[Senate Hearing 115-361]
[From the U.S. Government Publishing Office]


                                                    S. Hrg. 115-361


  AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                                   ON

EXAMINING THE CONSUMER REPORTING AGENCIES AND THE FAIR CREDIT REPORTING 
                                  ACT

                               __________

                             JULY 12, 2018

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs
                                
                                
                                


                Available at: http://www.govinfo.gov/
                
                
                                __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
32-483 PDF                  WASHINGTON : 2018                     
          
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).

            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                  DOUG JONES, Alabama

                     Gregg Richard, Staff Director

                 Mark Powden, Democratic Staff Director

                      Joe Carapiet, Chief Counsel

              Kristine Johnson, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

            Laura Swanson, Democratic Deputy Staff Director

              Phil Rudd, Democratic Legislative Assistant

                       Dawn Ratliff, Chief Clerk

                      Cameron Ricker, Deputy Clerk

                     James Guiliano, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor



                            C O N T E N T S

                              ----------                              

                        THURSDAY, JULY 12, 2018

Opening statement of Chairman Crapo
    Prepared statement

Opening statements, comments, or prepared statements of:
    Senator Brown

                               WITNESSES

Peggy L. Twohig, Assistant Director, Office of Supervision 
  Policy, Division of Supervision, Enforcement, and Fair Lending, 
  Bureau of Consumer Financial Protection
    Prepared statement
Maneesha Mithal, Associate Director, Division of Privacy and 
  Identity Protection, Bureau of Consumer Protection, Federal 
  Trade Commission
    Prepared statement
    Responses to written questions of:
        Senator Scott

              Additional Material Supplied for the Record

Statements and letters submitted by Chairman Crapo
Reports and letters submitted by Senator Scott
Letter submitted by Senator Reed
Report submitted by Senator Warren


 
  AN OVERVIEW OF THE CREDIT BUREAUS AND THE FAIR CREDIT REPORTING ACT

                              ----------                              


                        THURSDAY, JULY 12, 2018

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:04 a.m., in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. The Committee will come to order. The 
Committee hearing today is entitled ``An Overview of the Credit 
Bureaus and the Fair Credit Reporting Act''.
    Credit bureaus play a valuable role in our financial system 
by helping financial institutions assess a consumer's ability 
to meet financial obligations and also facilitating access to 
beneficial financial products and services.
    Given this role, they have a lot of valuable personal 
information on consumers and, therefore, are targets of 
cyberattacks.
    Last year, Equifax experienced an unprecedented 
cybersecurity incident which compromised the personal data of 
over 145 million people.
    Following that event, the Banking Committee held two 
oversight hearings on the breach and consumer data protection 
at credit bureaus. The first hearing with the former Equifax 
CEO examined details surrounding the breach, while the second 
hearing with outside experts examined what improvements might 
be made surrounding credit reporting agencies and data 
security.
    This Committee also recently held a hearing on 
cybersecurity and risks to the financial services industry. 
These hearings demonstrated bipartisan concern about the 
Equifax data breach and the protection of consumers' personally 
identifiable information, as well as support for specific 
legislative measures to address such concerns.
    Some of these were addressed in Senate bill 2155, the 
``Economic Growth, Regulatory Relief, and Consumer Protection 
Act'', which included meaningful consumer protections for 
consumers who become victims of fraud.
    For example, it provides consumers unlimited free credit 
freezes and unfreezes per year. It allows parents to turn on 
and off credit reporting for children under 18 and provides 
important protections for veterans and seniors.
    Last month a New York Times article commenting on the bill 
noted that ``one helpful change . . . will allow consumers to 
`freeze' their credit files at the three major credit reporting 
bureaus--without charge. Consumers can also `thaw' their files, 
temporarily or permanently, without a fee.''
    Susan Grant, director of consumer protection and privacy at 
the Consumer Federation of America, expressed support for these 
measures, calling them ``a good thing.''
    Paul Stephens, director of policy and advocacy at the 
Privacy Rights Clearinghouse, similarly noted that the freeze 
provision ``has the potential to save consumers a lot of 
money.''
    But there is still an opportunity to see whether more 
should be done, and today's hearing will help inform this 
Committee in that regard.
    Today I look forward to hearing more from the witnesses 
about the scope of the Fair Credit Reporting Act and other 
relevant laws and regulations as they pertain to credit 
bureaus; the extent to which the Bureau of Consumer Financial 
Protection and the FTC, whom the two witnesses represent today, 
oversee credit bureau data security and accuracy; the current 
state of data security, data accuracy, data breach policy, and 
dispute resolution processes at the credit bureaus; and what, 
if any, improvements could be made.
    States have begun to react in their own ways to various 
aspects of the public debate on privacy, data security, and the 
Equifax data breach.
    Two weeks ago, California enacted the California Consumer 
Privacy Act which will take effect on January 1, 2020. The act, 
which applies to certain organizations conducting business in 
California, establishes a new privacy framework by creating new 
data privacy rights, imposing special rules for the collection 
of minors' consumer data, and creating damages frameworks for 
violations and businesses failing to implement reasonable 
security procedures.
    Many members are interested in learning more about what 
California and other States are doing on this front.
    Additionally, 2 weeks ago, eight State banking 
commissioners jointly took action against Equifax in a consent 
order requiring the company to take various actions regarding 
risk assessment and information security.
    I have long been concerned about data collection and data 
privacy protections by the Government and the private sector.
    Given Americans' increased reliance and use of technology 
where information can be shared by the swipe of a finger, we 
should be careful to ensure that companies and Government 
entities who have such information use it responsibly and keep 
it safe.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman. Thanks very much to 
our witnesses. Thanks for holding this hearing today. I hope my 
colleagues would excuse me to particularly welcome Ms. Twohig 
to our Committee. She is from the Consumer Protection Bureau, 
grew up in Fairview Park, a westside suburb of Cleveland. She 
graduated from Ohio State. She worked for the Cleveland 
Foundation, the preeminent community foundation in the United 
States of America. She has a long career as a public servant 
with the FTC, the Treasury Department, and was an early 
employee of this terrific agency, the Consumer Financial 
Protection Bureau. And not to leave you out, but thank you both 
for joining us.
    The consumer credit reporting system is stacked against 
Americans. A bad credit report can keep you out of a job; it 
can put you on a list where you will be targeted with expensive 
credit cards or high-cost loans. You are almost powerless to do 
anything about it.
    Americans have basically no control over these reports that 
can dictate their lives and their family's plans for the 
future. They often do not know whether they are accurate or 
whether they are inaccurate.
    Six years ago I chaired a Subcommittee hearing where 
consumer advocates in the CFPB identified problems in the 
credit reporting industry. We have had several hearings in this 
Committee over the last year on credit reporting companies and 
on data privacy. In the meantime, breach after breach has 
occurred.
    Last year, as we know, 148 million Americans had their 
sensitive data stolen as hackers exploited a known security 
flaw that Equifax did not fix. Millions more have been affected 
by breaches at banks like JPMorgan Chase, stores like Target, 
Whole Foods, even Trump hotels. Congressional efforts, 
including provisions included in S. 2155, have not done 
anything meaningful to address accuracy of credit reports, to 
fix privacy concerns, or to give consumers controls over their 
own personal data.
    At the same time, big tech companies continually add more 
and more of our personal information to their digital 
warehouses. They have financial and personal details about 
hundreds of millions of Americans. They see the potential for a 
big payday in selling that data to credit reporting companies. 
These companies are amassing more and more of our data, but 
still seem totally unprepared to deal with cyberattacks. They 
are building virtual, shall we say, silver platters for 
hackers.
    People want and deserve a lot more control over their 
personal information. Credit reporting presents a unique 
problem because often Americans do not even know these 
corporations collect their data in the first place. Right now 
consumers cannot vote--as many of my colleagues like to say, 
cannot simply vote with their feet when a company does not 
treat them well, when a credit bureau fails to protect their 
privacy. Congress passed the Fair Credit Reporting Act in the 
first place to rein in credit bureaus that originally 
functioned as unsupervised supervisory agencies collecting 
personal information that we would be appalled to see in 
someone's credit report today.
    After scandals at Facebook, people are rightfully worried 
about big companies once again compiling and selling piles of 
personal data on every American without our knowledge, out of 
our control or our consent. More Americans would be surprised 
at how lenders are putting this data to use. Last week the 
Washington Post ran a story about a company called ``Mariner 
Finance'' that uses a loophole in the FCRA to look at people's 
credit records without their permission and then targets them 
with scams. Mariner sends checks for thousands of dollars to 
struggling families that can be cashed the day they are plucked 
from the mail. But the checks are really just expensive loans 
waiting to trap the consumer who cashes them.
    Now, Mariner will tell you they are increasing ``access to 
credit''--their term. But that was exactly what we were told 
about subprime loans. Some will say, including potentially your 
boss at the CFPB, that the market will take care of that. Well, 
the market clearly has not. The fact is Mariner is weaponizing 
people's credit history to target them with an expensive loan 
and making huge profits for the hedge fund that owns it. Your 
credit report can be used to force you into court, rightly or 
wrongly, to settle debts. But what if your credit card company 
or your cable provider erroneously reports a missed payment or 
defaulted account? They are protected. You cannot take them to 
court at all. And that is just absolutely outrageous.
    It turns out that is a big problem. A CFPB paper found last 
year that credit reporting companies have not been doing enough 
to ensure the information they get is accurate. They are 
protected and consumers are not, in part because of the 
behavior of this U.S. Senate and because of a Supreme Court 
that moves more and more to protect corporate interests. What 
incentive do these companies have? The people they hurt will 
not be able to have their day in court.
    We have heard all this before. The credit reporting system 
is backward. Like so much of our economy, it works for big 
corporations. It works for people with privilege. It does not 
work for regular Americans.
    The Fair Credit Reporting Act is 50 years old. The amount 
and type of information collected today would have been 
unthinkable when it was created. It is time for a serious 
overhaul that puts Americans in control of their own data. I 
have introduced bills and so have many of my colleagues that 
would do just that. I hope the Committee will not only listen 
to the advice we get today, but will also take action to give 
people control over what should be their personal information.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Brown. We will now move 
to our witnesses and their testimony.
    First we will hear from Ms. Peggy Twohig, who currently 
serves as the Assistant Director for Supervision Policy in the 
Division of Supervision, Enforcement, and Fair Lending at the 
Bureau of Consumer Financial Protection. The Office of 
Supervision is responsible for developing strategy across bank 
and nonbank markets and ensuring that policy decisions are 
consistent across markets, charters, and regions.
    After that we will hear from Ms. Maneesha Mithal, who 
serves as the Associate Director for the Division of Privacy 
and Identity Protection in the Bureau of Consumer Protection at 
the Federal Trade Commission. In this capacity she supervises 
the work in the area of data security, identity theft, credit 
reporting, and behavioral advertising and general privacy.
    We appreciate both of you joining us today, and we will 
proceed in the order that you were introduced. Ms. Twohig.

  STATEMENT OF PEGGY L. TWOHIG, ASSISTANT DIRECTOR, OFFICE OF 
 SUPERVISION POLICY, DIVISION OF SUPERVISION, ENFORCEMENT, AND 
     FAIR LENDING, BUREAU OF CONSUMER FINANCIAL PROTECTION

    Ms. Twohig. Good morning, Chairman Crapo, Ranking Member 
Brown, and thank you for that special introduction. I am very 
proud of my Cleveland roots. And thank you for the opportunity 
to testify today about the work of the Bureau of Consumer 
Financial Protection to address consumer protections in the 
credit reporting market. My name is Peggy Twohig, and I am 
Assistant Director for Supervision Policy at the Bureau.
    Credit reporting plays a critical role in consumer 
financial services and has enormous reach and impact. Over 200 
million Americans have credit files with tradelines furnished 
voluntarily by over 10,000 providers. This information is used 
by creditors and other types of businesses to make decisions 
about individual transactions with consumers. In particular, 
creditors rely on this information to decide whether to approve 
loans and what terms to offer. Accurate credit reporting is 
important to creditors and other businesses to make good 
business decisions. For an individual consumer, an accurate 
credit report can be even more important given the significant 
impact that information can have on that consumer's ability to 
obtain financial and other products and services.
    Because of the importance of accuracy to businesses and 
consumers, the structure of the Fair Credit Reporting Act 
creates interrelated legal standards and requirements to 
support the policy goal of accurate credit reporting. These 
requirements anticipate that all reports will not be perfect; 
instead, the FCRA requires that credit reporting agencies, or 
CRAs, have ``reasonable procedures to assure maximum possible 
accuracy'' of reports. It also imposes certain accuracy 
obligations on furnishers of credit report information. And the 
FCRA has a dispute and investigation framework, with 
obligations on both CRAs and furnishers, to ensure that 
potential errors are investigated and errors are corrected 
promptly.
    The written testimony of the Bureau reviews the legal 
authority of the Bureau to supervise and enforce the Federal 
consumer financial laws applicable to CRAs. I will focus here 
on the work the Bureau has done exercising these authorities.
    In both its supervision and enforcement work, the Bureau 
has focused on credit reporting accuracy and dispute handling 
by both CRAs and furnishers. As discussed in a special edition 
of Supervisory Highlights published last year, the Bureau's 
supervisory work has prioritized reviews of key elements 
underpinning accuracy. As a result of these reviews, the Bureau 
directed specific improvements in data accuracy and dispute 
resolution at one or more CRA, including: improving oversight 
of incoming data from the furnishers; instituting quality 
control programs of compiled consumer reports; monitoring 
furnished dispute metrics to identify and correct root causes; 
improved investigations of consumer disputes, including a 
review of relevant information provided by consumers; and 
improving communication to consumers of dispute results.
    In supervising bank and nonbank furnishers, the Bureau has 
found furnishers that were not complying with their FCRA 
obligations and directed them to comply, including developing 
reasonable written policies and procedures regarding the 
accuracy of information they furnish; taking corrective action 
when they furnished information they determined to be 
inaccurate; and bringing their dispute handling practices into 
compliance. The Bureau has also brought enforcement actions and 
entered into a number of settlements related to violations of 
the FCRA's accuracy and dispute investigation requirements.
    Turning to data security, CRAs hold a tremendous amount of 
sensitive information about consumers. If CRAs do not protect 
this data, it may lead to data breaches, creating the risk of 
substantial harm to consumers, including the risk of identity 
theft. Since the Equifax breach, the Bureau has increased its 
attention to data security issues in our supervisory and 
enforcement work.
    The Bureau has the authority to conduct data security 
investigations and to conduct examinations at certain nonbanks, 
including larger CRAs. This authority includes assessing the 
facts and circumstances to determine whether a CRA's data 
security practices constitute a violation of Federal consumer 
financial law, including the prohibition against unfair, 
deceptive, or abusive acts and practices, or the FCRA.
    Our supervisory, enforcement, and consumer education 
efforts will continue in this important area. Consumers should 
have confidence that their credit reports are secure and comply 
with all applicable legal requirements.
    Thank you again for the opportunity to testify today at 
this important hearing. I would be happy to answer your 
questions about the Bureau's work related to credit reporting.
    Chairman Crapo. Thank you very much.
    Ms. Mithal.

