The Consumer Financial Protection Bureau (CFPB) recently issued a Notice of Proposed Rulemaking (NPRM) that would modify Regulation V, which implements the Fair Credit Reporting Act (FCRA), by adding restrictions to what is considered “permissible purpose.” Comments on the proposed rule are due March 3, 2025.
The NPRM proposes to update or add definitions to a variety of terms and also add some restrictions to the provision and use of credit reports. Those most affected by the proposed changes would probably be data aggregators and data brokers, but there may be some concerns for banks as well.
One change that is likely to affect banks is the change to the requirements for written permission from the consumer as a permissible purpose for a credit pull. Even where banks and other lenders have at least one other permissible purpose for a credit pull, it is common to obtain written permission as an additional basis for permissible purpose as part of a belt-and-suspenders approach to FCRA compliance.
For permissible purpose based on consumer consent, the NPRM would require a written disclosure stating which CRA the information would be pulled from, who will receive the report (which may not be more than one entity), the product or service for which the report will be furnished, including limitations on the scope of such use, and instructions for revoking consent, which may not be more onerous than the process for granting consent.
This disclosure would have to be provided segregated from other material, likely on a separate page, and therefore likely could not be included in the boilerplate language on application forms. Additionally, the written consent would be effective for no more than one year after the signature date.
Because written consents would have to be revocable, some risk may arise for banks that use written consent in addition to another permissible purpose. For example, if a bank pulls a credit report regularly to ensure that the customer still qualifies for a product, but, in an abundance of caution, also obtains written consent, there could potentially be UDAAP risk if the customer is informed in disclosures that they have a right to revoke consent.
Because the bank would have permissible purpose even without written consent, it could continue to pull credit even if the customer revokes, which may lead to allegations that the disclosure was misleading or deceptive. Additionally, because creditors are prohibited from charging fees or imposing penalties based on a customer’s decision to revoke, a bank would likely not be able to make the consumer’s consent a requirement for a particular product.
The NPRM also makes a clearly articulated effort to close loopholes that data aggregators and data brokers use to sell data for marketing purposes without following the procedures set out in Regulation V. Under the proposal, for example, a data aggregator that does not provide the information to a lender but instead sends out marketing material advertising the creditor’s products to consumers based on the creditor’s specifications, like income or credit use, would be considered a CRA even though the creditor does not receive the information.
The NPRM would similarly require permissible purpose for the sale of “credit header” information such as name, address, etc. and for the sale of de-identified data. The NPRM proposes several alternatives for de-identified data, ranging from the strictest proposal, which treats de-identification as irrelevant to whether the data constitutes a consumer report, to the most lenient, which treats de-identified data as a consumer report if it is linked or reasonably linkable to a consumer, it is used to inform a business decision about that consumer, or the recipient identifies the consumer. If the NPRM is implemented without substantial changes, the closure of these loopholes would probably significantly curtail the availability of curated marketing leads based on consumer behavior or credit profiles.
As always, please reach out to our Hotline staff with any questions or concerns you may have about current or future requirements under Regulation V, the FCRA, or other compliance matters.