Chamber Urges Withdrawal of CFPB's Proposed Rule on Data Broker Practices

To Whom It May Concern: 

The U.S. Chamber of Commerce (“Chamber”) appreciates the opportunity to submit comments to the Consumer Financial Protection Bureau (“CFPB”) regarding its Proposed Rule on Protecting Americans from Harmful Data Broker Practices (Regulation V) (the “Proposed Rule”).^[1]

As enumerated below, we believe that the CFPB should withdraw the Proposed Rule for the following reasons:

·       The Proposed Rule would harm consumers and other stakeholders.

·       The Proposed Rule would exceed the CFPB’s legal authority.

·       The CFPB should work with its regulatory partners to achieve its goals in this field through the enforcement of existing laws and regulations.

The Proposed Rule would significantly and irrevocably alter the use of data in the marketplace and the financial markets. It would cause harm to consumers and other stakeholders by heavily restricting or eliminating efforts to provide key services to consumers, including fraud prevention and detection and identity theft programs. The Proposed Rule would also significantly increase compliance costs, especially for entities that would be deemed a Credit Reporting Agency (“CRA”) for the first time under the Proposed Rule. In addition to its harmful impacts, the Proposed Rule exceeds the CFPB’s statutory mandate under the Fair Credit Reporting Act (“FCRA”) by ignoring the text of the statute and running afoul of First Amendment protections. And while the FCRA certainly incorporates privacy protections for consumer reporting data, the FCRA is not a broad privacy law in the way the CFPB attempts to use it in the Proposed Rule. For these reasons, the CFPB should withdraw the Proposed Rule. 

Consumer data plays a critical role in the modern economy. Financial institutions and other companies use consumer data in fraud prevention efforts. Companies use consumer data to verify the identities of consumers seeking to make transactions in the marketplace, to provide consumers more tailored products, and to reduce risk for consumers and the market. Law enforcement uses consumer data for purposes that include locating missing children and arresting suspected criminals. Data brokers, including those offering products and services not regulated by the Fair Credit Reporting Act (“FCRA”), play an important role in providing the products and services. In doing so, data brokers help consumers receive better-tailored and lower-priced products and services across a wide range of contexts—all while subject to a range of different regulatory schemes. 

The CFPB now would impose its own vision of how the data economy should operate, disregarding both market forces and the policy judgments reflected in governing law. To do so, it would unmoor the FCRA from its intended purpose and transform it into a general-purpose privacy statute by, among other actions:   

·       Greatly expanding the circumstances in which types of activities conducted by a data broker and third-party use of information provided by a data broker will subject that data broker to the FCRA;

·       Substantially expanding the types of information to be treated as a “consumer report” subject to the FCRA; and

·       Imposing unworkable requirements upon certain customer disclosures and consents. 

These and other significant changes contemplated by the Proposed Rule would significantly disrupt the data broker marketplace and harm consumers. Unintended consequences of the Proposed Rule would include increased fraud, limitations on lawful uses of data by law enforcement, a less seamless transaction experience, and higher costs for consumers. Further, the Proposed Rule would have a chilling effect on the willingness of creditors to extend credit, resulting in reduced competition and a reduction in credit access. These impacts are incompatible with the purpose of the CFPB to “ensur[e] that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent, and competitive.”^[2]

Moreover, the Proposed Rule would overstep the CFPB’s rulemaking authority under the FCRA. The CFPB may prescribe rules “as may be necessary or appropriate to enable the [CFPB] to administer and carry out the purposes and objectives of” the FCRA.^[3]

However, this authority does not allow the CFPB to override the statutory text of the FCRA or otherwise act contrary to Congress’s intent.^[4]

[4] 5 U.S.C. § 706(2)(B).

Because the Proposed Rule ignores the purpose of the FCRA and contradicts its plain text, it would not be upheld if challenged in court.^[5]

[5]See, e.g., Freeman v. Quicken Loans, Inc., 566 U.S. 624, 629-30 (2012).

               I.         The Proposed Rule would harm consumers and other stakeholders. 

Consumers derive enormous benefits from data-driven services. Data that are not considered “consumer reports” under the FCRA, including certain credit header data, are used in numerous ways to protect consumers, improve their access to the financial system, and to deliver them cutting-edge products across sectors. The communication and use of such data, when done in accordance with existing law and regulation, is critical to the ability of companies to develop fraud, risk, and identity tools to protect consumers and businesses. Without the exchange of data as permitted under the FCRA, Regulation V, the Gramm-Leach-Bliley Act (“GLBA”), and other laws, companies would not be able to provide these important services in a cost-effective way. Ignoring these benefits, as well as substantial concerns raised during the rulemaking process, the Proposed Rule would make it significantly harder, if not impossible, to offer products and services that rely on data that is not considered a “consumer report” under the FCRA and Regulation V. As a result, the Proposed Rule would result in significant negative consequences and harm consumers. 

a.     The Proposed Rule would negatively impact tools used to prevent, detect, and prosecute financial and non-financial crime. 

Consumer data plays a significant role in preventing, detecting, and preventing both financial and non-financial crimes. Among other uses, consumer data is used as a part of identity verification, the detection and prevention of fraud, compliance with Know Your Customer (“KYC”) requirements, and supporting the efforts of law enforcement to prevent crime and locate missing persons.

Expanding the definition of “consumer report” in Regulation V to include all credit header data, credit history data, credit score data, debt payment data, income and financial tier data, and potentially de-identified data, as in the Proposed Rule, could prevent financial institutions from using the data for the essential anti-fraud purposes for which it is used today. Credit header data, for example, plays an important role in preventing fraud by helping companies determine whether certain data have been associated with previous fraudulent applications, bankruptcies, or reported identity theft. The protections afforded by existing identity theft and fraud prevention and detection tools would be weakened if all credit header data were required to be treated as a consumer report. Significantly, the CFPB suggests that companies could achieve these theft and fraud prevention goals by collecting data from alternate sources, but fraud prevention and detection are not permissible purposes under the FCRA. As a result, the Proposed Rule would significantly weaken existing fraud prevention and detection tools. Further, alternate sources of data simply do not have the same accuracy, comprehensiveness, or timeliness as credit header data. To the extent businesses and financial institutions need to utilize data from alternative sources that may not be as accurate, the Proposed Rule could also frustrate the consumer experience and result in increased fraud.

Continue Reading Here

---

^[1]

See CFPB, Proposed Rule; Protecting Americans from Harmful Data Broker Practices (Regulation V), 89 Fed. Reg. 101402 (Dec. 13, 2024), https://www.federalregister.gov/documents/2024/12/13/2024-28690/protecting-americans-from-harmful-data-broker-practices-regulation-v (hereinafter “Proposed Rule”).

^[2]

12 U.S.C. § 5511(a).

^[3]

Id. §§ 5512(b)(1), 5481(12), 5481(14).

^[4]

5 U.S.C. § 706(2)(B).

^[5]

See, e.g., Freeman v. Quicken Loans, Inc., 566 U.S. 624, 629-30 (2012).