 STATEMENT OF MANEESHA MITHAL, ASSOCIATE DIRECTOR, DIVISION OF 
PRIVACY AND IDENTITY PROTECTION, BUREAU OF CONSUMER PROTECTION, 
                    FEDERAL TRADE COMMISSION

    Ms. Mithal. Thank you. Chairman Crapo, Ranking Member 
Brown, and Members of the Committee, my name is Maneesha 
Mithal, and I am the Associate Director of the Division of 
Privacy and Identity Protection at the Federal Trade 
Commission. I appreciate the opportunity to appear before you 
today to discuss the Fair Credit Reporting Act, credit bureaus, 
and data security.
    As you know, the FCRA is intended to help consumers in 
three ways.
    First, it helps consumers prevent the misuse of sensitive 
consumer report information by limiting recipients to those who 
have a legitimate need for it.
    Second, it works to improve the accuracy and integrity of 
the consumer reporting system.
    And, third, it promotes the efficiency of the Nation's 
banking and consumer credit systems.
    Now, the Commission has played a key role in the 
implementation, enforcement, and interpretation of the FCRA 
since its enactment. Let me mention three key examples.
    First, in 2012 the Commission published a study of credit 
report accuracy. According to the study findings, one in four 
consumers identified errors on their credit reports that might 
affect their credit scores. Four out of five consumers who 
filed disputes experienced some modification to their credit 
report. And 5 percent of consumers experienced a change in 
their credit score that could impact their credit risk 
classification.
    The second activity that the FTC engages in is enforcement. 
Enforcement continues to be a top priority for the Commission. 
Since 2011, the Bureau has been examining the nationwide credit 
bureaus. As a result, the FTC has focused its FCRA law 
enforcement efforts on other entities in the credit reporting 
area and other aspects of the consumer reporting industry more 
broadly. One example is enforcing a law against furnishers that 
are not supervised by the Bureau. The FTC has settled cases 
against data furnishers that allegedly had inadequate policies 
and procedures for reporting accurate information to CRAs.
    Another example is employment background screening CRAs. 
For instance, in the InfoTrack case, the Commission alleged 
that a background screening CRA failed to have reasonable 
procedures to ensure the maximum possible accuracy of the 
consumer reports it provided, and as a result, it provided 
inaccurate information suggesting that job applicants may have 
been registered sex offenders when they were, in fact, not.
    Third, the Commission continues to educate consumers and 
businesses on their consumer reporting rights and obligations 
under the FCRA. One example is our publication ``Credit and 
Your Consumer Rights'', which provides an overview of credit 
for consumers, explains consumers' legal rights, and offers 
practical tips to help solve credit problems.
    Now, let me close by mentioning the importance of credit 
bureaus maintaining reasonable security of the consumer 
information that is entrusted to them. Since 2001, the 
Commission has undertaken substantial efforts to promote data 
security in this and other sectors. We enforce several laws 
requiring companies to maintain reasonable security, including 
the FTC Act, the Gramm-Leach-Bliley safeguards rule, and 
certain provisions of the FCRA. The Commission has brought over 
60 law enforcement actions against companies that allegedly 
engaged in unreasonable data security practices.
    Last year the Commission took the unusual step of publicly 
confirming its investigation into the Equifax data breach due 
to the scale of the public interest in the matter. And although 
we aggressively enforce our data security laws, I believe there 
are some gaps in our authority. For example, we cannot seek 
civil penalties for violations of most data security laws. To 
fill in these gaps, the Commission has supported Federal data 
security legislation on a bipartisan basis for over a decade. 
My written testimony discusses these issues in further detail, 
and I am happy to answer any questions you might have.
    Chairman Crapo. Thank you, Ms. Mithal. And my first 
question is for you. This is primarily just sort of a 
housekeeping item, but as I indicated in my opening statement, 
the Economic Growth, Regulatory Relief, and Consumer Protection 
Act has some significant provisions in it in this arena in 
terms of protecting consumers with the ability to place 
security freezes on their credit files with credit bureaus. 
This provision will empower consumers to protect their credit 
in the event of future data breaches or incidents of identity 
theft. I am just seeking your commitment that you and the FTC 
will move expeditiously to implement these credit bureau 
provisions in Senate bill 2155.
    Ms. Mithal. Absolutely, you have our commitment to 
implement those provisions expeditiously, and we have already 
begun. We issued a consumer blog post, and we have begun our 
rulemaking process, so thank you.
    Chairman Crapo. Thank you.
    Ms. Twohig, credit bureaus--well, let me put it this way: I 
have long been concerned about the ever increasing amounts of 
big data that are being collected, both in the private sector 
and in the public sector by the Government. And as you know, 
one of the agencies that I have been worried about is the 
Consumer Financial Protection Bureau.
    Are credit bureaus required to provide data to the Bureau?
    Ms. Twohig. So, Senator, thank you for that question. In 
our supervisory work, they are required to respond to our 
requests when we are conducting an examination, and the 
requests that we make of the credit bureaus are similar to the 
requests we make of other financial service providers that we 
oversee through our examination authority. So that would be we 
request information such as how they are complying with the law 
and their compliance management systems, so, for example, their 
board and management oversight, their policies and procedures, 
their monitoring, their training, what audits they are doing. 
So all the elements that go into a compliance management 
system, we ask for that general information.
    And then more specifically, we ask for more specific 
information when we are determining particular compliance with 
particular provisions of the law. So, for example, we may need 
specific information about consumer files when we are doing 
transaction testing to ensure, for example, that they were 
complying with the law in following up on a consumer's dispute.
    Chairman Crapo. My understanding is that the agency is 
seeking to collect specific credit card transactional data on 
hundreds of millions of accounts. Is that not correct?
    Ms. Twohig. My understanding, Senator, is that a separate 
part of the Bureau, its research arm, collects in a credit 
panel de-identified information on consumers for research 
purposes.
    Chairman Crapo. But you are not in a position to describe 
exactly what they are collecting?
    Ms. Twohig. Correct. We would need to follow up with you 
and get you the details on that.
    Chairman Crapo. All right. Let me go back again to the 
information that you are familiar with. Is the data that you 
are requiring provided by mandate or is it purchased?
    Ms. Twohig. So the area that I work in, Supervision, the 
legal requirement under Dodd-Frank is that they are required to 
respond to supervisory requests for the information we need to 
conduct the examination.
    Chairman Crapo. All right. And are there other private 
sector entities that are required to provide data in addition 
to the credit bureaus? And what are they? For example, credit 
card companies, banks, others?
    Ms. Twohig. So there are various provisions of different 
kinds of law that do require reporting to the Bureau. I 
believe, for example, under the CARD Act, credit card issuers 
are required to provide their agreements that then the Bureau 
posts on the website. I am not familiar, sitting here right 
now, with all the different provisions that might require 
reporting to the Bureau, but there are a number of different 
requirements that would come into play.
    Chairman Crapo. All right. I appreciate that. And just 
quickly, I have only got about a minute left, so if you could 
each give me about a 30-second answer, sort of a high-level 
answer as to what have we learned from the Equifax data breach 
about what we need to do from here?
    Ms. Twohig. So, Senator, I can tell you that even though 
the Bureau's investigations are not public, in this instance it 
is a matter of public record that the Bureau is investigating 
Equifax. We are coordinating with the FTC on that 
investigation, so that is in process. So I think it is 
premature to really answer that question.
    Chairman Crapo. All right. Ms. Mithal.
    Ms. Mithal. Like Ms. Twohig, I cannot comment on the 
specifics, but what I can say is two things.
    One is that we have learned that credit bureaus do hold the 
most sensitive information about consumers available in the 
marketplace, and it is incumbent on these credit bureaus to 
protect that information.
    And, second, I think that in terms of the big data 
breaches, I think the FTC could use more authority to seek 
civil penalties against companies that violate the laws that we 
enforce.
    Chairman Crapo. All right. Thank you.
    And Senator Brown has indicated that he wants to yield his 
first slot to Senator Schatz, so, Senator Schatz, please go 
ahead.
    Senator Schatz. Thank you, Chairman, and thank you to 
Ranking Member Brown. I promise I will not make a habit out of 
this. I appreciate it very much.
    Thank you very much for your testimony. Ms. Twohig, I 
wanted to follow up on something Ms. Mithal described. There 
was an FTC report that found that 5 percent of credit reports 
contain confirmed material errors. So these are confirmed 
material errors. There are more errors than that. But even if 
it is just 5 percent, that is the bare minimum of confirmed 
material errors. You are talking about 10 million people. And 
worse than that, 2 years later 84 percent of those errors 
remained on the credit reports.
    Can you tell me a little bit about what your supervisory 
work is entailing and what you found as it relates to accuracy 
and dispute resolution?
    Ms. Twohig. Thank you for that question, Senator. I would 
be happy to talk about that.
    As I said, because of the concerns about credit report 
accuracy, the Bureau did its first rule to identify what larger 
participants in the marketplace it was going to establish a 
nonbank supervision program for that was not already in a 
statute with respect to credit bureaus, consumer reporting 
agencies, because of the priority that the Bureau gave to look 
into that market and to be able to apply first ever supervisory 
authority on that industry. So they had never, before the 
Bureau, been examined by any Federal or State regulator. We 
prioritized that, and we have been conducting that work. And so 
we have been very focused on looking at their compliance with 
the accuracy and the dispute resolution provisions of the FCRA.
    Senator Schatz. And what have you found?
    Ms. Twohig. We found that, in general, as a big-picture 
matter, supervision is an attempt to get companies to have a 
preventive--to prevent law violations, to have a proactive 
approach to compliance, to make sure that they have their 
compliance house in order so that violations do not occur in 
the first place. We think we have made progress in shifting 
their attitude and culture toward more of a proactive 
compliance posture. But we have found problems with their 
compliance with the law, and we have given them directives to 
improve where we have found they have fallen short, and we have 
seen improvements over time. But that is not to say there is 
not more work to do, Senator.
    Senator Schatz. Thank you.
    Ms. Mithal, Senator Kennedy and I have a bill that would 
give consumers more tools to manage their credit reports, and I 
think it is really important for this Committee, especially for 
Republicans on this Committee, to recognize that we all know 
that we cannot blow up the system, that although there are 
consumer problems related to these credit bureaus, we still 
need some measure of creditworthiness, and we are not intending 
to be so disruptive as to create problems in lending. But there 
are some basic things that we can do to empower consumers, and 
I want to make sure that--they are not customers. They have not 
enlisted. People generally speaking do not sign up with these 
credit bureaus. But they are consumers, and our bill tries to 
empower consumers to, for instance, know what the credit 
bureaus know, be able to see those same lines, and to have an 
online portal that is not labyrinthine that allows a person to 
resolve any dispute in a straightforward manner.
    Is it fair to say, Ms. Mithal, that you support the goals 
of this legislation?
    Ms. Mithal. Absolutely. I think credit report inaccuracy 
issues continue to harm those consumers that are affected by 
it. Not only is it the lack of credit in the future; it is the 
time and expense it takes to clear up their credit report. So I 
think the tools that you are aiming to provide consumers 
through your bill, those are the types of tools that are 
absolutely worth considering.
    Senator Schatz. Can you talk a little bit about the 
importance of an online portal?
    Ms. Mithal. Sure. So I think one of the problems for 
consumers is that it is very difficult to know how to navigate 
the credit reporting system, and so I think the easier we can 
make it for consumers, the more tools we could provide for 
them, the more one-stop shops we can provide for them, I think 
that is very useful, consistent with, as you said, the kind of 
free flow of credit information.
    Senator Schatz. One final question, which I think I will 
take for the record for both of you. It is sort of twofold.
    First, we should draw a distinction between breaches which 
create credit score problems and credit inaccuracies, and the 
endemic problem of these credit bureaus basically getting it 
wrong anywhere from 5 to 15 percent of the time, but at least 5 
percent of the time in a material way. So although the Equifax 
breach caused us to think about these bureaus and focus on that 
question, this is not a cybersecurity question exclusively. It 
is also a basic consumer rights question.
    So my question for the record is: What specifically are the 
pain points for consumers as they go about trying to resolve 
these questions?
    Senator Schatz. And I have run out of time, and I 
appreciate the indulgence of the Chair and the Ranking Member.
    Chairman Crapo. Thank you.
    Senator Scott.
    Senator Scott. Thank you, Mr. Chairman. And thank you to 
the witnesses for being here today.
    I have worked for the last 6 or 7 years on something called 
the ``opportunity agenda,'' trying to find a way to empower 
those folks living in distressed communities. As you probably 
both know, we have about 50 million Americans today who live in 
those distressed communities, and as I think about ways to 
empower those folks living in distressed communities, the 
access to credit issue jumps out very clearly.
    The BCFP has found that 26 million Americans are credit 
invisible; another 19 million Americans are unscorable because 
their information is either insufficient and/or just too old. 
It should come as no surprise that there is a strong 
correlation between your income and whether you have a credit 
score or a credit record. Almost 30 percent of Americans living 
in low-income areas are credit invisible. An additional 15 
percent of Americans living in those areas are unscorable. In 
South Carolina, when you combine those two numbers together, 
that means about nearly one out of every four South Carolina 
adults are in that category.
    A solution to bring credit invisibles out of the shadows is 
S. 3040, the Credit Access and Inclusion Act. Credit invisibles 
regularly make payments for their rent, gas, water, 
electricity, and cell phones. New credit scoring models 
recognize these payments are payments that are predictive of 
your actual credit risk.
    Unfortunately, the FCRA ensures that missed payments and 
collection are reported to the credit bureaus, but not 
necessarily the ones you make on time.
    The Brookings Institution states that the consideration of 
this payment data will lead to a 21-percent increase to prime 
credit for those earning less than $20,000 a year and a 15-
percent increase to prime credit for those earning between 
$20,000 and $30,000 a year. That will make a huge difference 
for creditworthy folks trying to climb the economic ladder, and 
my bill helps us get there.
    Ms. Twohig, what is the impact on a consumer of being 
credit invisible when it comes to interest rates, applying for 
a job, or finding an apartment?
    Ms. Twohig. Senator, first of all, I want to say that the 
Bureau shares your concern about access to credit. In fact, one 
of the Bureau's strategic goals is to ensure that all consumers 
have access to consumer financial services.
    With respect to the particular impact, the particular 
impact will vary for each consumer and what they are applying 
for and what they are trying to do in the particular credit or 
other markets. But I think it is fair to say that if a consumer 
does not have a credit file with one of the national credit 
reporting companies or if it does not have enough in that file 
to score, then that consumer is basically shut out of the 
mainstream credit markets.
    Senator Scott. Well, that kind of leads to my second 
question. The BCFP has suggested that more of this information 
at the credit bureaus will help credit invisibles access 
mainstream credit sources. It sounds like you would concur that 
that would be accurate?
    Ms. Twohig. So alternative data of the type you are 
discussing is also something that the Bureau is interested in 
learning more about and is monitoring. In fact, the Bureau 
issued last year a Request for Information from the public to 
get information about different kinds of alternative data and 
the aspects of that alternative data and how it could help 
consumers and access to credit. We received over 100 comments. 
We are currently monitoring that information and studying that 
information and learning more about it. But I think also it is 
fair to say that if that information is accurate and 
predictive, then that could be part of the solution to increase 
access to credit.
    Senator Scott. Thank you.
    I will just say to my Chairman and the Ranking Member, who 
I know both have a passion for finding ways to bring those 
folks who are today credit invisible out of the shadows and 
into a place where they can rely on a strong credit score to be 
able to have lower interest rates, greater access to better 
jobs, and certainly be able to find places to live in higher-
quality communities, and all that is anchored in your credit 
score and not being credit invisible. So hopefully S. 3040 will 
be on the top of the docket for both of you. Thank you both.
    Chairman Crapo. Thank you, Senator Scott.
    Senator Menendez.
    Senator Menendez. Thank you.
    Ms. Twohig and Ms. Mithal, let me start off by asking you 
each to give me the last four digits of your Social Security 
number.
    Ms. Twohig. Senator, I really do not want to do that in a 
public forum.
    Ms. Mithal. I have the same reaction.
    Senator Menendez. All right. How about telling me which 
stores you opened credit cards with?
    Ms. Twohig. Which stores?
    Senator Menendez. Yeah.
    Ms. Twohig. I do not think I have opened any credit cards 
with a store lately.
    Ms. Mithal. That is not something I would be willing to 
share in a public forum.
    Senator Menendez. Or maybe can you tell us the outstanding 
balance on your home mortgage loans?
    Ms. Twohig. Senator, I would prefer not to share that kind 
of information either.
    Ms. Mithal. Same.
    Senator Menendez. I am not surprised. But that information, 
which I am sure you would not want to be shared or sold without 
your permission, and yet under current law consumer reporting 
agencies like Equifax can share and sell your information, 
where you live, where you pay your bills, and whether you pay 
on time, what you filed for, whether you filed for bankruptcy, 
without ever having to get your consent. Isn't that right?
    Ms. Mithal. That is correct, although there are certain 
limitations on how they can use the data.
    Senator Menendez. Now, American consumers are at the mercy 
of three megacompanies who control the security and safety of 
their personal information, and that makes no sense. Consumers 
should have the ability to control when, how, and to whom their 
data is shared, just like you wanted to control it here in this 
public forum.
    Last year a massive Equifax data breach laid bare the 
systemic problems with the credit reporting industry. Its 
failure to guard sensitive data left 145.5 million Americans 
exposed to identity theft and fraud.
    Ms. Mithal, Equifax waited an inexplicable 6 weeks to 
disclose a breach that had occurred. Worse, over months after 
the breach, millions of consumers were still unaware of the 
breach in part because there is no national requirement to 
alert consumers. My bill, S. 2188, the Consumer Data Protection 
Act, would require consumer reporting agencies to quickly 
notify the Federal Trade Commission, the CFPB, law enforcement, 
and consumers of a breach while keeping intact existing strong 
State consumer protection laws.
    Generally speaking, does the FTC support the idea of 
requiring companies to provide notification to consumers where 
there is a data security breach?
    Ms. Mithal. Absolutely, and the Commission has done so for 
almost--for over a decade on a bipartisan basis.
    Senator Menendez. Now, let me ask you, another issue we 
need to address here is the ability to hold consumer reporting 
agencies accountable when there is a breach, when they have 
clearly failed to protect consumers' personal data. My 
legislation also provides FTC the authority to pursue fines 
against a consumer reporting agency such as Equifax that 
negligently, knowingly, or willingly causes a data breach.
    In your view, would the institution of a monetary penalty 
framework incentivize consumer reporting agencies to better 
secure consumer data?
    Ms. Mithal. Yes.
    Senator Menendez. Let me ask another question for both 
witnesses. Given the unique and varied nature of consumer harm 
that results from a data breach at a consumer reporting agency, 
which includes everything from identity theft to difficulty 
purchasing a home or securing employment, would it be helpful 
to have a comprehensive study analyzing both the immediate and 
long-term costs and damages to individuals affected by data 
breaches at consumer reporting agencies?
    Ms. Mithal. So I think that there is no question that there 
is tremendous harm to consumers from data breaches of their 
sensitive information, and I think it would be worth 
considering a study to quantify that harm.
    Senator Menendez. Ms. Twohig.
    Ms. Twohig. I would agree with Ms. Mithal, and to the 
extent the Bureau can be helpful providing technical expertise 
in analyzing that topic, we would be happy to do so.
    Senator Menendez. Well, thank you. I really did not want to 
know your Social Security numbers, by the way, or your balances 
on your mortgages, which I hope is virtually nil. But this is 
the very essence of what we are talking about as we deal with 
this issue here today.
    Thank you, Mr. Chairman.
    Chairman Crapo. Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman.
    Ms. Mithal, can we agree that the work of the CRAs 
facilitates commerce in America?
    Ms. Mithal. Absolutely.
    Senator Kennedy. Do you agree with that, too, Ms. Twohig?
    Ms. Twohig. Yes.
    Senator Kennedy. And I think we can also agree, can we not, 
that that is a good thing in our free enterprise system?
    Ms. Mithal. Yes.
    Ms. Twohig. Yes.
    Senator Kennedy. When the CRAs gather information about me, 
do they ask my permission?
    Ms. Mithal. No.
    Ms. Twohig. No.
    Senator Kennedy. Do they pay me for the information?
    Ms. Mithal. No.
    Ms. Twohig. No.
    Senator Kennedy. They gather this information, and they 
assign me a score basically making an evaluation, a judgment 
about me, whether I am a creditworthy person or not. Is that 
correct?
    Ms. Mithal. Correct.
    Senator Kennedy. And in 5 to 10 percent of the cases, they 
get it wrong. They have some bad data. Is that correct?
    Ms. Mithal. Yes.
    Senator Kennedy. If they have bad data and I call them up 
and I say, ``Hey, you have got bad data on me. You did not talk 
to me first. I could have fixed this up front, but you did not 
talk to me. But you have got some bad data on me, and it is 
affecting my life and my family's life,'' and the CRA says, 
