THE PETER SWIRE HOME PAGE
Published in Electronic Banking Law and Commerce Report, Nov./Dec., 1996, Vol. I, No. 6, at page 4. For information on EBLCR, phone: (201) 890-0008, e-mail: email@example.com.
On September 30, 1996, to remarkably little public fanfare, the Congress enacted substantial reform of the Fair Credit Reporting Act (FCRA). The "Consumer Credit Reporting Reform Act of 1996" (the "Act") was buried deep within an omnibus appropriations bill, and was part of the regulatory reform package that banks and their supporters pushed throughout the last congressional session.
Understanding the new Act is important to those interested in electronic banking law and commerce for three distinct reasons. First, the Act is important in its own right, because of the large number of provisions that affect banks, consumer reporting agencies, and all those who use credit reports or furnish information that is included in credit reports. Second, the Act gives new enforcement authority to the Federal Trade Commission (FTC), and further highlights the impact that the FTC and its Bureau of Consumer Protection may have on the development of electronic commerce.
Third, and most generally, the Act is a vivid reflection of the current political balance of power on electronic commerce issues, and so provides a preview of how the politics might work in future electronic commerce legislation. The deregulatory side of the new Act strongly promotes efficiency and recognizes that information technology should be deployed to the benefit of both consumers and industry. On the other hand, numerous other provisions of the Act place requirements on industry, such as by requiring disclosure to consumers and mandating certain protections of consumer privacy. The end of this Article suggests why these privacy and disclosure issues seem likely to be recurring themes as electronic commerce law develops.
The Consumer Credit Reporting Reform Act
The new Act substantially helps banking and other organizations by allowing them to share information among affiliates and to be more flexible in offering credit and insurance to the public. The Act also places significant new duties of users of credit reports and furnishers of information to credit reporting agencies. It beefs up enforcement provisions, and contains a number of other requirements, many of which relate to disclosure to consumers and maintaining consumer privacy. The Act also changes rules with respect to consumer reporting agencies and the use of credit reports in the employment context, although these provisions are not discussed in detail here.
Affiliates. The law clarifies and expands the ability of entities within a holding company to share transactional information. Under previous law, the concern had been that an entity that released information to an affiliate might be making a "consumer report" under the FCRA. For information as to transactions or experiences between the consumer and the person making the report, the new law allows full communication of that information among persons related by common ownership or affiliated by corporate control. For instance, it appears that a bank can now share a customer's transaction records at the bank with an affiliate, without triggering the rules governing consumer reports. The new law also allows any communication of other customer information among affiliates -- such as information not arising from the bank's transactions -- but only if the consumer is given a clear opportunity to opt out of having that other information shared. Along with this expansion of the ability of companies to share information with affiliates comes a corresponding obligation: When adverse actions are based on information provided by an affiliate, the consumer must be provided notice of the source of the information. The consumer then has 60 days to request from the affiliate the nature of the information upon which the adverse action was based.
The effect of the new affiliate rules can be substantial efficiency gains. Holding companies gain the ability to place data processing operations where they wish, without the risk that sharing of information among affiliates will become regulated "consumer reports." The ability to share customer-specific information should also allow holding companies to avoid duplicative operations and streamline their cross-marketing efforts.
Firm offers of credit or insurance. Banks and other providers gained a substantial victory in the new definition of "firm offer of credit or insurance." These offers are illustrated by the common practice of sending out pre-approved credit card offers in mass mailings. Previous law had made it difficult for offerers to avoid granting credit once the application had been mailed. The new law makes clear, by contrast, that the credit card offerer in such situations is not required to issue credit cards to all those who return the applications. Firm offers of credit or insurance can now be conditioned on information in the consumer's application for the credit or insurance. The consumer's application can be rejected if he or she fails to meet specific criteria bearing on credit worthiness or insurability. Those criteria must be established before selection of the consumer for the offer, and the issuer of the firm offer can verify that the consumer continues to meet the specific criteria. The FTC is specifically authorized to issue guidelines regarding prescreening for insurance transactions.
