sure our listeners have really enjoyed it. I know I have. And of course, thanks to our listeners for listening to today's joint episode of the Consumer Finance Podcast and FCRA Focus. Before we sign off, let me remind you to visit and subscribe to our blogs, troutmanpepperfinancialservices.com and consumerfinancialserviceslawmonitor.com. While you're at it, why don't you head over to troutman.com and add yourself to our consumer financial services email list. If you do that, you'll get notices of our industry only webinars and copies of the alerts that we send out on important topics like the one we're talking about today. Don't forget to check out, of course, our very cool mobile app, which is a one-stop shop for all of our thought leadership content, both podcasts and written. And don't forget to stay tuned for a great new episode of The Consumer Finance Podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.