[Senate Hearing 115-361]
[From the U.S. Government Publishing Office]

S. Hrg. 115-361

AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

=======================================================================

HEARING
BEFORE THE
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
ON
EXAMINING THE CONSUMER REPORTING AGENCIES AND THE FAIR CREDIT REPORTING ACT

JULY 12, 2018

Printed for the use of the Committee on Banking, Housing, and Urban Affairs

Available at: http://www.govinfo.gov/

U.S. GOVERNMENT PUBLISHING OFFICE
32-483 PDF
WASHINGTON : 2018

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).

COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama            SHERROD BROWN, Ohio
BOB CORKER, Tennessee                 JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania       ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                   JON TESTER, Montana
TIM SCOTT, South Carolina             MARK R. WARNER, Virginia
BEN SASSE, Nebraska                   ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                  HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota             JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                 BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina           CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana               CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                   DOUG JONES, Alabama

Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Joe Carapiet, Chief Counsel
Kristine Johnson, Professional Staff Member
Elisha Tuku, Democratic Chief Counsel
Laura Swanson, Democratic Deputy Staff Director
Phil Rudd, Democratic Legislative Assistant
Dawn Ratliff, Chief Clerk
Cameron Ricker, Deputy Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor

C O N T E N T S

THURSDAY, JULY 12, 2018

Opening statement of Chairman Crapo
    Prepared statement
Opening statements, comments, or prepared statements of:
    Senator Brown

WITNESSES

Peggy L. Twohig, Assistant Director, Office of Supervision Policy, Division of Supervision, Enforcement, and Fair Lending, Bureau of Consumer Financial Protection
    Prepared statement
Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission
    Prepared statement
    Responses to written questions of:
        Senator Scott

Additional Material Supplied for the Record

Statements and letters submitted by Chairman Crapo
Reports and letters submitted by Senator Scott
Letter submitted by Senator Reed
Report submitted by Senator Warren

AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

THURSDAY, JULY 12, 2018

U.S. Senate, Committee on Banking, Housing, and Urban Affairs, Washington, DC.

The Committee met at 10:04 a.m., in room SD-538, Dirksen Senate Office Building, Hon. Mike Crapo, Chairman of the Committee, presiding.

OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

Chairman Crapo. The Committee will come to order. The Committee hearing today is entitled ``An Overview of the Credit Bureaus and the Fair Credit Reporting Act''. Credit bureaus play a valuable role in our financial system by helping financial institutions assess a consumer's ability to meet financial obligations and also facilitating access to beneficial financial products and services. Given this role, they have a lot of valuable personal information on consumers and, therefore, are targets of cyberattacks. Last year, Equifax experienced an unprecedented cybersecurity incident which compromised the personal data of over 145 million people. Following that event, the Banking Committee held two oversight hearings on the breach and consumer data protection at credit bureaus. The first hearing with the former Equifax CEO examined details surrounding the breach, while the second hearing with outside experts examined what improvements might be made surrounding credit reporting agencies and data security. This Committee also recently held a hearing on cybersecurity and risks to the financial services industry. These hearings demonstrated bipartisan concern about the Equifax data breach and the protection of consumers' personally identifiable information, as well as support for specific legislative measures to address such concerns. Some of these were addressed in Senate bill 2155, the ``Economic Growth, Regulatory Relief, and Consumer Protection Act'', which included meaningful consumer protections for consumers who become victims of fraud.
For example, it provides consumers unlimited free credit freezes and unfreezes per year. It allows parents to turn on and off credit reporting for children under 18 and provides important protections for veterans and seniors. Last month a New York Times article commenting on the bill noted that ``one helpful change . . . will allow consumers to `freeze' their credit files at the three major credit reporting bureaus--without charge. Consumers can also `thaw' their files, temporarily or permanently, without a fee.'' Susan Grant, director of consumer protection and privacy at the Consumer Federation of America, expressed support for these measures, calling them ``a good thing.'' Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, similarly noted that the freeze provision ``has the potential to save consumers a lot of money.'' But there is still an opportunity to see whether more should be done, and today's hearing will help inform this Committee in that regard. Today I look forward to hearing more from the witnesses about the scope of the Fair Credit Reporting Act and other relevant laws and regulations as they pertain to credit bureaus; the extent to which the Bureau of Consumer Financial Protection and the FTC, whom the two witnesses represent today, oversee credit bureau data security and accuracy; the current state of data security, data accuracy, data breach policy, and dispute resolution processes at the credit bureaus; and what, if any, improvements could be made. States have begun to react in their own ways to various aspects of the public debate on privacy, data security, and the Equifax data breach. Two weeks ago, California enacted the California Consumer Privacy Act which will take effect on January 1, 2020. 
The act, which applies to certain organizations conducting business in California, establishes a new privacy framework by creating new data privacy rights, imposing special rules for the collection of minors' consumer data, and creating damages frameworks for violations and businesses failing to implement reasonable security procedures. Many members are interested in learning more about what California and other States are doing on this front. Additionally, 2 weeks ago, eight State banking commissioners jointly took action against Equifax in a consent order requiring the company to take various actions regarding risk assessment and information security. I have long been concerned about data collection and data privacy protections by the Government and the private sector. Given Americans' increased reliance and use of technology where information can be shared by the swipe of a finger, we should be careful to ensure that companies and Government entities who have such information use it responsibly and keep it safe. Senator Brown. OPENING STATEMENT OF SENATOR SHERROD BROWN Senator Brown. Thank you, Mr. Chairman. Thanks very much to our witnesses. Thanks for holding this hearing today. I hope my colleagues would excuse me to particularly welcome Ms. Twohig to our Committee. She is from the Consumer Protection Bureau, grew up in Fairview Park, a westside suburb of Cleveland. She graduated from Ohio State. She worked for the Cleveland Foundation, the preeminent community foundation in the United States of America. She has a long career as a public servant with the FTC, the Treasury Department, and was an early employee of this terrific agency, the Consumer Financial Protection Bureau. And not to leave you out, but thank you both for joining us. The consumer credit reporting system is stacked against Americans. A bad credit report can keep you out of a job; it can put you on a list where you will be targeted with expensive credit cards or high-cost loans. 
You are almost powerless to do anything about it. Americans have basically no control over these reports that can dictate their lives and their family's plans for the future. They often do not know whether they are accurate or whether they are inaccurate. Six years ago I chaired a Subcommittee hearing where consumer advocates in the CFPB identified problems in the credit reporting industry. We have had several hearings in this Committee over the last year on credit reporting companies and on data privacy. In the meantime, breach after breach has occurred. Last year, as we know, 148 million Americans had their sensitive data stolen as hackers exploited a known security flaw that Equifax did not fix. Millions more have been affected by breaches at banks like JPMorgan Chase, stores like Target, Whole Foods, even Trump hotels. Congressional efforts, including provisions included in S. 2155, have not done anything meaningful to address accuracy of credit reports, to fix privacy concerns, or to give consumers controls over their own personal data. At the same time, big tech companies continually add more and more of our personal information to their digital warehouses. They have financial and personal details about hundreds of millions of Americans. They see the potential for a big payday in selling that data to credit reporting companies. These companies are amassing more and more of our data, but still seem totally unprepared to deal with cyberattacks. They are building virtual, shall we say, silver platters for hackers. People want and deserve a lot more control over their personal information. Credit reporting presents a unique problem because often Americans do not even know these corporations collect their data in the first place. Right now consumers cannot vote--as many of my colleagues like to say, cannot simply vote with their feet when a company does not treat them well, when a credit bureau fails to protect their privacy. 
Congress passed the Fair Credit Reporting Act in the first place to rein in credit bureaus that originally functioned as unsupervised supervisory agencies collecting personal information that we would be appalled to see in someone's credit report today. After scandals at Facebook, people are rightfully worried about big companies once again compiling and selling piles of personal data on every American without our knowledge, out of our control or our consent. More Americans would be surprised at how lenders are putting this data to use. Last week the Washington Post ran a story about a company called ``Mariner Finance'' that uses a loophole in the FCRA to look at people's credit records without their permission and then targets them with scams. Mariner sends checks for thousands of dollars to struggling families that can be cashed the day they are plucked from the mail. But the checks are really just expensive loans waiting to trap the consumer who cashes them. Now, Mariner will tell you they are increasing ``access to credit''--their term. But that was exactly what we were told about subprime loans. Some will say, including potentially your boss at the CFPB, that the market will take care of that. Well, the market clearly has not. The fact is Mariner is weaponizing people's credit history to target them with an expensive loan and making huge profits for the hedge fund that owns it. Your credit report can be used to force you into court, rightly or wrongly, to settle debts. But what if your credit card company or your cable provider erroneously reports a missed payment or defaulted account? They are protected. You cannot take them to court at all. And that is just absolutely outrageous. It turns out that is a big problem. A CFPB paper found last year that credit reporting companies have not been doing enough to ensure the information they get is accurate. They are protected and consumers are not, in part because of the behavior of this U.S. 
Senate and because of a Supreme Court that moves more and more to protect corporate interests. What incentive do these companies have? The people they hurt will not be able to have their day in court. We have heard all this before. The credit reporting system is backward. Like so much of our economy, it works for big corporations. It works for people with privilege. It does not work for regular Americans. The Fair Credit Reporting Act is 50 years old. The amount and type of information collected today would have been unthinkable when it was created. It is time for a serious overhaul that puts Americans in control of their own data. I have introduced bills and so have many of my colleagues that would do just that. I hope the Committee will not only listen to the advice we get today, but will also take action to give people control over what should be their personal information. Thank you, Mr. Chairman. Chairman Crapo. Thank you, Senator Brown. We will now move to our witnesses and their testimony. First we will hear from Ms. Peggy Twohig, who currently serves as the Assistant Director for Supervision Policy in the Division of Supervision, Enforcement, and Fair Lending at the Bureau of Consumer Financial Protection. The Office of Supervision is responsible for developing strategy across bank and nonbank markets and ensuring that policy decisions are consistent across markets, charters, and regions. After that we will hear from Ms. Maneesha Mithal, who serves as the Associate Director for the Division of Privacy and Identity Protection in the Bureau of Consumer Protection at the Federal Trade Commission. In this capacity she supervises the work in the area of data security, identity theft, credit reporting, and behavioral advertising and general privacy. We appreciate both of you joining us today, and we will proceed in the order that you were introduced. Ms. Twohig. STATEMENT OF PEGGY L. 
TWOHIG, ASSISTANT DIRECTOR, OFFICE OF SUPERVISION POLICY, DIVISION OF SUPERVISION, ENFORCEMENT, AND FAIR LENDING, BUREAU OF CONSUMER FINANCIAL PROTECTION Ms. Twohig. Good morning, Chairman Crapo, Ranking Member Brown, and thank you for that special introduction. I am very proud of my Cleveland roots. And thank you for the opportunity to testify today about the work of the Bureau of Consumer Financial Protection to address consumer protections in the credit reporting market. My name is Peggy Twohig, and I am Assistant Director for Supervision Policy at the Bureau. Credit reporting plays a critical role in consumer financial services and has enormous reach and impact. Over 200 million Americans have credit files with tradelines furnished voluntarily by over 10,000 providers. This information is used by creditors and other types of businesses to make decisions about individual transactions with consumers. In particular, creditors rely on this information to decide whether to approve loans and what terms to offer. Accurate credit reporting is important to creditors and other businesses to make good business decisions. For an individual consumer, an accurate credit report can be even more important given the significant impact that information can have on that consumer's ability to obtain financial and other products and services. Because of the importance of accuracy to businesses and consumers, the structure of the Fair Credit Reporting Act creates interrelated legal standards and requirements to support the policy goal of accurate credit reporting. These requirements anticipate that all reports will not be perfect; instead, the FCRA requires that credit reporting agencies, or CRAs, have ``reasonable procedures to assure maximum possible accuracy'' of reports. It also imposes certain accuracy obligations on furnishers of credit report information. 
And the FCRA has a dispute and investigation framework, with obligations on both CRAs and furnishers, to ensure that potential errors are investigated and errors are corrected promptly. The written testimony of the Bureau reviews the legal authority of the Bureau to supervise and enforce the Federal consumer financial laws applicable to CRAs. I will focus here on the work the Bureau has done exercising these authorities. In both its supervision and enforcement work, the Bureau has focused on credit reporting accuracy and dispute handling by both CRAs and furnishers. As discussed in a special edition of Supervisory Highlights published last year, the Bureau's supervisory work has prioritized reviews of key elements underpinning accuracy. As a result of these reviews, the Bureau directed specific improvements in data accuracy and dispute resolution at one or more CRA, including: improving oversight of incoming data from the furnishers; instituting quality control programs of compiled consumer reports; monitoring furnished dispute metrics to identify and correct root causes; improved investigations of consumer disputes, including a review of relevant information provided by consumers; and improving communication to consumers of dispute results. In supervising bank and nonbank furnishers, the Bureau has found furnishers that were not complying with their FCRA obligations and directed them to comply, including developing reasonable written policies and procedures regarding the accuracy of information they furnish; taking corrective action when they furnished information they determined to be inaccurate; and bringing their dispute handling practices into compliance. The Bureau has also brought enforcement actions and entered into a number of settlements related to violations of the FCRA's accuracy and dispute investigation requirements. Turning to data security, CRAs hold a tremendous amount of sensitive information about consumers. 
If CRAs do not protect this data, it may lead to data breaches, creating the risk of substantial harm to consumers, including the risk of identity theft. Since the Equifax breach, the Bureau has increased its attention to data security issues in our supervisory and enforcement work. The Bureau has the authority to conduct data security investigations and to conduct examinations at certain nonbanks, including larger CRAs. This authority includes assessing the facts and circumstances to determine whether a CRA's data security practices constitute a violation of Federal consumer financial law, including the prohibition against unfair, deceptive, or abusive acts and practices, or the FCRA. Our supervisory, enforcement, and consumer education efforts will continue in this important area. Consumers should have confidence that their credit reports are secure and comply with all applicable legal requirements. Thank you again for the opportunity to testify today at this important hearing. I would be happy to answer your questions about the Bureau's work related to credit reporting. Chairman Crapo. Thank you very much. Ms. Mithal. STATEMENT OF MANEESHA MITHAL, ASSOCIATE DIRECTOR, DIVISION OF PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, FEDERAL TRADE COMMISSION Ms. Mithal. Thank you. Chairman Crapo, Ranking Member Brown, and Members of the Committee, my name is Maneesha Mithal, and I am the Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission. I appreciate the opportunity to appear before you today to discuss the Fair Credit Reporting Act, credit bureaus, and data security. As you know, the FCRA is intended to help consumers in three ways. First, it helps consumers prevent the misuse of sensitive consumer report information by limiting recipients to those who have a legitimate need for it. Second, it works to improve the accuracy and integrity of the consumer reporting system. 
And, third, it promotes the efficiency of the Nation's banking and consumer credit systems. Now, the Commission has played a key role in the implementation, enforcement, and interpretation of the FCRA since its enactment. Let me mention three key examples. First, in 2012 the Commission published a study of credit report accuracy. According to the study findings, one in four consumers identified errors on their credit reports that might affect their credit scores. Four out of five consumers who filed disputes experienced some modification to their credit report. And 5 percent of consumers experienced a change in their credit score that could impact their credit risk classification. The second activity that the FTC engages in is enforcement. Enforcement continues to be a top priority for the Commission. Since 2011, the Bureau has been examining the nationwide credit bureaus. As a result, the FTC has focused its FCRA law enforcement efforts on other entities in the credit reporting area and other aspects of the consumer reporting industry more broadly. One example is enforcing a law against furnishers that are not supervised by the Bureau. The FTC has settled cases against data furnishers that allegedly had inadequate policies and procedures for reporting accurate information to CRAs. Another example is employment background screening CRAs. For instance, in the InfoTrack case, the Commission alleged that a background screening CRA failed to have reasonable procedures to ensure the maximum possible accuracy of the consumer reports it provided, and as a result, it provided inaccurate information suggesting that job applicants may have been registered sex offenders when they were, in fact, not. Third, the Commission continues to educate consumers and businesses on their consumer reporting rights and obligations under the FCRA. 
One example is our publication ``Credit and Your Consumer Rights'', which provides an overview of credit for consumers, explains consumers' legal rights, and offers practical tips to help solve credit problems. Now, let me close by mentioning the importance of credit bureaus maintaining reasonable security of the consumer information that is entrusted to them. Since 2001, the Commission has undertaken substantial efforts to promote data security in this and other sectors. We enforce several laws requiring companies to maintain reasonable security, including the FTC Act, the Gramm-Leach-Bliley safeguards rule, and certain provisions of the FCRA. The Commission has brought over 60 law enforcement actions against companies that allegedly engaged in unreasonable data security practices. Last year the Commission took the unusual step of publicly confirming its investigation into the Equifax data breach due to the scale of the public interest in the matter. And although we aggressively enforce our data security laws, I believe there are some gaps in our authority. For example, we cannot seek civil penalties for violations of most data security laws. To fill in these gaps, the Commission has supported Federal data security legislation on a bipartisan basis for over a decade. My written testimony discusses these issues in further detail, and I am happy to answer any questions you might have. Chairman Crapo. Thank you, Ms. Mithal. And my first question is for you. This is primarily just sort of a housekeeping item, but as I indicated in my opening statement, the Economic Growth, Regulatory Relief, and Consumer Protection Act has some significant provisions in it in this arena in terms of protecting consumers with the ability to place security freezes on their credit files with credit bureaus. This provision will empower consumers to protect their credit in the event of future data breaches or incidents of identity theft.