``OK. We will get back to you,'' and they never get back to me, 
or they get back to me and say, ``We disagree.'' What is my 
recourse?
    Ms. Mithal. So under the FCRA there is a dispute process 
where the credit reporting agency is required to respond within a 
particular amount of time, and though at the end of the day, 
when the credit bureau says that, ``No, you, in fact, owe this 
debt,'' the consumer owes the debt.
    Ms. Twohig. That is right. The consumer can put a statement 
on their credit report if they are not satisfied with the 
results of the dispute investigation.
    Senator Kennedy. How long does that take?
    Ms. Mithal. I believe under the FCRA the investigation 
process is 30 to 45 days.
    Ms. Twohig. That is right.
    Senator Kennedy. I have to fill out a bunch of forms, do I?
    Ms. Mithal. Yes.
    Senator Kennedy. OK. How long do you think it takes to fill 
out all those forms and make the phone calls and say, ``Hey, 
you have got my information wrong''?
    Ms. Mithal. So I think there is certainly some time it 
takes on the part of the consumer to kind of understand the 
dispute process, to go through the dispute process, and to 
implement it.
    Senator Kennedy. And if I have got a day job, I cannot do 
that at work, right?
    Ms. Mithal. Yes, it is certainly a lot of time and expense 
to dispute----
    Senator Kennedy. I might do it at night or on the weekends? 
Can I call them up on the weekends? Do the CRAs work on the 
weekends, do you know?
    Ms. Twohig. I believe they have an online portal that you 
can file a dispute online and submit documents. Now the 
consumers can submit documents in support of their dispute 
online.
    Senator Kennedy. OK. And let us suppose at the end of the 
process they come back to me and they say, ``No, we are not 
changing anything,'' or--I know this does not happen very 
often, but you get somebody having a bad day, and they say, 
``Hey, we are not changing anything. And, by the way, we do not 
care because we do not have to. You are not my customer.'' What 
do I do?
    Ms. Mithal. So I think speaking for----
    Senator Kennedy. Do I file a complaint with the FTC?
    Ms. Mithal. Sure, you can file a complaint with the FTC, 
and we have----
    Senator Kennedy. Do I need a lawyer?
    Ms. Mithal. No, you do not need a lawyer.
    Senator Kennedy. Does it take time? I bet it is not a one-
page form.
    Ms. Mithal. Yes, it takes time.
    Senator Kennedy. It is not a one-page form, is it?
    Ms. Mithal. It is multiple pages.
    Senator Kennedy. And how quickly would the FTC act?
    Ms. Mithal. It would take a while.
    Senator Kennedy. Like how long is ``a while''?
    Ms. Mithal. It could take--so let me just clarify. We do 
not act on behalf of individual consumers.
    Senator Kennedy. I understand. How long would it take?
    Ms. Mithal. It would take several months to investigate, 
probably----
    Senator Kennedy. It could take a year, couldn't it?
    Ms. Mithal. Sure.
    Senator Kennedy. It could take 2 years sometimes, doesn't 
it?
    Ms. Mithal. Sure.
    Senator Kennedy. In the meantime, they have got bad data 
about me, and they did not pay me for it. They did not even ask 
me.
    Now, I think the CRAs perform an important service and do 
facilitate commerce. But it seems to me that we ought to be 
smart enough, particularly with technology, to come up with a 
system that says we are going to make it as easy as possible 
for the people with respect to whom the CRAs have bad 
information so those people can get it fixed and they can get 
it fixed quickly and they can get it fixed efficiently and they 
can get it fixed inexpensively and they can get it fixed so 
they do not have to miss their kids' ball games.
    Now, I think Senator Schatz and I have a bill that will do 
that. What is wrong with that bill? You think it is a good 
bill, don't you?
    Ms. Mithal. I do think it is a good bill, and I would 
support the goals of the legislation, which is, as you 
articulated, to make it a lot easier for consumers to file 
disputes with consumer reporting agencies.
    Senator Kennedy. Ms. Twohig.
    Ms. Twohig. Senator, I would say that all the issues you 
have just pointed out are the reason why we have prioritized at 
the Bureau supervising both the CRAs and furnishers----
    Senator Kennedy. Yes, ma'am, I know you prioritized, and I 
am not fussing at you, but you are still part of the 
bureaucracy. And it is pretty intimidating for the average 
American who did not ask to be brought into this system--it is 
a good system, but it is pretty intimidating when the CRAs get 
it wrong. And we ought to make it as easy as possible for them 
to get it fixed. That is good for them. That is good for the 
companies. That is good for the free enterprise system. And I 
think we can do better.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Warner.
    Senator Warner. Well, thank you, Mr. Chairman. First of 
all, thank you for holding this hearing. I think you are 
hearing bipartisan concern. I want to thank the Ranking Member 
for also yielding to us. I also want to point out, though, that 
Ms. Twohig and Ms. Mithal are long-time career professionals. I 
think they would lean in to being willing to try to help us fix 
this problem. But they cannot fix this problem on their own 
without Congress acting.
    So I want to reiterate what I think a lot of Members have 
said. I had no choice in Equifax having my data. Senator 
Menendez raised this, Senator Kennedy has, Senator Schatz has. 
To me, as a former business guy, it is remarkable that a data 
breach based upon sloppy cybersecurity standards that took 
place over a year ago that the public was not notified until 11 
months ago, that we still--and this is not your fault at this 
point, because Congress has not acted--that they have paid no 
penalty to date. They took a little bit of a hit in the market, 
but they have almost recovered from that because they do not 
expect Congress to do its job to give the FTC the ability to 
put a civil penalty process in place.
    Now, Senator Warren and I have a very comprehensive bill 
that I am sure she will speak to as well that would put a 
liability regime in place that would particularly in the event 
of negligent behavior put a real incentive to make sure that 
credit reporting agencies up their game.
    Let me just again, for the record, Ms. Mithal, the FTC at 
this point does not have the ability to put any civil penalty 
on a CRA based on performance, do they?
    Ms. Mithal. Not on the basis of data security violations 
generally, no.
    Senator Warner. So unless the Congress acts, whether it is 
Senator Warren's bill, Senator Menendez's bill, Senator 
Kennedy's bill, Senator Schatz's bill, you do not have the 
tools. As a matter of fact, if we go and look at the so-called 
Safeguards Rule--and we have heard from Ms. Twohig's testimony 
that CFPB does not have authority under the Safeguards Rule to 
examine or look at the practices of the CRA. Ms. Mithal, does 
the FTC have the authority under the Safeguards Rule to examine 
credit reporting agencies to ensure that that rule is being 
followed?
    Ms. Mithal. So just to be clear, we do not have examination 
authority, but we can investigate CRAs to make sure that they 
are following the Gramm-Leach-Bliley Safeguards Rule. But, 
significantly, as you point out, we do not have the authority 
to seek civil penalties under the Safeguards Rule.
    Senator Warner. Right, and if memory serves, I am sure 
Senator Kennedy remembers as well, FTC indicated they had 
opened an investigation into the Equifax breach, but here we 
are over a year after the breach took place and 11 months after 
the public was finally notified, yet we still do not have a 
result. And even if you come up with a result, you do not have 
the ability to impose penalties because you have no liability 
regime in place.
    Ms. Mithal. Not under data security, yes.
    Senator Warner. Well, Mr. Chairman, I think this is an 
area, because I can assure you, sitting from the intel side, 
this is a problem that is not going to go away. This is a 
problem that is going to only exponentially increase. And 
Senator Menendez went down the path of would you be willing to 
offer your personal information, you wouldn't. But if somebody 
has hacked in and got that information from Equifax and 
contacts you with that personalized information and you combine 
that with the next realm of misinformation and disinformation, 
and you suddenly have a live stream video of what appears to be 
a face of somebody you recognize popping up on your social 
media account asking you to do something, either invest in some 
company or vote for some candidate, you put those two together, 
and you have a potential crisis that goes well beyond just 
financial concerns. And if we do not act, I think we are going 
to be irresponsible in ensuring that kind of activity does not 
take place, because I agree with Senator Kennedy, the 
incentives are not there at all for any CRA to clean up its act 
at all. There are no civil penalties, there is no liability 
regime. And I think we can do better, and I think these career 
professionals actually would want us to do better if we would 
give them the tools.
    Let me just say in my last 30 seconds, Senator Scott raised 
a little bit of this question about some of the folks who are 
unbanked. I am concerned as well, as we think through--Ms. 
Mithal, this is for you. As we start looking at the use of 
artificial intelligence, machine learning, you know, there are 
going to be a lot of tools used particularly by nonbank 
financial institutions who may provide credit lending, how we 
make sure that we ensure fairness in this new regime. But at 
this moment in time, again, I do not believe the FTC has the 
appropriate ability to look at a nonbank financial institution 
who is using AI techniques to grant a loan under FCRA. Is that 
correct?
    Ms. Mithal. So we did do a report on this issue a few years 
ago, and we did mention that there are certain circumstances 
when companies use AI technology to make decisions about credit 
or housing or employment eligibility that we would have 
authority to take action under the FCRA, but that is against a 
limited set of entities that are third parties using the 
information. So there are some gaps there.
    Senator Warner. And I would only say, Mr. Chairman and 
Ranking Member, that if we think what happened with Equifax 
was something, wait until you see the nonbank financials start 
to use AI in the sophisticated way. And if we do not get ahead 
of this in terms of we ought to be able to use good data and 
good information, but if we do not put some rules in place, the 
Equifax breach will pale in comparison to what the next 
generation of attacks will look like.
    Thank you, Mr. Chairman.
    Chairman Crapo. I share your concerns, Senator Warner.
    Senator Warren.
    Senator Warren. Thank you very much, Mr. Chairman. Thanks 
for holding this hearing. Thank you, Ranking Member Brown, for 
letting us go ahead of you here.
    I want to pick up on the same theme that my colleagues have 
been talking about. After Equifax disclosed its massive data 
breach last year, I sent letters to Equifax and the other large 
credit bureaus and Federal regulators seeking information about 
the breach and the options for holding Equifax accountable.
    My staff compiled that information in an investigative 
report that my office issued in February, and I would like to 
submit a copy of that report for the record, Mr. Chairman. Mr. 
Chairman?
    [Laughter.]
    Senator Brown. Without objection.
    Senator Warren. Without objection.
    Chairman Crapo. Without objection.
    Senator Warren. Thank you, Mr. Chairman. Thank you.
    Chairman Crapo. What did I just agree to?
    [Laughter.]
    Senator Warren. So we put this report together, and one of 
the key findings of this report is that Federal agencies do not 
have the legal tools they need to stop data breaches at credit 
bureaus and hold credit bureaus accountable for compromising 
sensitive personal information. As Senator Warner was just 
pointing out, the FTC has some authority to oversee data 
security at credit bureaus, but it currently has no authority 
to seek civil penalties against the bureaus for compromising 
consumer information.
    So let me just ask, Ms. Mithal: Do you think the FTC should 
have that authority?
    Ms. Mithal. Yes.
    Senator Warren. Good. Thank you. In fact, the response the 
FTC sent to my letter specifically requested legislation that 
would ``allow the FTC to seek civil penalties to help ensure 
effective deterrence of cybersecurity breaches,'' so asking for 
it.
    Meanwhile, the CFPB has some supervisory authority over 
large credit bureaus, but limited ability to issue rules on how 
the bureaus must safeguard sensitive consumer data. Is that 
right, Ms. Twohig?
    Ms. Twohig. That is correct.
    Senator Warren. Good. In other words, even if the CFPB 
spots serious cybersecurity problems at the credit bureaus it 
supervises, it cannot issue new rules to try to address these 
problems. Is that right?
    Ms. Twohig. So we do not have the authority under the 
safeguards provisions of the Gramm-Leach-Bliley Act or the 
Safeguards Rule.
    Senator Warren. OK. So in response to my letter to the 
CFPB, then-Director Cordray said that the agency supported new 
legislation because ``Federal laws that are applicable to data 
security have not kept pace with technological and 
cybersecurity developments.'' In other words, want the 
authority to do this.
    So after receiving these responses, Senator Warner and I 
spent months working with each other and with experts in the 
field to develop the Data Breach Prevention and Compensation 
Act. Our bill would authorize the FTC to impose large and 
automatic penalties on any large credit bureau that allowed 
sensitive consumer information to be accessed. The way we see 
it, if credit bureaus collect our personal information without 
our permission, then they should have an absolute obligation to 
protect that data from hackers and thieves.
    The bill would also create a new Office of Cybersecurity at 
the FTC with the responsibility to establish cybersecurity 
standards at credit bureaus and supervise compliance with those 
standards.
    Ms. Mithal, do you think the FTC would be better equipped 
to oversee how credit bureaus protect sensitive information if 
Senator Warner's and my bill became law?
    Ms. Mithal. So I certainly do think we have the expertise. 
I think it is a question of resources. And so if your law comes 
with resources, that would be welcome.
    Senator Warren. OK, good. Fair enough. Fair enough. But you 
have got to have the authority, or you cannot do anything.
    Ms. Mithal. Correct.
    Senator Warren. So thank you.
    Mr. Chairman, I know that you and many of your Republican 
colleagues on this Committee are concerned about the lack of 
adequate protection of consumer data at credit bureaus, and I 
hope you will work with Senator Warner and with me to push this 
legislation forward.
    Our Federal agencies have made absolutely clear that they 
need more legal authority to protect consumers. We cannot just 
cross our fingers and hope that another breach does not happen 
because another breach will happen. And if we fail to act, then 
we bear some responsibility for that. More of our constituents 
will be harmed unless Congress acts.
    So I urge you to join with Senator Warner and me and others 
on this Committee to try to push our bill forward.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Warren.
    Senator Cortez Masto.
    Senator Cortez Masto. Thank you. Thank you, Mr. Chair and 
Ranking Member for, I agree, this important discussion. And 
thank you to both of you for being here and all of the work 
that you do.
    I am curious. I want to talk a little bit about exclusive 
contracts. Last October, right after the announcement of 
Equifax's massive data breach, the New York Times ran an 
article about how Equifax and Freddie Mac have an exclusive 
relationship that harms both consumers and small businesses. I 
am curious if either one of you are familiar with that article 
or familiar with this concept that there are exclusive 
contracts.
    Ms. Mithal. I am not.
    Ms. Twohig. I am not familiar either.
    Senator Cortez Masto. So this is not something that either 
one of your organizations is looking into as something that is 
harmful to individual consumers or small businesses?
    Ms. Mithal. I can only speak to privacy and cybersecurity 
issues, and that is not something that is on our radar screen.
    Senator Cortez Masto. OK.
    Ms. Twohig. And for the Bureau of Consumer Financial 
Protection, as I said at the outset, we can confirm that we are 
investigating Equifax's data security practices in coordination 
with the FTC. Beyond that, our investigations are not public.
    Senator Cortez Masto. Thank you very much.
    Ms. Twohig, let me jump back then to the concept of--and I 
agree with my colleagues--this concern that all of this data is 
being collected on all of us individually, and we have no 
control over it. So, Ms. Twohig, let me start with you. As you 
well know, credit systems around the world have differing 
standards for consumer control of their own privacy. For 
instance, the new privacy laws in the European Union provide 
more privacy options than we do here in the United States. In 
fact, Americans have really little say over what data can be 
aggregated by these credit bureaus.
    If an opt-in system for credit bureaus was established, how 
would that impact people, our communities, and our economy? In 
other words, also--and as you address that, what is the 
reaction we are seeing to the implementation of the general 
data protection regulations in the European Union? And the 
reason I bring this up is because we have all been talking 
about opt-in, but there is this concern that somehow it is 
going to have an impact on our economy, on our businesses, and 
so I am curious if you have any insight into that, either one 
of you. Let me start with you, Ms. Twohig.
    Ms. Twohig. So at the outset, I would say that the Economic 
Growth, Regulatory Relief, and Consumer Protection Act provides 
additional important consumer protections in my view to allow 
consumers to get a free security freeze. And so even though 
that is not exactly what----
    Senator Cortez Masto. That is not an opt-in.
    Ms. Twohig. That is not an opt-in, but it is one step 
toward more control if consumers choose to exercise it.
    Senator Cortez Masto. But it is less than what the European 
Union requires?
    Ms. Twohig. I believe so.
    Senator Cortez Masto. Any other----
    Ms. Mithal. Yes, I guess I would say that I would have a 
bit of a concern about an across-the-board opt-in. I could see 
people who have a bad credit history or who have criminal 
records or bankruptcies not wanting that information to be 
reported and thus not opting into the system, and I think that 
could raise the cost of credit across the board. So I do have 
some concerns about that.
    I agree with the general concept that consumers should have 
more control, but there are other potential means of 
accomplishing that.
    Senator Cortez Masto. Do you think that some of the 
legislation you have heard today gives more of that control to 
consumers?
    Ms. Mithal. I think there are some very interesting options 
worth exploring through that legislation.
    Senator Cortez Masto. Thank you. I appreciate that.
    And let me also then go back to this idea, I agree with my 
colleague Senator Scott and the concern about too many adults 
have credit invisible and unscorable credit, and I think that 
is harmful in so many different ways. But I also understand, 
Ms. Twohig, from what you said that you are studying the issue 
or the agency is studying the issue on alternative data. Can 
you talk a little bit more about that and when you are going to 
anticipate completion of that study and what your intent is 
after the study is completed?
    Ms. Twohig. So I do not have a particular date, and I am 
not sure there is a particular study. It is just something that 
the Bureau is very interested in and has requested information 
so we could learn more about that. I can tell you the Acting 
Director has created an Office of Innovation with the goal of 
seeing what the Bureau can do to spur innovation in all kinds 
of ways, and that would include the use of alternative data and 
avenues for increasing access to credit.
    Senator Cortez Masto. OK. Thank you.
    One final question. I know that a number of States just 
recently announced a consent order last week with Equifax, and 
I believe these States really took the lead on this and did 
their necessary investigation. One of the reasons why I have 
concerns that there needs to be more of this collaboration 
between States and the Federal Government in this area is 
because I have seen here, as we have had these hearings, that 
State oversight is even more necessary now. What I have seen 
from Director Mulvaney and really the CFPB nominee Kraninger 
have not shown any willingness to challenge the financial 
services industry.
    So given what I know and what I have seen here, let me ask 
you this: There is legislation in the House--it is H.R. 3626--
and it requires enhancing information sharing between the 
Federal and State regulators when conducting the TSP exams. 
Would that be something you would support? And I am asking both 
of you.
    Ms. Twohig. So I can say as a general matter that--and I 
have been with the Bureau since its beginning in the 
Supervision Program. We have placed a priority on developing 
relationships with State regulators, and my enforcement 
colleagues the same for the State Attorneys General, and so we 
have close and cooperative relationships with those regulators, 
and the Acting Director has said he wants to improve that even 
more.
    Senator Cortez Masto. That is wonderful to hear. Thank you.
    Ms. Mithal. And I would echo that sentiment, and I just 
want to also say that I think we have been talking a lot about 
gaps in the FTC's authority, but I do want to say whatever 
authority Congress gives us, we exercise very aggressively. So 
we have brought over 60 data security cases, and we have looked 
at a variety of sectors. So I did not want to make it sound 
like we were sitting on our hands.
    Senator Cortez Masto. Thank you. And I notice my time is 
up. Thank you both.
    Chairman Crapo. Thank you.
    Senator Jones.
    Senator Jones. Thank you, Mr. Chairman, and thank you to 
the witnesses for coming here today.
    I want to mention something about--I want to go back to 
cybersecurity like so many others, but from a little bit 
different angle. I appreciate all of the colleagues on this 
Committee concerned with the Equifaxes of the world and the 
holders of this information. But, you know, I am an old 
prosecutor, and when we had a bank robbery, we just did not 
focus on what happened at the bank. We focused on who got the 
money and trying to catch those folks. So my question is: We 
have heard a lot today about Equifax and the CRAs. Is law 
enforcement involved in that investigation? If they are not, I 
would like to know why. And if so, can we have an expectation 
at some point when the investigation is released that there has 
been an effort and we hopefully can find out who did this? 
Because I agree with Senator Warner, this problem is not going 
away, and we need to focus on perpetrators as much as those 
holding the data. I will give that to both of you.
    Ms. Mithal. So I do not think I could talk about this in 
the context of a specific nonpublic investigation, but what I 
can say is that we work very closely with criminal authorities. 
I think it is a kind of one-two punch type situation where we 
want to make sure as a civil matter that agencies and companies 
that are entrusted with consumer data are doing everything they 
can to protect it, and at the same time we work with criminal 
law enforcement authorities to catch the bad guys and to try to 
share information to accomplish that. So I agree it is a very 
important part of the equation.
    Senator Jones. All right.
    Ms. Twohig. And that would be the same for the Bureau of 
Consumer Financial Protection in terms of coordinating with 
criminal law enforcement agencies.
    Senator Jones. All right. When this investigation is 
public, would you expect there to be some element of the report 
about the culprits in this particular Equifax matter?
    Ms. Mithal. I really cannot speak to that.
    Senator Jones. All right. That is fair enough.
    The other thing I would like to mention is that a recent 
study showed that Alabama, my State, ranked third from the 
bottom in terms of average credit scores, and I know there are 
a lot of things that impact credit scores. But what seemed 
clear is that there were also regional differences that have 
remained kind of static, and one of the--CFPB and FTC both have 
tools to educate customers, which I think is as important as 
