Small Business Advisory Review Panel for Consumer Reporting Rulemaking: Outline of Proposals and Alternatives Under Consideration

  • Source:


Financial institutions relying on third-party entities face significant challenges in adapting to the proposed FCRA amendments outlined in the Consumer Financial Protection Bureau’s (CFPB) Small Business Regulatory Enforcement Fairness Act (SBREFA) document. Treliant offers a comprehensive suite of services to assist these institutions, including regulatory compliance assessments, third-party risk management, Regulation B/adverse action compliance, model validation, and more.


The CFPB has introduced a series of far-reaching amendments to the Fair Credit Reporting Act (FCRA). These proposals address key aspects, from redefining data broker roles to clarifying permissible purposes and bolstering data security. Below is a summary of the proposals and their potential impact on consumers, credit reporting agencies, and data brokers, offering insights into the evolving credit reporting regulation.

  1. Definition of Consumer Reporting Agency (CRA):
    • The CFPB is considering updating the definition of a consumer reporting agency (CRA) to cover newer participants in the credit reporting industry, such as data brokers.
    • Proposals include codifying that certain data brokers that collect, aggregate, and sell consumer information are deemed CRAs under FCRA.
    • Data brokers selling consumer data used for credit and employment determinations would be categorized as CRAs, regardless of their original intent or the purpose for which data is used.
  2. Data Broker Practices:
    • The CFPB aims to regulate data brokers more comprehensively, ensuring they adhere to FCRA protections.
    • Proposed changes include restrictions on data brokers selling consumer data for non-permissible purposes, requiring written consumer instructions or another permissible purpose for data sale.
    • Data brokers collecting information for permissible purposes must not sell it for non-permissible purposes, reinforcing consumer data privacy.

Proposed Changes to Permissible Purposes and Data Security:

  1. Written Instructions of the Consumer:
    • The CFPB is considering clarifications regarding permissible purposes, emphasizing the importance of written instructions from consumers.
    • Proposals explore the steps companies must take to obtain written instructions and the scope of authorization granted by consumers.
    • These changes aim to ensure that consumers have a clear understanding of how their information is used and by whom.
  1. Legitimate Business Need:
    • FCRA’s permissible purpose provision permits the use of consumer reports for legitimate business needs.
    • The CFPB is considering specifying that this provision only applies when the transaction is initiated by the consumer and restricts the use of consumer reports solely for determining eligibility for that specific business transaction.
    • This clarification seeks to prevent the misuse of consumer reports for purposes other than those directly related to consumer-initiated transactions.
  2. Data Security and Data Breaches:
    • The CFPB acknowledges concerns about data security practices among consumer reporting agencies.
    • Proposed changes focus on obligating consumer reporting agencies to protect consumer reports from unauthorized third-party access and potential data breaches.
    • Failure to safeguard consumer reports may be considered a violation of FCRA, with potential consequences for non-compliance.

Proposed Changes in Handling Disputes:

  1. Disputes Involving Legal Matters:
    • The CFPB aims to address disputes classified by consumer reporting agencies and furnishers as involving legal matters.
    • Proposals clarify that FCRA does not distinguish between legal and factual disputes, requiring reasonable investigation of all disputes, including those related to legal interpretations and contractual liability.
  1. Disputes Involving Systemic Issues:
    • The CFPB is considering changes related to disputes highlighting systemic issues affecting data completeness and accuracy.
    • These proposals seek to establish a process for addressing disputes that affect multiple consumers and ensure that furnishers and consumer reporting agencies investigate and correct such systemic issues.
    • The CFPB may introduce templates for consumers to submit disputes related to systemic issues, streamlining the resolution process and protecting consumer rights collectively.

Proposed Changes in Medical Debt Collection Information:

  1. Medical Debt Collection Tradelines:
    • The CFPB is concerned about the impact of medical debt collection tradelines on consumers’ creditworthiness and overall financial well-being.
    • Proposals may restrict creditors from obtaining or using medical debt collection information for credit eligibility determinations.
    • Additionally, consumer reporting agencies could be prohibited from including medical debt collection tradelines on consumer reports furnished to creditors, aiming to alleviate the negative consequences of medical debt on consumers’ financial lives.


