Numerous financial trade organizations and members of Congress have advocated for federal regulators to hold credit reporting bureaus accountable for the security of vast amounts of personal information in their possession.
However, because of certain federal statutes dictating what actions certain regulators can and cannot take against certain market participants, the task of holding those credit bureaus responsible when things go wrong is more convoluted than many realize.
Testifying before the Senate Banking Committee, Peggy Twohig of the Consumer Financial Protection Bureau (CFPB) and Maneesha Mithal of the Federal Trade Commission (FTC) said their agencies want to focus more attention on credit reporting agencies, but noted that the bureau cannot bring enforcement actions over data breaches and the FTC cannot impose civil penalties on violators.
The hearing, titled “An Overview of the Credit Bureaus and the Fair Credit Reporting Act,” also featured Maneesha Mithal, assistant director of privacy and identity protection at the FTC’s Bureau of Consumer Protection.
Twohig said the bureau believes that credit agencies should be examined for data security compliance and held accountable when negligence is revealed.
When asked by Sen. Elizabeth Warren (D-Mass.) why the bureau has not issued rules regulating credit agencies, Twohig responded that although the bureau has authority to make rules enforcing the Fair Credit Reporting Act (FCRA), it does not have authority under the Gramm-Leach-Bliley Act, which the FTC's Safeguards Rule implements, to regulate large credit bureaus with respect to safeguarding sensitive consumer information.
“The bureau’s rules are applicable to any person subject to the FCRA, except certain motor vehicle dealers,” Twohig said. “The bureau does not, however, have rulemaking authority (or supervisory or enforcement authority) under Sections 615(e) and 628 of the FCRA. These provisions direct the federal banking agencies, the National Credit Union Administration, the FTC, the Commodity Futures Trading Commission and the Securities and Exchange Commission to promulgate regulations relating to red flags and [the] disposal of records.”
Because a credit reporting agency is a covered person, the bureau also would be able to subject it to its UDAAP (unfair, deceptive, or abusive acts or practices) authority in a case involving data breaches or security, similar to what the CFPB did in its 2016 enforcement action against Dwolla.
Mithal backed up Twohig’s point regarding which agency has the regulatory authority to hold credit reporting bureaus accountable when breaches occur, noting that the FTC “has exclusive enforcement authority with respect to nonbank consumer financial services providers.”
However, Mithal also said the FTC could benefit from increased authority to pursue civil penalties in data breach cases where companies violate the law. Thus, the bureau would not have enforcement oversight over safeguarding information but could issue civil penalties, while the FTC can bring enforcement actions in security cases but cannot issue civil penalties, only redress for consumers.
Mithal also noted that the FTC’s Safeguards Rule “requires financial institutions, or companies that are significantly engaged in offering consumer financial products or services, to develop, implement, and maintain a comprehensive information security program for handling customer information,” and that such a plan “must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.”
Highlighting the fact that credit bureaus hold the most sensitive information about consumers of any entity, Mithal said it is on them to protect that information. The statement came in response to questions from Senate Banking Committee Chairman Mike Crapo (R-Idaho) about the data breach at Equifax, which compromised sensitive information belonging to more than 145 million people.
Ahead of the hearing, NAFCU Executive Vice President of Government Affairs and General Counsel Carrie Hunt wrote committee leaders in support of measures to strengthen the credit reporting system while increasing oversight to prevent major breaches.
“Negligent entities should be held financially liable for any losses that occurred due to breaches on their end so that consumers aren’t left holding the bag,” Hunt wrote. “When a breach occurs at a credit bureau, depository institutions should be made aware of the breach as soon as practicable so they can proactively monitor affected accounts. Furthermore, compliance by credit bureaus with GLBA [the Gramm-Leach-Bliley Act] and these notification requirements should be examined for, and enforced by, a federal regulator. Finally, any new rules or regulations to implement these recommendations should recognize credit unions’ compliance with GLBA and not place any new burdens on them.”
A letter endorsed by the American Bankers Association (ABA), the Consumer Bankers Association (CBA), the Credit Union National Association (CUNA), the Financial Services Roundtable (FSR), the Independent Community Bankers of America (ICBA), the National Association of Federally-Insured Credit Unions (NAFCU) and The Clearing House in the wake of the Equifax breach stressed the trades’ contention that there should be a national cybersecurity standard to hold companies that collect and store consumer data accountable. ICBA filed suit against Equifax in December 2017 in response to the breach.
“Data security breaches continue to put millions of consumers at risk, and protecting consumer information is a shared responsibility of all parties involved,” the trades wrote. “That is why the undersigned financial organizations and our members have supported comprehensive data protection and consumer notification legislation across several Congresses and have worked closely with key members of this committee and many others in the House and Senate to help advance this worthy cause.”
Sen. Tim Scott (R-S.C.) used the hearing as an opportunity to promote his bill, titled the “Credit Access and Inclusion Act of 2018” (S. 3040), introduced in June, which would amend the Fair Credit Reporting Act to allow certain consumer credit information to be reported to consumer reporting agencies in order to help individuals who are considered “credit invisible.”
Twohig said the bureau is interested in alternative scoring models, noting that “if that information is accurate and predictive” it could be the solution to providing more credit.