anything in trying to get folks to get their scores up. I see 
TV ads all the time. But that is not the same--you know, trying 
to get your free credit score is not the same as trying to say 
get your free credit score up.
    So could you both briefly describe some of the tools that 
your agencies have with regard to education and what you 
believe could be the most effective way to educate the public 
about how to maintain a good credit score?
    Ms. Mithal. So I can start with that. We have what I 
believe is a world-class Office of Consumer and Business 
Education, and one of the things we do is we put out financial 
literacy materials, materials about credit scores and how to 
check your credit reports, and I think what we recognize is 
that a lot of people will not know the FTC, and so they will 
feel a lot more comfortable getting this information from their 
local communities, their churches, their schools, their 
libraries. And so we do not copyright our information. We put 
it out there for the local communities to put out in their own 
communities, and we would be happy to work with your office to 
get our materials out. We are also members of the Interagency 
Financial Literacy Task Force. So, again, I think we are 
trying--I absolutely agree that education is a very important 
part of what we do, and we need to get the word out to 
consumers so they can help protect themselves.
    Senator Jones. Great. Do you want to address that, Ms. 
Twohig?
    Ms. Twohig. Same for the Bureau. Consumer education is a 
very important part of what we do, and we have materials and 
education materials about how to create a credit file so 
consumers can have access to mainstream credit. Our Community 
Affairs Office is also doing active work in certain communities 
to try to help the communities understand what they can do 
locally to help consumers understand how they can create and 
build their credit files and positive credit history.
    Senator Jones. Great. Well, thank you both, and my staff 
will reach out to you so that we can do some affirmative things 
in Alabama.
    In the remaining moment, I would just like to follow back 
up with what Senator Scott said about the bill that he and I 
have introduced on the Credit Access Inclusion Act. And, Mr. 
Chairman and Senator Brown, I would also urge this Committee to 
get involved and try to get that bill out. A companion bill 
that I think is identical passed the House unanimously, and in 
an era in which the divide over Supreme Court nominations and 
things like are about to get greater, I do not want a bill that 
is a truly bipartisan bill to fall through the cracks like 
this, and I would urge the Committee to take some action and 
let us get that done. So thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Jones.
    Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman and Ranking 
Member, and thank you both for your testimony here today.
    We have talked about a number of things. Two of the 
categories we have talked about are: one, how do we create more 
incentives to discourage or prevent or deter credit rating 
agencies from becoming victims of data breaches? Obviously no 
one has an interest in having a big data breach, but the cost-
benefit analysis needs to be changed, and that is what Senators 
Warner and Warren have been talking about.
    The other issue, which Senator Kennedy and Senator Schatz 
have been talking about, is the accuracy of the information 
collected by the credit rating agencies, and I want to focus on 
that for a moment because, yes, I absolutely agree that we 
should make it easier for consumers to try to get their 
complaints submitted and processed more quickly. But it still 
appears to me that when you look at the sort of incentives of 
the CRAs, when they get it wrong, other than making the 
consumer whole again or correcting the error, they do not seem 
to have any penalty applied. So let me know if there is a 
current penalty that can be applied when they get it wrong. And 
we already know that in 5 percent of the cases they get it 
wrong, which represents millions and millions of Americans, 
which can have a devastating impact on their lives. So it seems 
to me in addition to making it easier to remedy the situation 
from the point of view of a consumer, we should also create 
greater incentives for the CRAs to get it right in the first 
place so that the burden is on them when they get it wrong, 
that there is some penalty to be paid for getting it wrong.
    Are there any penalties right now that either of you can 
apply when you just find that they are getting it wrong a lot?
    Ms. Mithal. So we do have the authority to seek civil 
penalties for companies that do not have reasonable procedures 
to have maximum possible accuracy. So I have been clarifying 
that under the FCRA we do not have the authority to get 
penalties under data security, but for accuracy we do, and we 
have gotten those civil penalties. But I just want to emphasize 
the statutory standard is reasonable procedures for accuracy, 
so it is not that every inaccuracy in a credit report will get 
a civil penalty.
    Senator Van Hollen. Right. Would it make sense to think of 
those--applying more of a penalty when people get it wrong? In 
other words, as I understand it right now, if you are a 
consumer who believes you have bad information that is 
negatively affecting your credit report, you go through this 
long process, right? You get on the phone. You may be put on 
hold. You do what you said. It may take a couple years. At the 
end of the day, what you, the FTC, determines is whether or not 
the consumer's complaint was correct, right?
    Ms. Mithal. So we look to see whether the company's 
procedures were reasonable.
    Senator Van Hollen. Oh, you just look at the reasonable 
nature of that. And if you find that they were unreasonable, 
what do you do to the company?
    Ms. Mithal. So we have gotten civil penalties against 
several companies. One was a couple of years ago against a 
company. We got about a $2.6 million civil penalty. There is 
another check authorization company; we got about a $3.5 
million civil penalty. So, again, it depends on the facts and 
circumstances, and we look at several statutory factors in 
determining the appropriate penalty amount.
    Senator Van Hollen. Would it be worth looking at greater 
sort of deterrent mechanisms so that there is more of a burden 
on the CRAs to get it right in the first place? And if so, what 
kind of suggestions would you have?
    Ms. Mithal. So I certainly kind of sympathize with the goal 
of making it easier for consumers to dispute credit report 
inaccuracy and also to make the whole process easier for 
consumers. And I think that is a goal worth exploring, and I 
would be happy to work with your staff and others on this 
Committee to accomplish that goal.
    Senator Van Hollen. All right. Anything else?
    Ms. Twohig. So, Senator, similarly, the Bureau can get 
penalties where there has been noncompliance with the FCRA's 
reasonable procedures provisions. In fact, it brought a case 
against a consumer reporting agency and got, I believe, about 
$5 million in penalties for their failure to comply with that 
part of the law.
    More generally, I think I also sympathize with the problems 
you are pointing out, and that is exactly why we have used this 
new supervisory authority that has never existed before until 
the Bureau was created to prioritize looking at the national 
credit reporting agencies and other consumer reporting agencies 
to ensure that they are looking at all aspects of accuracy. 
There are various different components of really what it takes 
to get a quality data control system. There is the incoming 
information. There is compiling it, and there is monitoring any 
indications of problems after the fact. We have broken it down 
and looked at various aspects and worked through our 
supervisory authority to require improvements in each part of 
those pieces of the system.
    Senator Van Hollen. Good, because I think until--let us say 
you are CRA. Until you have to suffer--right now, a consumer 
goes through this complaint process, and the CRA at the end of 
the day, OK, they have got to make them whole, right? ``Oh, we 
made a mistake 2 years ago that has affected your life.'' But 
there is no other penalty to be applied unless they somehow 
have a system that you determined has met this--that has been 
shaky. And even with those systems today, as we know, 5 percent 
error rate which affects tens of millions of people.
    So, anyway, I look forward to working with the Chairman and 
the Ranking Member and all of you. Thanks.
    Senator Brown [presiding]. Thank you, Senator Van Hollen.
    My questions are for both of you. I have a couple of 
questions. A lot of people, as we know, work hard every day, 
sometimes people are working multiple jobs to keep up with 
their bills. If they are injured or if they fall ill, we do not 
have--many, many, many companies in this country do not have 
any kind of leave policy. Some do not have good health 
insurance, so when people are injured or fall ill, huge 
unexpected medical costs can haunt their credit report for 
years.
    Given this type of debt is generally out of a person's 
control--they obviously did not choose this--should we not 
pause medical debt reporting, at least until more Americans 
have access to affordable insurance? We will start with you.
    Ms. Twohig. So, Senator, I think it is correct that medical 
debt is different than other kinds of debt. It can cause 
special problems for consumers. They can be subject to medical 
debt collection when they are just waiting for reimbursement. 
So I think it is a different kind of debt than regular debt.
    Senator Brown. Go ahead.
    Ms. Mithal. I agree with that, and I think S. 2155 was an 
excellent start in at least excluding certain medical debt for 
veterans, and I think that this is an idea worth exploring.
    Senator Brown. But it should be broader than that.
    Ms. Mithal. I think that is an idea worth exploring, yes.
    Senator Brown. Partially a follow-up to Senator Cortez 
Masto, I mentioned Mariner Finance in my opening statement. It 
is a company that sends cashable checks to people who might be 
in financial trouble, but the check is, as we know, a high-cost 
loan. The industry claims these prescreened offers that are 
allowed by the FCRA help borrowers get a better deal, but it 
looks like shady lenders fundamentally are taking advantage of 
a loophole to target struggling families. Wouldn't consumers be 
better off and less likely to face predatory lending practices 
if they had to opt into these offers, had to opt in rather than 
having to take steps to opt out? We will start with you.
    Ms. Mithal. Sure. So I also read the article, and I was 
very troubled by the practices. I cannot speak on any 
particular company, but the types of practices described in the 
article were very troubling. So under the FCRA, prescreened 
offers are permitted if they are a firm offer of credit, and so 
that is something that the statute specifically allows. If 
Congress were to determine to change that, we would enforce 
that requirement as well. So that is something that the law 
currently requires, but, again, we would be ready to work with 
Congress on any potential changes to that.
    Senator Brown. Ms. Twohig.
    Ms. Twohig. I would agree with that. Consumers now have a 
right to opt out, but as you suggest, Senator, that is 
different than having the default the other way, and we would 
be happy to work with you to consider whether there is a policy 
determination you think would be better for consumers.
    Senator Brown. That is mostly yes?
    Ms. Twohig. We would be happy to work with you to consider 
the pros and cons of going that direction.
    Senator Brown. So it is not quite a yes.
    Ms. Twohig. Not quite a yes.
    Senator Brown. OK. The Fair Credit Reporting Act protects 
companies that provide information to credit bureaus. Consumers 
cannot take them to court to get fixes. We know that. We have 
all heard the horror stories of someone trying to fix 
inaccurate data on a credit report. If consumers were allowed 
to have their day in court, would providers be more careful 
ensuring the data they report to credit bureaus is accurate? 
Ms. Twohig.
    Ms. Twohig. So there is a private right of action under the 
Fair Credit Reporting Act, and there are private actions filed 
by consumers if they believe that their information is 
inaccurate. So I just want to make sure I understand what you 
are----
    Senator Brown. There is a private right of action, but that 
private right of action has been, to put it mildly, diluted by 
this Congress and by decisions made by Government, correct?
    Ms. Twohig. I cannot speak to that. What I can say is that 
we are well aware at the Bureau of our obligation to ensure 
compliance with the law, which is indeed why we have 
prioritized supervising and enforcing in that area.
    Senator Brown. I agree with you, and I appreciate that, and 
I appreciate your service over the years. But don't providers--
the credit providers fundamentally know there is not a 
particularly effective private right of action. Do they not 
know that?
    Ms. Twohig. I cannot speak to what they know.
    Senator Brown. Well, yeah, you can. The credit providers 
know about forced arbitration. The credit providers know how 
the laws have changed. The credit providers know where the 
power in this society resides. It is not with consumers. It is 
not with employees. It is with employers. It is with credit 
reporting companies. You have had a string of really important 
jobs. You are obviously a really bright woman. You do recognize 
that, correct?
    Ms. Twohig. I recognize that it can be hard for an 
individual consumer, and that is actually why I have spent my 
career in public service trying to do what I can do----
    Senator Brown. I get all that, and thank you again for 
that. But you are not willing to say that the credit providers 
would be more careful ensuring the data they report to credit 
bureaus is accurate if the laws were written to give consumers 
more power in the marketplace?
    Ms. Twohig. They probably would be more careful if the laws 
were written that way.
    Senator Brown. Would you like to respond to that, too?
    Ms. Mithal. I agree with what Ms. Twohig said.
    Senator Brown. Which part? The part of----
    Ms. Mithal. That companies would be more likely to shore up 
their practices if consumers had more power.
    Senator Brown. I guess I do not know why a simple ``yes'' 
is not clear there. When credit providers know that the law is 
mostly--the power of the law is mostly on their side and not on 
the consumer side. You know, Anatole France said, ah, the 
majesty of the law. It prohibits rich people as well as poor 
people from sleeping under bridges. Yeah, it does. Well, that 
tells you a lot about where the power in society is, and the 
power more and more is residing with those with more and more 
power and influence and privilege. And consumers have less and 
less of that. It is just so clear to me that the credit 
providers act worse because the law so often is on their side 
and the power resides in them.
    Senator Donnelly.
    Senator Donnelly. Thank you, Mr. Chairman. Thank you to the 
witnesses.
    On May 24th, the Economic Growth, Regulatory Relief, and 
Consumer Protection Act was signed into law. I negotiated and 
wrote that legislation along with Chairman Crapo and several of 
my colleagues here. This new law includes important new 
consumer protection related to the credit bureaus to benefit 
servicemembers, veterans, and all Americans. The law provides 
free credit freezes, credit monitoring for servicemembers, and 
protections for veterans from VA billing delays.
    I would like to highlight these consumer-friendly 
provisions and receive feedback and updates from you on efforts 
to oversee the implementation and enforcement.
    The new law includes a provision to provide free credit 
monitoring for active-duty servicemembers. The FTC was provided 
1 year to complete the rulemaking which will help shape the 
credit monitoring services provided.
    Ms. Mithal, I expect the FTC to complete its rulemaking as 
soon as possible so troops can start receiving this important 
service. What is the FTC's expected timeline for the 
rulemaking?
    Ms. Mithal. So, Senator, I can assure you we are working as 
expeditiously as possible to complete the rulemaking, and I am 
hoping that we would have a Notice of Proposed Rulemaking out 
by hopefully at least the fall. I do not have complete control 
over that, but that is what I am committing to.
    Senator Donnelly. Obviously, the sooner the better.
    Ms. Mithal. Absolutely.
    Senator Donnelly. Section 301 of the new law includes a 
section I authored with Senator Perdue to allow every American 
to freeze and unfreeze their credit free of charge and set 
year-long fraud alerts. Additionally, the FTC and the major 
credit bureaus have to set up web pages where consumers can 
easily freeze their credit, set a fraud alert, and opt out of 
prescreened credit offers. These provisions allow Americans to 
take control of their credit files. The law requires compliance 
by September 21st. These provisions will make things easier for 
consumers.
    Could you please speak about the provisions generally and 
your expectation for the level of communication and 
collaboration that will occur between your agencies and the 
credit bureaus during implementation to ensure consumers 
benefit as was intended? If you could each respond.
    Ms. Twohig. So I can assure you, Senator, that the Bureau 
is going to work expeditiously to update--to implementation 
what it needs to do in implementing the Economic Growth, 
Regulatory Relief, and Consumer Protection Act. That would 
include updating the summary of rights that goes to consumers 
so that when they get their credit report, they have the 
information about these important new protections available to 
them, as well as educating consumers. We work collaboratively 
with the FTC and share information about that kind of 
information, as well as, of course, overseeing the compliance 
with these new provisions.
    Senator Donnelly. Ms. Mithal.
    Ms. Mithal. And I would say, first of all, I think these 
are very important rights, and they give important tools to 
consumers, so thank you for your work on that.
    As to our implementation, we have put out some guidance to 
consumers informing them of the new updates to the law that 
will take place in September, and we have already begun 
discussions with the CRAs about creating an online portal to 
effectuate all those tools for consumers. And so we are hoping 
to be ready--or we will be ready by September when the law goes 
into effect.
    Senator Donnelly. OK. Section 302 of the new law is based 
off the Protecting Veterans Credit Act, which I introduced with 
Senator Rounds to ensure veterans are not wrongly penalized by 
medical bill payment delays at the Department of Veterans 
Affairs. Many veterans had their credit scores damaged when the 
VA was late to pay medical bills. That will not be a problem 
any longer due to this new law.
    Your agencies, again, have oversight and enforcement 
authority. Can you speak as to how this provision will ensure 
that veterans are not wrongly penalized for medical debt that 
is actually the VA's responsibility? Ms. Twohig.
    Ms. Twohig. Senator, you can be sure that we will be 
looking for compliance with those important new provisions.
    Senator Donnelly. Ms. Mithal.
    Ms. Mithal. And, again, I think the provisions provide very 
important new rights for veterans. I think there have been 
recent studies showing the lack of predictiveness of medical 
debt, and so I think that is a very important provision, and we 
will do everything we can to support it.
    Senator Donnelly. All right. Thank you, Mr. Chairman.
    Senator Brown. Thank you, Senator Donnelly.
    I ask unanimous consent to enter into the record a letter 
from several consumer advocacy groups. Without objection.
    Thanks for being the last guy standing.
    [Laughter.]
    Senator Donnelly. Ready to help anytime.
    Senator Brown. That concludes the questioning for today. 
Questions for the record are due from Senators in 1 week, by 
Thursday, July 19th. We ask the two of you to respond to those 
questions as quickly as possible.
    Thank you for joining us. This concludes the hearing.
    [Whereupon, at 11:29 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Today's hearing is entitled ``An Overview of the Credit Bureaus and 
the Fair Credit Reporting Act''.
    Credit bureaus play a valuable role in our financial system by 
helping financial institutions assess a consumer's ability to meet 
financial obligations, and also facilitating access to beneficial 
financial products and services.
    Given this role, they have a lot of valuable personal information 
on consumers and therefore are targets of cyberattacks.
    Last year, Equifax experienced an unprecedented cybersecurity 
incident which compromised the personal data of over 145 million 
Americans.
    Following that event, the Banking Committee held two oversight 
hearings on the breach and consumer data protection at credit bureaus.
    The first hearing with the former Equifax CEO examined details 
surrounding the breach, while the second hearing with outside experts 
examined what improvements might be made surrounding credit reporting 
agencies and data security.
    This Committee also recently held a hearing on cybersecurity and 
risks to the financial services industry.
    These hearings demonstrated bipartisan concern about the Equifax 
data breach and the protection of consumers' personally identifiable 
information, as well as support for specific legislative measures to 
address such concerns.
    Some of these were addressed in S. 2155, the Economic Growth, 
Regulatory Relief and Consumer Protection Act, which included 
meaningful consumer protections for consumers who become victims of 
fraud.
    For example, it provides consumers unlimited free credit freezes 
and unfreezes per year.
    It allows parents to turn on and off credit reporting for children 
under 18, and provides important protections for veterans and seniors.
    Last month, a New York Times article commenting on the bill noted 
that, ``one helpful change . . . will allow consumers to `freeze' their 
credit files at the three major credit reporting bureaus--without 
charge. Consumers can also `thaw' their files, temporarily or 
permanently, without a fee.''
    Susan Grant, director of consumer protection and privacy at the 
Consumer Federation of America expressed support for these measures, 
calling them ``a good thing.''
    Paul Stephens, director of policy and advocacy at the Privacy 
Rights Clearinghouse, similarly noted that the freeze provision ``has 
the potential to save consumers a lot of money.''
    But there is still an opportunity to see whether more should be 
done, and today's hearing will help inform this Committee in this 
regard.
    Today, I look forward to learning more from the witnesses about: 
the scope of the Fair Credit Reporting Act and other relevant laws and 
regulations as they pertain to credit bureaus; the extent to which the 
Bureau of Consumer Financial Protection and the FTC, whom the two 
witnesses represent, oversee credit bureau data security and accuracy; 
the current state of data security, data accuracy, data breach policy, 
and dispute resolution processes at the credit bureaus; and what, if 
any, improvements could be made.
    States have begun to react in their own ways to various aspects of 
the public debate on privacy, data security, and the Equifax data 
breach.
    Two weeks ago, California enacted the California Consumer Privacy 
Act which will take effect on January 1, 2020.
    The Act, which applies to certain organizations conducting business 
in California, establishes a new privacy framework by creating new data 
privacy rights, imposing special rules for the collection of minors' 
consumer data, and creating a damages framework for violations and 
businesses failing to implement reasonable security procedures.
    Many Members are interested in learning more about what California 
and other States are doing on this front.
    Additionally, 2 weeks ago, eight State banking commissioners 
jointly took action against Equifax in a consent order requiring the 
company to take various actions regarding risk assessment and 
information security.
    I have long been concerned about data collection and data privacy 
protections by the Government and private industry.
    Given Americans' increased reliance and use of technology where 
information can be shared by the swipe of a finger, we should ensure 
that companies and Government entities who have such information use it 
responsibly and keep it safe.
                                 ______
                                 