Here are some risk insights into what these changes mean for financial institutions:

  1. Broader Regulatory Oversight:
    • The expanded definition of “consumer reporting agency” may include data brokers, data aggregators, and other entities that financial institutions commonly rely on for consumer data. This means that a wider range of third-party entities will be subject to regulatory scrutiny.
  2. Third-Party Oversight Enhancement:
    • Financial institutions will need to strengthen their third-party oversight mechanisms and due diligence processes to ensure that their relationships with newly covered entities align with the revised FCRA rules. This includes reviewing and potentially updating contracts and compliance processes.
  3. Adapting to New Permissible Purpose Rules:
    • The SBREFA Outline specifies requirements for “permissible purposes” under the FCRA, affecting how financial institutions use consumer data. Institutions will need to adapt their practices and documentation to ensure compliance with these new requirements, particularly in data-sharing agreements with third parties.
  4. Changes in Model Validation:
    • Institutions using credit risk assessment models will need to review and potentially adjust these models to ensure they align with the updated FCRA and Regulation V requirements. This may require substantial changes to credit evaluation processes. Special care should be taken to understand the impact on model performance and any potential bias that is raised as a result of the updates.
  5. Regulation B and Adverse Action Compliance:
    • Financial institutions will need to ensure that their processes for Regulation B compliance, including the handling of adverse action notices, align with the SBREFA Outline’s requirements related to “permissible purposes.”
  6. Data Privacy and Security Considerations:
    • With the proposed changes, data privacy and security will remain paramount. Institutions will need to continue investing in data protection measures and cybersecurity to safeguard consumer data, particularly when working with a broader range of third-party entities.
  7. Operational Impact:
    • The changes may require financial institutions to allocate additional resources for compliance, model validation, and enhanced third-party oversight. Adjusting to the new rules and ensuring ongoing adherence will necessitate operational changes. 

Treliant specializes in regulatory change implementation and partnering with financial institutions to upgrade their compliance management systems core components:

  1. Regulatory Compliance Assessments:
    • Treliant conducts comprehensive assessments of an institution’s compliance with the proposed FCRA changes.
  2. Third-Party Risk Management:
    • Treliant assists in enhancing third-party risk management programs, including due diligence and oversight of third-party vendors.
  3. Regulation B and Adverse Action Compliance:
    • Treliant provides guidance on adapting processes to comply with the SBREFA Outline’s requirements related to “permissible purposes” and Regulation B.
  4. Model Validation:
    • Treliant offers extensive model validation services, ensuring that credit risk assessment models align with the updated FCRA and Regulation V rules.
  5. Policy and Procedure Development:
    • Treliant helps institutions develop and update policies and procedures to align with the proposed rule changes.
  6. Training and Education:
    • Treliant offers training programs to educate staff about the new rules and their implications for daily operations, compliance, data handling, and dispute resolution.
  7. Regulatory Intelligence:
    • Treliant provides ongoing regulatory intelligence updates to keep financial institutions informed about evolving regulatory requirements and industry best practices.

Treliant’s comprehensive services address the multifaceted challenges financial institutions face in adapting to the proposed FCRA amendments. This includes ensuring compliance, effective third-party oversight, risk management, and adjusting processes for Regulation B and model validation, all while advocating for institutions’ specific needs within the evolving regulatory landscape.

Ready to Talk?

We work with you to understand your needs, so we can tailor our approach to your engagement. Learn more when you connect with our team.


Daniel Johnson Sr.

Daniel Johnson is a Managing Director at Treliant. He is an experienced regulatory compliance and data science professional with comprehensive financial services experience in regulatory compliance, risk management, internal audit, fair lending, statistical analysis, operations management, enterprise program administration, and compliance training.