Earlier this week, the Federal Trade Commission ("FTC") withdrew its Statements of General Policy or Interpretations under the Fair Credit Reporting Act ("FCRA"),1 which includes the FTC's Commentary on the Fair Credit Reporting Act ("Commentary"). See 16 C.F.R. pt. 600. In addition, the FTC released a staff report—"Forty Years of Experience with the Fair Credit Reporting Act"—providing background on the FTC's role in connection with the FCRA, as well as compiling and updating the FTC's interpretations from the Commentary.2
The FTC withdrew its Commentary and issued its staff report one day before the "Designated Transfer Date," the appointed day on which the Consumer Financial Protection Act ("CFPA") became effective, and authority to enforce and administer the various consumer credit protection laws, including the FCRA, transferred to the new Consumer Financial Protection Bureau ("CFPB").
BASIS FOR REMOVAL OF COMMENTARY
In May 1990, the FTC issued its FCRA Commentary to "give clear advice on important issues" related to the FCRA. The Commentary has historically provided broad guidance on how the FTC believed that the FCRA should be interpreted, and for twenty years has served as a critical source of guidance for practitioners, courts, and other regulators.
The FTC's stated basis for removing its Commentary was twofold. First, the FTC highlighted that, since the Commentary was initially issued in 1990, the FCRA has been amended multiple times. The various changes, as well as the passage of over twenty years, have made the Commentary "become partially obsolete."
In addition, the FTC noted that the recently enacted CFPA significantly altered the FTC's role in connection with the FCRA. According to the FTC, the CFPA, which became effective yesterday (July 21), transferred much of the FTC's authority under the FCRA to the new CFPB, and the FTC stated that it "does not believe that it is appropriate to [also] transfer the Commentary given its staleness."
As it happens, however, the only FTC authority transferred to the CFPB is the authority to make several of the rules required of the FTC under the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), Pub. L. No. 108-159, 117 Stat. 1952 (2003), such as the Risk-Based Pricing Rule and the Free Credit Report Rule. The FTC retains its enforcement authority under the FCRA, which, in point of fact, is the only authority that the FTC has had with respect to the FCRA since the statute's enactment in 1970, at least until the advent of the FACT Act in 2003. Moreover, the FTC has not had the authority even to issue interpretations, such as the Commentary, since at least 1996, when Congress pointedly gave interpretive authority to the Federal Reserve Board, but did not extend such authority to the Commission. (This interpretive authority was subsequently withdrawn in 1999, when the banking agencies, but not the FTC, were given general rulemaking authority under the FCRA.) Nonetheless, the FTC's Commentary, whether properly authorized or not, has been the only substantial source of regulatory guidance under the FCRA since the statute's inception. The FTC's withdrawal of the Commentary, without notice or the opportunity for public comment, on July 20, one day before the regulatory upheaval of the Designated Transfer Date, was not welcome and not necessary.
FTC STAFF REPORT
The FTC's staff report deletes and modifies several FTC interpretations that were included in the Commentary, as well as adds several new interpretations. While we have not yet been able to conduct a comprehensive review of the various FCRA interpretations included in the staff report, some highlights include the following:
- Joint Users – The FTC replaced the Commentary discussion of "joint users" with a discussion that focuses on the consummation of a loan transaction regarding which two lenders are sharing a consumer report (without using the term "joint users"). Specifically, the FTC stated that a creditor would not become a consumer reporting agency by disclosing consumer report information about a loan applicant "to an entity that must participate in the transaction in order for it to be completed (e.g., if the creditor communicates with an actual or potential loan insurer or guarantor to determine whether the entity would issue its insurance or guaranty to the holder of an obligation)." Moreover, the FTC stated that, in these circumstances, "where the transactions are mutually dependent upon one another, the creditor's purpose is to use the report information to consummate the loan transaction for which the consumer applied."
- Account Review Permissible Purpose – The FTC stated that in order for a creditor to have a permissible purpose to obtain a consumer report to review an account, the creditor "must have an existing credit account with the consumer and must use the consumer report solely to consider taking action with respect to the account (e.g., modifying the terms of an open end account)."
