The CFPB recently published an advisory opinion regarding the circumstances under which a credit report may be issued or used pursuant to the Fair Credit Reporting Act (FCRA). Commonly referred to as “permissible purposes,” the CFPB holds the position that obtaining or using a credit report without a permissible purpose is strictly prohibited. This advisory opinion is dually aimed at both consumer reporting agencies that generate credit reports as well as institutions that use credit reports in connection with applications for credit, insurance or employment.
Congress enacted the FCRA in part to ensure that consumer reporting agencies respected consumers’ rights to privacy. The FCRA generally accomplishes this by limiting access to a consumer’s credit information, operating under a general principle that this information may not be provided to third parties unless an exception to the general principle applies. The list of permissible purposes in Section 604 of the FCRA function as exceptions and allow this sensitive credit information to be shared with third parties.
In the section applicable to consumer reporting agencies, the CFPB details the importance of properly identifying the consumer about whom information is requested. The example cited is the insufficiency of using a name-only match which has the tendency to generate information related to multiple consumers, not just the one on whom information was sought. This practice is prohibited by the FCRA because it involves providing the information of consumers for whom the requesting institution did not have a permissible purpose to obtain credit information. For example, if an institution is allowed to submit a request for “John Smith” only, without any other identifiers such as social security number, information belonging to other individuals with the same name will be captured by this same search, and any other John Smith whose information is disclosed to a third party would not be done under a permissible purpose, which would therefore be a violation of the Fair Credit Reporting Act. The takeaway for consumer reporting agencies is clear: improve your matching processes to avoid FCRA violations.
In the section applicable to users of credit reports, the CFPB states that credit reports are prohibited from being used without a permissible purpose. The confusion surrounding the duties of users of credit reports seems to stem from the fact that the FCRA initially did not contain a prohibition aimed at users of credit reports, and only in 1996 was the FCRA amended to include prohibitions on the use of credit reports without a permissible purpose. As might be imagined, pre-1996 court cases established judicial precedent related to the topic, which isn’t easily overcome. The advisory opinion suggests that although some courts still rely on this pre-1996 precedent to apply a “reasonableness” standard when it comes to permissible purpose and users of credit reports, that this interpretation by courts is incorrect and users of credit reports are required to have a permissible purpose. The takeaway is, then, this: to use a credit report without a permissible purpose would violate a consumer’s right to privacy and undermine one of the very purposes of the Fair Credit Reporting Act, so this should be avoided, and institutions should be certain of their permissible purpose in obtaining and using a consumer’s credit report for any purpose.