In a new advisory opinion, the CFPB addresses the Fair Credit Reporting Act’s permissible purpose requirement as it applies to both consumer reporting agencies and users of consumer reports.
Consumer reporting agencies. FCRA Section 604(a) enumerates the circumstances under which a consumer reporting agency (CRA) may provide a consumer report to a user. These circumstances, set forth in Section 604(a)(3), include where the CRA has “reason to believe” that the user intends to use the report for one of the listed “permissible purposes.” Such purposes include where the user “intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving an extension of credit to, or review or collection of an account of, the consumer.” Another permissible purpose is where the user “has a legitimate business need for the information…in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.”
The CFPB states that it interprets the permissible purposes identified in Section 604(a)(3) to be “consumer specific,” meaning that “they apply only with respect to the consumer who is the subject of the user’s request—and a consumer reporting company may not provide a consumer report to a user under FCRA section 604(a)(3) unless it has reason to believe that all of the consumer report information it includes pertains to the consumer who is the subject of the user’s request.” In addition, a CRA may not provide a consumer report under Section 604(a)(3) “unless it has reason to believe that the user has a permissible purpose with respect to the consumer about whom the report is requested.” This also means, according to the CFPB, that a CRA may not provide a consumer report under Section 604(a)(3) “unless it has reason to believe that all of the consumers report information it includes pertains to the consumer who is the subject of the user’s request.”
In November 2021, the CFPB issued an advisory opinion that affirmed that the use of “name-only matching” by consumer reporting agencies, including tenant and employment screening companies, did not satisfy the FCRA requirement for a CRA ”to follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the [consumer] report relates.” “Name-only matching” means the matching of information by a CRA to a particular consumer who is the subject of a consumer report based solely on whether the consumer’s first and last names are identical or similar to the first and last names associated with the information, without verifying the match using additional identifying information for the consumer.
In the new advisory opinion, the CFPB goes a step further and states that “the use of poor matching procedures, such as name-only matching, can lead to violations of the FCRA’s permissible purpose provisions.” This is because a CRA using poor matching procedures “cannot rely on these procedures to form a reason to believe that all of the information it includes in a consumer report pertains to the consumer who is the subject of the user’s request.” As an example, the CFPB describes a scenario in which a CRA that conducts a public records search using name-only matching identifies one or more individuals with the same name as the consumer who is the subject of the user’s request and, instead of taking additional steps to match the information to the specific consumer who is the subject of the request, provides the user with a report containing a possible match or list of possible matches. According to the CFPB, in this scenario, the CRA has not formed a reason to believe that all of the information it includes in a consumer report pertains to the consumer who is the subject of the user’s request. By including information that identifies (even if not by name) consumers who are possible matches and consumer report information about those consumers (such as information bearing on creditworthiness), the CRA has provided consumer reports about those consumers to a user that does not have a permissible purpose to obtain them.
The CFPB also addresses the use of disclaimers by CRAs using matching procedures to warn users that the information on a consumer report may not belong to the consumer who was the subject of the user’s request. The CFPB states that a disclaimer “will not cure a failure to have a reason to believe that a user has a permissible purpose for a consumer report” and “will not change the fact that the consumer reporting company has failed to satisfy the requirements of 604(a)(3) and has provided a consumer report about a person lacking a permissible purpose with respect to that person.”
Users of consumer reports. Section 604(f) prohibits a person from using or obtaining a consumer report “unless…the consumer report is obtained for which the consumer report is authorized to be furnished under [FCRA Section 604]” and the purpose is certified in accordance with FCRA Section 607. The CFPB states that it interprets Section 604(f) “to provide that consumer report users are strictly prohibited from using or obtaining consumer reports without a permissible purpose.” The CFPB rejects the court decisions that have applied a “reason to believe” standard, stating that the plain language of Section 604(f) “clearly imposes a strict prohibition on using or obtaining a consumer report without a permissible purpose.” The CFPB’s interpretation appears to raise the potential for users to be held liable for FCRA permissible purpose violations resulting from a CRA’s matching procedures or mistakes. As a result, users will need to consider the impact of such potential liability on their selection and contractual relationships with CRAs. Notably, users have routinely relied upon the “reason to believe” standard – which the CFPB rejected – to defend against claims by consumers that it was an identity thief that applied for credit and triggered the user to make the credit inquiry.
Criminal penalties. In its background discussion, the CFPB highlights the potential for criminal liability arising from violations of the FCRA’s permissible purpose requirement. FCRA Section 619 imposes criminal liability on “any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses.” Section 620 imposes criminal liability on “any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to a person not authorized to receive that information.” (Except for one criminal matter mentioned on the Department of Justice’s website, we are not aware of any FCRA criminal prosecutions. The DOJ states that in 1998, it obtained the conviction of an individual in Colorado who had fraudulently obtained a credit report to use in a political campaign.)