By Roy Urrico
The Identity Theft Resource Center (ITRC) sent a letter to the Consumer Financial Protection Bureau (CFPB) regarding a proposal to make the non-financial, personal information section of credit reports subject to the Fair Credit Reporting Act (FCRA) consent requirements. While the ITRC, an El Cajon, Calif.-based national nonprofit organization that supports identity crime victims, typically supports proposals and decisions from the CFPB, the ITRC believes this proposal may have unintended consequences.
In September 2023, the CFPB announced an Outline of Proposals and Alternatives Under Consideration to enhance consumer protection, improve data security, and ensure fair and accurate credit reporting. The ITRC’s position on the CFPB’s outline centers on the CFPB seeking to shield identification information in credit reports from marketing and advertising, which the ITRC supports. However, the proposal would also limit additional information needed for fraud detection and prevention.
“Last fall, the CFPB started a process for new rulemaking. One of the things in that rulemaking would take that part of a credit report, which is referred to as a credit header, and make that a part of the actual credit report. Now, that is different than how this has operated for decades,” ITRC’s Chief Operating Officer James E. Lee told Finopotamus.
As reported by the ITRC, most identity crime victims who ask the organization for assistance seek help with identity misuse, many times the result of information stolen in data compromises. Last year, the ITRC tracked a record number of data compromises (3,205), which the ITRC believes will drive more identity crime in the form of schemes such as romance scams, cyberattacks and impersonation crimes.
It is important to verify identity data because identity fraud often incorporates elements of real identities, noted Lee. “We believe a requirement to obtain a consumer’s permission before using credit header data to verify identity information will only lead to a criminal denying consent and creating a barrier to fraud detection.”
In November 2023, NAFCU and CUNA also wrote a joint letter raising several similar objections to the CFPB’s FCRA rulemaking proposals. The letter to CFPB Director Rohit Chopra urged the bureau to hold a new Small Business Regulatory Enforcement Fairness Act (SBREFA) Panel where Small Entity Representatives (SERs), which include credit unions, can better estimate the impact of the proposals in its FCRA rulemaking effort and the potential costs on operations.
Are Changes Brewing?
Lee explained that credit headers normally contain non-financial information such as demographic and contact information about an individual. “It’s not what’s referred to as trade line data.” Tradelines help credit bureaus generate credit scores. “So, it is not accounts and how much you owe and who you owe, it is none of that information. What the CFPB wants to do is to put that below the line,” said Lee. He added that consumers would retain their rights to review and correct the information, but the proposal would also restrict the data’s use elsewhere.
“If you restrict that data to only with the permission of the person trying to initiate a transaction, in essence, what you are going to be doing is blocking one of the only tools we have to prevent fraud,” Lee added. “Because someone fraudulently claiming to be a person could then deny the use of that data and could presumably then move forward with some alternate method of approving a transaction. So that in our view is very problematic.”
The ITRC, Lee said, has no issues with the CFPB and the FTC taking actions against data brokers, particularly in the marketing and selling information space. When it comes to the proposed rule, he pointed out, “There is a different law which already governs the use of information for fraud purposes that we think should continue to control. That’s the Gramm-Leach-Bliley Act (GLBA).”
The GLBA requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. “We are worried that restricting data (as proposed) will actually enable identity crime, not prevent it,” said Lee.
Early Part of the Process
Lee further explained, “There is no actual rule proposed just yet. (The CFPB) has only outlined potential proposals so far. We are waiting for the actual proposal, but based on the initial outline, the concern has come about because they are intending on expanding the definitions to include much more data and many more of the organizations that today use that data for anti-fraud.
“We just came off a year when there were the highest number of data breaches ever, stolen by criminals for the purpose of impersonating individuals,” Lee said. The stolen data, he held, will help fraudsters impersonate somebody to open up an account somewhere. The target usually is a business, a government agency, or some organization. “It is very important that we have tools to help prove that somebody is who they say they are.”
Identity criminals are specifically targeting the information being used as part of an enhanced identification process, Lee offered. “If we don’t have access to the tools to help identify people, we are just going to have more and more identity fraud, and we are going to have more and more data breaches because (fraudsters) are going to need that data.”
Affecting Credit Unions
A new rule governing data usage as proposed by the CFPB in its outline could impact credit unions and other financial institutions. “It absolutely could, particularly under Know Your Customer requirements (KYC),” suggested Lee. The KYC process includes identity, face and document verification. Financial institutions must comply with KYC regulations and anti-money laundering regulations to limit fraud.
“Using consumer header data as part of that (CFPB backed) process would in all likelihood restrict that and that would force organizations like credit unions, banks, anybody who has to go through that identity verification process to find a different way of doing it,” said Lee.
In the CUNA/NAFCU joint letter to the CFPB, the associations called for a new outline to be released because it currently represents “an unwarranted and vast expansion of the intent and scope of the FCRA to impose additional requirements on credit unions, exposing these community-based, not-for-profit financial institutions to myriad legal and compliance risks, for supposed benefits to consumers that have yet to be quantified.” The associations also noted the lack of details for SERs and stakeholders to offer any meaningful feedback at this time.