                 PREPARED STATEMENT OF PEGGY L. TWOHIG
     Assistant Director, Office of Supervision Policy, Division of 
    Supervision, Enforcement, and Fair Lending, Bureau of Consumer 
                          Financial Protection
                             July 12, 2018
    Chairman Crapo, Ranking Member Brown, thank you for the opportunity 
to testify today about the work of the Bureau of Consumer Financial 
Protection (Bureau) to address consumer protections in the consumer 
reporting market. My name is Peggy Twohig, and I am the Assistant 
Director for Supervision Policy at the Bureau. The Office of 
Supervision Policy is responsible for developing supervision strategy 
across bank and nonbank markets and ensuring that policy decisions are 
consistent across markets, charters, and regions.
    Prior to my work at the Bureau, I was Director of the Office of 
Consumer Protection at the Department of the Treasury (Treasury), where 
I worked on the proposal to create a new consumer agency as part of 
financial regulatory reform. Immediately before joining Treasury, I 
served as Associate Director of the Division of Financial Practices at 
the Federal Trade Commission (FTC). My 17-year tenure at the FTC 
focused on enforcement and policy issues related to consumer financial 
services. I have also worked as a litigator in private practice with 
the firm of Arnold & Porter in Washington, DC.
Credit Reporting System
    The consumer reporting market plays a critical role in the overall 
consumer financial services market and has enormous reach and impact; 
over 200 million Americans have credit files with tradelines furnished 
voluntarily by over 10,000 providers. This information is used by many 
different types of businesses, including creditors, insurers, 
landlords, telecommunications providers, and employers, to make 
decisions about individual transactions with consumers. In particular, 
creditors rely on the information in consumers' credit files to make 
decisions as to whether to approve a variety of credit transactions, 
including mortgages, credit cards, student loans, and auto loans. And, 
when extending credit, creditors use that information to determine what 
terms to offer.
    Accurate consumer report information is therefore important to 
creditors and other consumer report users to make good business 
decisions. For any individual consumer, an accurate consumer report can 
be even more important, given the significant impact that information 
can have on the consumer's ability to obtain or pay for financial and 
other products and services. Despite the impact credit reports can have 
on a consumer, consumers do not get to choose who collects and sells 
consumer report information about them.
    Because of the importance of consumer report accuracy to businesses 
and consumers, the structure of the Fair Credit Reporting Act (FCRA) 
creates interrelated legal standards and requirements to support the 
policy goal of accurate credit reporting. These requirements anticipate 
that all reports will not be perfect; instead the FCRA requires that 
credit reporting agencies (CRAs) have ``reasonable procedures to assure 
maximum possible accuracy'' of reports. \1\ It also imposes certain 
accuracy obligations on furnishers. \2\ The FCRA also sets forth a 
dispute and investigation framework, with obligations on both CRAs and 
furnishers, to ensure potential errors are investigated and corrected 
promptly, if necessary. \3\ This dispute resolution framework is 
important to the efficient operation of credit markets, as it provides 
a standard mechanism for identifying and resolving inaccuracies when 
they occur.
---------------------------------------------------------------------------
     \1\ FCRA Section 607(b), 15 U.S.C. 1681e(b).
     \2\ FCRA Section 623(a), 15 U.S.C. 1681s-2(a).
     \3\ FCRA Section 611, 15 U.S.C. 1681i; FCRA Section 623(b), 15 
U.S.C. 1681s-2(b).
---------------------------------------------------------------------------
Bureau Authority Over Consumer Reporting Agencies and Furnishers
    Congress authorized the Bureau to assess compliance with the 
requirements of Federal consumer financial laws as part of its 
supervision of both depository institutions and nondepository 
institutions. As defined by the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Dodd-Frank Act), Federal consumer financial 
laws include most provisions of the Fair Credit Reporting Act. \4\ The 
FCRA is the primary statute that governs consumer reporting by CRAs, 
furnishing information to CRAs, and using reports generated by CRAs. 
Together with its implementing regulation, Regulation V, \5\ the FCRA 
imposes obligations on the compilation, maintenance, furnishing, use, 
and disclosure of information associated with credit, insurance, 
employment, and other decisions made about consumers.
---------------------------------------------------------------------------
     \4\ Id. at 5481(14), (12)(F).
     \5\ 12 CFR part 1022.
---------------------------------------------------------------------------
    Federal consumer financial laws also include substantive provisions 
of Title X of the Dodd-Frank Act. \6\ One of these provisions is the 
prohibition on a covered person or service provider from engaging in 
unfair, deceptive, or abusive acts or practices (UDAAP). \7\ Many CRAs 
are ``covered persons'' under the Dodd-Frank Act because they collect, 
analyze, maintain, or provide consumer report information or other 
account information used or expected to be used in connection with 
decisions regarding the offering or provision of consumer financial 
products or services and delivered, offered, or provided in connection 
with a consumer financial product or service. \8\ Depending on the 
facts and circumstances of any given transaction, CRAs might also be 
considered service providers. \9\
---------------------------------------------------------------------------
     \6\ 12 U.S.C. 5481(14).
     \7\ 12 U.S.C. 5531, 5536(a).
     \8\ Id. at 5481(5), (15)(A)(ix).
     \9\ Id. at 5481(26) (defining ``service provider'' as ``any 
person that provides a material service to a covered person in 
connection with the offering or provision by such covered person of a 
consumer financial product or service . . . '').
---------------------------------------------------------------------------
    The Bureau has supervisory authority over consumer reporting 
agencies that are larger participants in the consumer reporting market. 
In July 2012, the Bureau promulgated the first larger participant rule 
to define larger participants in the consumer reporting market because 
of the importance of this function to efficient credit markets. \10\ 
The larger participant rule defines a larger participant of the 
consumer reporting market as a nonbank covered person with more than $7 
million in annual receipts resulting from relevant consumer reporting 
activities. \11\ The Bureau estimated 30 companies that account for 
about 94 percent of the market's annual receipts met the larger 
participant threshold. \12\
---------------------------------------------------------------------------
     \10\ https://www.consumerfinance.gov/policy-compliance/rulemaking/
final-rules/defining-larger-participants-consumer-reporting-market/.
     \11\ 12 CFR 1090.104.
     \12\ https://www.consumerfinance.gov/about-us/newsroom/consumer-
financial-protection-bureau-to-supervise-credit-reporting/.
---------------------------------------------------------------------------
    Participants in this market include nationwide consumer reporting 
companies, consumer report resellers, and specialty consumer reporting 
companies. \13\ The Bureau reviews the operations of these larger 
participants for compliance with Federal consumer financial laws, 
including the FCRA and Regulation V. The Bureau also has supervisory 
authority over a substantial number of entities that furnish credit 
information to CRAs. As part of its exercise of this authority, the 
Bureau reviews compliance with the FCRA's furnishing requirements at 
other institutions subject to the Bureau's supervisory authority, such 
as large banks. The Bureau also has enforcement authority over nearly 
every person, regardless of status as a supervised entity, who violates 
the FCRA. \14\ The Bureau is the first Federal or State agency to have 
both supervisory and enforcement authority over CRAs and the other 
participants in the consumer reporting market.
---------------------------------------------------------------------------
     \13\ The term ``consumer reporting company'' means the same as 
``consumer reporting agency,'' as defined in the Fair Credit Reporting 
Act, 15 U.S.C. 1681a(f), including nationwide consumer reporting 
agencies as defined in Section 1681a(p) and nationwide specialty 
consumer reporting agencies as defined in Section 1681a(x).
     \14\ E.g., Section 1029 of the Dodd-Frank Act excludes certain 
motor vehicle dealers from the Bureau's rulemaking, enforcement, or 
other authority.
---------------------------------------------------------------------------
    In addition to enforcement and supervisory authority over CRAs, the 
Bureau has broad authority to promulgate rules ``as are necessary to 
carry out the purposes of'' the FCRA. \15\ The Bureau's rules are 
applicable to any person subject to the FCRA, except certain motor 
vehicle dealers. \16\ The Bureau does not, however, have rulemaking 
authority (or supervisory or enforcement authority) under Sections 
615(e) and 628 of the FCRA. These provisions direct the Federal banking 
agencies, the National Credit Union Administration, the FTC, the 
Commodity Futures Trading Commission, and the Securities and Exchange 
Commission to promulgate regulations relating to Red Flags, and 
Disposal of Records. The FTC used its authority under these provisions 
of the FCRA to promulgate its ID Theft Red Flags Rule \17\ and its 
Consumer Report Records Disposal Rule. \18\ Other agencies have 
promulgated comparable rules pursuant to these sections.
---------------------------------------------------------------------------
     \15\ 15 U.S.C. 1681s(e)(1).
     \16\ 12 CFR 1022.1(b)(2).
     \17\ 16 CFR Part 681.
     \18\ 16 CFR Part 682.
---------------------------------------------------------------------------
    CRAs and other participants in the consumer reporting market may 
also be subject to other laws within the Bureau's authority, such as 
the Gramm-Leach-Bliley Act's (GLBA) notice and opt-out and privacy 
provisions. GLBA gives the Bureau rulemaking and enforcement authority 
over these provisions. \19\ (Since these provisions are Federal 
consumer financial laws they are also within the Bureau's supervisory 
authority under section 1024 of the Dodd-Frank Act.) The Bureau cannot, 
however, implement GLBA section 501(b), which requires that financial 
institutions develop, implement, and maintain comprehensive information 
security programs that contain administrative, technical, and physical 
safeguards. \20\ The Bureau has no supervisory, enforcement, or 
rulemaking authority with regard to GLBA section 501(b) or its 
implementing rules; that section is excluded from the definition of 
Federal consumer financial law. \21\ Section 501(b) is implemented by 
rules and guidelines promulgated by the FTC and other agencies, which 
include the FTC's GLBA Customer Information Safeguards Rule. \22\
---------------------------------------------------------------------------
     \19\ 15 U.S.C. 6804(a)(1)(A) and 6805(a)(8). The Bureau's GLBA 
authority does not extend to certain motor vehicle dealers. 12 CFR 
1016.1(b)(1).
     \20\ 15 U.S.C. 6801(b).
     \21\ 15 U.S.C. 5481(12), (14).
     \22\ 16 CFR Part 314.
---------------------------------------------------------------------------
Bureau Credit Reporting Work
    In both its supervision and enforcement work, the Bureau has 
focused on credit reporting accuracy and dispute handling by both CRAs 
and furnishers.
    In March 2017, the Bureau issued a special edition of its 
Supervisory Highlights publication in which it reported out on the 
supervisory work undertaken in consumer reporting. \23\ As discussed in 
the report, the Bureau has focused its supervisory work on the key 
elements underpinning accuracy. As a result of these reviews, the 
Bureau directed specific improvements in data accuracy and dispute 
resolution at one or more CRAs, including:
---------------------------------------------------------------------------
     \23\ https://www.consumerfinance.gov/documents/2774/201703-cfpb-
Supervisory-Highlights-Consumer-Reporting-Special-Edition.pdf.