I am just seeking your commitment that you and the FTC will move expeditiously to implement these credit bureau provisions in Senate bill 2155. Ms. Mithal. Absolutely, you have our commitment to implement those provisions expeditiously, and we have already begun. We issued a consumer blog post, and we have begun our rulemaking process, so thank you. Chairman Crapo. Thank you. Ms. Twohig, credit bureaus--well, let me put it this way: I have long been concerned about the ever increasing amounts of big data that are being collected, both in the private sector and in the public sector by the Government. And as you know, one of the agencies that I have been worried about is the Consumer Financial Protection Bureau. Are credit bureaus required to provide data to the Bureau? Ms. Twohig. So, Senator, thank you for that question. In our supervisory work, they are required to respond to our requests when we are conducting an examination, and the requests that we make of the credit bureaus are similar to the requests we make of other financial service providers that we oversee through our examination authority. So that would be we request information such as how they are complying with the law and their compliance management systems, so, for example, their board and management oversight, their policies and procedures, their monitoring, their training, what audits they are doing. So all the elements that go into a compliance management system, we ask for that general information. And then more specifically, we ask for more specific information when we are determining particular compliance with particular provisions of the law. So, for example, we may need specific information about consumer files when we are doing transaction testing to ensure, for example, that they were complying with the law in following up on a consumer's dispute. Chairman Crapo. 
My understanding is that the agency is seeking to collect specific credit card transactional data on hundreds of millions of accounts. Is that not correct? Ms. Twohig. My understanding, Senator, is that a separate part of the Bureau, its research arm, collects in a credit panel de-identified information on consumers for research purposes. Chairman Crapo. But you are not in a position to describe exactly what they are collecting? Ms. Twohig. Correct. We would need to follow up with you and get you the details on that. Chairman Crapo. All right. Let me go back again to the information that you are familiar with. Is the data that you are requiring provided by mandate or is it purchased? Ms. Twohig. So the area that I work in, Supervision, the legal requirement under Dodd-Frank is that they are required to respond to supervisory requests for the information we need to conduct the examination. Chairman Crapo. All right. And are there other private sector entities that are required to provide data in addition to the credit bureaus? And what are they? For example, credit card companies, banks, others? Ms. Twohig. So there are various provisions of different kinds of law that do require reporting to the Bureau. I believe, for example, under the CARD Act, credit card issuers are required to provide their agreements that then the Bureau posts on the website. I am not familiar, sitting here right now, with all the different provisions that might require reporting to the Bureau, but there are a number of different requirements that would come into play. Chairman Crapo. All right. I appreciate that. And just quickly, I have only got about a minute left, so if you could each give me about a 30-second answer, sort of a high-level answer as to what have we learned from the Equifax data breach about what we need to do from here? Ms. Twohig. 
So, Senator, I can tell you that even though the Bureau's investigations are not public, in this instance it is a matter of public record that the Bureau is investigating Equifax. We are coordinating with the FTC on that investigation, so that is in process. So I think it is premature to really answer that question. Chairman Crapo. All right. Ms. Mithal. Ms. Mithal. Like Ms. Twohig, I cannot comment on the specifics, but what I can say is two things. One is that we have learned that credit bureaus do hold the most sensitive information about consumers available in the marketplace, and it is incumbent on these credit bureaus to protect that information. And, second, I think that in terms of the big data breaches, I think the FTC could use more authority to seek civil penalties against companies that violate the laws that we enforce. Chairman Crapo. All right. Thank you. And Senator Brown has indicated that he wants to yield his first slot to Senator Schatz, so, Senator Schatz, please go ahead. Senator Schatz. Thank you, Chairman, and thank you to Ranking Member Brown. I promise I will not make a habit out of this. I appreciate it very much. Thank you very much for your testimony. Ms. Twohig, I wanted to follow up on something Ms. Mithal described. There was an FTC report that found that 5 percent of credit reports contain confirmed material errors. So these are confirmed material errors. There are more errors than that. But even if it is just 5 percent, that is the bare minimum of confirmed material errors. You are talking about 10 million people. And worse than that, 2 years later 84 percent of those errors remained on the credit reports. Can you tell me a little bit about what your supervisory work is entailing and what you found as it relates to accuracy and dispute resolution? Ms. Twohig. Thank you for that question, Senator. I would be happy to talk about that. 
As I said, because of the concerns about credit report accuracy, the Bureau did its first rule to identify what larger participants in the marketplace it was going to establish a nonbank supervision program for that was not already in a statute with respect to credit bureaus, consumer reporting agencies, because of the priority that the Bureau gave to look into that market and to be able to apply first ever supervisory authority on that industry. So they had never, before the Bureau, been examined by any Federal or State regulator. We prioritized that, and we have been conducting that work. And so we have been very focused on looking at their compliance with the accuracy and the dispute resolution provisions of the FCRA. Senator Schatz. And what have you found? Ms. Twohig. We found that, in general, as a big-picture matter, supervision is an attempt to get companies to have a preventive--to prevent law violations, to have a proactive approach to compliance, to make sure that they have their compliance house in order so that violations do not occur in the first place. We think we have made progress in shifting their attitude and culture toward more of a proactive compliance posture. But we have found problems with their compliance with the law, and we have given them directives to improve where we have found they have fallen short, and we have seen improvements over time. But that is not to say there is not more work to do, Senator. Senator Schatz. Thank you. Ms. Mithal, Senator Kennedy and I have a bill that would give consumers more tools to manage their credit reports, and I think it is really important for this Committee, especially for Republicans on this Committee, to recognize that we all know that we cannot blow up the system, that although there are consumer problems related to these credit bureaus, we still need some measure of creditworthiness, and we are not intending to be so disruptive as to create problems in lending.
But there are some basic things that we can do to empower consumers, and I want to make sure that--they are not customers. They have not enlisted. People generally speaking do not sign up with these credit bureaus. But they are consumers, and our bill tries to empower consumers to, for instance, know what the credit bureaus know, be able to see those same lines, and to have an online portal that is no labyrinthine that allows a person to resolve any dispute in a straightforward manner. Is it fair to say, Ms. Mithal, that you support the goals of this legislation? Ms. Mithal. Absolutely. I think credit report inaccuracy issues continue to harm those consumers that are affected by it. Not only is it the lack of credit in the future; it is the time and expense it takes to clear up their credit report. So I think the tools that you are aiming to provide consumers through your bill, those are the types of tools that are absolutely worth considering. Senator Schatz. Can you talk a little bit about the importance of an online portal? Ms. Mithal. Sure. So I think one of the problems for consumers is that it is very difficult to know how to navigate the credit reporting system, and so I think the easier we can make it for consumers, the more tools we could provide for them, the more one-stop shops we can provide for them, I think that is very useful, consistent with, as you said, the kind of free flow of credit information. Senator Schatz. One final question, which I think I will take for the record for both of you. It is sort of twofold. First, we should draw a distinction between breaches which create credit score problems and credit inaccuracies, and the endemic problem of these credit bureaus basically getting it wrong anywhere from 5 to 15 percent of the time, but at least 5 percent of the time in a material way. So although the Equifax breach caused us to think about these bureaus and focus on that question, this is not a cybersecurity question exclusively. 
It is also a basic consumer rights question. So my question for the record is: What specifically are the pain points for consumers as they go about trying to resolve these questions? Senator Schatz. And I have run out of time, and I appreciate the indulgence of the Chair and the Ranking Member. Chairman Crapo. Thank you. Senator Scott. Senator Scott. Thank you, Mr. Chairman. And thank you to the witnesses for being here today. I have worked for the last 6 or 7 years on something called the ``opportunity agenda,'' trying to find a way to empower those folks living in distressed communities. As you probably both know, we have about 50 million Americans today who live in those distressed communities, and as I think about ways to empower those folks living in distressed communities, the access to credit issue jumps out very clearly. The BCFP has found that 26 million Americans are credit invisible; another 19 million Americans are unscorable because their information is either insufficient and/or just too old. It should come as no surprise that there is a strong correlation between your income and whether you have a credit score or a credit record. Almost 30 percent of Americans living in low-income areas are credit invisible. An additional 15 percent of Americans living in those areas are unscorable. In South Carolina, when you combine those two numbers together, that means about nearly one out of every four South Carolina adults are in that category. A solution to bring credit invisibles out of the shadows is S. 3040, the Credit Access and Inclusion Act. Credit invisibles regularly make payments for their rent, gas, water, electricity, and cell phones. New credit scoring models recognize these payments are payments that are predictive of your actual credit risk. Unfortunately, the FCRA ensures that missed payments and collection are reported to the credit bureaus, but not necessarily the ones you make on time. 
The Brookings Institution states that the consideration of this payment data will lead to a 21-percent increase to prime credit for those earning less than $20,000 a year and a 15-percent increase to prime credit for those earning between $20,000 and $30,000 a year. That will make a huge difference for creditworthy folks trying to climb the economic ladder, and my bill helps us get there. Ms. Twohig, what is the impact on a consumer of being credit invisible when it comes to interest rates, applying for a job, or finding an apartment? Ms. Twohig. Senator, first of all, I want to say that the Bureau shares your concern about access to credit. In fact, one of the Bureau's strategic goals is to ensure that all consumers have access to consumer financial services. With respect to the particular impact, the particular impact will vary for each consumer and what they are applying for and what they are trying to do in the particular credit or other markets. But I think it is fair to say that if a consumer does not have a credit file with one of the national credit reporting companies or if it does not have enough in that file to score, then that consumer is basically shut out of the mainstream credit markets. Senator Scott. Well, that kind of leads to my second question. The BCFP has suggested that more of this information at the credit bureaus will help credit invisibles access mainstream credit sources. It sounds like you would concur that that would be accurate? Ms. Twohig. So alternative data of the type you are discussing is also something that the Bureau is interested in learning more about and is monitoring. In fact, the Bureau issued last year a Request for Information from the public to get information about different kinds of alternative data and the aspects of that alternative data and how it could help consumers and access to credit. We received over 100 comments. 
We are currently monitoring that information and studying that information and learning more about it. But I think also it is fair to say that if that information is accurate and predictive, then that could be part of the solution to increase access to credit. Senator Scott. Thank you. I will just say to my Chairman and the Ranking Member, who I know both have a passion for finding ways to bring those folks who are today credit invisible out of the shadows and into a place where they can rely on a strong credit score to be able to have lower interest rates, greater access to better jobs, and certainly be able to find places to live in higher-quality communities, and all that is anchored in your credit score and not being credit invisible. So hopefully S. 3040 will be on the top of the docket for both of you. Thank you both. Chairman Crapo. Thank you, Senator Scott. Senator Menendez. Senator Menendez. Thank you. Ms. Twohig and Ms. Mithal, let me start off by asking you each to give me the last four digits of your Social Security number. Ms. Twohig. Senator, I really do not want to do that in a public forum. Ms. Mithal. I have the same reaction. Senator Menendez. All right. How about telling me which stores you opened credit cards with? Ms. Twohig. Which stores? Senator Menendez. Yeah. Ms. Twohig. I do not think I have opened any credit cards with a store lately. Ms. Mithal. That is not something I would be willing to share in a public forum. Senator Menendez. Or maybe can you tell us the outstanding balance on your home mortgage loans? Ms. Twohig. Senator, I would prefer not to share that kind of information either. Ms. Mithal. Same. Senator Menendez. I am not surprised. 
But that information, which I am sure you would not want to be shared or sold without your permission, and yet under current law consumer reporting agencies like Equifax can share and sell your information, where you live, where you pay your bills, and whether you pay on time, what you filed for, whether you filed for bankruptcy, without ever having to get your consent. Isn't that right? Ms. Mithal. That is correct, although there are certain limitations on how they can use the data. Senator Menendez. Now, American consumers are at the mercy of three megacompanies who control the security and safety of their personal information, and that makes no sense. Consumers should have the ability to control when, how, and to whom their data is shared, just like you wanted to control it here in this public forum. Last year a massive Equifax data breach laid bare the systemic problems with the credit reporting industry. Its failure to guard sensitive data left 145.5 million Americans exposed to identity theft and fraud. Ms. Mithal, Equifax waited an inexplicable 6 weeks to disclose a breach that had occurred. Worse, over months after the breach, millions of consumers were still unaware of the breach in part because there is no national requirement to alert consumers. My bill, S. 2188, the Consumer Data Protection Act, would require consumer reporting agencies to quickly notify the Federal Trade Commission, the CFPB, law enforcement, and consumers of a breach while keeping intact existing strong State consumer protection laws. Generally speaking, does the FTC support the idea of requiring companies to provide notification to consumers where there is a data security breach? Ms. Mithal. Absolutely, and the Commission has done so for almost--for over a decade on a bipartisan basis. Senator Menendez. 
Now, let me ask you, another issue we need to address here is the ability to hold consumer reporting agencies accountable when there is a breach, when they have clearly failed to protect consumers' personal data. My legislation also provides FTC the authority to pursue fines against a consumer reporting agency such as Equifax that negligently, knowingly, or willingly causes a data breach. In your view, would the institution of a monetary penalty framework incentivize consumer reporting agencies to better secure consumer data? Ms. Mithal. Yes. Senator Menendez. Let me ask another question for both witnesses. Given the unique and varied nature of consumer harm that results from a data breach at a consumer reporting agency, which includes everything from identity theft to difficulty purchasing a home or securing employment, would it be helpful to have a comprehensive study analyzing both the immediate and long-term costs and damages to individuals affected by data breaches at consumer reporting agencies? Ms. Mithal. So I think that there is no question that there is tremendous harm to consumers from data breaches of their sensitive information, and I think it would be worth considering a study to quantify that harm. Senator Menendez. Ms. Twohig. Ms. Twohig. I would agree with Ms. Mithal, and to the extent the Bureau can be helpful providing technical expertise in analyzing that topic, we would be happy to do so. Senator Menendez. Well, thank you. I really did not want to know your Social Security numbers, by the way, or your balances on your mortgages, which I hope is virtually nil. But this is the very essence of what we are talking about as we deal with this issue here today. Thank you, Mr. Chairman. Chairman Crapo. Senator Kennedy. Senator Kennedy. Thank you, Mr. Chairman. Ms. Mithal, can we agree that the work of the CRAs facilitates commerce in America? Ms. Mithal. Absolutely. Senator Kennedy. Do you agree with that, too, Ms. Twohig? Ms. Twohig. Yes. 
Senator Kennedy. And I think we can also agree, can we not, that that is a good thing in our free enterprise system? Ms. Mithal. Yes. Ms. Twohig. Yes. Senator Kennedy. When the CRAs gather information about me, do they ask my permission? Ms. Mithal. No. Ms. Twohig. No. Senator Kennedy. Do they pay me for the information? Ms. Mithal. No. Ms. Twohig. No. Senator Kennedy. They gather this information, and they assign me a score basically making an evaluation, a judgment about me, whether I am a creditworthy person or not. Is that correct? Ms. Mithal. Correct. Senator Kennedy. And in 5 to 10 percent of the cases, they get it wrong. They have some bad data. Is that correct? Ms. Mithal. Yes. Senator Kennedy. If they have bad data and I call them up and I say, ``Hey, you have got bad data on me. You did not talk to me first. I could have fixed this up front, but you did not talk to me. But you have got some bad data on me, and it is affecting my life and my family's life,'' and the CRA says, ``OK. We will get back to you,'' and they never get back to me, or they get back to me and say, ``We disagree.'' What is my recourse? Ms. Mithal. So under the FCRA there is a dispute process where a credit reporting agency is required to respond within a particular amount of time, and though at the end of the day, when the credit bureau says that, ``No, you, in fact, owe this debt,'' the consumer owes the debt. Ms. Twohig. That is right. The consumer can put a statement on their credit report if they are not satisfied with the results of the dispute investigation. Senator Kennedy. How long does that take? Ms. Mithal. I believe under the FCRA the investigation process is 30 to 45 days. Ms. Twohig. That is right. Senator Kennedy. I have to fill out a bunch of forms, do I? Ms. Mithal. Yes. Senator Kennedy. OK. How long do you think it takes to fill out all those forms and make the phone calls and say, ``Hey, you have got my information wrong''? Ms. Mithal. 