At the same time, consumers gain detailed new privacy and disclosure rights with respect to those firm offers. The basic right is that consumers can opt out of having their names on lists that are used to generate the firm offers. Each consumer reporting agency that provides lists of names for firm offers must establish an elaborate notification system. The agency must set up a toll-free telephone number, publish notices in the area served by the agency, and respond within 5 business days to consumer requests. Companies that make firm offers of credit or insurance are now under a duty to describe the new regime in detail when the offers are made. For instance, consumers must be told of their right to opt-out of receiving unsolicited offers, and of the fact that they may be denied credit or insurance if they fail to meet pre-established criteria.
Users of credit reports. Three new rules directly affect users of credit reports, including banks. First, whereas consumers previously had a right to see only the "nature and substance" of the credit report, they now now have the right to see all information in the credit report except for credit or other risk scores. Second, if any user of a credit report takes an adverse action based in whole or in part on information contained in a consumer report, there is a new requirement that the user state that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide the consumer the specific reasons why the adverse action was taken. Third, where there is an adverse action, the user of the credit report must now provide notice of the consumer's right to obtain a free copy of the consumer report and the right to dispute with a consumer reporting agency the accuracy or completeness of any information in the consumer report. The new law also expressly allows notice of the adverse action to be oral, written, or electronic, and it places explicit limits on procuring a consumer report for purposes of reselling it.
Furnishers of information for credit reports. The Act creates a new section of the FCRA establishing the responsibility of those who furnish information to consumer reporting agencies. Many banks do act as furnishers of information, and so will have new information-processing responsibilities under the law. The new law creates a standard for liability for furnishing information relating to a consumer to a consumer reporting agency if the person knows or consciously avoids knowing that the information is inaccurate. The law prohibits furnishing consumer information if the consumer has given notice that specific information is inaccurate and the information is, in fact, inaccurate.
Furnishers of information, including banks, now have an explicit duty to correct and update information. All those who regularly and in the ordinary course of business provide consumer information, and determine that the information is not complete or accurate, shall promptly notify the consumer reporting agency of that determination, shall update the information, and shall not thereafter furnish any of the information that remains not complete or accurate. Furnishers also have a duty to notify the consumer reporting agency of accounts closed by consumers or under dispute by consumers.
Upon notice of a dispute, the furnisher must investigate the disputed information, usually within 30 days. If the investigation finds that the information is incomplete or inaccurate, the furnisher is required to report the results to any nationwide consumer reporting agency to which it furnished the inaccurate data. According to Norm Magnuson of the Associated Credit Bureaus (ACB), this reporting requirement will require a departure from existing practice for a majority of furnishers of information. Mr. Magnuson noted that the ACB maintains a system to notify other credit reporting agencies, but that only about 35 percent of the market is covered by such a system.
Enforcement Provisions. The Act expands the civil liability provisions. Before, consumers could recover actual and punitive damages. Under the new law, for knowing or willful noncompliance, consumers can obtain punitive damages and the greater of $1,000 or actual damages, whichever is greater. The attorney's fees provisions are more generous. There are also expanded civil and criminal remedies against persons obtaining a consumer report under false pretenses or knowingly without a permissible purpose.
For the first time, the FTC has gained a significant, albeit limited, power to sue in federal court for violations of the FCRA. The FTC can sue for a knowing violation, which "constitutes a pattern or practice of violations." Civil penalties of up to $2,500 per violation are available, but only if the party has been enjoined from committing the violation, or ordered not to commit the violation, and has violated that injunction or order. State officials can also sue in federal court for damages and injunctive relief.
* The Act has a number of provisions specifically relating to credit reporting agencies. For instance, such agencies may not prohibit a user of a consumer report from disclosing its contents to the consumer if an adverse action is based on the report. In the event of disputes about the accuracy of a consumer report, the time for an agency to reinvestigate disputes has been reduced from 90 to 30 days. Mr. Magnuson of the ACB, however, reports that the new 30-day limit is consistent with current practice in the marketplace.
* The Act clarifies some specific points that had been in dispute. First, the Act ensures that a credit report may be issued to determine whether a consumer continues to meet the terms of the account. Second, the Act clarifies that potential investors or servicers, or current insurers, may receive a consumer's credit report.
* The Act has somewhat intricate provisions concerning preemption of state law . The Act generally preempts inconsistent state law, although a lawyer should consult both state law and the Act in each context. The preemption authority, however, sunsets in 2004, and states would be allowed at that time to enact laws that give greater protection to consumers.
* The Act takes effect on September 30, 1997. Companies may take advantage before then of new powers, such as the rules concerning affiliates or firm offers. If they do so, however, they must also comply with the corresponding requirements, such as the privacy and disclosure rules.
* The Act also contains further provisions that highlight Congress' concern with consumer privacy issues. As a reflection of growing concerns about the privacy of medical records, a new provision says that a consumer report that contains medical information can be provided only if the consumer consents. The Federal Reserve, in consultation with the FTC and other federal banking agencies, is required to conduct a study on privacy by April, 1997, on the credit report activities of organizations that are not considered consumer reporting agencies under the FCRA, notably including insured financial institutions.
The Act and the Role of the FTC.
As the description above indicates, the new Act expands the role of the FTC in various ways, notably by giving the Commission the authority for the first time to seek civil penalties against violators of the FCRA. The same omnibus appropriations legislation in September also included a new "Credit Repair Organizations Act," which gives the Commission substantial authority to regulate credit repair organizations. The Act requires elaborate disclosures to consumers before credit repair services can be initiated. It authorizes private, state, and FTC enforcement for violation of the law, and allows compensatory and punitive damages for violations of the Act, along with attorneys' fees. These powers are in addition to the Commission's usual power to sue for deceptive trade practices, including in the area of Internet commerce.
Along with these new statutory grants of authority, the FTC has been more explicit than the banking agencies about its expectations that banking and related industries will address privacy issues. FTC Commissioner Christine Varney received publicity this fall when her statements at a conference were seen as newly supportive of privacy regulation. According to her Attorney-Advisor, J. Beckwith Burr, Commissioner Varney "has been saying consistently that we have to give self-regulation an opportunity to work." Ms. Burr adds: "There is a point where if industry doesn't self-regulate, then the FTC may be called upon to act."
The FTC has taken a number of other privacy initiatives, some of which have been reported in earlier issues of this publication, and many of which can be reviewed at the Commission's web site. Congressional leaders also requested in October that the FTC conduct a study of possible violations of consumer privacy rights by companies that operate computer data bases.
The Consumer Credit Reporting Reform Act of 1996 is important in its own right and as an indication of the continuing importance of the Federal Trade Commission in electronic commerce and privacy issues. The recent law is perhaps even more instructive about the likely balance between regulation and deregulation in the area of electronic commerce and banking.
One important theme of the law is deregulation, illustrated by industry's ability to transfer information among affiliates and postscreen credit applicants. Although regulatory reform in 1996 was not as sweeping as its sponsors had hoped, the September law did contain a significant number of reforms in addition to the FCRA amendments and the headline item of the package, the recapitalization of the savings insurance fund. The reelection of a Republican Congress suggests that deregulation will remain an important theme. The leadership in the last Congress was particularly loathe to consider regulations in the rapidly-changing area of electronic commerce.
Deregulation has also been a significant theme on the administrative side. Each federal banking agency has supported new powers in areas such as insurance and securities, and the agencies have announced a steady stream of initiatives designed to reduce red tape.
On the other hand, the new law contains numerous provisions mandating disclosure to consumers and protecting their privacy. Part of this result can be explained by the politics at the moment of passage, when the bill needed to pass for budgetary reasons and pro-consumer
changes were made. I suggest, however, that privacy and disclosure requirements are likely to be a prominent feature of electronic commerce laws, at least during the second Clinton Administration and probably beyond.
The reason is that financial privacy is not primarily a liberal or conservative issue. Entirely conservative individuals can feel uncomfortable at the prospect of their financial affairs being made public, or at their lack of notice of how a bank or credit agency will use personal transactional data. Indeed, the pro-consumer provisions in the new Act can be understood as vindicating the quintessentially conservative value of freedom of contract.
As electronic commerce develops, the political and policy challenge for industry will be to develop rules and institutions that get the contracts right -- that let customers and companies arrange for efficient use of information while maintaining some customer control over use of personal information. It is an open question politically whether the contracts for the new types of commerce will be drafted on the basis of market competition, self-regulation, or legislative enactment. But the 1996 reforms provide a strong example of how privacy and disclosure concerns are likely to be a prominent part of the evolving law of electronic commerce.
Professor Peter Swire teaches banking regulation at the Ohio State University College of Law. His e-mail address is firstname.lastname@example.org.
Back to The Peter Swire Home Page