The Consumer Bankers Association (“CBA”) recently published a letter it sent to the CFPB describing the information that banks typically use for identity verification and fraud prevention and addressing the impact of subjecting such information to the requirements of the Fair Credit Reporting Act (“FCRA”).

The letter is a response to CFPB Director Chopra’s recent remarks detailing proposed changes to the FCRA. Specifically, the remarks single out so-called “credit header data” – name, date of birth, and Social Security number – for future inclusion in the FCRA’s definition of what constitutes a “credit report.” The CBA’s letter is in response to Director Chopra’s request during those remarks for input and aid from industry participants in crafting the proposed rule changes.

As it is now, the FCRA establishes requirements for how a creditor or other furnisher of information to a credit bureau must respond to direct and indirect disputes involving credit report information appearing on an individual’s credit report. The FCRA also requires that any attempt to access a consumer’s credit report be made with a “permissible purpose.” By broadening the definition of credit report to include such “credit header data” the CBA warns that the CFPB could create substantial confusion as to a bank’s compliance obligations and call into question certain customary procedures. As the CBA letter describes, credit header information is routinely used by banks to verify a consumer’s identity in order to complete any number of transactions as well as to determine whether certain account-level information can be legally shared with an individual purporting to be the consumer. Furthermore, this credit header data is integral to most banks’ current methods of fraud prevention.

The CBA raises concerns that by subjecting such routine information to the FCRA’s requirements, the CFPB could substantially hinder banks’ routine identity verification and fraud prevention practices. Indeed, subjecting credit header data to the FCRA could have the unintended consequence of aiding would-be identity thieves. As the CBA notes, if – during the time sensitive initial investigations into whether a consumer is the victim of identity theft – a bank must “proactively identity a ‘permissible purpose’” before accessing an individual’s credit header data, the fraudster could have additional time to successfully complete any fraudulent transaction.

Ultimately, the CBA suggests that, as credit header data is already protected and regulated under the Gramm-Leach-Bliley Act (“GLBA”) and Regulation P, expanding the FCRA to cover such information is unnecessary. If it is ultimately included in the statutory definition of “credit report,” the CBA requests that the CFPB consider excluding the use of credit header data by banks for the purposes of identity verification and fraud prevention from coverage under the FCRA.