So I think there is certainly some time it takes on the part of the consumer to kind of understand the dispute process, to go through the dispute process, and to implement it. Senator Kennedy. And if I have got a day job, I cannot do that at work, right? Ms. Mithal. Yes, it is certainly a lot of time and expense to dispute---- Senator Kennedy. I might do it at night or on the weekends? Can I call them up on the weekends? Do the CRAs work on the weekends, do you know? Ms. Twohig. I believe they have an online portal that you can file a dispute online and submit documents. Now the consumers can submit documents in support of their dispute online. Senator Kennedy. OK. And let us suppose at the end of the process they come back to me and they say, ``No, we are not changing anything,'' or--I know this does not happen very often, but you get somebody having a bad day, and they say, ``Hey, we are not changing anything. And, by the way, we do not care because we do not have to. You are not my customer.'' What do I do? Ms. Mithal. So I think speaking for---- Senator Kennedy. Do I file a complaint with the FTC? Ms. Mithal. Sure, you can file a complaint with the FTC, and we have---- Senator Kennedy. Do I need a lawyer? Ms. Mithal. No, you do not need a lawyer. Senator Kennedy. Does it take time? I bet it is not a one-page form. Ms. Mithal. Yes, it takes time. Senator Kennedy. It is not a one-page form, is it? Ms. Mithal. It is multiple pages. Senator Kennedy. And how quickly would the FTC act? Ms. Mithal. It would take a while. Senator Kennedy. Like how long is ``a while''? Ms. Mithal. It could take--so let me just clarify. We do not act on behalf of individual consumers. Senator Kennedy. I understand. How long would it take? Ms. Mithal. It would take several months to investigate, probably---- Senator Kennedy. It could take a year, couldn't it? Ms. Mithal. Sure. Senator Kennedy. It could take 2 years sometimes, doesn't it? Ms. Mithal. Sure. Senator Kennedy. 
In the meantime, they have got bad data about me, and they did not pay me for it. They did not even ask me. Now, I think the CRAs perform an important service and do facilitate commerce. But it seems to me that we ought to be smart enough, particularly with technology, to come up with a system that says we are going to make it as easy as possible for the people with respect to whom the CRAs have bad information so those people can get it fixed and they can get it fixed quickly and they can get it fixed efficiently and they can get it fixed inexpensively and they can get it fixed so they do not have to miss their kids' ball games. Now, I think Senator Schatz and I have a bill that will do that. What is wrong with that bill? You think it is a good bill, don't you? Ms. Mithal. I do think it is a good bill, and I would support the goals of the legislation, which is, as you articulated, to make it a lot easier for consumers to file disputes with consumer reporting agencies. Senator Kennedy. Ms. Twohig. Ms. Twohig. Senator, I would say that all the issues you have just pointed out are the reason why we have prioritized at the Bureau supervising both the CRAs and furnishers---- Senator Kennedy. Yes, ma'am, I know you prioritized, and I am not fussing at you, but you are still part of the bureaucracy. And it is pretty intimidating for the average American who did not ask to be brought into this system--it is a good system, but it is pretty intimidating when the CRAs get it wrong. And we ought to make it as easy as possible for them to get it fixed. That is good for them. That is good for the companies. That is good for the free enterprise system. And I think we can do better. Thank you, Mr. Chairman. Chairman Crapo. Thank you. Senator Warner. Senator Warner. Well, thank you, Mr. Chairman. First of all, thank you for holding this hearing. I think you are hearing bipartisan concern. I want to thank the Ranking Member for also yielding to us. 
I also want to point out, though, that Ms. Twohig and Ms. Mithal are long-time career professionals. I think they would lean in to being willing to try to help us fix this problem. But they cannot fix this problem on their own without Congress acting. So I want to reiterate what I think a lot of Members have said. I had no choice in Equifax having my data. Senator Menendez raised this, Senator Kennedy has, Senator Schatz has. To me, as a former business guy, it is remarkable that a data breach based upon sloppy cybersecurity standards that took place over a year ago that the public was not notified until 11 months ago, that we still--and this is not your fault at this point, because Congress has not acted--that they have paid no penalty to date. They took a little bit of a hit in the market, but they have almost recovered from that because they do not expect Congress to do its job to give the FTC the ability to put a civil penalty process in place. Now, Senator Warren and I have a very comprehensive bill that I am sure she will speak to as well that would put a liability regime in place that would particularly in the event of negligent behavior put a real incentive to make sure that credit reporting agencies up their game. Let me just again, for the record, Ms. Mithal, the FTC at this point does not have the ability to put any civil penalty on a CRA based on performance, do they? Ms. Mithal. Not on the basis of data security violations generally, no. Senator Warner. So unless the Congress acts, whether it is Senator Warren's bill, Senator Menendez's bill, Senator Kennedy's bill, Senator Schatz's bill, you do not have the tools. As a matter of fact, if we go and look at the so-called Safeguards Rule--and we have heard from Ms. Twohig's testimony that CFPB does not have authority under the Safeguards Rule to examine or look at the practices of the CRA. Ms. 
Mithal, does the FTC have the authority under the Safeguards Rule to examine credit reporting agencies to ensure that that rule is being followed? Ms. Mithal. So just to be clear, we do not have examination authority, but we can investigate CRAs to make sure that they are following the Gramm-Leach-Bliley Safeguards Rule. But, significantly, as you point out, we do not have the authority to seek civil penalties under the Safeguards Rule. Senator Warner. Right, and if memory serves, I am sure Senator Kennedy remembers as well, FTC indicated they had opened an investigation into the Equifax breach, but here we are over a year after the breach took place and 11 months after the public was finally notified, yet we still do not have a result. And even if you come up with a result, you do not have the ability to impose penalties because you have no liability regime in place. Ms. Mithal. Not under data security, yes. Senator Warner. Well, Mr. Chairman, I think this is an area, because I can assure you, sitting from the intel side, this is a problem that is not going to go away. This is a problem that is going to only exponentially increase. And Senator Menendez went down the path of would you be willing to offer your personal information, you wouldn't. But if somebody has hacked in and got that information from Equifax and contacts you with that personalized information and you combine that with the next realm of misinformation and disinformation, and you suddenly have a live stream video of what appears to be a face of somebody you recognize popping up on your social media account asking you to do something, either invest in some company or vote for some candidate, you put those two together, and you have a potential crisis that goes well beyond just financial concerns. 
And if we do not act, I think we are going to be irresponsible in ensuring that kind of activity does not take place, because I agree with Senator Kennedy, the incentives are not there at all for any CRA to clean up its act at all. There are no civil penalties, there is no liability regime. And I think we can do better, and I think these career professionals actually would want us to do better if we would give them the tools. Let me just say in my last 30 seconds, Senator Scott raised a little bit of this question about some of the folks who are unbanked. I am concerned as well, as we think through--Ms. Mithal, this is for you. As we start looking at the use of artificial intelligence, machine learning, you know, there are going to be a lot of tools used particularly by nonbank financial institutions who may provide credit lending, how we make sure that we ensure fairness in this new regime. But at this moment in time, again, I do not believe the FTC has the appropriate ability to look at a nonbank financial institution who is using AI techniques to grant a loan under FCRA. Is that correct? Ms. Mithal. So we did do a report on this issue a few years ago, and we did mention that there are certain circumstances when companies use AI technology to make decisions about credit or housing or employment eligibility that we would have authority to take action under the FCRA, but that is against a limited set of entities that are third parties using the information. So there are some gaps there. Senator Warner. And I would only say, Mr. Chairman and Ranking Member, that if we think what happened with Equifax was something, wait until you see the nonbank financials start to use AI in the sophisticated way. And if we do not get ahead of this in terms of we ought to be able to use good data and good information, but if we do not put some rules in place, the Equifax breach will pale in comparison to what the next generation of attacks will look like. Thank you, Mr. Chairman. 
Chairman Crapo. I share your concerns, Senator Warner. Senator Warren. Senator Warren. Thank you very much, Mr. Chairman. Thanks for holding this hearing. Thank you, Ranking Member Brown, for letting us go ahead of you here. I want to pick up on the same theme that my colleagues have been talking about. After Equifax disclosed its massive data breach last year, I sent letters to Equifax and the other large credit bureaus and Federal regulators seeking information about the breach and the options for holding Equifax accountable. My staff compiled that information in an investigative report that my office issued in February, and I would like to submit a copy of that report for the record, Mr. Chairman. Mr. Chairman? [Laughter.] Senator Brown. Without objection. Senator Warren. Without objection. Chairman Crapo. Without objection. Senator Warren. Thank you, Mr. Chairman. Thank you. Chairman Crapo. What did I just agree to? [Laughter.] Senator Warren. So we put this report together, and one of the key findings of this report is that Federal agencies do not have the legal tools they need to stop data breaches at credit bureaus and hold credit bureaus accountable for compromising sensitive personal information. As Senator Warner was just pointing out, the FTC has some authority to oversee data security at credit bureaus, but it currently has no authority to seek civil penalties against the bureaus for compromising consumer information. So let me just ask, Ms. Mithal: Do you think the FTC should have that authority? Ms. Mithal. Yes. Senator Warren. Good. Thank you. In fact, the response the FTC sent to my letter specifically requested legislation that would ``allow the FTC to seek civil penalties to help ensure effective deterrence of cybersecurity breaches,'' so asking for it. Meanwhile, the CFPB has some supervisory authority over large credit bureaus, but limited ability to issue rules on how the bureaus must safeguard sensitive consumer data. Is that right, Ms. 
Twohig? Ms. Twohig. That is correct. Senator Warren. Good. In other words, even if the CFPB spots serious cybersecurity problems at the credit bureaus it supervises, it cannot issue new rules to try to address these problems. Is that right? Ms. Twohig. So we do not have the authority under the safeguards provisions of the Gramm-Leach-Bliley Act or the Safeguards Rule. Senator Warren. OK. So in response to my letter to the CFPB, then-Director Cordray said that the agency supported new legislation because ``Federal laws that are applicable to data security have not kept pace with technological and cybersecurity developments.'' In other words, want the authority to do this. So after receiving these responses, Senator Warner and I spent months working with each other and with experts in the field to develop the Data Breach Prevention and Compensation Act. Our bill would authorize the FTC to impose large and automatic penalties on any large credit bureau that allowed sensitive consumer information to be accessed. The way we see it, if credit bureaus collect our personal information without our permission, then they should have an absolute obligation to protect that data from hackers and thieves. The bill would also create a new Office of Cybersecurity at the FTC with the responsibility to establish cybersecurity standards at credit bureaus and supervise compliance with those standards. Ms. Mithal, do you think the FTC would be better equipped to oversee how credit bureaus protect sensitive information if Senator Warner's and my bill became law? Ms. Mithal. So I certainly do think we have the expertise. I think it is a question of resources. And so if your law comes with resources, that would be welcome. Senator Warren. OK, good. Fair enough. Fair enough. But you have got to have the authority, or you cannot do anything. Ms. Mithal. Correct. Senator Warren. So thank you. Mr. 
Chairman, I know that you and many of your Republican colleagues on this Committee are concerned about the lack of adequate protection of consumer data at credit bureaus, and I hope you will work with Senator Warner and with me to push this legislation forward. Our Federal agencies have made absolutely clear that they need more legal authority to protect consumers. We cannot just cross our fingers and hope that another breach does not happen because another breach will happen. And if we fail to act, then we bear some responsibility for that. More of our constituents will be harmed unless Congress acts. So I urge you to join with Senator Warner and me and others on this Committee to try to push our bill forward. Thank you, Mr. Chairman. Chairman Crapo. Thank you, Senator Warren. Senator Cortez Masto. Senator Cortez Masto. Thank you. Thank you, Mr. Chair and Ranking Member for, I agree, this important discussion. And thank you to both of you for being here and all of the work that you do. I am curious. I want to talk a little bit about exclusive contracts. Last October, right after the announcement of Equifax's massive data breach, the New York Times ran an article about how Equifax and Freddie Mac have an exclusive relationship that harms both consumers and small businesses. I am curious if either one of you are familiar with that article or familiar with this concept that there are exclusive contracts. Ms. Mithal. I am not. Ms. Twohig. I am not familiar either. Senator Cortez Masto. So this is not something that either one of your organizations is looking into as something that is harmful to individual consumers or small businesses? Ms. Mithal. I can only speak to privacy and cybersecurity issues, and that is not something that is on our radar screen. Senator Cortez Masto. OK. Ms. Twohig. 
And for the Bureau of Consumer Financial Protection, as I said at the outset, we can confirm that we are investigating Equifax's data security practices in coordination with the FTC. Beyond that, our investigations are not public. Senator Cortez Masto. Thank you very much. Ms. Twohig, let me jump back then to the concept of--and I agree with my colleagues--this concern that all of this data is being collected on all of us individually, and we have no control over it. So, Ms. Twohig, let me start with you. As you well know, credit systems around the world have differing standards for consumer control of their own privacy. For instance, the new privacy laws in the European Union provide more privacy options than we do here in the United States. In fact, Americans have really little say over what data can be aggregated by these credit bureaus. If an opt-in system for credit bureaus was established, how would that impact people, our communities, and our economy? In other words, also--and as you address that, what is the reaction we are seeing to the implementation of the general data protection regulations in the European Union? And the reason I bring this up is because we have all been talking about opt-in, but there is this concern that somehow it is going to have an impact on our economy, on our businesses, and so I am curious if you have any insight into that, either one of you. Let me start with you, Ms. Twohig. Ms. Twohig. So at the outset, I would say that the Economic Growth, Regulatory Relief, and Consumer Protection Act provides additional important consumer protections in my view to allow consumers to get a free security freeze. And so even though that is not exactly what---- Senator Cortez Masto. That is not an opt-in. Ms. Twohig. That is not an opt-in, but it is one step toward more control if consumers choose to exercise it. Senator Cortez Masto. But it is less than what the European Union requires? Ms. Twohig. I believe so. Senator Cortez Masto. 
Any other---- Ms. Mithal. Yes, I guess I would say that I would have a bit of a concern about an across-the-board opt-in. I could see people who have a bad credit history or who have criminal records or bankruptcies not wanting that information to be reported and thus not opting into the system, and I think that could raise the cost of credit across the board. So I do have some concerns about that. I agree with the general concept that consumers should have more control, but there are other potential means of accomplishing that. Senator Cortez Masto. Do you think that some of the legislation you have heard today gives more of that control to consumers? Ms. Mithal. I think there are some very interesting options worth exploring through that legislation. Senator Cortez Masto. Thank you. I appreciate that. And let me also then go back to this idea, I agree with my colleague Senator Scott and the concern about too many adults have credit invisible and unscorable credit, and I think that is harmful in so many different ways. But I also understand, Ms. Twohig, from what you said that you are studying the issue or the agency is studying the issue on alternative data. Can you talk a little bit more about that and when you are going to anticipate completion of that study and what your intent is after the study is completed? Ms. Twohig. So I do not have a particular date, and I am not sure there is a particular study. It is just something that the Bureau is very interested in and has requested information so we could learn more about that. I can tell you the Acting Director has created an Office of Innovation with the goal of seeing what the Bureau can do to spur innovation in all kinds of ways, and that would include the use of alternative data and avenues for increasing access to credit. Senator Cortez Masto. OK. Thank you. One final question. 
I know that a number of States just recently announced a consent order last week with Equifax, and I believe these States really took the lead on this and did their necessary investigation. One of the reasons why I have concerns that there needs to be more of this collaboration between States and the Federal Government in this area is because I have seen here, as we have had these hearings, that State oversight is even more necessary now. What I have seen from Director Mulvaney and really the CFPB nominee Kraninger have not shown any willingness to challenge the financial services industry. So given what I know and what I have seen here, let me ask you this: There is legislation in the House--it is H.R. 3626--and it requires enhancing information sharing between the Federal and State regulators when conducting the TSP exams. Would that be something you would support? And I am asking both of you.

