Overlooked in the fintech news cycle last week was an upcoming proposal from the CFPB that they felt was so big that they brought out Vice-President Kamala Harris for an introduction. As Director Rohit Chopra took the stage, he dropped the bombshell that the CFPB was making changes to the long-standing Fair Credit Reporting Act (FCRA), initially passed in 1970. The main bit that got headlines was the fact that the CFPB would attempt to eliminate medical debt from consumer credit reports.
In case you’re not familiar with the FCRA, it regulates the collection of consumer credit information and access to consumer credit reports - primarily by credit bureaus, medical information companies, screening services, and banks. The average consumer will see this regulation come into play quite a bit when applying for credit cards or other types of loans, especially when they receive a rejection.?
While the regulation is quite detailed, the system in place that has operated under this regulation (along with the Equal Credit Opportunity Act - known as Regulation B) is what has allowed the bureaus to form an almost monopoly of sorts, and has furthermore created a situation where 100 million Americans have medical debt.
In any case, last week Chopra announced that the CFPB was releasing a 24-page outline of proposed changes to the FCRA, with the main highlights being the aforementioned changes to reporting medical debt along with additional requirements for companies that currently are not in scope for reporting to the FCRA. It would seem the end goal of these proposals is to make sure any company that collects and sells consumer data to be covered by the FCRA (not just those that furnish data to the bureaus, the current setup). The American Banker cited that the report was “96 pages,” however this seems to be somewhat sloppy reporting as a glance at the full document reveals that the final 72 pages are simply a reprint of the FCRA’s text itself along with an extract from Regulation V.
In the first place, it’s important to set the stage a bit about how big of a problem this is that the CFPB is trying to solve (even if you don’t agree with their proposed approach). As we mentioned before, around 100 million Americans are in Medical debt. A Washington Post investigation earlier this year revealed the following in addition to this:
- Over 15% of adults in the US report past-due medical debtAs there are 333 million adults, this comes out to around 50 million people.
- 26.4 percent of Americans who are under the federal poverty level are overdue on a medical bill - overall, 15.4 percent of respondents were past due.
- 25.9 percent of Black Americans and 19.1 percent of Hispanic Americans were past due, compared to 12.8 percent White Americans.
- Almost 75% owe some or all of their medical debt to hospitals specifically.
- 72 percent of adults with medical debt owe because of a one-time incident (i.e. a visit to the ER).
Beyond this, approximately 66.5% of bankruptcies in the US are caused by medical debt (around 530,000 cases a year).
So as we can see, making any change to this would be a huge deal.
What have bureaus already done?
The good news is that this isn’t the first step in trying to tackle the medical debt problem. In April of this year, all three of the credit bureaus agreed to remove medical debt under $500 from US credit reports. This made up almost 70 percent of medical collection tradelines. Also, the year before that, the bureaus announced that all medical debt that was paid off by the consumer would not be included on US consumer credit reports, and the time before medical debt first appears on credit reports increased from six months to one year.
But this new proposal would completely eliminate medical debt altogether from showing up. On the surface, it sounds good, but this isn’t the only thing the CFPB proposed in the announcement. Let’s dive a bit more into the details.
Nitty Gritty of the Proposal
As we mentioned, the Bureau released a 24-page outline providing more detail on their thinking. Typically, the process is that after something like this, the regulator would develop a proposed draft of rulemaking, open it up for comment (to the public, impacted parties, or anyone in general), and then finalize the updated regulation and set an implementation date.
Diving into the report/outline, we noticed the following:
- The CFPB acknowledges the impact these changes could have on companies not currently subject to the FCRA, which happen to meet the criteria of “small entities.” In other words, the role of consumer reporting agencies (aka CRAs, currently played by the big 3 bureaus), furnishers (currently played mostly by lenders including banks and hospitals), and users (currently played by financial institutions) would expand to include significantly more parties. The CFPB claims that they will submit to the Small Business Regulatory Enforcement Fairness Act and convene a Small Business Review Panel of these voices - however, I’m sure those parties would counter that they will only have a chance to “submit input” and not necessarily have any veto power over whatever the CFPB decides. Indeed, the American Banker article suggests that lawsuits will be forthcoming against the CFPB to try and shut this proposal down before it goes beyond this outline stage (although it notes that technically, the CFPB can't be sued until a rule is finalized). While the CFPB highlights its channels for input to be provided even at the proposal/outline stage including other parties, and even tries to show transparency by outlining the questions it plans to ask these small entities, I doubt it will convince anyone from the small entity side at this stage that the intentions are good.
