Kim Phan, Dave Gettings, Chris Willis, and Cindy Hanson explore the recent withdrawal of Consumer Financial Protection Bureau (CFPB) guidance affecting the Fair Credit Reporting Act (FCRA).
In this special crossover episode between FCRA Focus and The Consumer Finance Podcast, Kim Phan, Dave Gettings, Chris Willis, and Cindy Hanson explore the recent withdrawal of Consumer Financial Protection Bureau (CFPB) guidance affecting the Fair Credit Reporting Act (FCRA). This episode provides a comprehensive analysis of how these changes impact key areas such as preemption, background screening, permissible purpose, artificial intelligence, and state attorneys general enforcement actions. The discussion highlights the implications for consumer reporting agencies, furnishers, end-users, and the broader regulatory landscape, offering valuable insights for professionals navigating these evolving challenges. Tune in to understand the potential shifts in compliance and enforcement.
FCRA Focus x The Consumer Finance Podcast — Regulatory Rollback: Inside the CFPB’s FCRA Guidance Withdrawal
Hosts: Dave Gettings, Kim Phan, Chris Willis, and Cindy Hanson
Date Aired: June 10, 2025
Kim Phan:
Welcome back to the FCRA Focus podcast. I'm here today with my co-host, Dave Gettings, and some of our distinguished partners, who specialize in various aspects of the FCRA, Chris Willis and Cindy Hanson, to talk about the recent withdrawal of CFPB guidance, including a number impacting how to interpret the FCRA.
However, before we jump into that, let me remind you to visit and subscribe to our blogs, TroutmanFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. While you're at it, head on over to Troutman.com and add yourself to our consumer financial services email list, that'll allow you to get invitations to our webinars, receive our alerts, and advisories that we send out from time to time. But if you're one of those listeners who just cannot get enough of the FCRA, I would encourage you to explore our subscription-based tracker service, which provides information on federal and state regulatory and legislative developments, as well as summaries of FCRA case law on a weekly basis, as well as a monthly roundtable discussion of all of our subscribers to talk about the latest trends and developments. These tracker services can also cover other topics as well, including debt collection and privacy and data security. Feel free to reach out to me if you'd like to learn more about those services.
Now, jumping right in. Dave, would you like to introduce our guests?
Dave Gettings:
I would love to. Thanks, Kim. Appreciate the introduction. So, here with us today is, first, Chris Willis. He is the co-leader of the Consumer Financial Services Regulatory Practice Group at Troutman Pepper Locke, and an avid water skier, which we were discussing before the podcast. I've actually never seen him water ski, but I know he knows how to drive the boat. So, I will say, he's an avid water skier, boat driver. And Chris, is it sometimes water skier or always water skier?
Chris Willis:
Well, it's actually wake surfing, Dave.
Dave Gettings:
I totally got that wrong.
Chris Willis:
Water skiing is a little hard on my older body, but I do drive the boat for my wife to surf also, and my kids.
Dave Gettings:
Okay. So, I got it like half right. But thank you, I appreciate that. Then, with us is also Cindy Hanson, who, like me, is a suffering New York Giants fan. When she's not complaining about our quarterbacks or the lack thereof, she's defending class actions with a particular focus on the FCRA and privacy. Cindy, do you also water ski or just drive the boat?
Cindy Hanson:
I water-skied in my younger days. I haven't in a pretty long time. It's pretty hard on my back, so I don't do it anymore.
Dave Gettings:
We are all getting very old, it sounds like. All right. Well, Cindy, we're going to start with you and talk a little bit about preemption and the CFPB's recent withdrawal of its guidance related to preemption. So, rather than ask you a really artful question about it, I just want to jump right in. What is going on with the CFPB's withdrawal on its position regarding preemption?
Cindy Hanson:
Thanks, Dave, and hi to everybody. So, preemption is a very important issue under the Fair Credit Reporting Act. Obviously, when the Fair Credit Reporting Act was passed 50-plus years ago, one of the things that was of paramount importance to the consumer reporting agencies that were governed by the Fair Credit Reporting Act is that we would have a uniform system across 50 states. So, the theory was, we would have federal law that would apply to what the obligations of a consumer reporting agency are, what can and cannot be in a consumer report and other specific issues. But it would be one-size-fits-all across the United States.
