A hearing Thursday by the Senate Banking Committee that included testimony from the Bureau of Consumer Financial Protection (BCFP) and Federal Trade Commission (FTC) evidenced ongoing concerns regarding the security of the data collected by consumer reporting agencies – despite the credit freeze provision in the recently enacted financial regulatory reform law.
The Economic Growth, Regulatory Relief, and Consumer Protection Act, signed by the president in May, now requires credit reporting agencies (CRAs) such as Equifax – where a breach exposed the credit records of some 148 million consumers – to allow consumers to place a credit freeze without assessing them a fee. Senate Banking Chairman Mike Crapo, R-Idaho, said the provision offers one measure of security for consumers’ data in the wake of the breach, but Ranking Member Sherrod Brown, D-Ohio, said consumers still don’t have enough control over the collection and use of their sensitive data.
Brown highlighted in particular a recent news report on a company called Mariner Finance, which he said exploits a loophole in the Fair Credit Reporting Act (FCRA) to view consumers’ credit records without their permission, “and then targets them with scams.”
Crapo said Thursday’s hearing, “An Overview of the Credit Bureaus and the Fair Credit Reporting Act,” was an effort to explore what more can be done to protect consumer data.
Peggy Twohig, the BCFP’s assistant director of supervision policy, in her written testimony outlined the bureau’s role under the Fair Credit Reporting Act (FCRA) and the Dodd-Frank Wall Street Reform and Protection Act (Dodd-Frank) in supervising depository and non-depository institutions, including the nationwide CRAs and companies that furnish consumer data to these entities. During Q&A, she said the BCFP is also cooperating with the FTC in an investigation into the Equifax breach.
FCRA supervisory authorities are spread across a wide range of financial regulators. In her testimony, Twohig noted that Dodd-Frank authorizes the BCFP to assess compliance with requirements of federal consumer financial laws, and these include most provisions of FCRA. The FCRA, along with its implementing regulation (Regulation V), she noted, “imposes obligations on the compilation, maintenance, furnishing, use, and disclosure of information associated with credit, insurance, employment, and other decisions made about consumers.” Dodd-Frank also prohibits covered persons (which include many CRAs) or service providers from engaging in unfair, deceptive or abusive acts or practices (UDAAP), she said.
The bureau holds supervisory authority over CRAs that are “larger participants” in the consumer reporting market, and it set a rule in 2012 to define these. At the time, Twohig said, the bureau estimated that 30 companies that account for about 94% of the market’s annual receipts met that threshold. These include the nationwide consumer reporting companies, consumer report resellers and specialty consumer reporting companies.
As for FCRA provisions for which the bureau has no supervisory authority – red flag guidelines and provisions, and disposal of records – supervision rests with the federal financial institution regulators, FTC, the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC).
Maneesha Mithal, FTC’s associate director in the privacy and identity protection division, provided an overview of the FCRA and the commission’s longstanding role in implementing it, including through rulemaking and educational initiatives. She said the commission has taken more than 60 law enforcement actions against companies that allegedly engaged in unreasonable data security practices. She added that the FTC last year “took the unusual step of publicly confirming its investigation into the Equifax data breach due to the scale of public interest in the matter.”
Mithal also detailed findings of a 2012 FTC study on consumer credit reporting following enactment of the Fair and Accurate Credit Transactions Act (which amended the FCRA) and the Nationwide Consumer Assistance Program put in place by the three national CRAs in 2015 (following a settlement with 30 state attorneys general). During Q&A, she said the FTC could use more authority to assess civil penalties against those violating the credit reporting laws and rules.