---------------------------------------------------------------------------
    improved oversight of incoming data from furnishers;

    institution of quality control programs of compiled 
        consumer reports;

    monitoring of furnisher dispute metrics to identify and 
        correct root causes;

    enhanced oversight of third-party public records service 
        providers;

    adherence to independent obligation to reinvestigate 
        consumer disputes, including review of relevant information 
        provided by consumers; and

    improved communication to consumers of dispute results.

    In addition, the Bureau directed both bank and nonbank furnishers, 
consistent with the FCRA's requirements, to develop reasonable written 
policies and procedures regarding accuracy of the information they 
furnish and to take corrective action when they furnished information 
they determined to be inaccurate. The Bureau also found that furnishers 
failed to either conduct investigations or send results of dispute 
investigations to consumers and demanded that these furnishers bring 
their dispute handling practices into compliance with legal 
requirements.
    In addition to supervisory work, the Bureau has brought enforcement 
actions and entered into settlements related to institutions' violation 
of the FCRA's accuracy and dispute investigation requirements. \24\ The 
Bureau will continue to examine and investigate CRAs and furnishers, 
using the authority and tools provided by the Dodd-Frank Act and other 
statutes.
---------------------------------------------------------------------------
     \24\ See, e.g., http://files.consumerfinance.gov/f/
201510_cfpb_consent-order_general-information-serviceinc.pdf; http://
files.consumerfinance.gov/f/201512_cfpb_consent-order_clarity-services-
inc-timothy-ranney.pdf; https://files.consumerfinance.gov/f/documents/
bcfp_security-group-inc_consent-order_2018-06.pdf; https://
files.consumerfinance.gov/f/documents/201701_cfpb_CitiFinancial-
consent-order.pdf.
---------------------------------------------------------------------------
    The Bureau is also focused on educating consumers by providing 
consumers with tools and information to help them know what to do when 
they encounter a problem, or how to avoid problems in the first place. 
For example, we provide information to consumers about how they can 
obtain access to their credit reports to check their accuracy and 
dispute any information they believe to be incorrect. \25\
---------------------------------------------------------------------------
     \25\ For information about how to access your credit reports and 
how to dispute errors: https://www.consumerfinance.gov/consumer-tools/
credit-reports-and-scores/; For information about obtaining credit 
reports: https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-a-copy-
of-my-credit-reports-en-5/; For information about how to dispute 
errors: https://www.consumerfinance.gov/ask-cfpb/how-do-i-dispute-an-
error-on-my-credit-report-en-314/; For information about common credit 
issues: https://www.consumerfinance.gov/about-us/blog/3-common-credit-
issues-and-what-you-can-do-fix-them/.
---------------------------------------------------------------------------
Data Security
    CRAs hold a tremendous amount of information about consumers, 
including sensitive financial information. If CRAs do not protect this 
data, it may lead to data breaches and other unauthorized access to it. 
Unauthorized access to data at consumer reporting agencies creates the 
risk of substantial harm to consumers, including the risk of identity 
theft. Because of these risks, since the Equifax breach, the Bureau has 
increased its attention to data security issues in our supervisory and 
enforcement activities.
    The Bureau has the authority to conduct data security 
investigations and examinations at nonbanks over which it has 
supervisory authority, including CRAs.
    Data security reviews conducted by the Bureau are comprised of 
three specific inquiries, consistent with the three prongs of the 
Bureau's general examination authority. \26\ First, the Bureau assesses 
the facts and circumstances to determine whether a nonbank's data 
security practices and policies constitute violations of Federal 
consumer financial law, including violations of the Dodd-Frank Act's 
prohibition against unfair, deceptive or abusive acts and practices 
(UDAAP) \27\ and of the Fair Credit Reporting Act. \28\ Second, the 
Bureau obtains information about compliance management systems and 
procedures relating to data security practices. Third, the Bureau 
detects and assesses risks posed by potential data security lapses to 
consumers and to markets for consumer financial products and services.
---------------------------------------------------------------------------
     \26\ Section 1024 of the Dodd-Frank Act grants the Bureau the 
authority to conduct examinations of certain nonbank financial 
institutions, including larger participants in the consumer reporting 
market, under its risk-based supervision program for the purposes of: 
(a) assessing compliance with the requirements of Federal consumer 
financial law; (b) obtaining information about the activities and 
compliance systems or procedures of such person; and (c) detecting and 
assessing risks to consumers and to markets for consumer financial 
products and services. 15 U.S.C. 5514.
     \27\ Both courts and executive branch agencies have found that, in 
certain circumstances, insufficient data security can constitute an 
unfair or deceptive practice. FTC v. Wyndham Worldwide Corp., 799 F.3d 
236 (3d Cir. 2015); FTC v. AshleyMadison.com, No. 1:16-cv-02438 (D.D.C. 
filed Dec. 14, 2016); available at https://www.ftc.gov/enforcement/
cases-proceedings/152-3284/ashley-madison.
     \28\ FCRA Section 607(a), 15 U.S.C. 1681e.
---------------------------------------------------------------------------
    In addition to this work, the Bureau website has a list of 
resources and information for consumers about data breaches to help 
consumers understand what steps or actions they can take to protect 
their personal information. \29\ The Bureau also provides resources to 
help consumers protect themselves from identity theft, \30\ to help 
military personnel and their families secure their identities, \31\ and 
specific resources on the Top 10 ways to protect yourself in the wake 
of the Equifax data breach. \32\ In addition, the Bureau's online tool, 
Ask CFPB, has provided consumers with answers to frequently asked 
questions about a variety of topics, including identity theft, credit 
freezes, fraud alerts, and credit and identity monitoring. \33\
---------------------------------------------------------------------------
     \29\ https://www.consumerfinance.gov/equifaxbreach.
     \30\ https://www.consumerfinance.gov/about-us/blog/identity-theft-
protection-following-equifax-data-breach/.
     \31\ https://www.consumerfinance.gov/about-us/blog/servicemembers-
should-secure-their-identity-after-equifax-data-breach/.
     \32\ https://www.consumerfinance.gov/about-us/blog/top-10-ways-
protect-yourself-wake-equifax-data-breach/.
     \33\ Available at http://www.consumerfinance.gov/askcfpb/search/
?selected-facets=tag-exact%3Aidentity+theft.
---------------------------------------------------------------------------
Conclusion
    Large breaches call for a coordinated response, and the Bureau will 
continue to coordinate with other Federal and State agencies. We will 
also continue to exercise our authority to examine and investigate 
credit reporting companies and furnishers of information, and to 
educate consumers about important consumer financial issues. Consumers 
should have confidence that their credit reports comply with all 
applicable legal requirements.
    Thank you again for the opportunity to testify today at this 
important hearing. I would be happy to answer your questions about the 
Bureau's work related to credit reporting.
                                 ______
                                 
