Kim Phan, Dave Gettings, and Mark Furletti provide practical advice on how companies, especially fintechs, can operate without becoming a consumer reporting agency under the Fair Credit Reporting Act.
In this episode of FCRA Focus, hosts Kim Phan and Dave Gettings welcome Mark Furletti, co-leader of Troutman Pepper's Consumer Financial Services Regulatory practice. Mark shares his extensive knowledge on the Fair Credit Reporting Act (FCRA) and provides practical advice on how companies, especially fintechs, can operate without becoming a consumer reporting agency (CRA) under the FCRA. The discussion delves into the intricate definitions within the FCRA, common pitfalls, and best practices. Tune in to learn how to navigate the regulatory landscape and mitigate risks associated with consumer report information. Don't miss this insightful conversation packed with tips and real-world examples.
FCRA Focus: How to NOT Be Considered a CRA
Host: Kim Phan and Dave Gettings
Guest: Mark Furletti
Date Aired: November 19, 2024
Kim Phan:
Welcome, everyone, to the Troutman Pepper podcast, FCRA Focus. I'm Kim Phan, co-host of the podcast, along with my partner, Dave Gettings. Thank you for joining us today as we welcome our special guest, Mark Furletti, the co-leader of the Troutman Pepper Consumer Financial Service Regulatory practice.
Mark is a trusted advisor to our clients providing practical legal counsel advice to providers of financial services across numerous industries. Mark has an incredible breath of knowledge across many different consumer financial protection laws, just one of which is the Fair Credit Reporting Act. He regularly assists companies comply with FCRA, as well as navigating when the FCRA may or may not apply to specific products or services.
However, before we jump into that topic, let me remind you to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. While you're at it, head on over to Troutman.com and add yourself to our Consumer Financial Services email list which will allow you to get invitations to our webinars and receive our free alerts and advisories that we send out from time to time.
If you can't get enough of the FCRA and would like to take advantage of not just the free content we make available to our listeners but be interested in learning more about our subscription-based tracker service which provides information on federal and state regulatory and legislative developments, as well as summaries of FCRA case law on a weekly basis, as well as monthly roundtable discussions, please feel free to reach out. We can get you some additional information about that tracker service. We also cover topics such as debt collection and privacy and data security.
Now, setting all that aside, let's jump right into our topic for today. Mark, welcome. Why don't you tell our audience a little bit about yourself before we dive into the topic of how not to become a CRA?
Mark Furletti:
Thanks, Kim, and thanks for having me on the podcast. As you mentioned, I co-lead our regulatory practice. Most of the time, I spend advising fintechs and/or kind of other providers who are partnering with fintechs like banks or third-party service providers on requirements under the alphabet soup of consumer credit and consumer payments and general consumer protection laws, both at the federal and state level.
I also spend a fair amount of time advising folks on the Fair Credit Reporting Act and most of the time how not to become a CRA, unless someone is willing to undertake all of the obligations of a CRA.
Kim Phan:
Yes. You mentioned fintechs, and the reality is there are so many new and different innovative players that are entering the marketplace. Whether one of these companies is a consumer reporting agency and whether that company is providing consumer reports depends on some pretty circular definitions in the FCRA. How do you generally advise companies to try to untangle these definitions and figure out, navigate in between some of the somewhat archaic language that is attempting to be applied to modern-day online companies like fintechs?
Mark Furletti:
Yes. Kim, that's a really good question. What I do is I break the definition. I generally cut and paste the definition of consumer report and the definition of consumer reporting agency into a Word document or an email. Then I break it down into its, as I see it, 11 elements. Of these elements, two of them are circular, as you said. The definition of consumer report, a consumer report has to be provided by a “consumer reporting agency.” Then a consumer reporting agency has to be furnishing consumer reports.
The definitions are circular in that way, and so you can more or less read them together. If you strike out the two circular elements, it's roughly 9 or 10 elements that remain. The idea is if you don't want to be a consumer reporting agency or you don't want something to be a consumer report, then you have to break one of these elements. By breaking them, I mean not satisfy them.