Ms. Twohig. So I can say as a general matter that--and I have been with the Bureau since its beginning in the Supervision Program. We have placed a priority on developing relationships with State regulators, and my enforcement colleagues the same for the State Attorneys General, and so we have close and cooperative relationships with those regulators, and the Acting Director has said he wants to improve that even more.

Senator Cortez Masto. That is wonderful to hear. Thank you.

Ms. Mithal. And I would echo that sentiment, and I just want to also say that I think we have been talking a lot about gaps in the FTC's authority, but I do want to say whatever authority Congress gives us, we exercise very aggressively. So we have brought over 60 data security cases, and we have looked at a variety of sectors. So I did not want to make it sound like we were sitting on our hands.

Senator Cortez Masto. Thank you. And I notice my time is up. Thank you both.

Chairman Crapo. Thank you. Senator Jones.

Senator Jones. Thank you, Mr.
Chairman, and thank you to the witnesses for coming here today. I want to mention something about--I want to go back to cybersecurity like so many others, but from a little bit different angle. I appreciate all of the colleagues on this Committee concerned with the Equifaxes of the world and the holders of this information. But, you know, I am an old prosecutor, and when we had a bank robbery, we just did not focus on what happened at the bank. We focused on who got the money and trying to catch those folks. So my question is: We have heard a lot today about Equifax and the CRAs. Is law enforcement involved in that investigation? If they are not, I would like to know why. And if so, can we have an expectation at some point when the investigation is released that there has been an effort and we hopefully can find out who did this? Because I agree with Senator Warner, this problem is not going away, and we need to focus on perpetrators as much as those holding the data. I will give that to both of you.

Ms. Mithal. So I do not think I could talk about this in the context of a specific nonpublic investigation, but what I can say is that we work very closely with criminal authorities. I think it is a kind of one-two punch type situation where we want to make sure as a civil matter that agencies and companies that are entrusted with consumer data are doing everything they can to protect it, and at the same time we work with criminal law enforcement authorities to catch the bad guys and to try to share information to accomplish that. So I agree it is a very important part of the equation.

Senator Jones. All right.

Ms. Twohig. And that would be the same for the Bureau of Consumer Financial Protection in terms of coordinating with criminal law enforcement agencies.

Senator Jones. All right. When this investigation is public, would you expect there to be some element of the report about the culprits in this particular Equifax matter?

Ms. Mithal.
I really cannot speak to that.

Senator Jones. All right. That is fair enough. The other thing I would like to mention is that a recent study showed that Alabama, my State, ranked third from the bottom in terms of average credit scores, and I know there are a lot of things that impact credit scores. But what seemed clear is that there were also regional differences that have remained kind of static, and one of the--CFPB and FTC both have tools to educate customers, which I think is as important as anything in trying to get folks to get their scores up. I see TV ads all the time. But that is not the same--you know, trying to get your free credit score is not the same as trying to say get your free credit score up. So could you both briefly describe some of the tools that your agencies have with regard to education and what you believe could be the most effective way to educate the public about how to maintain a good credit score?

Ms. Mithal. So I can start with that. We have what I believe is a world-class Office of Consumer and Business Education, and one of the things we do is we put out financial literacy materials, materials about credit scores and how to check your credit reports, and I think what we recognize is that a lot of people will not know the FTC, and so they will feel a lot more comfortable getting this information from their local communities, their churches, their schools, their libraries. And so we do not copyright our information. We put it out there for the local communities to put out in their own communities, and we would be happy to work with your office to get our materials out. We are also members of the Interagency Financial Literacy Task Force. So, again, I think we are trying--I absolutely agree that education is a very important part of what we do, and we need to get the word out to consumers so they can help protect themselves.

Senator Jones. Great. Do you want to address that, Ms. Twohig?

Ms. Twohig. Same for the Bureau.
Consumer education is a very important part of what we do, and we have materials and education materials about how to create a credit file so consumers can have access to mainstream credit. Our Community Affairs Office is also doing active work in certain communities to try to help the communities understand what they can do locally to help consumers understand how they can create and build their credit files and positive credit history.

Senator Jones. Great. Well, thank you both, and my staff will reach out to you so that we can do some affirmative things in Alabama. In the remaining moment, I would just like to follow back up with what Senator Scott said about the bill that he and I have introduced on the Credit Access Inclusion Act. And, Mr. Chairman and Senator Brown, I would also urge this Committee to get involved and try to get that bill out. A companion bill that I think is identical passed the House unanimously, and in an era in which the divide over Supreme Court nominations and things like are about to get greater, I do not want a bill that is a truly bipartisan bill to fall through the cracks like this, and I would urge the Committee to take some action and let us get that done. So thank you. Thank you, Mr. Chairman.

Chairman Crapo. Thank you, Senator Jones. Senator Van Hollen.

Senator Van Hollen. Thank you, Mr. Chairman and Ranking Member, and thank you both for your testimony here today. We have talked about a number of things. Two of the categories we have talked about are: one, how do we create more incentives to discourage or prevent or deter credit rating agencies from becoming victims of data breaches? Obviously no one has an interest in having a big data breach, but the cost-benefit analysis needs to be changed, and that is what Senators Warner and Warren have been talking about.
The other issue, which Senator Kennedy and Senator Schatz have been talking about, is the accuracy of the information collected by the credit rating agencies, and I want to focus on that for a moment because, yes, I absolutely agree that we should make it easier for consumers to try to get their complaints submitted and processed more quickly. But it still appears to me that when you look at the sort of incentives of the CRAs, when they get it wrong, other than making the consumer whole again or correcting the error, they do not seem to have any penalty applied. So let me know if there is a current penalty that can be applied when they get it wrong. And we already know that in 5 percent of the cases they get it wrong, which represents millions and millions of Americans, which can have a devastating impact on their lives. So it seems to me in addition to making it easier to remedy the situation from the point of view of a consumer, we should also create greater incentives for the CRAs to get it right in the first place so that the burden is on them when they get it wrong, that there is some penalty to be paid for getting it wrong. Are there any penalties right now that either of you can apply when you just find that they are getting it wrong a lot?

Ms. Mithal. So we do have the authority to seek civil penalties for companies that do not have reasonable procedures to have maximum possible accuracy. So I have been clarifying that under the FCRA we do not have the authority to get penalties under data security, but for accuracy we do, and we have gotten those civil penalties. But I just want to emphasize the statutory standard is reasonable procedures for accuracy, so it is not that every inaccuracy in a credit report will get a civil penalty.

Senator Van Hollen. Right. Would it make sense to think of those--applying more of a penalty when people get it wrong?
In other words, as I understand it right now, if you are a consumer who believes you have bad information that is negatively affecting your credit report, you go through this long process, right? You get on the phone. You may be put on hold. You do what you said. It may take a couple years. At the end of the day, what you, the FTC, determines is whether or not the consumer's complaint was correct, right?

Ms. Mithal. So we look to see whether the company's procedures were reasonable.

Senator Van Hollen. Oh, you just look at the reasonable nature of that. And if you find that they were unreasonable, what do you do to the company?

Ms. Mithal. So we have gotten civil penalties against several companies. One was a couple of years ago against a company. We got about a $2.6 million civil penalty. There is another check authorization company; we got about a $3.5 million civil penalty. So, again, it depends on the facts and circumstances, and we look at several statutory factors in determining the appropriate penalty amount.

Senator Van Hollen. Would it be worth looking at greater sort of deterrent mechanisms so that there is more of a burden on the CRAs to get it right in the first place? And if so, what kind of suggestions would you have?

Ms. Mithal. So I certainly kind of sympathize with the goal of making it easier for consumers to dispute credit report inaccuracy and also to make the whole process easier for consumers. And I think that is a goal worth exploring, and I would be happy to work with your staff and others on this Committee to accomplish that goal.

Senator Van Hollen. All right. Anything else?

Ms. Twohig. So, Senator, similarly, the Bureau can get penalties where there has been noncompliance with the FCRA's reasonable procedures provisions. In fact, it brought a case against a consumer reporting agency and got, I believe, about $5 million in penalties for their failure to comply with that part of the law.
More generally, I think I also sympathize with the problems you are pointing out, and that is exactly why we have used this new supervisory authority that has never existed before until the Bureau was created to prioritize looking at the national credit reporting agencies and other consumer reporting agencies to ensure that they are looking at all aspects of accuracy. There are various different components of really what it takes to get a quality data control system. There is the incoming information. There is compiling it, and there is monitoring any indications of problems after the fact. We have broken it down and looked at various aspects and worked through our supervisory authority to require improvements in each part of those pieces of the system.

Senator Van Hollen. Good, because I think until--let us say you are CRA. Until you have to suffer--right now, a consumer goes through this complaint process, and the CRA at the end of the day, OK, they have got to make them whole, right? ``Oh, we made a mistake 2 years ago that has affected your life.'' But there is no other penalty to be applied unless they somehow have a system that you determined has met this--that has been shaky. And even with those systems today, as we know, 5 percent error rate which affects tens of millions of people. So, anyway, I look forward to working with the Chairman and the Ranking Member and all of you. Thanks.