- The CFPB is considering expanding the definition of CRA to go beyond just what is currently the big 3 credit bureaus, to also include data brokers. The CFPB defines them as “firms that collect, aggregate, sell, resell, license, or otherwise share personal information about consumers with other parties. This includes first-party data brokers that interact with consumers directly and third party brokers with whom the consumer does not have a direct relationship.” This is probably the biggest proposed change, as it could in theory include firms like LexisNexis (identity verification/protection companies), ADP (employment screening companies), RealPage (tenant screening companies), Oracle (marketing data brokers (along with the other tech influence they have)), Zoominfo (People Search websites), Healthcare.com (Health data), and so on. This industry is a big one - there are as many as 4,000 “data brokers” globally according to reports, and these companies are valued at over $200 billion with the possibility of exceeding $300 billion by 2026.
- The CFPB also comments on how these companies interact with data and whether these interactions would bring them in scope for being classified as CRAs - specifically assembling/evaluating (i.e. acting as intermediaries or vendors between transmitting information from record databases to users), providing credit-adjacent data (i.e. name, addresses, SSN, phone numbers), and providing any data for marketing purposes to third parties (i.e. as Acxiom does it in its targeting business which is used by companies for acquisition marketing purposes).
- After essentially prohibiting consumer reporting agencies from furnishing reports to third parties, it outlines the exceptions which it would expect these potential “new CRAs” to also abide by:* Written instructions from the consumer, including very specific guidelines around what would actually constitute written instructions and how it could be revoked.* A legitimate business need, most commonly connected with a business transaction initiated by the consumer or reviewing an account to determine if the consumer continues to meet conditions for the account (i.e. a credit card account or loan).* Protecting consumer reports from data breaches and unauthorized access.
- While credit reporting-related disputes are already classified by the FCRA as either being direct (filed directly with the institution that reported to a CRA) or indirect (filed with the CRA regarding an incorrectly furnished tradeline), the CFPB is proposing delineating these disputes further. Specifically, they would propose classifying disputes as “legal” (i.e. having to do with interpretations of law or contractual liability) or “systemic” (i.e. issues caused by outdated software, deficiencies in furnisher policies and procedures). The CFPB says this is in response to a common complaint from CRAs and furnishers that consumers don’t have the right to file disputes that aren’t related to the law, when a significant amount of them are in fact related to the furnisher or CRAs own issues.
- The CFPB saves the big one for last, noting that it proposes to eliminate medical debt reporting altogether.
- In a moment of self-awareness, the CFPB notes a number of potential issues that could arise for the aforementioned “small entities” that end up falling under the criteria of the potential revisions to the FCRA:* There are over 500,000 small entities identified that fall into 34 different NAICS codes.* There are also notable costs that would be borne by these small entities, as well as even existing CRAs.* Revenues would also be impacted of all CRAs across the board (old and new).
What is the takeaway from this?
As we mentioned, lawsuits are in the cards over just this proposal. The CFPB is certainly aware that implementing such a wide scale change would have significant impact on companies across the board including those that provide genuine services for consumers and businesses alike. However, the medical debt situation has become unsustainable. At the same time, the definition of “consumer reporting agency” was established over fifty years ago and probably deserves a second look. Hopefully as the conversation begins, there’s some sort of middle ground that can be found and the consumer data landscape continues to evolve in a positive direction, where innovation and consumer-friendly practices keep thriving in a profitable way while no one ends up having their life destroyed (due to privacy reasons or medical debt reasons). We will be keeping an eye on this development for sure.
