As the Consumer Financial Protection Bureau (CFPB) prepares a proposed rule expanding the scope of the Fair Credit Reporting Act (FCRA), multiple trade organizations are urging the agency to exempt processes used for fraud detection and identity verification.
The letter – endorsed by the Consumer Bankers Association, the Consumer First Coalition, and the Electronic Transactions Association – stressed “the importance of detecting and stopping fraud and protecting consumers from the harms of identity theft.”
Based on an outline of the forthcoming proposal, provided in accordance with the Small Business Regulatory Enforcement Fairness Act (SBREFA), the trades expressed concerns the new rule “could subject identity verification and fraud detection processes and the data used therein, credit header data, to the regulatory framework of the FCRA.” This, they contended, could expose consumers to greater identity theft risk and “create conflicts with existing financial regulatory obligations beyond the scope of FCRA.”
The CFPB’s SBREFA outline included several lines addressing how the bureau envisions FCRA provisions applying to identity verification and fraud protection processes. Many pertain to potential liabilities to be assigned to “data brokers” who buy and sell consumer data for various purposes, including targeted marketing strategies.
“The CFPB understands that some consumer reporting agencies may operate consumer reporting databases without adequate or reasonable data security safeguards, exposing consumer report data to unauthorized access and increasing the risk of identity theft, fraud, and other consumer harms,” the CFPB wrote in its SBREFA outline. “The CFPB is aware that unauthorized users have gained access to consumer reports maintained by consumer reporting agencies on a number of occasions. The CFPB is considering a proposal to address a consumer reporting agency’s obligation under the FCRA to protect consumer reports from a data breach or unauthorized access. For example, the CFPB is considering providing that failure to protect against unauthorized access to consumer reports by third parties may violate FCRA sections 604 or 607(a).”
The trade groups argued that applying FCRA requirements to these non-credit-related matters could lead to more data breaches and more fraud.
“An overly broad expansion of FCRA will harm the very consumers the FCRA and CFPB exists to protect as the consumer protections in the FCRA will be extended to identity thieves,” the trades wrote. “It will be more difficult and burdensome for financial institutions to verify a consumer’s identity, and the financial institution would effectively be required to share the true consumer’s private information with the thief upon request.”
From a compliance standpoint, such processes are necessary for institutions to fulfill regulatory requirements such as those mandated by Bank Secrecy Act/Anti-Money Laundering (BSA/AML) statutes and regulations.