Senator Brown [presiding]. Thank you, Senator Van Hollen. My questions are for both of you. I have a couple of questions. A lot of people, as we know, work hard every day, sometimes people are working multiple jobs to keep up with their bills. If they are injured or if they fall ill, we do not have--many, many, many companies in this country do not have any kind of leave policy. Some do not have good health insurance, so when people are injured or fall ill, huge unexpected medical costs can haunt their credit report for years.
Given this type of debt is generally out of a person's control--they obviously did not choose this--should we not pause medical debt reporting, at least until more Americans have access to affordable insurance? We will start with you.

Ms. Twohig. So, Senator, I think it is correct that medical debt is different than other kinds of debt. It can cause special problems for consumers. They can be subject to medical debt collection when they are just waiting for reimbursement. So I think it is a different kind of debt than regular debt.

Senator Brown. Go ahead.

Ms. Mithal. I agree with that, and I think S. 2155 was an excellent start in at least excluding certain medical debt for veterans, and I think that this is an idea worth exploring.

Senator Brown. But it should be broader than that.

Ms. Mithal. I think that is an idea worth exploring, yes.

Senator Brown. Partially a follow-up to Senator Cortez Masto, I mentioned Mariner Finance in my opening statement. It is a company that sends cashable checks to people who might be in financial trouble, but the check is, as we know, a high-cost loan. The industry claims these prescreened offers that are allowed by the FCRA help borrowers get a better deal, but it looks like shady lenders fundamentally are taking advantage of a loophole to target struggling families. Wouldn't consumers be better off and less likely to face predatory lending practices if they had to opt into these offers, had to opt in rather than having to take steps to opt out? We will start with you.

Ms. Mithal. Sure. So I also read the article, and I was very troubled by the practices. I cannot speak on any particular company, but the types of practices described in the article were very troubling. So under the FCRA, prescreened offers are permitted if they are a firm offer of credit, and so that is something that the statute specifically allows. If Congress were to determine to change that, we would enforce that requirement as well.
So that is something that the law currently requires, but, again, we would be ready to work with Congress on any potential changes to that.

Senator Brown. Ms. Twohig.

Ms. Twohig. I would agree with that. Consumers now have a right to opt out, but as you suggest, Senator, that is different than having the default the other way, and we would be happy to work with you to consider whether there is a policy determination you think would be better for consumers.

Senator Brown. That is mostly yes?

Ms. Twohig. We would be happy to work with you to consider the pros and cons of going that direction.

Senator Brown. So it is not quite a yes.

Ms. Twohig. Not quite a yes.

Senator Brown. OK. The Fair Credit Reporting Act protects companies that provide information to credit bureaus. Consumers cannot take them to court to get fixes. We know that. We have all heard the horror stories of someone trying to fix inaccurate data on a credit report. If consumers were allowed to have their day in court, would providers be more careful ensuring the data they report to credit bureaus is accurate? Ms. Twohig.

Ms. Twohig. So there is a private right of action under the Fair Credit Reporting Act, and there are private actions filed by consumers if they believe that their information is inaccurate. So I just want to make sure I understand what you are----

Senator Brown. There is a private right of action, but that private right of action has been, to put it mildly, diluted by this Congress and by decisions made by Government, correct?

Ms. Twohig. I cannot speak to that. What I can say is that we are well aware at the Bureau of our obligation to ensure compliance with the law, which is indeed why we have prioritized supervising and enforcing in that area.

Senator Brown. I agree with you, and I appreciate that, and I appreciate your service over the years. But don't providers--the credit providers fundamentally know there is not a particularly effective private right of action.
Do they not know that?

Ms. Twohig. I cannot speak to what they know.

Senator Brown. Well, yeah, you can. The credit providers know about forced arbitration. The credit providers know how the laws have changed. The credit providers know where the power in this society resides. It is not with consumers. It is not with employees. It is with employers. It is with credit reporting companies. You have had a string of really important jobs. You are obviously a really bright woman. You do recognize that, correct?

Ms. Twohig. I recognize that it can be hard for an individual consumer, and that is actually why I have spent my career in public service trying to do what I can do----

Senator Brown. I get all that, and thank you again for that. But you are not willing to say that the credit providers would be more careful ensuring the data they report to credit bureaus is accurate if the laws were written to give consumers more power in the marketplace?

Ms. Twohig. They probably would be more careful if the laws were written that way.

Senator Brown. Would you like to respond to that, too?

Ms. Mithal. I agree with what Ms. Twohig said.

Senator Brown. Which part? The part of----

Ms. Mithal. That companies would be more likely to shore up their practices if consumers had more power.

Senator Brown. I guess I do not know why a simple ``yes'' is not clear there. When credit providers know that the law is mostly--the power of the law is mostly on their side and not on the consumer side. You know, Anatole France said, ah, the majesty of the law. It prohibits rich people as well as poor people from sleeping under bridges. Yeah, it does. Well, that tells you a lot about where the power in society is, and the power more and more is residing with those with more and more power and influence and privilege. And consumers have less and less of that. It is just so clear to me that the credit providers act worse because the law so often is on their side and the power resides in them.
Senator Donnelly.

Senator Donnelly. Thank you, Mr. Chairman. Thank you to the witnesses. On May 24th, the Economic Growth, Regulatory Relief, and Consumer Protection Act was signed into law. I negotiated and wrote that legislation along with Chairman Crapo and several of my colleagues here. This new law includes important new consumer protection related to the credit bureaus to benefit servicemembers, veterans, and all Americans. The law provides free credit freezes, credit monitoring for servicemembers, and protections for veterans from VA billing delays. I would like to highlight these consumer-friendly provisions and receive feedback and updates from you on efforts to oversee the implementation and enforcement. The new law includes a provision to provide free credit monitoring for active-duty servicemembers. The FTC was provided 1 year to complete the rulemaking which will help shape the credit monitoring services provided. Ms. Mithal, I expect the FTC to complete its rulemaking as soon as possible so troops can start receiving this important service. What is the FTC's expected timeline for the rulemaking?

Ms. Mithal. So, Senator, I can assure you we are working as expeditiously as possible to complete the rulemaking, and I am hoping that we would have a Notice of Proposed Rulemaking out by hopefully at least the fall. I do not have complete control over that, but that is what I am committing to.

Senator Donnelly. Obviously, the sooner the better.

Ms. Mithal. Absolutely.

Senator Donnelly. Section 301 of the new law includes a section I authored with Senator Perdue to allow every American to freeze and unfreeze their credit free of charge and set year-long fraud alerts. Additionally, the FTC and the major credit bureaus have to set up web pages where consumers can easily freeze their credit, set a fraud alert, and opt out of prescreened credit offers. These provisions allow Americans to take control of their credit files.
The law requires compliance by September 21st. These provisions will make things easier for consumers. Could you please speak about the provisions generally and your expectation for the level of communication and collaboration that will occur between your agencies and the credit bureaus during implementation to ensure consumers benefit as was intended? If you could each respond.

Ms. Twohig. So I can assure you, Senator, that the Bureau is going to work expeditiously to update--to implementation what it needs to do in implementing the Economic Growth, Regulatory Relief, and Consumer Protection Act. That would include updating the summary of rights that goes to consumers so that when they get their credit report, they have the information about these important new protections available to them, as well as educating consumers. We work collaboratively with the FTC and share information about that kind of information, as well as, of course, overseeing the compliance with these new provisions.

Senator Donnelly. Ms. Mithal.

Ms. Mithal. And I would say, first of all, I think these are very important rights, and they give important tools to consumers, so thank you for your work on that. As to our implementation, we have put out some guidance to consumers informing them of the new updates to the law that will take place in September, and we have already begun discussions with the CRAs about creating an online portal to effectuate all those tools for consumers. And so we are hoping to be ready--or we will be ready by September when the law goes into effect.

Senator Donnelly. OK. Section 302 of the new law is based off the Protecting Veterans Credit Act, which I introduced with Senator Rounds to ensure veterans are not wrongly penalized by medical bill payment delays at the Department of Veterans Affairs. Many veterans had their credit scores damaged when the VA was late to pay medical bills. That will not be a problem any longer due to this new law.
Your agencies, again, have oversight and enforcement authority. Can you speak as to how this provision will ensure that veterans are not wrongly penalized for medical debt that is actually the VA's responsibility? Ms. Twohig.

Ms. Twohig. Senator, you can be sure that we will be looking for compliance with those important new provisions.

Senator Donnelly. Ms. Mithal.

Ms. Mithal. And, again, I think the provisions provide very important new rights for veterans. I think there have been recent studies showing the lack of predictiveness of medical debt, and so I think that is a very important provision, and we will do everything we can to support it.

Senator Donnelly. All right. Thank you, Mr. Chairman.

Senator Brown. Thank you, Senator Donnelly. I ask unanimous consent to enter into the record a letter from several consumer advocacy groups. Without objection. Thanks for being the last guy standing.

[Laughter.]

Senator Donnelly. Ready to help anytime.

Senator Brown. That concludes the questioning for today. Questions for the record are due from Senators in 1 week, by Thursday, July 19th. We ask the two of you to respond to those questions as quickly as possible. Thank you for joining us. This concludes the hearing.

[Whereupon, at 11:29 a.m., the hearing was adjourned.]

[Prepared statements, responses to written questions, and additional material supplied for the record follow:]

PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO

Today's hearing is entitled ``An Overview of the Credit Bureaus and the Fair Credit Reporting Act''.

Credit bureaus play a valuable role in our financial system by helping financial institutions assess a consumer's ability to meet financial obligations, and also facilitating access to beneficial financial products and services. Given this role, they have a lot of valuable personal information on consumers and therefore are targets of cyberattacks.
Last year, Equifax experienced an unprecedented cybersecurity incident which compromised the personal data of over 145 million Americans. Following that event, the Banking Committee held two oversight hearings on the breach and consumer data protection at credit bureaus. The first hearing with the former Equifax CEO examined details surrounding the breach, while the second hearing with outside experts examined what improvements might be made surrounding credit reporting agencies and data security. This Committee also recently held a hearing on cybersecurity and risks to the financial services industry.

These hearings demonstrated bipartisan concern about the Equifax data breach and the protection of consumers' personally identifiable information, as well as support for specific legislative measures to address such concerns. Some of these were addressed in S. 2155, the Economic Growth, Regulatory Relief and Consumer Protection Act, which included meaningful consumer protections for consumers who become victims of fraud. For example, it provides consumers unlimited free credit freezes and unfreezes per year. It allows parents to turn on and off credit reporting for children under 18, and provides important protections for veterans and seniors.

Last month, a New York Times article commenting on the bill noted that, ``one helpful change . . . will allow consumers to `freeze' their credit files at the three major credit reporting bureaus--without charge.
Consumers can also `thaw' their files, temporarily or permanently, without a fee.'' Susan Grant, director of consumer protection and privacy at the Consumer Federation of America expressed support for these measures, calling them ``a good thing.'' Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, similarly noted that the freeze provision ``has the potential to save consumers a lot of money.''

But there is still an opportunity to see whether more should be done, and today's hearing will help inform this Committee in this regard.

Today, I look forward to learning more from the witnesses about: the scope of the Fair Credit Reporting Act and other relevant laws and regulations as they pertain to credit bureaus; the extent to which the Bureau of Consumer Financial Protection and the FTC, whom the two witnesses represent, oversee credit bureau data security and accuracy; the current state of data security, data accuracy, data breach policy, and dispute resolution processes at the credit bureaus; and what, if any, improvements could be made.

States have begun to react in their own ways to various aspects of the public debate on privacy, data security, and the Equifax data breach. Two weeks ago, California enacted the California Consumer Privacy Act which will take effect on January 1, 2020. The Act, which applies to certain organizations conducting business in California, establishes a new privacy framework by creating new data privacy rights, imposing special rules for the collection of minors' consumer data, and creating a damages framework for violations and businesses failing to implement reasonable security procedures. Many Members are interested in learning more about what California and other States are doing on this front.
Additionally, 2 weeks ago, eight State banking commissioners jointly took action against Equifax in a consent order requiring the company to take various actions regarding risk assessment and information security.

I have long been concerned about data collection and data privacy protections by the Government and private industry. Given Americans' increased reliance and use of technology where information can be shared by the swipe of a finger, we should ensure that companies and Government entities who have such information use it responsibly and keep it safe.

______

PREPARED STATEMENT OF PEGGY L. TWOHIG

Assistant Director, Office of Supervision Policy, Division of Supervision, Enforcement, and Fair Lending, Bureau of Consumer Financial Protection

July 12, 2018

Chairman Crapo, Ranking Member Brown, thank you for the opportunity to testify today about the work of the Bureau of Consumer Financial Protection (Bureau) to address consumer protections in the consumer reporting market. My name is Peggy Twohig, and I am the Assistant Director for Supervision Policy at the Bureau. The Office of Supervision Policy is responsible for developing supervision strategy across bank and nonbank markets and ensuring that policy decisions are consistent across markets, charters, and regions.

Prior to my work at the Bureau, I was Director of the Office of Consumer Protection at the Department of the Treasury (Treasury), where I worked on the proposal to create a new consumer agency as part of financial regulatory reform. Immediately before joining Treasury, I served as Associate Director of the Division of Financial Practices at the Federal Trade Commission (FTC). My 17-year tenure at the FTC focused on enforcement and policy issues related to consumer financial services. I have also worked as a litigator in private practice with the firm of Arnold & Porter in Washington, DC.
Credit Reporting System

The consumer reporting market plays a critical role in the overall consumer financial services market and has enormous reach and impact; over 200 million Americans have credit files with tradelines furnished voluntarily by over 10,000 providers. This information is used by many different types of businesses, including creditors, insurers, landlords, telecommunications providers, and employers, to make decisions about individual transactions with consumers. In particular, creditors rely on the information in consumers' credit files to make decisions as to whether to approve a variety of credit transactions, including mortgages, credit cards, student loans, and auto loans. And, when extending credit, creditors use that information to determine what terms to offer.

Accurate consumer report information is therefore important to creditors and other consumer report users to make good business decisions. For any individual consumer, an accurate consumer report can be even more important, given the significant impact that information can have on the consumer's ability to obtain or pay for financial and other products and services. Despite the impact credit reports can have on a consumer, consumers do not get to choose who collects and sells consumer report information about them.