                 PREPARED STATEMENT OF MANEESHA MITHAL
Associate Director, Division of Privacy and Identity Protection, Bureau 
            of Consumer Protection, Federal Trade Commission
                             July 12, 2018
Introduction
    Chairman Crapo and Members of the Committee, my name is Maneesha 
Mithal, and I am the Associate Director for the Division of Privacy and 
Identity Protection at the Federal Trade Commission (Commission or 
FTC). \1\ I appreciate the opportunity to appear before you today to 
discuss the Fair Credit Reporting Act, credit bureaus, and data 
security.
---------------------------------------------------------------------------
     \1\ While the views expressed in this statement represent the 
views of the Commission, my oral presentation and responses to 
questions are my own and do not necessarily reflect the views of the 
Commission or any individual Commissioner.
---------------------------------------------------------------------------
    Congress enacted the Fair Credit Reporting Act \2\ (FCRA) in 1970, 
recognizing the importance of ``fair and accurate credit reporting'' to 
maintain ``the efficiency of the banking system'' and ``the public[']s 
confidence'' in that system, while at the same time balancing the 
``need to insure that consumer reporting agencies exercise their grave 
responsibilities with fairness, impartiality, and a respect for the 
consumer's right to privacy.'' \3\ The FCRA helps to (1) prevent the 
misuse of sensitive consumer report information by limiting recipients 
to those who have a legitimate need for it; (2) improve the accuracy 
and integrity of consumer reports; and (3) promote the efficiency of 
the Nation's banking and consumer credit systems. Since the FCRA's 
passage, Congress has amended the statute to address developments in 
the consumer reporting system and the marketplace and to increase 
consumers' rights and protections with respect to the collection and 
use of their data. \4\
---------------------------------------------------------------------------
     \2\ 15 U.S.C. 1681-1681x.
     \3\ Id. 1681(a).
     \4\ The Consumer Credit Reporting Reform Act of 1996, Title II, 
Subtitle D, Chapter 1, of the Omnibus Consolidated Appropriations Act 
for Fiscal Year 1997 (Public Law No. 104-208, Sept. 30, 1996), made 
extensive revisions to the FCRA, including expanding the duties of 
consumer reporting agencies, increasing obligations on users of 
consumer reports, and adding furnishers of information to consumer 
reporting agencies as a category of entities with statutory 
obligations. There were a number of more modest revisions over the next 
7 years, the most significant of which was a 1999 amendment that 
specifically authorized the Federal financial agencies to promulgate 
regulations for the banks and other entities subject to their 
jurisdiction. The Fair and Accurate Credit Transactions Act of 2003, 
Public Law No. 108-159 (Dec. 4, 2003) (FACT Act), added several 
sections to assist consumers and businesses in combating identity theft 
and reduce the damage to consumers. The Commission, often in 
conjunction with the Federal financial agencies, issued numerous rules 
to implement the various FACT Act provisions.
---------------------------------------------------------------------------
    The Commission has played a key role in the implementation, 
enforcement, and interpretation of the FCRA since its enactment. \5\ In 
the last decade, the Commission has brought over 30 actions to enforce 
the FCRA against consumer reporting agencies (CRAs), users of consumer 
reports, and furnishers of information to CRAs. As the consumer 
reporting system evolves and new technologies and business practices 
emerge, vigorous enforcement of the FCRA continues to be a top priority 
for the Commission, as well as consumer and business education 
concerning applicable rights and responsibilities under the statute.
---------------------------------------------------------------------------
     \5\ As enacted, the FCRA established the Commission as the primary 
Federal enforcement agency, with wide jurisdiction over entities 
involved in the consumer reporting system; the primary exceptions to 
the Commission's jurisdiction are federally regulated financial 
institutions. See 15 U.S.C. 1681s(a)-(b). Pursuant to the Consumer 
Financial Protection Act of 2010 (CFPA), Title X of Public Law 111-203, 
124 Stat. 1955 (July 21, 2010) (The Dodd-Frank Wall Street Reform and 
Consumer Protection Act), the Commission shares its FCRA enforcement 
role with the Bureau of Consumer Financial Protection (Bureau) in many 
respects.
---------------------------------------------------------------------------
    This testimony first provides background on the FCRA. Next, it 
discusses marketplace developments related to credit report accuracy. 
It then discusses the Commission's work to enforce the accuracy 
provisions of the FCRA and educate consumers and businesses about their 
respective rights and responsibilities under the statute. Finally, it 
discusses the data security requirements applicable to credit bureaus 
and the FTC's efforts to promote data security in this sector.
Background on the FCRA
    CRAs assemble or evaluate consumer data for third parties to use to 
make critical decisions about the availability and cost of various 
consumer products and services, including credit, insurance, 
employment, and housing. \6\ These consumer reports are often used to 
evaluate the risk of future nonpayment, default, or other adverse 
events. For example, complete and accurate consumer reports enable 
creditors to make informed lending decisions, benefiting both creditors 
and consumers. Errors in consumer reports, however, can cause consumers 
to be denied credit or other benefits or pay a higher price for them. 
Errors in consumer reports can also cause credit issuers to make 
inaccurate decisions that result in declining credit to a potentially 
valuable customer or issuing credit to a riskier customer than 
intended.
---------------------------------------------------------------------------
     \6\ 15 U.S.C. 1681a(d) and (f).
---------------------------------------------------------------------------
    The FCRA imposes a number of obligations on CRAs. For example, to 
protect the privacy of sensitive consumer report information, CRAs must 
take reasonable measures to ensure that they provide such information 
only to those who have a statutorily specified ``permissible purpose'' 
to receive it. \7\ CRAs must also comply with requirements to help 
ensure the accuracy of consumer reports, including requirements that 
CRAs (1) maintain reasonable procedures to ensure the ``maximum 
possible accuracy'' of consumer reports \8\ and (2) maintain procedures 
through which consumers can dispute and correct inaccurate information 
in their consumer reports. \9\
---------------------------------------------------------------------------
     \7\ Id. 1681b(a), (c). Permissible purposes under the FCRA 
include, but are not limited to, the use of a consumer report in 
connection with a determination of eligibility for credit, insurance, 
or a license; in connection with the review of an existing account; and 
for certain employment purposes.
     \8\ Id. 1681e(b).
     \9\ Id. 1681i(a)-(d)(1).
---------------------------------------------------------------------------
    Under the FCRA, if a consumer disputes the completeness or accuracy 
of information contained in his or her file, the CRA must complete a 
reasonable investigation within 30 days. The CRA must notify the 
furnisher of the disputed information within five business days. If a 
disputed item is found to be inaccurate or incomplete or cannot be 
verified, the CRA must delete or modify the information and notify the 
furnisher. In general, the CRA must provide the consumer with written 
notice of the results of the investigation in accordance with the 
procedures set forth in the statute within 5 business days after the 
completion of the investigation.
    In addition, the FCRA imposes obligations on those who furnish 
information about consumers to CRAs, such as entities extending credit. 
For example, furnishers have a duty to report accurate information and 
investigate consumer disputes of inaccurate information. \10\
---------------------------------------------------------------------------
     \10\ Id. 1681s-2(a)-(b).
---------------------------------------------------------------------------
    Users of consumer reports have obligations under the statute as 
well. For example, if a user of a consumer report takes an adverse 
action against a consumer--such as a denial of credit or employment--
based on information in a consumer report, the user must provide an 
adverse action notice to the consumer, which explains how the consumer 
can obtain a free copy of the report and dispute any inaccurate 
information in the report. \11\
---------------------------------------------------------------------------
     \11\ Id. 1681m(a). The adverse action notice also must include a 
statement that the CRA that supplied the consumer report did not make 
the decision to take the adverse action and cannot give the consumer 
any specific reasons for the decision. Id. 1681m(a)(2)(B).
---------------------------------------------------------------------------
Credit Report Accuracy
    In 2012, the Commission published a study of credit report accuracy 
mandated by the FACT Act, which amended the FCRA. \12\ It was the first 
major study that looked at all of the primary groups that participate 
in the credit reporting and scoring process--consumers, furnishers 
(e.g., creditors, lenders, debt collection agencies), the Fair Isaac 
Corporation (which develops FICO credit scores), and the national 
credit bureaus. \13\ To implement the study, researchers worked with 
approximately 1,000 consumers to review their free credit reports from 
the three major credit bureaus. The researchers helped consumers 
identify and dispute possible errors on their credit reports. According 
to the study findings, 25 percent of consumers identified errors on 
their credit reports that might affect their credit scores and 80 
percent of these consumers who filed disputes experienced some 
modification to their credit reports. Overall, 13 percent of consumers 
experienced a change in their credit scores after a dispute and 5 
percent of consumers experienced an increase in their credit scores 
such that their credit risk tier decreased and the consumer may be more 
likely to be offered a lower loan interest rate.
---------------------------------------------------------------------------
     \12\ Public Law No. 108-159 (Dec. 4, 2003).
     \13\ Section 319 of the Fair and Accurate Credit Transactions Act 
of 2003: Fifth Interim Federal Trade Commission Report to Congress 
Concerning the Accuracy of Information in Credit Reports (Dec. 2012), 
available at https://www.ftc.gov/reports/section-319-fair-accurate-
credit-transactions-act-2003-fifth-interim-federal-trade.
---------------------------------------------------------------------------
    There have been significant changes in the marketplace aimed at 
increasing credit report accuracy since the Commission published its 
study. For example, the Bureau has been exercising its supervisory 
authority over the nationwide credit bureaus and it periodically 
publishes Supervisory Highlights describing its findings. Last year, it 
published an edition focused on accuracy issues in credit reporting and 
the handling and resolution of consumer disputes, and it pointed to 
several specific improvements it directed in these areas. \14\
---------------------------------------------------------------------------
     \14\ See Supervisory Highlights Consumer Reporting Special Edition 
(Mar. 2, 2017), available at https://www.consumerfinance.gov/data-
research/research-reports/supervisory-highlights-consumer-reporting-
special-edition/.
---------------------------------------------------------------------------
    In addition, in 2015, the nationwide credit bureaus announced a 
Nationwide Consumer Assistance Plan (NCAP) as a result of a settlement 
with over 30 State attorneys general, with a number of provisions 
designed to improve the accuracy of credit reports. \15\ These 
provisions include requiring all data furnishers to use the most 
current reporting format; removing any previously reported medical 
collections that have been paid or are being paid by insurance; 
requiring debt collectors to regularly update the status of unpaid 
debts and remove debts no longer being pursued for collection; and 
implementing an enhanced dispute resolution process for consumers that 
are victims of fraud or identity theft or are involved in mixed files 
(where two consumer files are mistakenly mixed together). NCAP 
contained a phased implementation plan scheduled to be completed this 
year.
---------------------------------------------------------------------------
     \15\ See, e.g., National Consumer Assistance Plan, News Release 
(Jun. 9, 2016), available at http://
www.nationalconsumerassistanceplan.com/news/news-release/.
---------------------------------------------------------------------------
FTC Activities To Promote Credit Report Accuracy
Law Enforcement
    FCRA enforcement continues to be a top priority for the Commission. 
With the advent in 2011 of the Bureau's supervisory authority over the 
nationwide credit bureaus and the coordination efforts between the 
agencies, the FTC has focused its FCRA law enforcement efforts on other 
entities in the credit reporting area and other aspects of the consumer 
reporting industry more broadly.
    For example, the FTC settled cases against furnishers that 
allegedly had inadequate policies and procedures for reporting accurate 
credit information to CRAs. In Credit Protection Association, LP, the 
Commission alleged that a debt collector failed to have adequate 
policies and procedures to handle consumer disputes, did not have a 
policy requiring notice to consumers of the outcomes of investigations 
about disputed information, and in numerous instances failed to inform 
consumers of the outcome of disputes. \16\ The settlement included 
$72,000 in civil penalties. \17\ And, in Tricolor Auto Acceptance, LLC, 
the Commission alleged that the loan-servicing department of an auto 
dealer failed to have written policies and procedures designed to 
ensure that the credit information it reported to CRAs was accurate and 
failed to properly investigate consumer disputes regarding the accuracy 
of credit information. \18\ The settlement included $82,000 in civil 
penalties.
---------------------------------------------------------------------------
     \16\ U.S. v. Credit Protection Association, LP, No. 3:16-cv-01255-
D (N.D.Tex. filed May 9, 2016), available at https://www.ftc.gov/
enforcement/cases-proceedings/142-3142/credit-protection-association.
     \17\ As specified by the Federal Civil Penalty Inflation 
Adjustment Act of 1990, 28 U.S.C. 2861, as amended by the Debt 
Collection Improvements Act of 1996, Public Law 104-134, 31001(s)(1), 
110 Stat. 1321-373, in relevant part, civil penalties under the FCRA 
are capped at $3,500 per violation for violations occurring before 
August 1, 2016, $3,756 per violation for violations occurring between 
that date and January 23, 2017, and $3,817 for violations occurring on 
or after January 24, 2017.
     \18\ U.S. v. Tricolor Auto Acceptance, LLC, No. 3:15-cv-3002 
(N.D.Tex. filed Sept. 16, 2015), available at https://www.ftc.gov/
enforcement/cases-proceedings/142-3073/tricolor-auto-acceptance-llc.
---------------------------------------------------------------------------
    In addition, the FTC has settled cases against background screening 
CRAs that compile background reports on consumers that may include 
driving records, employment and education history, eviction records, 
and criminal records for use in making employment and housing 
decisions. These settlements include allegations relating to 
inaccuracies in consumer reports, as well as failures to protect the 
privacy of consumer reports by ensuring permissible use. For example, 
in InfoTrack Information Services, Inc., the Commission alleged that a 
background screening CRA failed to have reasonable procedures to ensure 
the maximum possible accuracy of consumer report information and, as a 
result, provided inaccurate information suggesting that job applicants 
potentially were registered sex offenders. \19\ The settlement included 
$1 million in civil penalties, which was suspended upon payment of 
$60,000 based on inability to pay. In Instant Checkmate, Inc., the 
Commission alleged that the CRA compiled public record information into 
background reports and marketed its services to landlords and employers 
but failed to comply with several FCRA provisions, including failing to 
maintain reasonable procedures to ensure the accuracy of its reports, 
failing to have reasonable procedures to ensure that those using its 
reports had permissible purposes for accessing them, and providing 
reports to users that it did not have reason to believe had a 
permissible purpose to receive them. \20\ The settlement included 
$525,000 in civil penalties.
---------------------------------------------------------------------------
     \19\ U.S. v. Infotrack Information Services, Inc., No. 1:14-cv-
02054 (N.D.Ill. filed Apr. 9, 2014), available at https://www.ftc.gov/
enforcement/cases-proceedings/122-3092/infotrack-information-services-
inc-et-al.
     \20\ U.S. v. Instant Checkmate, Inc., No. 3:14-cv-00675-H-JMA 
(S.D.Cal. filed Apr. 9, 2014), available at https://www.ftc.gov/
enforcement/cases-proceedings/122-3221/instant-checkmate-inc.
---------------------------------------------------------------------------
    The FTC has also brought cases against check authorization CRAs for 
failing to comply with their accuracy obligations. Check authorization 
companies compile consumers' personal information and use it to help 
retail merchants throughout the United States determine whether to 
accept consumers' checks. In its settlements with Telecheck \21\ and 
Certegy, \22\ two of the Nation's largest check authorization 
companies, the Commission charged these companies with failing to 
follow FCRA accuracy procedures, failing to follow proper procedures 
for consumer disputes, and failing to establish and implement 
reasonable written policies regarding the accuracy of information the 
companies furnish to other CRAs. The FTC obtained $3.5 million in civil 
penalties against each company.
---------------------------------------------------------------------------
     \21\ U.S. v. TeleCheck Services, Inc., No. 1:14-cv-00062 (D.D.C. 
filed Jan. 16, 2014), available at https://www.ftc.gov/enforcement/
cases-proceedings/112-3183/telecheck-services-inc.
     \22\ U.S. v. Certegy Services, Inc., No. 1:13-cv-01247 (D.D.C. 
filed Aug. 15, 2013), available at https://www.ftc.gov/enforcement/
cases-proceedings/112-3183/telecheck-services-inc.
---------------------------------------------------------------------------
Business Guidance and Consumer Education
    The Commission also continues to educate consumers and businesses 
on their consumer reporting rights and obligations under the FCRA. The 
FTC has published guidance for employment and tenant background 
screening companies regarding their obligations under the FCRA, 
including with respect to accuracy and consumer disputes. \23\ For 
furnishers, the FTC publication Consumer Reports: What Information 
Furnishers Need To Know provides an overview of obligations under the 
FCRA. \24\ Similarly, for users of consumer reports, FTC guidance 
includes publications for employers, landlords, insurers, and 
creditors, as well as guidance on secure disposal of consumer 
information for all businesses. \25\
---------------------------------------------------------------------------
     \23\ See ``What Employment Background Screening Companies Need To 
Know About the Fair Credit Reporting Act'' (Apr. 2016), available at 
https://www.ftc.gov/tips-advice/business-center/guidance/what-
employment-background-screening-companies-need-know-about; ``What 
Tenant Background Screening Companies Need To Know About the Fair 
Credit Reporting Act'' (Oct. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/what-tenant-background-screening-
companies-need-know-about-fair.
     \24\ See Consumer Reports: ``What Information Furnishers Need To 
Know'' (Nov. 2016), available at https://www.ftc.gov/tips-advice/
business-center/guidance/consumer-reports-what-information-furnishers-
need-know.
     \25\ See Consumer Reports: ``What Employers Need To Know'' (Oct. 
2016), available at https://www.ftc.gov/tips-advice/business-center/
guidance/using-consumer-reports-what-employers-need-know; Consumer 
Reports: ``What Landlords Need To Know'' (Oct. 2016), available at 
https://www.ftc.gov/tips-advice/business-center/guidance/using-
consumer-reports-what-landlords-need-know; Consumer Reports: ``What 
Insurers Need To Know'' (Nov. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/consumer-reports-what-insurers-
need-know; ``Using Consumer Reports for Credit Decisions: What To Know 
About Adverse Action and Risk-Based Pricing Notices'' (Nov. 2016), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
using-consumer-reports-credit-decisions-what-know-about-adverse; 
``Disposing of Consumer Report Information? Rule Tells How'' (Jun. 
2005), available at https://www.ftc.gov/tips-advice/business-center/
guidance/disposing-consumer-report-information-rule-tells-how.
---------------------------------------------------------------------------
    The FTC also has a number of user-friendly resources for consumers 
designed to inform them of their rights under the FCRA and assist them 
with navigating the consumer reporting system. The publication Credit 
and Your Consumer Rights provides an overview of credit, explains 
consumers' legal rights, and offers practical tips to help solve credit 
problems. \26\ The FTC also has publications that explain how consumers 
can obtain their free annual credit reports from each of the nationwide 
consumer reporting agencies \27\ and use the FCRA's dispute procedures 
to ensure that information in their consumer reports is accurate. \28\ 
For consumers seeking employment or housing, the FTC has materials on 
employment background checks \29\ and tenant background checks. \30\ 
The Commission continues to update and expand its materials as new 
issues arise.
---------------------------------------------------------------------------
     \26\ ``Credit and Your Consumer Rights'' (June 2017), available at 
https://www.consumer.ftc.gov/articles/pdf-0070-credit-and-your-
consumer-rights.
     \27\ ``Free Credit Reports'' (Mar. 2013), available at https://
www.consumer.ftc.gov/articles/0155-free-credit-reports.
     \28\ See ``Disputing Errors on Credit Reports'' (Feb. 2017), 
available at https://www.consumer.ftc.gov/articles/0151-disputing-
errors-credit-reports.
     \29\ See ``Background Checks'' (Mar. 2018), available at https://
www.consumer.ftc.gov/articles/0157-background-checks.
     \30\ See FTC Consumer Blog, ``Renting an Apartment? Be Prepared 
for a Background Check'' (Nov. 2016), available at https://www.ftc.gov/
tips-advice/business-center/guidance/disposing-consumer-report-
information-rule-tells-how.
---------------------------------------------------------------------------
Data Security
    The FTC is committed to protecting consumer privacy and promoting 
data security in the private sector. The Commission is the Nation's 
primary data security regulator and enforces several statutes and rules 
that impose data security requirements on companies across a wide 
spectrum of industries, including credit bureaus. Since 2001, the 
Commission has undertaken substantial efforts to promote data security 
in the private sector through enforcement of Section 5 of the FTC Act, 
which prohibits unfair or deceptive acts or practices, such as 
businesses making false or misleading claims about their data security 
procedures, or failing to employ reasonable security measures. \31\ The 
Commission is also the Federal enforcement agency for the Children's 
Online Privacy Protection Act (COPPA), which requires reasonable 
security for children's information collected online. \32\
---------------------------------------------------------------------------
     \31\ 15 U.S.C. 45(a). If a company makes materially misleading 
statements or omissions about a matter, including data security, and 
such statements or omissions are likely to mislead reasonable 
consumers, they can be found to be deceptive in violation of Section 5. 
Further, if a company's data security practices cause or are likely to 
cause substantial injury to consumers that is neither reasonably 
avoidable by consumers nor outweighed by countervailing benefits to 
consumers or to competition, those practices can be found to be unfair 
and violate Section 5.
     \32\ 15 U.S.C. 6501-6506; see also 16 CFR Part 312 (COPPA Rule).
---------------------------------------------------------------------------
    Further, the Commission's Safeguards Rule, which implements the 
Gramm-Leach-Bliley Act (GLB Act), sets forth data security requirements 
for financial institutions within the Commission's jurisdiction, which 
includes credit bureaus. \33\ The Safeguards Rule requires financial 
institutions, or companies that are significantly engaged in offering 
consumer financial products or services, to develop, implement, and 
maintain a comprehensive information security program for handling 
customer information. The plan must be appropriate to the company's 
size and complexity, the nature and scope of its activities, and the 
sensitivity of the customer information it handles. The FTC has 
exclusive enforcement authority with respect to nonbank consumer 
financial services providers.
---------------------------------------------------------------------------
     \33\ 16 CFR Part 314, implementing 15 U.S.C. 6801(b).
---------------------------------------------------------------------------
    Finally, the FCRA requires consumer reporting agencies to use 
reasonable procedures to ensure that the entities to which they provide 
consumer reports have a permissible purpose for receiving that 
information \34\ and also requires the secure disposal of consumer 
report information. \35\ This section describes the FTC's efforts to 
enforce these laws, educate consumers and businesses, and develop 
policies in this area.
---------------------------------------------------------------------------
     \34\ 15 U.S.C. 1681e.
     \35\ Id. 1681w. The FTC's implementing rule is at 16 CFR Part 
682.
---------------------------------------------------------------------------
Law Enforcement
    The Commission has brought over 60 law enforcement actions against 
companies that allegedly engaged in unreasonable data security 
practices. Last year, the Commission took the unusual step of publicly 
confirming its investigation into the Equifax data breach due to the 
scale of public interest in the matter.
    The FTC has significant experience with enforcing data security 
laws against CRAs. In 2006, the FTC brought the seminal ChoicePoint 
case against a CRA that sold consumer reports to identity thieves who 
did not have a permissible purpose to obtain the information under the 
FCRA, as well as failed to employ reasonable measures to secure the 
personal information it collected and misrepresented its security 
practices under Section 5 of the FTC Act. \36\ The complaint alleged 
that ChoicePoint failed to monitor subscribers even after receiving 
subpoenas from law enforcement authorities alerting it to fraudulent 
activity. The settlement included injunctive relief, as well as $10 
million in civil penalties--the largest FCRA civil penalty in FTC 
history--and $5 million in consumer redress. A few years later, the FTC 
settled another action against the company when it suffered a data 
breach because it turned off a key electronic security tool used to 
monitor access to one of its databases, in violation of the 
Commission's order. \37\
---------------------------------------------------------------------------
     \36\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-GET (N.D.Ga. 
filed Jan. 30, 2006), available at https://www.ftc.gov/enforcement/
cases-proceedings/052-3069/choicepoint-inc.
     \37\ U.S. v. Choicepoint, Inc., No. 1:06-cv-00198-JTC (N.D.Ga. 
filed Oct. 19, 2009), available at https://www.ftc.gov/enforcement/
cases-proceedings/052-3069/choicepoint-inc.
---------------------------------------------------------------------------
    The Commission has also brought actions against companies for 
failing to dispose of consumer report information securely. For 
example, in the PLS Financial Services, Inc. case, the FTC alleged that 
the company violated the FCRA Disposal Rule by failing to take 
reasonable steps to protect against unauthorized access to credit 
reports in the improper disposal of the consumer information, violated 
the Safeguards Rule requirements for financial institutions to develop 
and use safeguards to protect consumer information, and violated the 
FTC Act by misrepresenting that it had implemented reasonable measures 
to protect sensitive consumer information. \38\ The settlement included 
injunctive relief and $101,500 in civil penalties.
---------------------------------------------------------------------------
     \38\ U.S. v. PLS Financial Services, Inc., No. 112-cv-08334 
(N.D.Ill. filed Oct. 17, 2012), available at https://www.ftc.gov/
enforcement/cases-proceedings/1023172/pls-financial-services-inc-et-al.
---------------------------------------------------------------------------
Business Guidance and Consumer Education
    In addition to law enforcement, the FTC provides extensive business 
guidance on data security. The agency's goal is to provide information 
to help businesses protect the data in their care and understand what 
practices may violate the laws the FTC enforces. The FTC provides 
general business education about data security issues, as well as 
specific guidance on emerging threats.
    In 2015, the FTC launched its Start with Security initiative, which 
includes a guide for businesses, \39\ as well as 11 short videos, \40\ 
that discuss 10 important security topics and give advice about 
specific security practices for each. In 2016, the FTC published a 
business advisory on how the National Institute of Standards and 
Technology Cybersecurity Framework applies to the FTC's data security 
work \41\ and released an update to ``Protecting Personal Information: 
A Guide for Business'', which was first published in 2007. \42\ Last 
year, the FTC published its Stick with Security blog series offering 
additional insights into the Start with Security principles, based on 
the lessons of recent law enforcement actions, closed investigations, 
and experiences companies have shared about data security in their 
business. \43\
---------------------------------------------------------------------------
     \39\ ``Start With Security: A Guide for Business'' (June 2015), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
start-security-guide-business.
     \40\ ``Start With Security: Free Resources for Any Business'' 
(Feb. 19, 2016), available at https://www.ftc.gov/news-events/audio-
video/business.
     \41\ FTC Business Blog, ``The NIST Cybersecurity Framework and the 
FTC'' (Aug. 31, 2016), available at https://www.ftc.gov/news-events/
blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.
     \42\ ``Protecting Personal Information: A Guide for Business'' 
(Oct. 2016), available at https://www.ftc.gov/tips-advice/business-
center/guidance/protecting-personal-information-guide-business.
     \43\ FTC Business Blog, ``Stick With Security: A Business Blog 
Series'' (Oct. 2017), available at https://www.ftc.gov/tips-advice/
business-center/guidance/stick-security-business-blog-series.
---------------------------------------------------------------------------
    In addition to data security guidance, the FTC provides business 
guidance related to data breaches. In September 2016, the FTC released 
Data Breach Response: A Guide for Business, \44\ and a related video, 
which describes immediate steps companies should take when they 
experience a data breach, such as taking breached systems offline, 
securing physical areas to eliminate the risk of further harm from the 
breach, and notifying consumers, affected businesses, and law 
enforcement. The guide also includes a model data breach notification 
letter businesses can use to get started.
---------------------------------------------------------------------------
     \44\ ``Data Breach Response: A Guide for Business'' (Oct. 2016), 
available at https://www.ftc.gov/tips-advice/business-center/guidance/
data-breach-response-guide-business.
---------------------------------------------------------------------------
    The FTC also provides businesses with specific guidance on emerging 
threats. For example, most recently the FTC released a staff 
perspective and related blog post to help businesses prevent phishing 
scams. \45\ Following a workshop, \46\ the FTC published a blog post 
describing ransomware, \47\ how to defend against it, and essential 
steps to take if businesses become victims. \48\ Further, the FTC 
develops targeted guidance for companies in specific industries. For 
example, staff developed specific security guidance for debt buyers and 
sellers. \49\
---------------------------------------------------------------------------
     \45\ FTC Staff Perspective, ``Businesses Can Help Stop Phishing 
and Protect Their Brands Using Email Authentication'' (Mar. 2017), 
available at https://www.ftc.gov/reports/businesses-can-help-stop-
phishing-protect-their-brands-using-email-authentication-ftc-staff; FTC 
Business Blog, ``Want To Stop Phishers? Use Email Authentication'', 
Mar. 3, 2017, available at https://www.ftc.gov/news-events/blogs/
business-blog/2017/03/want-stop-phishers-use-email-authentication.
     \46\ Fall Technology Series: ``Ransomware'' (Sept. 7, 2016), 
available at https://www.ftc.gov/news-events/events-calendar/2016/09/
fall-technology-series-ransomware.
     \47\ Ransomware is malicious software that infiltrates computer 
systems or networks and uses tools like encryption to deny access or 
hold data ``hostage'' until the victim pays a ransom.
     \48\ FTC Business Blog, ``Ransomware--A Closer Look'' (Nov. 10, 
2016), available at https://www.ftc.gov/news-events/blogs/business-
blog/2016/11/ransomware-closer-look.
     \49\ ``Buying or Selling Debts? Steps for Keeping Data Secure'' 
(Apr. 2015), available at https://www.ftc.gov/tips-advice/business-
center/guidance/buying-or-selling-debts-steps-keeping-data-secure.
---------------------------------------------------------------------------
    The Commission also educates consumers on security. For example, 
the FTC has provided guidance for consumers on securing their home 
wireless networks, a critical security step for protecting devices and 
personal information from compromise. These resources are accessible on 
the FTC's consumer guidance website, consumer.ftc.gov. The FTC also 
assists consumers affected by data breaches through its 
identitytheft.gov website that allows consumers who are victims of 
identity theft to quickly file a complaint with the FTC and get a free, 
personalized guide to recovery that helps streamline many of the steps 
involved. In the wake of the announcement of the Equifax data breach 
last year, the agency published numerous materials and created a 
dedicated page on its website, ftc.gov/Equifax, with resources to 
educate consumers about fraud alerts, active duty alerts, credit 
freezes and locks, credit monitoring, and how to reduce the risk of 
identity theft.
Policy Initiatives
    The FTC engages in a variety of policy initiatives to enhance data 
security. The FTC has hosted workshops and issued reports to highlight 
the privacy and security implications of new technologies. For example, 
last year the FTC hosted a workshop to examine consumer injury in the 
context of privacy and data security and various issues related to the 
injuries consumers suffer when information about them is misused. \50\ 
Most recently, the Commission announced plans to hold a series of 
public hearings on the impact of market developments on competition and 
consumer protection enforcement, including the Commission's remedial 
authority to deter unfair and deceptive conduct in privacy and data 
security matters. \51\
---------------------------------------------------------------------------
     \50\ Informational Injury Workshop (Dec. 12, 2017), available at 
https://www.ftc.gov/news-events/events-calendar/2017/12/informational-
injury-workshop.
     \51\ Press Release, ``FTC Announces Hearings on Competition and 
Consumer Protection in the 21st Century'' (June 20, 2018), available at 
https://www.ftc.gov/news-events/press-releases/2018/06/ftc-announces-
hearings-competition-consumer-protection-21st.
---------------------------------------------------------------------------
Conclusion
    Thank you for the opportunity to provide the Commission's testimony 
on credit report accuracy and security. We look forward to continuing 
to work with Congress and this Committee on these important issues.
        RESPONSES TO WRITTEN QUESTIONS OF SENATOR SCOTT
                      FROM MANEESHA MITHAL

