CFPB’s Advisory Opinion on Name-Only Matching for Consumer Reporting

On July 12, 2022, the Consumer Financial Protection Bureau (CFPB) issued an advisory opinion regarding the “permissible purpose requirement” of the Fair Credit Reporting Act (FCRA) as it applies to both a consumer reporting agency (CRA) and a user of consumer reports (e.g., employer).

The CFPB’s position is that name-only matching records in a consumer report violate the permissible purpose requirement in FCRA section 604(a)(3). The CFPB noted that consumer report users must ensure they do not violate a person’s privacy by obtaining or using a report without a permissible purpose, and that a consumer reporting agency should not provide reports with “possible matches” to users.

The CFPB further warned that including a disclaimer in the report, such as “this record was matched to the subject by First Name, Last Name ONLY and may not belong to your subject; your further review of the [source] is required in order to determine if this is your subject” does not adequately address the problem of using name-only matching procedures because the report may include information about a person other than the subject for whom the CRA has a permissible purpose. In the CFPB’s view, a disclaimer “will not change the fact that the consumer reporting company has failed to satisfy the requirements of 604(a)(3) and has provided a consumer report about a person lacking a permissible purpose with respect to that person.”

The CFPB’s advisory opinion raises the possibility that employers, as users of such consumer reports, could be held liable for FCRA permissible purpose violations resulting from a CRA’s matching procedures or mistakes. The opinion emphasized the CFPB’s position that there is strict liability for obtaining or using a consumer report without a permissible purpose and also included a reminder about criminal liability for knowing or willful violations of the FCRA provisions.

July 19th, 2022|Compliance Corner|

The CFPB issues new policy guidance on credit reporting and dispute resolution

On April 1, 2020, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a non-binding general policy statement (“Policy Statement”) regarding the Fair Credit Reporting Act (FCRA) and Regulation V in light of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

The CFPB’s Policy Statement highlights furnishers’ responsibilities and informs consumer reporting agencies (“CRAs”) of the Bureau’s flexible supervisory and enforcement approach during this pandemic. The Bureau intends to consider the circumstances that entities face as a result of the COVID-19 pandemic and their good faith efforts to comply with statutory and regulatory obligations as soon as possible.

The Bureau believes that this flexibility will help furnishers and CRAs to manage the challenges of the current crisis. Below are examples of the flexibility the Bureau intends to provide in the consumer reporting system.

Furnishing consumer information impacted by COVID-19: The Bureau reiterates its prior guidance encouraging financial institutions to work constructively with borrowers and other customers affected by COVID-19 to meet their financial needs. While companies generally are not legally obligated to furnish information to CRAs, the Bureau encourages them to continue doing so despite the current crisis. Furnishers’ providing accurate information to CRAs produces substantial benefits for consumers, users of consumer reports, and the economy as a whole. The CARES Act, a section of which amends the FCRA, generally requires furnishers to report as current certain credit obligations for which furnishers make payment accommodations to consumers affected by COVID-19 who have sought such accommodations from their lenders. Many furnishers are or will be offering consumers affected by COVID-19 various forms of payment flexibility, including allowing consumers to defer or skip payments, as required by the CARES Act or voluntarily. Such payment accommodations will avoid the reporting of delinquencies resulting from the effects of COVID-19. The Bureau supports furnishers’ voluntary efforts to provide payment relief, and it does not intend to cite in examinations or take enforcement actions against those who furnish information to CRAs that accurately reflects the payment relief measures they are employing.

Disputes: The FCRA generally requires that CRAs and furnishers investigate disputes within 30 days of receipt of the consumer’s dispute. The 30-day period may be extended to 45 days if the consumer provides additional information that is relevant to the investigation during the 30-day period. The Bureau is aware that some CRAs and furnishers may face significant operational disruptions that pose challenges in the investigations. For example, some CRAs and furnishers may experience reductions in staff, difficulty in taking disputes, or lack of access to necessary information, rendering them unable to investigate the disputes within the timeframes the FCRA requires. Furnishers include a wide variety of businesses that vary in size and sophistication and can range from small retailers to very large financial services firms, each of which will face unique challenges due to the COVID-19 pandemic. In evaluating compliance with the FCRA as a result of the pandemic, the Bureau will consider a CRA’s or furnisher’s individual circumstances and does not intend to cite in an examination or bring an enforcement action against a CRA or furnisher making good faith efforts to investigate disputes as quickly as possible, even if dispute investigations take longer than the statutory timeframe. The Bureau reminds furnishers and CRAs that they may take advantage of statutory and regulatory provisions that eliminate the obligation to investigate disputes submitted by credit repair organizations and disputes they reasonably determine to be frivolous or irrelevant. The Bureau will consider the current constraints on furnishers’ and CRAs’ time, information, and other resources in assessing if such a determination is reasonable.