Because of the importance of consumer report accuracy to businesses and consumers, the structure of the Fair Credit Reporting Act (FCRA) creates interrelated legal standards and requirements to support the policy goal of accurate credit reporting. These requirements anticipate that all reports will not be perfect; instead the FCRA requires that credit reporting agencies (CRAs) have ``reasonable procedures to assure maximum possible accuracy'' of reports. \1\ It also imposes certain accuracy obligations on furnishers.
\2\ The FCRA also sets forth a dispute and investigation framework, with obligations on both CRAs and furnishers, to ensure potential errors are investigated and corrected promptly, if necessary. \3\ This dispute resolution framework is important to the efficient operation of credit markets, as it provides a standard mechanism for identifying and resolving inaccuracies when they occur. --------------------------------------------------------------------------- \1\ FCRA Section 607(b), 15 U.S.C. 1681e(b). \2\ FCRA Section 623(a), 15 U.S.C. 1681s-2(a). \3\ FCRA Section 611, 15 U.S.C. 1681i; FCRA Section 623(b), 15 U.S.C. 1681s-2(b). --------------------------------------------------------------------------- Bureau Authority Over Consumer Reporting Agencies and Furnishers Congress authorized the Bureau to assess compliance with the requirements of Federal consumer financial laws as part of its supervision of both depository institutions and nondepository institutions. As defined by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), Federal consumer financial laws include most provisions of the Fair Credit Reporting Act. \4\ The FCRA is the primary statute that governs consumer reporting by CRAs, furnishing information to CRAs, and using reports generated by CRAs. Together with its implementing regulation, Regulation V, \5\ the FCRA imposes obligations on the compilation, maintenance, furnishing, use, and disclosure of information associated with credit, insurance, employment, and other decisions made about consumers. --------------------------------------------------------------------------- \4\ Id. at 5481(14), (12)(F). \5\ 12 CFR part 1022. --------------------------------------------------------------------------- Federal consumer financial laws also include substantive provisions of Title X of the Dodd-Frank Act. 
\6\ One of these provisions is the prohibition on a covered person or service provider from engaging in unfair, deceptive, or abusive acts or practices (UDAAP). \7\ Many CRAs are ``covered persons'' under the Dodd-Frank Act because they collect, analyze, maintain, or provide consumer report information or other account information used or expected to be used in connection with decisions regarding the offering or provision of consumer financial products or services and delivered, offered, or provided in connection with a consumer financial product or service. \8\ Depending on the facts and circumstances of any given transaction, CRAs might also be considered service providers. \9\ --------------------------------------------------------------------------- \6\ 12 U.S.C. 5481(14). \7\ 12 U.S.C. 5531, 5536(a). \8\ Id. at 5481(5), (15)(A)(ix). \9\ Id. at 5481(26) (defining ``service provider'' as ``any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service . . . ''). --------------------------------------------------------------------------- The Bureau has supervisory authority over consumer reporting agencies that are larger participants in the consumer reporting market. In July 2012, the Bureau promulgated the first larger participant rule to define larger participants in the consumer reporting market because of the importance of this function to efficient credit markets. \10\ The larger participant rule defines a larger participant of the consumer reporting market as a nonbank covered person with more than $7 million in annual receipts resulting from relevant consumer reporting activities. \11\ The Bureau estimated 30 companies that account for about 94 percent of the market's annual receipts met the larger participant threshold. 
\12\ --------------------------------------------------------------------------- \10\ https://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/defining-larger-participants-consumer-reporting-market/. \11\ 12 CFR 1090.104. \12\ https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-to-supervise-credit-reporting/. --------------------------------------------------------------------------- Participants in this market include nationwide consumer reporting companies, consumer report resellers, and specialty consumer reporting companies. \13\ The Bureau reviews the operations of these larger participants for compliance with Federal consumer financial laws, including the FCRA and Regulation V. The Bureau also has supervisory authority over a substantial number of entities that furnish credit information to CRAs. As part of its exercise of this authority, the Bureau reviews compliance with the FCRA's furnishing requirements at other institutions subject to the Bureau's supervisory authority, such as large banks. The Bureau also has enforcement authority over nearly every person, regardless of status as a supervised entity, who violates the FCRA. \14\ The Bureau is the first Federal or State agency to have both supervisory and enforcement authority over CRAs and the other participants in the consumer reporting market. --------------------------------------------------------------------------- \13\ The term ``consumer reporting company'' means the same as ``consumer reporting agency,'' as defined in the Fair Credit Reporting Act, 15 U.S.C. 1681a(f), including nationwide consumer reporting agencies as defined in Section 1681a(p) and nationwide specialty consumer reporting agencies as defined in Section 1681a(x). \14\ E.g., Section 1029 of the Dodd-Frank Act excludes certain motor vehicle dealers from the Bureau's rulemaking, enforcement, or other authority. 
--------------------------------------------------------------------------- In addition to enforcement and supervisory authority over CRAs, the Bureau has broad authority to promulgate rules ``as are necessary to carry out the purposes of'' the FCRA. \15\ The Bureau's rules are applicable to any person subject to the FCRA, except certain motor vehicle dealers. \16\ The Bureau does not, however, have rulemaking authority (or supervisory or enforcement authority) under Sections 615(e) and 628 of the FCRA. These provisions direct the Federal banking agencies, the National Credit Union Administration, the FTC, the Commodity Futures Trading Commission, and the Securities and Exchange Commission to promulgate regulations relating to Red Flags, and Disposal of Records. The FTC used its authority under these provisions of the FCRA to promulgate its ID Theft Red Flags Rule \17\ and its Consumer Report Records Disposal Rule. \18\ Other agencies have promulgated comparable rules pursuant to these sections. --------------------------------------------------------------------------- \15\ 15 U.S.C. 1681s(e)(1). \16\ 12 CFR 1022.1(b)(2). \17\ 16 CFR Part 681. \18\ 16 CFR Part 682. --------------------------------------------------------------------------- CRAs and other participants in the consumer reporting market may also be subject to other laws within the Bureau's authority, such as the Gramm-Leach-Bliley Act's (GLBA) notice and opt-out and privacy provisions. GLBA gives the Bureau rulemaking and enforcement authority over these provisions. \19\ (Since these provisions are Federal consumer financial laws they are also within the Bureau's supervisory authority under section 1024 of the Dodd-Frank Act.) The Bureau cannot, however, implement GLBA section 501(b), which requires that financial institutions develop, implement, and maintain comprehensive information security programs that contain administrative, technical, and physical safeguards. 
\20\ The Bureau has no supervisory, enforcement, or rulemaking authority with regard to GLBA section 501(b) or its implementing rules; that section is excluded from the definition of Federal consumer financial law. \21\ Section 501(b) is implemented by rules and guidelines promulgated by the FTC and other agencies and include the FTC's GLBA Customer Information Safeguards Rule. \22\ --------------------------------------------------------------------------- \19\ 15 U.S.C. 6804(a)(1)(A) and 6805(a)(8). The Bureau's GLBA authority does not extend to certain motor vehicle dealers. 12 CFR 1016.1(b)(1). \20\ 15 U.S.C. 6801(b). \21\ 15 U.S.C. 5481(12), (14). \22\ 16 CFR Part 314. --------------------------------------------------------------------------- Bureau Credit Reporting Work In both its supervision and enforcement work, the Bureau has focused on credit reporting accuracy and dispute handling by both CRAs and furnishers. In March 2017, the Bureau issued a special edition of its Supervisory Highlights publication in which it reported out on the supervisory work undertaken in consumer reporting. \23\ As discussed in the report, the Bureau has focused its supervisory work on the key elements underpinning accuracy. As a result of these reviews, the Bureau directed specific improvements in data accuracy and dispute resolution at one or more CRA, including: --------------------------------------------------------------------------- \23\ https://www.consumerfinance.gov/documents/2774/201703-cfpb-Supervisory-Highlights-Consumer-Reporting-Special-Edition.pdf. 
---------------------------------------------------------------------------
    improved oversight of incoming data from furnishers;
    institution of quality control programs of compiled consumer reports;
    monitoring of furnisher dispute metrics to identify and correct root causes;
    enhanced oversight of third-party public records service providers;
    adherence to independent obligation to reinvestigate consumer disputes, including review of relevant information provided by consumers; and
    improved communication to consumers of dispute results.
In addition, the Bureau directed both bank and nonbank furnishers, consistent with the FCRA's requirements, to develop reasonable written policies and procedures regarding accuracy of the information they furnish and to take corrective action when they furnished information they determined to be inaccurate. The Bureau also found that furnishers failed to either conduct investigations or send results of dispute investigations to consumers and demanded that these furnishers bring their dispute handling practices into compliance with legal requirements. In addition to supervisory work, the Bureau has brought enforcement actions and entered into settlements related to institutions' violation of the FCRA's accuracy and dispute investigation requirements. \24\ The Bureau will continue to examine and investigate CRAs and furnishers, using the authority and tools provided by the Dodd-Frank Act and other statutes. --------------------------------------------------------------------------- \24\ See, e.g., http://files.consumerfinance.gov/f/201510_cfpb_consent-order_general-information-serviceinc.pdf; http://files.consumerfinance.gov/f/201512_cfpb_consent-order_clarity-services-inc-timothy-ranney.pdf; https://files.consumerfinance.gov/f/documents/bcfp_security-group-inc_consent-order_2018-06.pdf; https://files.consumerfinance.gov/f/documents/201701_cfpb_CitiFinancial-consent-order.pdf. 
--------------------------------------------------------------------------- The Bureau is also focused on educating consumers by providing consumers with tools and information to help them know what to do when they encounter a problem, or how to avoid problems in the first place. For example, we provide information to consumers about how they can obtain access to their credit reports to check their accuracy and dispute any information they believe to be incorrect. \25\ --------------------------------------------------------------------------- \25\ For information about how to access your credit reports and how to dispute errors: https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/; For information about obtaining credit reports: https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-a-copy-of-my-credit-reports-en-5/; For information about how to dispute errors: https://www.consumerfinance.gov/ask-cfpb/how-do-i-dispute-an-error-on-my-credit-report-en-314/; For information about common credit issues: https://www.consumerfinance.gov/about-us/blog/3-common-credit-issues-and-what-you-can-do-fix-them/. --------------------------------------------------------------------------- Data Security CRAs hold a tremendous amount of information about consumers, including sensitive financial information. If CRAs do not protect this data, it may lead to data breaches and other unauthorized access to it. Unauthorized access to data at consumer reporting agencies creates the risk of substantial harm to consumers, including the risk of identity theft. Because of these risks, since the Equifax breach, the Bureau has increased its attention to data security issues in our supervisory and enforcement activities. The Bureau has the authority to conduct data security investigations and examinations at nonbanks over which it has supervisory authority, including CRAs. 
Data security reviews conducted by the Bureau are comprised of three specific inquiries, consistent with the three prongs of the Bureau's general examination authority. \26\ First, the Bureau assesses the facts and circumstances to determine whether a nonbank's data security practices and policies constitute violations of Federal consumer financial law, including violations of the Dodd-Frank Act's prohibition against unfair, deceptive or abusive acts and practices (UDAAP) \27\ and of the Fair Credit Reporting Act. \28\ Second, the Bureau obtains information about compliance management systems and procedures relating to data security practices. Third, the Bureau detects and assesses risks posed by potential data security lapses to consumers and to markets for consumer financial products and services. --------------------------------------------------------------------------- \26\ Section 1024 of the Dodd-Frank Act grants the Bureau the authority to conduct examinations of certain nonbank financial institutions, including larger participants in the consumer reporting market, under its risk-based supervision program for the purposes of: (a) assessing compliance with the requirements of Federal consumer financial law; (b) obtaining information about the activities and compliance systems or procedures of such person; and (c) detecting and assessing risks to consumers and to markets for consumer financial products and services. 15 U.S.C. 5514. \27\ Both courts and executive branch agencies have found that, in certain circumstances, insufficient data security can constitute an unfair or deceptive practice. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); FTC v. AshleyMadison.com, No. 1:16-cv-02438 (D.D.C. filed Dec. 14, 2016); available at https://www.ftc.gov/enforcement/cases-proceedings/152-3284/ashley-madison. \28\ FCRA Section 607(a), 15 U.S.C. 1681e. 
--------------------------------------------------------------------------- In addition to this work, the Bureau website has a list of resources and information for consumers about data breaches to help consumers understand what steps or actions they can take to protect their personal information. \29\ The Bureau also provides resources to help consumers protect themselves from identity theft, \30\ to help military personnel and their families secure their identities, \31\ and specific resources on the Top 10 ways to protect yourself in the wake of the Equifax data breach. \32\ In addition, the Bureau's online tool, Ask CFPB, has provided consumers with answers to frequently asked questions about a variety of topics, including identity theft, credit freezes, fraud alerts, and credit and identity monitoring. \33\ --------------------------------------------------------------------------- \29\ https://www.consumerfinance.gov/equifaxbreach. \30\ https://www.consumerfinance.gov/about-us/blog/identity-theft-protection-following-equifax-data-breach/. \31\ https://www.consumerfinance.gov/about-us/blog/servicemembers-should-secure-their-identity-after-equifax-data-breach/. \32\ https://www.consumerfinance.gov/about-us/blog/top-10-ways-protect-yourself-wake-equifax-data-breach/. \33\ Available at http://www.consumerfinance.gov/askcfpb/search/?selected-facets=tag-exact%3Aidentity+theft. --------------------------------------------------------------------------- Conclusion Large breaches call for a coordinated response, and the Bureau will continue to coordinate with other Federal and State agencies. We will also continue to exercise our authority to examine and investigate credit reporting companies and furnishers of information, and to educate consumers about important consumer financial issues. Consumers should have confidence that their credit reports comply with all applicable legal requirements. 
Thank you again for the opportunity to testify today at this important hearing. I would be happy to answer your questions about the Bureau's work related to credit reporting. ______ PREPARED STATEMENT OF MANEESHA MITHAL Associate Director, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission July 12, 2018 Introduction Chairman Crapo and Members of the Committee, my name is Maneesha Mithal, and I am the Associate Director for the Division of Privacy and Identity Protection at the Federal Trade Commission (Commission or FTC). \1\ I appreciate the opportunity to appear before you today to discuss the Fair Credit Reporting Act, credit bureaus, and data security. --------------------------------------------------------------------------- \1\ While the views expressed in this statement represent the views of the Commission, my oral presentation and responses to questions are my own and do not necessarily reflect the views of the Commission or any individual Commissioner. --------------------------------------------------------------------------- Congress enacted the Fair Credit Reporting Act \2\ (FCRA) in 1970, recognizing the importance of ``fair and accurate credit reporting'' to maintain ``the efficiency of the banking system'' and ``the public[']s confidence'' in that system, while at the same time balancing the ``need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.'' \3\ The FCRA helps to (1) prevent the misuse of sensitive consumer report information by limiting recipients to those who have a legitimate need for it; (2) improve the accuracy and integrity of consumer reports; and (3) promote the efficiency of the Nation's banking and consumer credit systems. 
Since the FCRA's passage, Congress has amended the statute to address developments in the consumer reporting system and the marketplace and to increase consumers' rights and protections with respect to the collection and use of their data. \4\ --------------------------------------------------------------------------- \2\ 15 U.S.C. 1681-1681x. \3\ Id. 1681(a). \4\ The Consumer Credit Reporting Reform Act of 1996, Title II, Subtitle D, Chapter 1, of the Omnibus Consolidated Appropriations Act for Fiscal Year 1997 (Public Law No. 104-208, Sept. 30, 1996), made extensive revisions to the FCRA, including expanding the duties of consumer reporting agencies, increasing obligations on users of consumer reports, and adding furnishers of information to consumer reporting agencies as a category of entities with statutory obligations. There were a number of more modest revisions over the next 7 years, the most significant of which was a 1999 amendment that specifically authorized the Federal financial agencies to promulgate regulations for the banks and other entities subject to their jurisdiction. The Fair and Accurate Credit Transactions Act of 2003, Public Law No. 108-159 (Dec. 4, 2003) (FACT Act), added several sections to assist consumers and businesses in combating identity theft and reduce the damage to consumers. The Commission, often in conjunction with the Federal financial agencies, issued numerous rules to implement the various FACT Act provisions. --------------------------------------------------------------------------- The Commission has played a key role in the implementation, enforcement, and interpretation of the FCRA since its enactment. \5\ In the last decade, the Commission has brought over 30 actions to enforce the FCRA against consumer reporting agencies (CRAs), users of consumer reports, and furnishers of information to CRAs. 
As the consumer reporting system evolves and new technologies and business practices emerge, vigorous enforcement of the FCRA continues to be a top priority for the Commission, as well as consumer and business education concerning applicable rights and responsibilities under the statute. --------------------------------------------------------------------------- \5\ As enacted, the FCRA established the Commission as the primary Federal enforcement agency, with wide jurisdiction over entities involved in the consumer reporting system; the primary exceptions to the Commission's jurisdiction are federally regulated financial institutions. See 15 U.S.C. 1681s(a)-(b). Pursuant to the Consumer Financial Protection Act of 2010 (CFPA), Title X of Public Law 111-203, 124 Stat. 1955 (July 21, 2010) (The Dodd-Frank Wall Street Reform and Consumer Protection Act), the Commission shares its FCRA enforcement role with the Bureau of Consumer Financial Protection (Bureau) in many respects. --------------------------------------------------------------------------- This testimony first provides background on the FCRA. Next, it discusses marketplace developments related to credit report accuracy. It then discusses the Commission's work to enforce the accuracy provisions of the FCRA and educate consumers and businesses about their respective rights and responsibilities under the statute. Finally, it discusses the data security requirements applicable to credit bureaus and the FTC's efforts to promote data security in this sector. Background on the FCRA CRAs assemble or evaluate consumer data for third parties to use to make critical decisions about the availability and cost of various consumer products and services, including credit, insurance, employment, and housing. \6\ These consumer reports are often used to evaluate the risk of future nonpayment, default, or other adverse events. 
For example, complete and accurate consumer reports enable creditors to make informed lending decisions, benefiting both creditors and consumers. Errors in consumer reports, however, can cause consumers to be denied credit or other benefits or pay a higher price for them. Errors in consumer reports can also cause credit issuers to make inaccurate decisions that result in declining credit to a potentially valuable customer or issuing credit to a riskier customer than intended. --------------------------------------------------------------------------- \6\ 15 U.S.C. 1681a(d) and (f). --------------------------------------------------------------------------- The FCRA imposes a number of obligations on CRAs. For example, to protect the privacy of sensitive consumer report information, CRAs must take reasonable measures to ensure that they provide such information only to those who have a statutorily specified ``permissible purpose'' to receive it. \7\ CRAs must also comply with requirements to help ensure the accuracy of consumer reports, including requirements that CRAs (1) maintain reasonable procedures to ensure the ``maximum possible accuracy'' of consumer reports \8\ and (2) maintain procedures through which consumers can dispute and correct inaccurate information in their consumer reports. \9\ --------------------------------------------------------------------------- \7\ Id. 1681b(a), (c). Permissible purposes under the FCRA include, but are not limited to, the use of a consumer report in connection with a determination of eligibility for credit, insurance, or a license; in connection with the review of an existing account; and for certain employment purposes. \8\ Id. 1681e(b). \9\ Id. 1681i(a)-(d)(1). --------------------------------------------------------------------------- Under the FCRA, if a consumer disputes the completeness or accuracy of information contained in his or her file, the CRA must complete a reasonable investigation within 30 days. 
The CRA must notify the furnisher of the disputed information within five business days. If a disputed item is found to be inaccurate or incomplete or cannot be verified, the CRA must delete or modify the information and notify the furnisher. In general, the CRA must provide the consumer with written notice of the results of the investigation in accordance with the procedures set forth in the statute within 5 business days after the completion of the investigation. In addition, the FCRA imposes obligations on those who furnish information about consumers to CRAs, such as entities extending credit. For example, furnishers have a duty to report accurate information and investigate consumer disputes of inaccurate information. \10\ --------------------------------------------------------------------------- \10\ Id. 1681s-2(a)-(b). --------------------------------------------------------------------------- Users of consumer reports have obligations under the statute as well. For example, if a user of a consumer report takes an adverse action against a consumer--such as a denial of credit or employment--based on information in a consumer report, the user must provide an adverse action notice to the consumer, which explains how the consumer can obtain a free copy of the report and dispute any inaccurate information in the report. \11\ --------------------------------------------------------------------------- \11\ Id. 1681m(a). The adverse action notice also must include a statement that the CRA that supplied the consumer report did not make the decision to take the adverse action and cannot give the consumer any specific reasons for the decision. Id. 1681m(a)(2)(B). --------------------------------------------------------------------------- Credit Report Accuracy In 2012, the Commission published a study of credit report accuracy mandated by the FACT Act, which amended the FCRA. 
\12\ It was the first major study that looked at all of the primary groups that participate in the credit reporting and scoring process--consumers, furnishers (e.g., creditors, lenders, debt collection agencies), the Fair Isaac Corporation (which develops FICO credit scores), and the national credit bureaus. \13\ To implement the study, researchers worked with approximately 1,000 consumers to review their free credit reports from the three major credit bureaus. The researchers helped consumers identify and dispute possible errors on their credit reports. According to the study findings, 25 percent of consumers identified errors on their credit reports that might affect their credit scores and 80 percent of these consumers who filed disputes experienced some modification to their credit reports. Overall, 13 percent of consumers experienced a change in their credit scores after a dispute and 5 percent of consumers experienced an increase in their credit scores such that their credit risk tier decreased and the consumer may be more likely to be offered a lower loan interest rate. --------------------------------------------------------------------------- \12\ Public Law No. 108-159 (Dec. 4, 2003). \13\ Section 319 of the Fair and Accurate Credit Transactions Act of 2003: Fifth Interim Federal Trade Commission Report to Congress Concerning the Accuracy of Information in Credit Reports (Dec. 2012), available at https://www.ftc.gov/reports/section-319-fair-accurate-credit-transactions-act-2003-fifth-interim-federal-trade. --------------------------------------------------------------------------- There have been significant changes in the marketplace aimed at increasing credit report accuracy since the Commission published its study. For example, the Bureau has been exercising its supervisory authority over the nationwide credit bureaus and it periodically publishes Supervisory Highlights describing its findings. 
Last year, it published an edition focused on accuracy issues in credit reporting and the handling and resolution of consumer disputes, and it pointed to several specific improvements it directed in these areas. \14\ --------------------------------------------------------------------------- \14\ See Supervisory Highlights Consumer Reporting Special Edition (Mar. 2, 2017), available at https://www.consumerfinance.gov/data-research/research-reports/supervisory-highlights-consumer-reporting-special-edition/. --------------------------------------------------------------------------- In addition, in 2015, the nationwide credit bureaus announced a Nationwide Consumer Assistance Plan (NCAP) as a result of a settlement with over 30 State attorneys general, with a number of provisions designed to improve the accuracy of credit reports. \15\ These provisions include requiring all data furnishers to use the most current reporting format; removing any previously reported medical collections that have been paid or are being paid by insurance; requiring debt collectors to regularly update the status of unpaid debts and remove debts no longer being pursued for collection; and implementing an enhanced dispute resolution process for consumers that are victims of fraud or identity theft or are involved in mixed files (where two consumer files are mistakenly mixed together). NCAP contained a phased implementation plan scheduled to be completed this year. --------------------------------------------------------------------------- \15\ See, e.g., National Consumer Assistance Plan, News Release (Jun. 9, 2016), available at http://www.nationalconsumerassistanceplan.com/news/news-release/. --------------------------------------------------------------------------- FTC Activities To Promote Credit Report Accuracy Law Enforcement FCRA enforcement continues to be a top priority for the Commission. 
With the advent in 2011 of the Bureau's supervisory authority over the nationwide credit bureaus and the coordination efforts between the agencies, the FTC has focused its FCRA law enforcement efforts on other entities in the credit reporting area and other aspects of the consumer reporting industry more broadly. For example, the FTC settled cases against furnishers that allegedly had inadequate policies and procedures for reporting accurate credit information to CRAs. In Credit Protection Association, LP, the Commission alleged that a debt collector failed to have adequate policies and procedures to handle consumer disputes, did not have a policy requiring notice to consumers of the outcomes of investigations about disputed information, and in numerous instances failed to inform consumers of the outcome of disputes. \16\ The settlement included $72,000 in civil penalties. \17\ And, in Tricolor Auto Acceptance, LLC, the Commission alleged that the loan-servicing department of an auto dealer failed to have written policies and procedures designed to ensure that the credit information it reported to CRAs was accurate and failed to properly investigate consumer disputes regarding the accuracy of credit information. \18\ The settlement included $82,000 in civil penalties. --------------------------------------------------------------------------- \16\ U.S. v. Credit Protection Association, LP, No. 3:16-cv-01255-D (N.D.Tex. filed May 9, 2016), available at https://www.ftc.gov/enforcement/cases-proceedings/142-3142/credit-protection-association. \17\ As specified by the Federal Civil Penalty Inflation Adjustment Act of 1990, 28 U.S.C. 2861, as amended by the Debt Collection Improvements Act of 1996, Public Law 104-134, 31001(s)(1), 110 Stat. 
1321-373, in relevant part, civil penalties under the FCRA are capped at $3,500 per violation for violations occurring before August 1, 2016, $3,756 per violation for violations occurring between that date and January 23, 2017, and $3,817 for violations occurring on or after January 24, 2017.
    \18\ U.S. v. Tricolor Auto Acceptance, LLC, No. 3:15-cv-3002 (N.D.Tex. filed Sept. 16, 2015), available at https://www.ftc.gov/enforcement/cases-proceedings/142-3073/tricolor-auto-acceptance-llc.
---------------------------------------------------------------------------
In addition, the FTC has settled cases against background screening CRAs that compile background reports on consumers that may include driving records, employment and education history, eviction records, and criminal records for use in making employment and housing decisions. These settlements include allegations relating to inaccuracies in consumer reports, as well as failures to protect the privacy of consumer reports by ensuring permissible use. For example, in InfoTrack Information Services, Inc., the Commission alleged that a background screening CRA failed to have reasonable procedures to ensure the maximum possible accuracy of consumer report information and, as a result, provided inaccurate information suggesting that job applicants potentially were registered sex offenders. \19\ The settlement included $1 million in civil penalties, which was suspended upon payment of $60,000 based on inability to pay.
In Instant Checkmate, Inc., the Commission alleged that the CRA compiled public record information into background reports and marketed its services to landlords and employers but failed to comply with several FCRA provisions, including failing to maintain reasonable procedures to ensure the accuracy of its reports, failing to have reasonable procedures to ensure that those using its reports had permissible purposes for accessing them, and providing reports to users that it did not have reason to believe had a permissible purpose to receive them. \20\ The settlement included $525,000 in civil penalties.
---------------------------------------------------------------------------
    \19\ U.S. v. Infotrack Information Services, Inc., No. 1:14-cv-02054 (N.D.Ill. filed Apr. 9, 2014), available at https://www.ftc.gov/enforcement/cases-proceedings/122-3092/infotrack-information-services-inc-et-al.
    \20\ U.S. v. Instant Checkmate, Inc., No. 3:14-cv-00675-H-JMA (S.D.Cal. filed Apr. 9, 2014), available at https://www.ftc.gov/enforcement/cases-proceedings/122-3221/instant-checkmate-inc.
---------------------------------------------------------------------------
The FTC has also brought cases against check authorization CRAs for failing to comply with their accuracy obligations. Check authorization companies compile consumers' personal information and use it to help retail merchants throughout the United States determine whether to accept consumers' checks. In its settlements with Telecheck \21\ and Certegy, \22\ two of the Nation's largest check authorization companies, the Commission charged these companies with failing to follow FCRA accuracy procedures, failing to follow proper procedures for consumer disputes, and failing to establish and implement reasonable written policies regarding the accuracy of information the companies furnish to other CRAs. The FTC obtained $3.5 million in civil penalties against each company.
---------------------------------------------------------------------------
    \21\ U.S. v. TeleCheck Services, Inc., No. 1:14-cv-00062 (D.D.C. filed Jan. 16, 2014), available at https://www.ftc.gov/enforcement/cases-proceedings/112-3183/telecheck-services-inc.
    \22\ U.S. v. Certegy Services, Inc., No. 1:13-cv-01247 (D.D.C. filed Aug. 15, 2013), available at https://www.ftc.gov/enforcement/cases-proceedings/112-3183/telecheck-services-inc.
---------------------------------------------------------------------------