Kim Phan:
Right. A consumer reporting agency, you are not a consumer reporting agency if what you're furnishing is not a consumer report. It’s not a consumer report if it's being furnished by something other than a consumer reporting agency, right?
Mark Furletti:
Exactly. Right. If we can just get out of one of the elements of the definition of consumer report or get out of one of the elements of consumer reporting agency, we can do either one of those things, not to do both. Then, generally speaking, we should not be deemed a CRA, and what we're providing should not be deemed consumer reports.
Dave Gettings:
Hey, Mark. This is Dave. I really like your quarter zip, by the way, and I wish we were recording this by video since it's one of the first quarter zip appearances of the fall. At a high level, for the listeners, what industries are we talking about? What types of business are these companies doing, no names, obviously, please, that puts them or at least at risk of asking the question of am I a CRA, am I not a CRA?
Mark Furletti:
Sure. Yes. That's a good question. Stepping back, whenever we have information that is being shared by one entity with another entity and the information relates to a consumer or consumer behavior, I think it's wise to ask the question might this be a consumer report, or might the person providing it be a consumer reporting agency? Particularly today, there are just innumerable fintechs that are out there, either selling products directly that should not be consumer reports because they're breaking an element. Or there's an array of events where fintechs and third parties are sharing information about consumers.
To give an example, so one would be I'm going to launch a fintech, and what I'm going to do is provide information. Let's say I have information about consumer's device IDs or about their IP address, and I'm going to sell that. We can discuss why I think that should not be deemed consumer report information, but someone should at least ask that question. Is this information that we're selling about consumers, could it be consumer report information? Could we be a CRA?
A different type of arrangement might be where a bunch of fintechs get together and say, “Hey, we want to share information as like a consortium on fraud.” Let's say fraud information about specific consumers or even credit losses about specific consumers. So then, again, those in that forming that consortium, someone should ask the question might the consortium, might they be a CRA? Might the reports that are being shared be consumer reports? You have to go through the factors because I could give you examples of cases where that would clearly be a consumer report and the consortium a CRA. I can give you examples where they clearly wouldn't be.
To answer your question, if you're sharing at any time we have this information sharing from one entity to another and it relates to consumers or consumer behavior, someone should at least ask the question are we covered and do the run to the analysis so that they can be confident that they're not. Or if they are, that they can comply with their requirements.
Kim Phan:
Right. The answer to that question depends on whether or not they're satisfying all the different elements of these definitions of the FCRA, the consumer reporting agency definition, the consumer report definition, which you mentioned to a certain extent, if you can break any one of these elements and not satisfy either one of these definitions, then you would not be considered a CRA.
When working with these various companies, Mark, do you often see a particular element being the one's most often focused on with regard to breaking these definitions? I'm assuming some of these elements are a little harder to break. If you're communicating information to a third party, that's pretty much going to happen across the board, so that's probably not the element you're trying to break. Are there other elements, ones that we think companies are able to rely on more often than others?
Mark Furletti:
Yes, for sure. One of the ones you can almost never break is a CRA means any person, so hard not to be a person. Another one that's really hard to break is for monetary fees, most people doing this generally are on a cooperative nonprofit basis. Most folks doing this are doing this for money, so those tend to be pretty hard to break.
The ones that we see broken most commonly would include serving as a factor in establishing the consumer's eligibility for credit. Two of the elements, the fourth and fifth element in my analysis is, is the information going to be used, expected to be used, or collected for eligibility determinations. If the answer is yes, then you might be a CRA if all the other elements are met.
The way you “break” this one perhaps is to disallow people, other folks that might be obtaining this information, from using it for eligibility determinations. Then you prohibit them from doing that so that you don't expect it to be used that way. When you collect it, you don't collect it for that purpose. Then you ensure that when it's used, it's not used for that purpose.
What might that look like? You might say to someone, “Here's a fraud tool, and the fraud tool is going to tell you the likelihood that this application for credit, let's say, is fraudulent.” But you're not allowed to use the tool to deny. What you might do is use the tool to put people into buckets for additional exploration or treatment to actually answer the question of whether or not you think it's fraudulent.