Regulatory requirements: The Policy Statement is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authorities. It is therefore exempt from the notice and comment rulemaking requirements under the Administrative Procedure Act pursuant to 5 USC 553(b).

Resources for consumers and small businesses facing the impacts of the COVID-19 pandemic are available on the Bureau’s website at

April 3rd, 2020|Guidance|

CFPB publishes annual guide about consumer reporting agencies

Every year, the Consumer Financial Protection Bureau (the “CFPB”) updates and publishes a guide to consumer reporting companies, The guide includes information in connection with requesting a consumer report from the three largest nationwide consumer reporting companies and dozens of specialty reporting companies, tips regarding specialty reports, updated information about authentication of identity when requesting a consumer report, information on companies that provide free credit scores, and rights with respect to consumer reports.

The CFPB notes that in prior years, its guide referred to consumer reporting businesses as “agencies” or “bureaus,” and that these terms can be confusing because they may imply these businesses are government entities. They are not—these companies are private-sector, for-profit entities, and in this year’s guide, the CFPB refers to them as “companies” for better clarity.

February 23rd, 2016|Educational Series|

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about Personal Data Notification & Protection Act

February 23rd, 2015|Legislation|

Accuracy issues top credit reporting complaints

The Consumer Financial Protection Bureau (CFPB) last month released its report regarding approximately 31,000 complaints filed between October 22, 2012 and February 1, 2014, by consumers frustrated with credit reporting companies. The majority of the complaints pertained to accuracy and completeness of credit reports.

March 28th, 2014|Educational Series, Fraud|

CFPB issues long-awaited rule on supervising non-banks that pose risks to consumers

On June 26, 2013, the Consumer Financial Protection Bureau (the “CFPB”) issued a final rule that establishes procedures to bring under its supervisory authority certain nonbanks whose activities pose risks to consumers. Non-banks subject to the rule are companies that offer or provide consumer financial products or services but do not have a bank, thrift, or credit union charter, and include a nonbank’s affiliate service providers. The final rule will be effective 30 days after its publication in the Federal Register.

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the CFPB is authorized to supervise any nonbank, regardless of its size, that the CFPB has reasonable cause to determine “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.”

The CFPB has already finalized “larger participant” rules for the credit reporting and debt collection markets and has proposed such a rule for the federal and private student loan servicing market.

July 2nd, 2013|Dodd-Frank|

CFPB’s database is now searchable by state and includes complaints about credit reporting

On May 31, 2013 the Consumer Financial Protection Bureau (“CFPB”) announced that its Consumer Complaint Database, now searchable by state, has been expanded to include credit reporting and money transfer complaints. In addition to these two new categories, the database, which can be accessed at, includes complaints relating to credit cards, mortgages, student loans, bank accounts and services, and consumer loans.

When submitting a complaint about credit reporting, consumers can select from five common issues, which are all searchable on the updated database: incorrect information on a credit report; problems with a credit reporting agency’s investigation; improper use of a credit report; not being able to get a credit report or credit score; and problems with credit monitoring or identity protection services.

June 20th, 2013|Educational Series|

CFPB’s expanded complaint database goes live

The Consumer Financial Protection Bureau (the “CFPB”) announced that the nation’s largest database of federal consumer financial complaints is live and open for public viewing.

The CFPB’s recent launch significantly expands the Consumer Complaint Database from about 19,000 credit card complaints in 2012 to more than 90,000 complaints on mortgages, student loans, bank accounts and services, other consumer loans, and credit cards. It also includes product sub-categories, such as reverse mortgages, conventional fixed mortgages and adjustable mortgages, and home equity loans or lines of credit. Complaints are entered only after the company provides a response or after it has had the complaint for 15 days, whichever comes first. The CFPB states that while the allegations in the complaints are not verified, a commercial relationship between the consumer and the company is substantiated before the complaint is added to the database.