There are preemption sections in the FCRA. They do not cover the entire field. Everyone understood that. But for a very long time, they were broadly interpreted and the states pretty much didn't do much. I would say, in the last five to 10 years, we began to see some states start to pass some laws related specifically to trying to limit further what could go into a consumer report. So, certain types of criminal records, even if they were convictions, which under the FCRA can be reported indefinitely. There were limitations put on those, or as some of you may have heard, states have been trying to put limitations on medical debt or on course debt.
Originally, when the industry would file suit that these statutes were preempted, they largely met with pretty good success. And so, a couple of years ago, the CFPB in 2022, there was some litigation going on about preemption. And the CFPB put in this interpretive rule that basically said, "FCRA preemption is very narrow," and that it only applies to those provisions of the FCRA that are specifically enumerated, and even if it is specifically enumerated, then, only to the extent that the preemption section actually referred to the issue that was the subject of the preemption litigation. So, this interpretive rule really emboldens state legislatures, and frankly, some courts to push the envelope on preemption, and to find more and more state statutes were not preempted.
The withdrawal of this interpretive rule, which was very important to industry, we think should help in efforts to go back to a uniform structure of the Fair Credit Reporting Act and a one-size-fits-all, that if you can report certain information under the FCRA, then it should be reportable throughout the United States. One of the things that my lobbying friends would hear is when they would go to state legislatures and try to talk to them about statutes that they believe or bills that they believe were preempted, state legislators were very quick to point to this CFPB interpretive rule. So now, with its withdrawal, hopefully we will hear less about it.
The CFPB's position on preemption, as I said, was quite narrow and it gave a reading that I don't think any of us ever envisioned when we were reading the preemption sections of the FCRA. So, I think more to come on this, but to the extent that we have states really pushing the envelope, this is one less thing they can point to, to try to argue that their proposed legislation is not in fact preempted. Dave, I think it will be interesting to see what comes. There is some pending litigation right now on some preemption issues. I think it will be interesting to see what comes if the courts now, that this interpretive rule has been withdrawn, recognize that the CFPB likely overstepped its bounds with this interpretation.
Dave Gettings:
Yes. Something I've been wondering on this withdrawal, and frankly, all the withdrawals, is whether the courts are going to continue to look to the guidance as a guide, so to speak, even if they can't cite you it. Because they think, "Oh, this was the CFPB's opinion before the Trump administration. So, we're going to continue looking toward it, even if it's not binding or not official rulemaking," so to speak.
Cindy Hanson:
My view on that is it's going to be what the judge in that circumstance, what he or she wants to rule, and does the withdrawn guidance, whatever it may be, help or hurt them. So, I think they will cite to withdrawn guidance when it helps them, and they will cite to the fact that it was withdrawn in other circumstances. Maybe I'm a little skeptical here. My view is, they will use it, it helps the position that they're trying to substantiate.
Dave Gettings:
Like every jaded litigator probably saying.
Cindy Hanson:
Exactly.
Kim Phan:
Well, Dave, I know that from Cindy's guidance that she just talked about, it's very broad base, and we'll have, I'm sure, serious implications. I'm looking more narrowly at just the background screening space. I know that there were a couple of big retractions there as well with regard to matching, and the content of background screening reports. Can you touch on that a little bit?
Dave Gettings:
Yeah. Absolutely, Kim. Thanks. The two areas in background screening that I think were most interesting on the withdrawal were both matching and the content of consumer reports. First, with respect to matching, way back in November of 2021, the CFPB issued its advisory opinion on name-only matching. In that opinion, it really waded into what was a heavily litigated space on what were proper matching procedures for consumer reporting agencies. And these matching procedures are the procedures the CRA follows deciding whether a public record is a match to the consumer who is the subject of the report, which could lead to the CRA, then, including that record on the report.
So, in November 2021, the CFPB stated that it's been a consistent view of the Bureau that name-only matching is not a procedure that assures maximum possible accuracy. So, the CFPB went on to say, that consumer reporting agencies that use name-only matching violate the FCRA. So, effectively, what that meant is, the CRA had branded it, violative of the FCRA. If you've got a public record that's on John Smith, to use one of the most common names I could think of, and the report is on John Smith, and you match John Smith to the public record, John Smith, just with the name.
Now, in practice, that is really not happening very often, because CRAs do generally have much more sophisticated matching algorithms, but the CFPB waded into the space nonetheless. The withdrawal of the guidance does not mean CRA should start using name-only matching. In fact, I don't think that's going to occur. But as Cindy mentioned, the withdrawal of the guidance does at least take away that argument for the consumer's bar, pointing to the advisory opinion. The other area that I think was pretty interesting and also really in a hotly litigated space was on the content of the consumer report. There, the CFPB really threw a grenade into several significant issues on content.
So, the first was, in order to again maintain reasonable procedures to ensure maximum possible accuracy, the CFPB started discussing things that a CRA couldn't do or must do, so to speak. First, the CRA to prevent duplicative reporting of public record information needed to have procedures to ensure that it wasn't re-reporting multiple entries on the same conviction or the same landlord tenant record. The second was the CFPB advised that a CRA must report available disposition information related to arrest or criminal records. So, in other words, even if you are accurately reporting the arrest or accurately reporting a criminal record, if there was disposition information, the CRA had to continue reporting it. So, dismissed, for example, had to be there according to the CFPB. Then, another one that was, I thought, even more controversial, frankly, the CFPB opined that you could not report sealed or expunged public records, or really any public record that the CFPB envisioned was no longer in public view.
There's a lot more interesting tidbits out there about that guidance, but the 60,000-foot view, each of those areas on matching and on content of public records, that the CFPB waited into in November 2021. And then, later in January 2024 have now been withdrawn by this recent guidance. So, Kim, I'm going to continue talking, but I'm going to ask a question to you now related to permissible purpose. So, let's talk a little bit about the CFPB's guidance that it's withdrawn on permissible purpose.
Kim Phan:
Well, it actually flows directly from that guidance you were just talking about, the name matching. So, great segue to this issue.
Dave Gettings:
It's almost like we planned that, Kim.
Kim Phan:
In July of 2022, there was an advisory opinion that built on that prior name matching guidance, that essentially said, that when you use name matching only, you're not forming a reasonable belief under the FCRA for a consumer reporting agency to provide information that they know is about the consumer who is the subject of the request. The CFPB noted that even if a CRA said something along the lines of, "Hey, just so you know, we use name matching only. Some of the information we're providing could be a false positive, just keep that in mind," those types of disclaimers, according to the prior CFPB guidance was not enough to cure the FCRA violation.
Their big concern, of course, was those false positives, that information about someone who was not the subject of the inquiry was being handed out. But what I thought was really interesting about that prior guidance, and it was useful to have been withdrawn, is not only was the focus of that advisory opinion on the consumer reporting agency's obligations, but on the end users themselves. The CFPB in that guidance had pointed out that A, end user is prohibited from obtaining a consumer report without a permissible purpose. And if the end user incorrectly input the consumer data when submitting an inquiry to the consumer reporting agency, maybe they misspelled their last name or they put in – they fact fingered the date of birth. Then, that end user was receiving a consumer report without a permissible purpose on that individual if they were receiving a false positive.
Under the prior guidance, that was a strict liability standard. Removing that from these not knowing negligent-type issues, these little errors that we know happen all the time, removing that strict liability standard I think is going to be very good for end users and remove some of the fear that could have been out there with regard to that interpretive guidance.
Dave Gettings:
I think that's a good take. It was, in my view, never the intent of the FCRA when there's a simple mistake like that to give rise to a negligent or potentially willful violation of the permissible purpose provisions.
Kim Phan:
I agree.
Dave Gettings:
So, Kim, artificial intelligence is part of almost every conversation it seems we have these days. What impact will the withdrawal of the guidance have in that area?
Kim Phan:
So, the CFPB issued a separate guidance. This was a circular, so not an advisory opinion. I don't really know what the CFPB defined these, all these different guidance documents as, but this was a circular and this was in November of 2024. It also looked at this background screening issue. It specifically talked about the use of dossiers that were being compiled about employees, as well as algorithmic scoring, essentially AI that's being used to make determinations about employees. The CFPB wanted to make 100% clear that the FCRA should apply to all of that. And that if an employer is using some sort of dossier or algorithmic scoring, they have to get an employees' permission to procure that consumer report, provide notice before and after of any adverse actions, and make sure they have a permissible purpose.
The third-party providers that were compiling these dossiers and determining some of the scoring, the CFPB said, should be treated as consumer reporting agencies. But let's talk about those third-party service providers. Who these entities are that they were targeting were the types of third-party technology companies that sprung up during COVID. The reality that if someone's not sitting at their desk where a manager or someone else could be monitoring them. There were all types of technologies that were developed to monitor, say, driving habits, calculate how much time someone was spending on a particular task, how much time they were spending in meetings, taking screenshots of their computer to make sure that they're actually doing work, checking their browser history, things like that. That just sort of made sense in a world where everyone was working remotely and that employers were looking for ways to try to make sure that the same level of productivity and efficiency was happening when people were at home.
The scoring was a result of that. These same third-party technology providers that were enabling employers to be able to do this with their employees, were also offering value-added scoring, things like recommendations with regard to predicting whether or not someone is doing a good job, whether or not they are starting to look at other sites, like employment sites, and maybe they might be looking to leave their job at some point, or maybe they're engaging in behavior that should lead to some sort of disciplinary action.
Now, with the withdrawal of this guidance I think it's going to be great, because those entities were never intended to be consumer reports, and that was not their vision of doing those type of worker productivity services. Now, companies can hire those types of service providers to monitor an increasingly flexible workforce without having to run the risk of potentially violating the FCRA by doing so. I think that's also a very good withdrawal.
Dave Gettings:
Yes, I think that makes sense, Kim. Speaking of potential future actions and enforcement, now, Chris was going to touch a little bit on state AG, correct?
Kim Phan:
That's right. Chris, I know part of the CFPB did that big announcement with the withdrawal of, I think it was 67 different interpretive guidance. But there was a separate interpretive rule that was withdrawn as well on the scope of the state attorneys general to bring enforcement actions. Do you want to tell us more? What's going on there?
Chris Willis:
That's right. This was a pretty controversial one too, and also one that I think we're all relieved was withdrawn. So, by way of background, there's a section of Dodd-Frank, Section 1042, that gives state attorneys general the right to bring certain enforcement actions under the Consumer Financial Protection Act, or Dodd-Frank, and namely, the ability to two claims of Dodd-Frank UDAP against various actors under certain circumstances. The interpretive rule that you were referring to was released by the CFPB in 2022 and basically took the text of the statute a step further and said that, well, because Dodd-Frank incorporates and references the other preexisting consumer protection federal laws, like the Truth in Lending Act, FCRA, Equal Credit Opportunity Act, et cetera. That the state attorneys general cannot only bring claims under Section 1042 for Dodd-Frank UDAP violations, but also, for any of those preexisting consumer laws, which are called the enumerated consumer laws in Dodd- Frank.
So, a state could bring a claim under the Equal Credit Opportunity Act, for example, even though there is no authority under that statute itself for a state to do so. It's limited only to federal enforcement. So, several states sort of adopted that view and said, "Yes, we're going to proceed on this basis," but it was still a matter of some controversy because it really was an instance of bootstrapping under the statute that's not clearly called for by the language of the statute. Now, the CFPB has withdrawn that. Now as a practical matter, of course, there are some states who believe that this interpretation was correct and they may pursue claims under the enumerated consumer laws, and then, it'll be up to the defendants in those cases to litigate that issue in whatever court they happen to find themselves.
Dave Gettings:
Thanks, Chris. So, it really does sound like it'll be a little bit uncertain as to what state AGs are doing going forward regardless of the withdrawn guidance.
Chris Willis:
It is, but under the Fair Credit Reporting Act, it doesn't necessarily make that big of a difference because there is an enforcement right for state attorneys general in the Fair Credit Reporting Act itself. So, the interpretive rule, the controversial part of it doesn't really impact what states can do under that particular statute.
Dave Gettings:
Right. That makes sense. So, thank y'all for being here. Appreciate you taking the time to discuss the CFPB's withdrawal of the guidance. I think it's important to note that, even though this guidance withdrawal is really impactful, it may not necessarily be completely permanent. When the Bureau withdrew the guidance, it says it intends to continue reviewing all the guidance documents it's issued to determine whether it should ultimately be retained. So, I think everyone's expectation is it's, at least in this administration, not going to be rekindled, so to speak, but we never know what's going to happen going forward and we'll continue to monitor it. So, Kim, any parting words before we close out?
Kim Phan:
Just to thank Chris and Cindy for being here. I think this has been a great discussion, and I think there have been useful tidbits that have been released to make sure that companies are aware of some things that were previously risky that they might think about taking up again, even if down the road, Dave, as you noted, some of this guidance could make its way back.
Dave Gettings:
Thanks, Kim, and we'd like to thank everyone for listening to the podcast today. Don't forget to visit our blogs, ConsumerFinancialServicesLawMonitor.com and TroutmanFinancialServices.com. And please subscribe to our podcast at all of your favorite podcasting locations. Thanks for listening.
Copyright, Troutman Pepper Locke LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper Locke. If you have any questions, please contact us at troutman.com.