The CFPB recently issued an Advisory Opinion on Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports to reiterate privacy concerns and potential liability when consumer report information is provided outside of a “permissible purpose”.
The Fair Credit Reporting Act (FCRA) dictates when a consumer reporting agency (CRA) can provide a consumer report or, in other words, when there is a permissible purpose to do so. Financial institutions often look to Section 604(a)(3) to determine whether there is a permissible purpose to obtain a consumer report, “in connection with a credit transaction” or whether there is a “legitimate business need”.
The FCRA may also be violated when a CRA provides information for individuals who were not the subject of such a request. For instance, when there are multiple individuals with the same name, “name-only matching” procedures by a CRA are insufficient. For example, if a consumer report is requested on “John Doe”, a CRA can only provide information it reasonably believes belongs to that “John Doe”.
The CFPB has noted that some CRAs get information that doesn’t use identifying information beyond a name. Such information might then get included in another individual’s consumer report by mistake. A CRA may also do a public records search that only matches names and, in turn, the CRA provides a list of possible matches. If the CRA then includes any type of consumer report information (i.e., …that bears on the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living…) on an individual who was not the intended subject of a request, the CRA ultimately provides it to someone who does not have a permissible purpose for that information. Under the FCRA, …consumer report users are strictly prohibited from using or obtaining consumer reports without a permissible purpose.
The CFPB’s opinion goes on to further clarify that a CRA cannot fix inadequate matching procedures by including a “disclaimer” explaining that information may not belong to the specific subject of the request.
Hopefully, your team already knows under what circumstances they can obtain a consumer report and what constitutes permissible use. If not, we can help! Be sure to check out our webinar FCRA/FACT Act which is available. This Opinion is a good reminder that you also need to look beyond your team and ensure the CRAs you use are not putting you at risk of violating the FCRA. You may want to check your contracts for any references to matching procedures and/or check consumer reports you’ve received to determine whether there are references to only possible or potential matches.
Published
2022/07/13