For example, you might say, “I'm going to put people based on this. Let's say it's a fraud score, and I'm going to put them in three buckets; the green bucket, the yellow bucket, and the red bucket. The green bucket, I'm not going to do anything with those folks. They're going to sail on through. Then the people in the yellow bucket, I might ask them to, let's say, validate or verify some piece of information that we know that they have like do they have a car loan or not or an out-of-wallet question or something along those lines.” Then the people who are in the red, you might ask them to send in or scan a copy of, let's say, a driver's license or a bank statement or something along those lines.
Then the determination of whether or not they get credit if they're in that yellow or red bucket, it turns totally 100% on how they respond to the follow-up request. It doesn't turn in any way on the original fraud score. In that sense, we'd argue that the fourth and fifth elements are broken, and that this product is not a consumer report, and the provider of it is not a CRA.
Another example might be the furnishing of reports to “third parties.” A consumer report is, it has to be provided to a third party. We have some clients that will provide reports to consumers themselves. In that case, the consumers themselves are not third parties, so you can break that element. Another element that's possible to break is assembling or evaluating. Let's say that all you do is take information from some data source, let's say a deposit account, and pass it through to third parties unfiltered without modification. There's an argument there that you have an assembled or evaluated the information depending on how it's presented. These are some examples.
I guess one final example, Kim, is a consumer report is on a consumer. Going back to what I was talking about earlier, if you have a report that, let’s say, is on a car, there's vehicle accident history reports, well, that shouldn't be a consumer report. Even though a consumer, the driver of that car, is probably the one who was at fault for the accident or is responsible for the accident, that is a report on a vehicle, not on a consumer. Likewise, you could argue that a report on an IP address or something on those lines is not a consumer report because it's a report on an IP address, again, not on a consumer. That's kind of, I'd say, one of the other ones that we commonly see broken.
Dave Gettings:
Mark, speaking from a litigator’s perspective, you mentioned user collected as one of the factors. I often get a sense that most clients have a pretty good sense of how their information is being used and can control that element fairly well with restrictions in the contract, with monitoring. But sometimes, they're surprised as to how the information is collected. Maybe they get it from a third-party source. Or maybe they've got a program where they've got an FCRA platform, and what they're trying to use is a non-FRCA platform and have to be concerned about how to split the data.
Do you often see the – also, just to finish out the litigator’s perspective, collected seems to be the element plaintiffs’ counsel will go to if they can't prove used. Do you see the collected factor come up a lot and client struggling to deal with it?
Mark Furletti:
Yes. I mean, this is where – I mean, normally, at least for the user, right? The provider can control why it's collected, right? On the provider side, when you're the one, let's say, selling this information, the ones that are hard to control is use because you can have a sense of how it’s expected to be used and why you collected it. But you don't know how it's going to be used.
You're right. On the opposite side, on the user side, you know how you use it, but you don't know why it was collected. If it was collected for eligibility terminations but then you don't use it, you think that you're breaking that element, let's say, it doesn't work. As you said, the plaintiff’s lawyer would possibly attack the collection's component of that. Yes. I think depending on whether you're the provider of the information or the recipient, any these three can be a little tricky, and you have to possibly engage in a discussion with your counterparty there to make sure that between you and the counterparty, we have all three of these nailed down and “broken.” We’re not using, not expect – there's no expectation to use any that wasn't collected.
Kim Phan:
Yes. It sounds like the devil is really in the details with regard to how these products and services are set up with how you contract with regard to end users on how they're using these products and services. Following up on Dave's litigation question, I mean, what if a company gets this wrong, right? What's the risk? Are we looking at litigation? Are we looking at regulatory enforcement from the CFPB, the FTC, or State AG’s? I mean, what are we seeing out there when companies are getting this wrong?
Mark Furletti:
I'd say yes to all of those, Kim. This can be bad. Next to the TCPA, and Dave could speak to this, as well as anybody, given –
Dave Gettings:
Do not get me started to the TCPA.
Mark Furletti:
Right. But the second best statute for a plaintiff’s lawyer after the TCPA, at least on the federal laws that we work on the most, is probably this one because you have these statutory damages for a willful violation of a hundred to a thousand dollars per violation. There have been efforts in Congress to align the FCRA with some of the other statutes in the Federal Consumer Credit Protection Act to make it more of like the lesser of one percent of the creditors’ net worth and/or a million bucks or 500,000 or whatever.
But the FCRA – that hasn't been done, so we have this pretty big willful violation penalty that can come into play that, of course, drives real interest on the part of the plaintiffs’ bar in the FCRA and in FCRA cases. There are firms that specialize in this area, and that's all they do is bring these kinds of lawsuits on behalf of consumers, both on an individual or class basis. Then on the CFPB side, you certainly have a fair amount of enforcement there as well or threats of enforcement. Then you have examinations and things. Yes, Kim, I think you can get hit from all angles on this one.
Kim Phan:
I just want to point out for our listeners. I'm sure there are some folks who are thinking to themselves, “Well, I'm not doing anything that even comes close to me being considered a CRA.” But the reality is there may be others, especially in the world of fintechs, where there's lots of parties working with each other. If they're working with a third-party vendor like a data aggregator who may or may not be considered a CRA going forward based on CFPB interpretation, right? I think I'm doing everything above board, and I'm using a data source who says, “We're not a CRA. Here's some data that you can use to make decisions about your consumers that we don't consider a consumer report.” If they get it wrong, what's the risk to me?
Mark Furletti:
Yes. I mean, that's a tough question. I think one answer, someone might argue that, well, it doesn't matter what you knew or didn't know if it was like, in that case, collected to serve as a factor in establishing the consumer's eligibility, and you bought it. Even though you did not use it for any other purpose, I think someone could argue that you violated the FCRA nonetheless.
Now, hopefully, in that case, you have an identity that might help you to some extent mitigate some of the damages of that, but that's not a great position to be in. I think what you want to do is in your agreement, if you're a recipient of this kind of information, you want to make sure that in your agreement that you have reps and warranties about exactly the nature of the product and indemnities and those things. I think in that scenario, Kim, I do think the recipient could have some exposure.
Dave Gettings:
Yes. Kim, from the litigators’ perspectives, there's a lot of potential risk for the “accidental user” who didn't realize they were using a consumer report. You could get a permissible purpose claim against you under 1681b. If you get a dispute and don't realize you have obligations under the Fair Credit Reporting Act because you didn't think you were subject to it, you could get hit with the 1681s-2(b) claim. If you're in the employment space, which is not what we've been discussing today, you've got pre-adverse action obligations. Not understanding you are receiving a consumer report because, frankly, it really isn't or shouldn't be, can put you into a whole host of questions you didn't see coming.
Kim Phan:
It seems like the question of whether or not a company is or is not a CRA is complicated at the least but fraught with danger at the most. Are there other best practices or advice that you would offer to our listeners, Mark, to help navigate this?
Mark Furletti:
I mean, look, I think most critical would be just raise the issue and ask the questions. You could – if you're the provider, you may want to consider having some canned responses that you can provide to a user or a potential recipient to give them comfort, so they understand where they stand. If you're the recipient, you might want to ask some questions about this, just so ideally before – if we have a situation where consumer information is going to be provided from A to B, A and B should both be on the same page as to whether or not it constitutes consumer report information. There should be in their agreement this – the agreement between A and B should address this issue, and the party should be clear. If there's any lack of clarity, the parties should discuss it with each other. I'd say that's the most critical.
At the outset, someone asking the question is probably the most important thing. I would just say I'd err on the side of asking the question, even if it initially might seem stupid to ask the question, just because you'd rather be safe in this area than sorry.
Kim Phan:
Sounds good. Dave, any last thoughts from you?
Dave Gettings:
No. The quarter zip is just really, really helping me on this podcast.
Kim Phan:
Mark, thank you so much for coming on the podcast today and sharing your insights with us. I'm sorry that the audience can't see your quarter zip. Thank you to our audience for tuning into today's episode. If you enjoyed today's podcast, please let us know by leaving a review on your podcast platform of choice. Of course, stay tuned for our next episode of the FCRA Focus podcast. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.