- Prescreening – The FTC updated its discussion of prescreening to address the 1996 amendments to the FCRA that expressly permit such practice, as well to address relevant case law in this area. For example, the FTC stated that the FCRA prescreening provisions do not permit a person to obtain a consumer report "in situations not involving an actual offer of credit or insurance, such as where an apparent offer of credit is actually a sham used to engage in the targeted marketing of a non-credit product, or is some other guise to obtain a consumer report for an impermissible purpose." In order to distinguish between an actual firm offer and a "sham offer," the FTC stated that the entire transaction must be considered, including the type of credit offered, the purposes for which the credit may be used, including whether the credit is restricted to the financing of a non-credit product marketed jointly with the credit, the likelihood that the credit would be adequate to achieve those purposes, and whether any consumers applied for and received the credit. Finally, the FTC stated that the FCRA does not require a lender in its prescreened solicitation "to disclose the terms of the credit" the consumer will receive in order for the solicitation to be considered a "firm offer."
- Commercial Transactions – The FTC addressed the ability of a lender to obtain a consumer report in the context of a commercial transaction. Specifically, the FTC stated that a lender has a permissible purpose to obtain a consumer report relating to a consumer in connection with a business credit transaction "when the consumer is or will be personally liable on the loan as a co-signer or guarantor, because such a transaction involves the 'extension of credit to ... the consumer' by virtue of the individual's liability." Nonetheless, the FTC stated that a lender would not have a permissible purpose when the consumer would not be personally liable for repayment of the credit, even if the consumer is "an individual proprietor, shareholder, director, or officer of a corporation."
- DMVs – The FTC rejected its former interpretation in the Commentary that a state Department of Motor Vehicles providing motor vehicle reports for insurance underwriting could be a consumer reporting agency subject to the FCRA.
CFPB'S NEW FCRA ROLE
The CFPA did, in fact, remake federal agency jurisdiction under the FCRA. Existing general rulemaking power, which has heretofore been diffused among the federal banking agencies, transferred to the CFPB on the Designated Transfer Date of July 21, 2011. The Bureau will have general rulemaking authority under the FCRA, which rules will apply to all persons subject to the FCRA, "notwithstanding the enforcement authorities granted to other agencies under" the FCRA.
In addition, the CFPB is solely responsible for prescribing many of the specific rules required by the FACT Act, including rules regarding the provision of free credit reports to consumers, the use of medical information by lenders and the sharing of medical information among affiliated companies, the receipt of address discrepancy notices by users of consumer reports, prescreen opt-out notifications, the provision of risk-based pricing notices to consumers, the establishment of procedures regarding the furnishing of accurate information to consumer reporting agencies, the receipt of disputes directly from consumers, the provision of negative information to consumer reporting agencies, and certain definitions relating to the rights of identity theft victims. Rules regarding the receipt and use of information for marketing purposes by affiliated companies will be made by the CFPB in conjunction with the federal securities regulators. Importantly, however, the authority to make regulations to prevent and mitigate identity theft (the so-called "Identity Theft Red Flags Rule") under FCRA section 615(e) and to require the proper disposal of consumer report information under FCRA section 628 will remain with the FTC, federal banking agencies, and federal securities regulators.
The CFPB will enforce the FCRA and its implementing rules against banks with more than $10 billion in assets, but functional regulators will enforce these provisions against other regulated entities, and the CFPB and FTC will share residual jurisdiction. More specifically, the CFPA amended the FCRA to provide the CFPB with general enforcement power "with respect to any person subject to this title," but the FTC continues to maintain its general enforcement jurisdiction under the FCRA as well. Thus, as a practical matter, the CFPB and the FTC appear to share residual enforcement jurisdiction under the FCRA.
The CFPB, however, only has jurisdiction with respect to consumer reports used in connection with offering consumer financial products or services, such as loans and deposit accounts, meaning that the CFPB appears to have no authority over consumer reporting agencies that do not provide consumer reports in connection with consumer credit or deposit transactions, for example, consumer reporting agencies that provide employment background reports, insurance underwriting reports, tenant screening reports, and reports used in connection with government licensing or benefits decisions. Nor does the CFPB have enforcement authority over persons, such as landlords and insurance companies, that use consumer reports in connection with non-credit or deposit-related transactions. See, e.g., CFPA § 1027(f) ("the Bureau shall have no authority to exercise any power to enforce this title with respect to a person regulated by a State insurance regulator").
Footnotes
1. While the FTC's notice has not yet been published in the Federal Register, the text of the notice is available at http://www.ftc.gov/os/fedreg/2011/07/110720fcrafrn.pdf.
2. The FTC's report is available at http://www.ftc.gov/os/2011/07/110720fcrareport.pdf.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved
