Federal: AFC Comment Letter on CFPB Data Brokers Proposed Rule

April 2, 2025
The Honorable Russell Vought
Acting Director
Consumer Financial Protection Bureau
1700 G Street, NW
Washington, DC 20552

Re: Proposed Rule on “Protecting Americans from Harmful Data Broker Practices (Regulation V)—RIN 3170-AB27

Dear Acting Director Vought,

The American Fintech Council (AFC)  thanks you for the opportunity to provide comment on the Consumer Financial Protection Bureau’s (CFPB or The Bureau) Proposed Rule on “Protecting Americans from Harmful Data Broker Practices (Regulation V)” (Proposed Rule). The Fair Credit Reporting Act (FCRA) represents one of the core laws governing the financial services industry. Consumer data has become critically important to many financial products and services, ranging from lending and payments processes to marketing and advertising. When conducted responsibly, the use of consumer data to offer these financial products and services can provide significant benefits to consumers.

AFC’s mission is to promote an innovative, transparent, inclusive, and customer-centric financial system by supporting the responsible growth of lending, fostering innovation in financial technology (Fintech), and encouraging sound public policy. AFC members are at the forefront of fostering competition in consumer finance and pioneering ways to better serve underserved consumer segments and geographies. AFC has publicly supported 36 percent rate caps at state and federal levels, which is a key component of our advocacy and of addressing responsible lending. Our members are also lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable products.

AFC supports regulation that will protect consumers and ensure that they can be confident about the use and protections associated with the data found in their consumer reports. However, as discussed further below, the Proposed Rule, creates expanded definitions that far exceed the statutory language and legislative intent of the FCRA.   In addition, several provisions in the Proposed Rule would create additional operational hurdles to newly covered entities. In combination, the expanded definitions and increased requirements—both existing and new—under the FCRA would significantly harm financial institutions and fintech companies seeking to operate responsibly, as well as many other entities not previously covered under FCRA, including universities, marketing agencies, and merchants. Ultimately, this harm to these entities would flow to consumers who would face increased costs, decreased portability of their data, and cumbersome user experiences in this increasingly digital world.

I. Expanded Definitions in The Bureau’s Proposals Present Potential Harms

As written, the Proposed Rule establishes significantly expanded definitions of “consumer reporting agency” and “consumer report” that appears to go beyond the legislative intent of the FCRA and its statutory text regarding what constitutes a “consumer reporting agency”.  FCRA, as established in statute, enumerated specific parameters for determining which entities constitute a “consumer reporting agency”. Based on the statutory text, a consumer reporting agency “regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purposes of furnishing consumer reports to third parties”.  

However, as written, the Proposed Rule would capture entities broadly described as “data brokers” in the discussion of the Proposed Rule due to the expanded definitions of “consumer report” and “consumer reporting agency”. Specifically, the proposed rule would now deem “header” data—i.e. identifying information, including an individual’s name, address, Social Security number, or phone number—to be a consumer report. Further, due to the new definition of “consumer reporting agency” within the Proposed Rule expanded coverage of Regulation V would include examples of assembling or evaluating consumer information that would sweep in a wide variety of rote data processing activities, including:

1. Modifying a date field to format years with four digits, rather than two;

2. Retaining customer information in a database; and

3. Verifying or validating information from a third party against an external database, or checking whether "the consumer's date of birth...is properly formatted."

In combination, capturing the aforementioned types of data and data processing activities would vastly expand the coverage of Regulation V to “data brokers”. Importantly, the CFPB did not propose any express exceptions for use of credit header data for fraud prevention, identity verification, compliance with Bank Secrecy Act or Know-Your-Customer requirements, or law enforcement uses. This omission within the Proposed Rule would further expand Regulation V in an improper manner.  If finalized, the provisions of the Proposed Rule would define "assembles or evaluates" to include a variety of actions with respect to consumer data, including collecting, retaining, assessing, verifying, validating, contributing to, or altering such data.

The impact of the expanded definitions discussed above would likely reverberate through the broader data ecosystem. These “data broker” entities were never designed to be covered by the FCRA. Nor were FCRA’s numerous, specially designed, requirements established to encompass these entities. Thus, expanding both the “consumer report” and “consumer reporting agency definitions as is done in the Proposed Rule presents potential policy and business challenges that would ultimately harm industry participants and consumers by subjecting entities to an unnecessary application of FCRA requirements.

Many of these entities would become subject to FCRA requirements without their knowledge or the requisite infrastructure to manage the numerous statutory requirements. In response these entities would likely limit the movement of data in order to avoid violating FCRA requirements. In turn, this could limit the prudent and functional transfer of data between entities and undercut the use of data for the benefit of consumers.

In addition, the general expansion of FCRA requirements could negatively impact the speed and convenience of innovative, consumer protected financial services. For example, in an effort to expand financial inclusion to historically underserved communities, innovative banks and fintech companies leverage available demographic data. Based on the discussion within the Bureau’s Proposed Rule, it seems likely that marketing agencies and users of their services will face additional operational and financial costs due to additional disclosures and requirements, such as consumer permissions related to loan offerings, marketing, and advertising information. In practice, this issue would result in less actual extension of credit to those traditionally underserved communities, due to an increase in the burden. Ultimately, this would lead to a situation where the Bureau misaligns the consumer protection aims of the proposed reforms with the actual consumer demand for fast and affordable financial services, causing harm to consumers.

Also, innovative banks and fintech companies use information that would be captured as “header data” to comply with various Bank Secrecy Act (BSA) requirements. Verifying customer information to protect against fraud, money laundering, and other activities that harm consumers and the safety of the financial system is crucially important to ensure a sound, consumer protected financial services industry. Without proper exemptions, which remain absent from the Proposed Rule, financial institutions and fintech companies performing these BSA activities could face additional challenges the Proposed Rule’s requirements. Therefore, it seems prudent for CFPB to consider exempting BSA activities that leverage consumer data from the provisions of the Proposed Rule.

II. The Proposed Rule Establishes New Burdensome Requirements for Covered Entities, Impacting Consumers

As noted above, the expanded definitions of “consumer reporting agency” and “consumer report” would sweep in numerous entities who were never originally intended to be covered by FCRA, and subjecting them to existing requirements under Regulation V. However, as written, the Proposed Rule would also subject these new entities and those traditionally covered under FCRA to additional requirements that could have a significant impact on the movement of data and users’ experiences with innovative financial products and services that rely on the streamlined interfaces and portability of data.

Specifically, for companies that use consumer credit reports, the Proposed Rule would impose new data usage, disclosure, and consent requirements for personal data.  For example, the Proposed Rule states that once a company obtains a consumer report, it can only be used as is "reasonably necessary" to offer the product or service identified in the disclosure, which excludes targeted advertising, cross-selling or the sale of consumer report information.  However, a CFPB discussion accompanying the proposed rule indicates a company may conduct these activities with a consumer's written authorization.

While AFC supports clear and conspicuous disclosures, as well as consumers’ rights to their data, as written, the Proposed Rule’s requirements could cause significant impacts on the movement of data and interfere with important user experiences. For example, due to the imposition of a one-year renewal requirement established in the Proposed Rule, financial institutions and fintech companies who use this data for fraud detection purposes may be forced to delete the very data that is instrumental in rooting out fraud and training fraud models if the company does not receive affirmative consent by consumers each year to use their data for that purpose. Thus, fraud detection capabilities across the financial services industry would be greatly harmed. On the consumer side, consumers demand efficient and easy to use digital financial products and services. Due to the new requirements enumerated in the Proposed Rule, consumers may be required to complete multiple authorization forms in order to complete a simple transaction. These, and other potential negative impacts should give the Bureau pause and push them to fully consider the impact that the Proposed Rule, as written, will have on both the financial services industry and the consumers they serve.

* * *

AFC appreciates the opportunity to provide comment on the CFPB’s Proposed Rule on “Protecting Americans from Harmful Data Broker Practices (Regulation V)”. AFC and its members continue to support regulations that will protect consumers and ensure that they can be confident about the use and protections associated with the data found in their consumer reports. However, given our concerns with the Proposed Rule presented above, we believe that, before moving forward in its rulemaking process, the CFPB should carefully consider the provision of the Proposed Rule and pursue the necessary amendments to avoid harming industry participants and the consumers they serve. If the Bureau does not pursue our recommendations, then we respectfully request that it withdraw the Proposed Rule.

Sincerely,

Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council

‍

[1] AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] 15 U.S.C. § 1681 and 15 U.S.C. § 1681(a).
[3]15 U.S.C. §§ 1681(a) and 15 U.S.C. § 1681a(e).
[4] See, Consumer Financial Protection Bureau, “Protecting Americans From Harmful Data Broker Practices (Regulation V)”, Fed. Reg. 89 no. 240 (Dec. 13, 2024): 101402 and 15 U.S.C. 1681a(e).
[5]Ibid, Fed. Reg. 89.
[6] Ibid.
[7] Ibid.

‍