According to the CFPB, the database now has more than one million data points covering approximately 450 companies, and includes information such as the type of complaint, date of submission, consumer’s ZIP code, and the company’s name. The database also provides information about the actions taken on the complaint, i.e., whether the company’s response was timely, how the company responded, and whether the consumer disputed the response.

To file a complaint with the CFPB, consumers can:>

  • File online at;
  • Call 1-855-411-CFPB (2372) or TTY/TDD phone number at 1-855-729-CFPB (2372);
  • Fax to: (855) 237-2392; or
  • Mail to: Consumer Financial Protection Bureau, P.O. Box 4503, Iowa City, IA 52244.
  • May 9th, 2013|Educational Series|

    Agencies jointly support that FCRA Section 1681c does not violate first amendment

    On May 3, 2012, the Federal Trade Commission (FTC) joined the Department of Justice (DOJ) and the Consumer Financial Protection Bureau (CFPB) in filing a memorandum brief in support of the constitutionality of the Fair Credit Reporting Act (FCRA), established in 1970 to protect credit report information privacy and to ensure that the information supplied by consumer reporting agencies (CRAs) is as accurate as possible.

    In the case of Shamara T. King vs. General Information Services, Inc. (GIS), the CRAs address a provision of the FCRA that balances the Act’s dual purposes, i.e., to protect consumers from privacy invasions caused by the disclosure of sensitive information and to ensure a sufficient flow of information to allow the CRAs to fulfill their vital role.) The provision, Section 1681c, bars CRAs from disclosing arrest records or other adverse information that is more than seven years old, in most cases.

    The agencies brief refutes GIS’s argument that this FCRA protection is an unconstitutional restriction of free speech, pointing out that the recent U.S. Supreme Court case law that GIS cites to support its argument, Sorrell v. IMS Health Inc., “does not change the settled First Amendment standards that apply to commercial speech, nor does it suggest that restrictions on the dissemination of data for commercial purposes

    [such as those by CRAs] must satisfy stricter standards.” Therefore, the brief concludes, the court should not invalidate the FCRA provision, as it “directly advances the government’s substantial interest in protecting individuals’ privacy” while also accommodating the interest of businesses. The case is pending.

    May 21st, 2012|Judgment|

    CFPB proposal would put larger debt collectors and credit reporting agencies under the same supervision process as banks

    The Consumer Financial Protection Bureau (CFPB) on February 16, 2011 announced a
    proposed rule to include debt collectors and consumer reporting agencies under its nonbank
    supervision program.

    Created by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is
    authorized to supervise nonbanks in the specific markets of residential mortgage, payday
    lending, and private education lending. For other nonbank markets of consumer financial
    products or services, the CFPB must define “larger participants” by rule, which is due on
    July 21, 2012.

    Three types of debt collection agencies dominate the market: firms that collect debt owned
    by another company for a fee, firms that buy debt and collect the proceeds for themselves,
    and attorneys and law firms that collect debt through litigation. A single company may be
    collecting through any or all of these activities. Under the proposed rule, debt collectors
    with more than $10 million in annual receipts from collection activities would be subject to
    supervision. The CFPB estimates that the proposed rule would cover approximately 175 debt
    collection firms (or 4% of debt collection firms) which account for 63% of annual receipts
    from the debt collection market.

    The CFPB’s proposal also takes aim at the largest credit bureaus selling comprehensive
    consumer reports, consumer report resellers, and specialty consumer reporting agencies.
    Defined as companies that make more than $7 million annually from their consumer
    business, the rule would affect 30 companies, and firms like Experian, TransUnion and
    Equifax, that account for 94% of the industry’s business.

    This is the CFPB’s first in a series of rulemakings to define larger participants. The CFPB
    chose annual receipts as the criterion for both debt collection and consumer reporting
    because it approximates participation in these two markets.

    The proposed rule is open for comment for 60 days after the rule is published in the Federal

    February 18th, 2012|Dodd-Frank|
    Go to Top