Q.1. I greatly appreciated the FTC's guidance and technical 
assistance as I authored legislation, the Protecting Children 
From Identity Theft Act (S. 2498), to stamp out synthetic ID 
fraud. Your team has long been a leading voice on this issue. 
Thanks to Chairman Crapo, the legislation was included in the 
Economic Growth, Regulatory Relief, and Consumer Protection Act 
(Section 215 of S. 2155) and enacted into law this May.
    Please answer the following with specificity:
    For the benefit of this Committee, could you explain what 
synthetic ID fraud is and who predominantly falls victim to 
this crime?

A.1. Synthetic identity theft is a technique used by some 
identity thieves in which they apply for credit using a mixture 
of real, verifiable information of an existing person with 
fictitious information, thus creating a ``synthetic'' identity. 
Often these identity thieves use real Social Security numbers 
(SSNs) of people they know are unlikely to have existing credit 
files, such as children or recent immigrants. Using a 
consumer's SSN to apply for loans, utility accounts, property 
accounts, driver's licenses, and vehicle registrations can have 
long-term consequences that can leave victims burdened with 
unauthorized debt and a flawed credit history. This type of 
identity theft has been on the rise in recent years and was a 
topic of discussion at the Federal Trade Commission's 2017 
Identity Theft conference.

Q.2. How exactly will the Protecting Children From Identity 
Theft Act cut down on synthetic ID fraud?

A.2. Synthetic identity theft often happens because there is no 
convenient mechanism to ensure that an SSN matches with other 
information provided by an applicant for credit or other 
services. Currently, the SSA's Consent-Based Social Security 
Number Verification system--while created to fight synthetic 
identity theft and other fraud--requires financial institutions 
to obtain a physical written signature from a consumer before 
making a request to verify an SSN with the SSA. This 
requirement has been time consuming and has undermined the 
effectiveness of the verification system. In an era where many 
consumers expect instant access to credit, financial 
institutions will be more likely to take verification measures 
when the process is quick and efficient.
    The Protecting Children From Identity Theft Act, which was 
incorporated into Section 215 of the Economic Growth, 
Regulatory Relief, and Consumer Protection Act, allows certain 
financial institutions, including credit reporting agencies 
(CRAs), to receive customers' consent by electronic signature 
to verify their name, date of birth, and Social Security number 
with the Social Security Administration (SSA). It also directs 
SSA to modify their databases to allow for the financial 
institutions, including CRAs, to electronically and quickly 
request and receive accurate verification of consumer data. 
These measures will result in a quicker and more efficient 
verification process that will help reduce synthetic identity 
fraud.