Business Guidance and Consumer Education

The Commission also continues to educate consumers and businesses on their consumer reporting rights and obligations under the FCRA. The FTC has published guidance for employment and tenant background screening companies regarding their obligations under the FCRA, including with respect to accuracy and consumer disputes. \23\ For furnishers, the FTC publication Consumer Reports: What Information Furnishers Need To Know provides an overview of obligations under the FCRA. \24\ Similarly, for users of consumer reports, FTC guidance includes publications for employers, landlords, insurers, and creditors, as well as guidance on secure disposal of consumer information for all businesses. \25\
---------------------------------------------------------------------------
    \23\ See ``What Employment Background Screening Companies Need To Know About the Fair Credit Reporting Act'' (Apr. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/what-employment-background-screening-companies-need-know-about; ``What Tenant Background Screening Companies Need To Know About the Fair Credit Reporting Act'' (Oct. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/what-tenant-background-screening-companies-need-know-about-fair.
    \24\ See Consumer Reports: ``What Information Furnishers Need To Know'' (Nov.
2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/consumer-reports-what-information-furnishers-need-know.
    \25\ See Consumer Reports: ``What Employers Need To Know'' (Oct. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/using-consumer-reports-what-employers-need-know; Consumer Reports: ``What Landlords Need To Know'' (Oct. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/using-consumer-reports-what-landlords-need-know; Consumer Reports: ``What Insurers Need To Know'' (Nov. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/consumer-reports-what-insurers-need-know; ``Using Consumer Reports for Credit Decisions: What To Know About Adverse Action and Risk-Based Pricing Notices'' (Nov. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/using-consumer-reports-credit-decisions-what-know-about-adverse; ``Disposing of Consumer Report Information? Rule Tells How'' (Jun. 2005), available at https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how.
---------------------------------------------------------------------------
The FTC also has a number of user-friendly resources for consumers designed to inform them of their rights under the FCRA and assist them with navigating the consumer reporting system. The publication Credit and Your Consumer Rights provides an overview of credit, explains consumers' legal rights, and offers practical tips to help solve credit problems. \26\ The FTC also has publications that explain how consumers can obtain their free annual credit reports from each of the nationwide consumer reporting agencies \27\ and use the FCRA's dispute procedures to ensure that information in their consumer reports is accurate. \28\ For consumers seeking employment or housing, the FTC has materials on employment background checks \29\ and tenant background checks.
\30\ The Commission continues to update and expand its materials as new issues arise.
---------------------------------------------------------------------------
    \26\ ``Credit and Your Consumer Rights'' (June 2017), available at https://www.consumer.ftc.gov/articles/pdf-0070-credit-and-your-consumer-rights.
    \27\ ``Free Credit Reports'' (Mar. 2013), available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports.
    \28\ See ``Disputing Errors on Credit Reports'' (Feb. 2017), available at https://www.consumer.ftc.gov/articles/0151-disputing-errors-credit-reports.
    \29\ See ``Background Checks'' (Mar. 2018), available at https://www.consumer.ftc.gov/articles/0157-background-checks.
    \30\ See FTC Consumer Blog, ``Renting an Apartment? Be Prepared for a Background Check'' (Nov. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how.
---------------------------------------------------------------------------

Data Security

The FTC is committed to protecting consumer privacy and promoting data security in the private sector. The Commission is the Nation's primary data security regulator and enforces several statutes and rules that impose data security requirements on companies across a wide spectrum of industries, including credit bureaus. Since 2001, the Commission has undertaken substantial efforts to promote data security in the private sector through enforcement of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, such as businesses making false or misleading claims about their data security procedures, or failing to employ reasonable security measures. \31\ The Commission is also the Federal enforcement agency for the Children's Online Privacy Protection Act (COPPA), which requires reasonable security for children's information collected online. \32\
---------------------------------------------------------------------------
    \31\ 15 U.S.C. 45(a).
If a company makes materially misleading statements or omissions about a matter, including data security, and such statements or omissions are likely to mislead reasonable consumers, they can be found to be deceptive in violation of Section 5. Further, if a company's data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices can be found to be unfair and violate Section 5.
    \32\ 15 U.S.C. 6501-6506; see also 16 CFR Part 312 (COPPA Rule).
---------------------------------------------------------------------------
Further, the Commission's Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLB Act), sets forth data security requirements for financial institutions within the Commission's jurisdiction, which includes credit bureaus. \33\ The Safeguards Rule requires financial institutions, or companies that are significantly engaged in offering consumer financial products or services, to develop, implement, and maintain a comprehensive information security program for handling customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. The FTC has exclusive enforcement authority with respect to nonbank consumer financial services providers.
---------------------------------------------------------------------------
    \33\ 16 CFR Part 314, implementing 15 U.S.C. 6801(b).
---------------------------------------------------------------------------
Finally, the FCRA requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they provide consumer reports have a permissible purpose for receiving that information \34\ and also requires the secure disposal of consumer report information.
\35\ This section describes the FTC's efforts to enforce these laws, educate consumers and businesses, and develop policies in this area.
---------------------------------------------------------------------------
    \34\ 15 U.S.C. 1681e.
    \35\ Id. 1681w. The FTC's implementing rule is at 16 CFR Part 682.
---------------------------------------------------------------------------

Law Enforcement

The Commission has brought over 60 law enforcement actions against companies that allegedly engaged in unreasonable data security practices. Last year, the Commission took the unusual step of publicly confirming its investigation into the Equifax data breach due to the scale of public interest in the matter. The FTC has significant experience with enforcing data security laws against CRAs. In 2006, the FTC brought the seminal Choicepoint case against a CRA that sold consumer reports to identity thieves who did not have a permissible purpose to obtain the information under the FCRA, as well as failed to employ reasonable measures to secure the personal information it collected and misrepresented its security practices under Section 5 of the FTC Act. \36\ The complaint alleged that ChoicePoint failed to monitor subscribers even after receiving subpoenas from law enforcement authorities alerting it to fraudulent activity. The settlement included injunctive relief, as well as $10 million in civil penalties--the largest FCRA civil penalty in FTC history--and $5 million in consumer redress. A few years later, the FTC settled another action against the company when it suffered a data breach because it turned off a key electronic security tool used to monitor access to one of its databases, in violation of the Commission's order. \37\
---------------------------------------------------------------------------
    \36\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-GET (N.D.Ga. filed Jan. 30, 2006), available at https://www.ftc.gov/enforcement/cases-proceedings/052-3069/choicepoint-inc.
    \37\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-JTC (N.D.Ga. filed Oct. 19, 2009), available at https://www.ftc.gov/enforcement/cases-proceedings/052-3069/choicepoint-inc.
---------------------------------------------------------------------------
The Commission has also brought actions against companies for failing to dispose of consumer report information securely. For example, in the PLS Financial Services, Inc. case, the FTC alleged that the company violated the FCRA Disposal Rule by failing to take reasonable steps to protect against unauthorized access to credit reports in the improper disposal of the consumer information, violated the Safeguards Rule requirements for financial institutions to develop and use safeguards to protect consumer information, and violated the FTC Act by misrepresenting that it had implemented reasonable measures to protect sensitive consumer information. \38\ The settlement included injunctive relief and $101,500 in civil penalties.
---------------------------------------------------------------------------
    \38\ U.S. v. PLS Financial Services, Inc., No. 112-cv-08334 (N.D.Ill. filed Oct. 17, 2012), available at https://www.ftc.gov/enforcement/cases-proceedings/1023172/pls-financial-services-inc-et-al.
---------------------------------------------------------------------------

Business Guidance and Consumer Education

In addition to law enforcement, the FTC provides extensive business guidance on data security. The agency's goal is to provide information to help businesses protect the data in their care and understand what practices may violate the laws the FTC enforces. The FTC provides general business education about data security issues, as well as specific guidance on emerging threats. In 2015, the FTC launched its Start with Security initiative, which includes a guide for businesses, \39\ as well as 11 short videos, \40\ that discuss 10 important security topics and give advice about specific security practices for each.
In 2016, the FTC published a business advisory on how the National Institute of Standards and Technology Cybersecurity Framework applies to the FTC's data security work \41\ and released an update to ``Protecting Personal Information: A Guide for Business'', which was first published in 2007. \42\ Last year, the FTC published its Stick with Security blog series offering additional insights into the Start with Security principles, based on the lessons of recent law enforcement actions, closed investigations, and experiences companies have shared about data security in their business. \43\
---------------------------------------------------------------------------
    \39\ ``Start With Security: A Guide for Business'' (June 2015), available at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.
    \40\ ``Start With Security: Free Resources for Any Business'' (Feb. 19, 2016), available at https://www.ftc.gov/news-events/audio-video/business.
    \41\ FTC Business Blog, ``The NIST Cybersecurity Framework and the FTC'' (Aug. 31, 2016), available at https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.
    \42\ ``Protecting Personal Information: A Guide for Business'' (Oct. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business.
    \43\ FTC Business Blog, ``Stick With Security: A Business Blog Series'' (Oct. 2017), available at https://www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series.
---------------------------------------------------------------------------
In addition to data security guidance, the FTC provides business guidance related to data breaches.
In September 2016, the FTC released Data Breach Response: A Guide for Business, \44\ and a related video, which describes immediate steps companies should take when they experience a data breach, such as taking breached systems offline, securing physical areas to eliminate the risk of further harm from the breach, and notifying consumers, affected businesses, and law enforcement. The guide also includes a model data breach notification letter businesses can use to get started.
---------------------------------------------------------------------------
    \44\ ``Data Breach Response: A Guide for Business'' (Oct. 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
---------------------------------------------------------------------------
The FTC also provides businesses with specific guidance on emerging threats. For example, most recently the FTC released a staff perspective and related blog post to help businesses prevent phishing scams. \45\ Following a workshop, \46\ the FTC published a blog post describing ransomware, \47\ how to defend against it, and essential steps to take if businesses become victims. \48\ Further, the FTC develops targeted guidance for companies in specific industries. For example, staff developed specific security guidance for debt buyers and sellers. \49\
---------------------------------------------------------------------------
    \45\ FTC Staff Perspective, ``Businesses Can Help Stop Phishing and Protect Their Brands Using Email Authentication'' (Mar. 2017), available at https://www.ftc.gov/reports/businesses-can-help-stop-phishing-protect-their-brands-using-email-authentication-ftc-staff; FTC Business Blog, ``Want To Stop Phishers? Use Email Authentication'', Mar. 3, 2017, available at https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email-authentication.
    \46\ Fall Technology Series: ``Ransomware'' (Sept.
7, 2016), available at https://www.ftc.gov/news-events/events-calendar/2016/09/fall-technology-series-ransomware.
    \47\ Ransomware is malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data ``hostage'' until the victim pays a ransom.
    \48\ FTC Business Blog, ``Ransomware--A Closer Look'' (Nov. 10, 2016), available at https://www.ftc.gov/news-events/blogs/business-blog/2016/11/ransomware-closer-look.
    \49\ ``Buying or Selling Debts? Steps for Keeping Data Secure'' (Apr. 2015), available at https://www.ftc.gov/tips-advice/business-center/guidance/buying-or-selling-debts-steps-keeping-data-secure.
---------------------------------------------------------------------------
The Commission also educates consumers on security. For example, the FTC has provided guidance for consumers on securing their home wireless networks, a critical security step for protecting devices and personal information from compromise. These resources are accessible on the FTC's consumer guidance website, consumer.ftc.gov. The FTC also assists consumers affected by data breaches through its identitytheft.gov website that allows consumers who are victims of identity theft to quickly file a complaint with the FTC and get a free, personalized guide to recovery that helps streamline many of the steps involved. In the wake of the announcement of the Equifax data breach last year, the agency published numerous materials and created a dedicated page on its website, ftc.gov/Equifax, with resources to educate consumers about fraud alerts, active duty alerts, credit freezes and locks, credit monitoring, and how to reduce the risk of identity theft.

Policy Initiatives

The FTC engages in a variety of policy initiatives to enhance data security. The FTC has hosted workshops and issued reports to highlight the privacy and security implications of new technologies.
For example, last year the FTC hosted a workshop to examine consumer injury in the context of privacy and data security and various issues related to the injuries consumers suffer when information about them is misused. \50\ Most recently, the Commission announced plans to hold a series of public hearings on the impact of market developments on competition and consumer protection enforcement, including the Commission's remedial authority to deter unfair and deceptive conduct in privacy and data security matters. \51\
---------------------------------------------------------------------------
    \50\ Informational Injury Workshop (Dec. 12, 2017), available at https://www.ftc.gov/news-events/events-calendar/2017/12/informational-injury-workshop.
    \51\ Press Release, ``FTC Announces Hearings on Competition and Consumer Protection in the 21st Century'' (June 20, 2018), available at https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-hearings-competition-consumer-protection-21st.
---------------------------------------------------------------------------

Conclusion

Thank you for the opportunity to provide the Commission's testimony on credit report accuracy and security. We look forward to continuing to work with Congress and this Committee on these important issues.

RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCOTT FROM MANEESHA MITHAL

Q.1. I greatly appreciated the FTC's guidance and technical assistance as I authored legislation, the Protecting Children From Identity Theft Act (S. 2498), to stamp out synthetic ID fraud. Your team has long been a leading voice on this issue. Thanks to Chairman Crapo, the legislation was included in the Economic Growth, Regulatory Relief, and Consumer Protection Act (Section 215 of S. 2155) and enacted into law this May.

Please answer the following with specificity:

For the benefit of this Committee, could you explain what synthetic ID fraud is and who predominantly falls victim to this crime?

A.1.
Synthetic identity theft is a technique used by some identity thieves in which they apply for credit using a mixture of real, verifiable information of an existing person with fictitious information, thus creating a ``synthetic'' identity. Often these identity thieves use real Social Security numbers (SSNs) of people they know are unlikely to have existing credit files, such as children or recent immigrants. Using a consumer's SSN to apply for loans, utility accounts, property accounts, driver's licenses, and vehicle registrations can have long-term consequences that can leave victims burdened with unauthorized debt and a flawed credit history. This type of identity theft has been on the rise in recent years and was a topic of discussion at the Federal Trade Commission's 2017 Identity Theft conference.

Q.2. How exactly will the Protecting Children From Identity Theft Act cut down on synthetic ID fraud?

A.2. Synthetic identity theft often happens because there is no convenient mechanism to ensure that an SSN matches with other information provided by an applicant for credit or other services. Currently, the SSA's Consent-Based Social Security Number Verification system--while created to fight synthetic identity theft and other fraud--requires financial institutions to obtain a physical written signature from a consumer before making a request to verify an SSN with the SSA. This requirement has been time consuming and has undermined the effectiveness of the verification system. In an era where many consumers expect instant access to credit, financial institutions will be more likely to take verification measures when the process is quick and efficient.
The Protecting Children From Identity Theft Act, which was incorporated into Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, allows certain financial institutions, including credit reporting agencies (CRAs), to receive customers' consent by electronic signature to verify their name, date of birth, and Social Security number with the Social Security Administration (SSA). It also directs SSA to modify their databases to allow for the financial institutions, including CRAs, to electronically and quickly request and receive accurate verification of consumer data. These measures will result in a quicker and more efficient verification process that will help reduce synthetic identity fraud.