Archives for September 2023

A California Dermatologist recently filed a class action lawsuit against the three major credit reporting agencies (CRAs), alleging the CRAs’ decision to stop reporting medical debt below $500.00 has caused him and other medical professionals nationwide irreparable financial harm. Further, he claims that removing medical debt below $500.00 from credit reports will diminish access to medical care by driving providers out of certain markets.  

Background 

In March 2022, the three major CRAs announced they would be changing how medical debt is included in credit reports. As part of these changes in April 2023, the CRAs stopped including medical debt of less than $500.00 on credit reports. On July 11, 2023, in prepared remarks to kick off the CFPB’s hearing on Medical debt, CFPB Director Chopra appeared to take credit for these changes, stating, “The CFPB’s work has led to major changes in the way medical bills are reported to the three credit reporting conglomerates: Equifax, Experian, and TransUnion. Consumer credit reports should not be used as a tool to coerce patients into paying bills that they already paid or may not even owe.” 

The Lawsuit and the Harm Claimed 

On August 22, 2023, California Dermatologist Derrick Adams filed a class action lawsuit against the three CRAs, alleging that they conspired with one another and violated anti-trust laws by deciding together to stop credit reporting medical debt below $500.00. Dr. Adams claims that this change has caused him financial harm and will cause similar financial harm to doctors, optometrists, dentists, chiropractors, and other medical professionals across the country. Further, he claims that removing medical debt below $500.00 from credit reports will diminish access to medical care by driving providers out of certain markets. 

To illustrate his current and future damages, Dr. Adams states that the majority of bills he sends to patients are below $500.00. When patients do not pay their bills, he uses third-party accounts receivable services (i.e., collection agencies) to attempt to collect the unpaid balances. In Dr. Adams’ experience, the threat that an unpaid bill could end up on a credit report incentivized patients to pay their bills. Now, however, credit reporting is “rendered pointless,” since the CRAs have agreed not to include debt in these amounts in credit reports. Since he has no other feasible means of reporting unpaid bills less than $500.00, fewer of his bills will be paid, causing significant financial harm.  

The financial damage is not limited to Dr. Adams or his practice. Using figures published by the CFPB, he claims that this will affect the repayment of tens of millions of dollars of medical bills nationwide. By deciding to stop reporting medical bills below $500.00, Dr. Adams claims that the CRAs have eliminated a valuable tool that medical providers use through their third-party agencies to incentivize patients to pay their bills. Consequently, medical providers will have to resort to more costly methods, such as employing more staff and third-party companies, adding to the financial harm and causing others to leave the market. 

You can read the full lawsuit here.  

insideARM Perspective 

It’s important to look at the full picture here and recognize that the CFPB seemed to publicly take credit for this change. Though the CFPB has spent considerable time and effort touting its opinion regarding how these changes to credit reporting will help consumers, it does not seem there has been much research into how changes to medical debt credit reporting will affect those on the other side of the equation- small physician practices, like the one run by Dr. Adams. 

Small doctor’s offices are crucial to our healthcare system. Industry associations have made the points raised in Dr. Adams’s suit repeatedly, but those cautionary words yielded little to no results. It’s unfortunate that Dr. Adams and other doctors across the country may have been harmed by removing medical debt below $500.00 from credit reports, but perhaps this lawsuit will cause the CFPB to pay attention to some of the real-world consequences of its initiatives. This is especially important in light of the CFPB’s new proposed rulemaking, which makes it clear that it wants all medical debt removed from credit reports. Though the outline of the proposed rulemaking covers more than medical debt, the actual title of the press release was “CFPB Kicks Off Rulemaking to Remove Medical Bills from Credit Reports.”  

The ARM industry and the medical community should continue to be vocal with the CFPB and remind them that harm to consumers is not just limited to financial issues. Harm and collateral damage from unintended consequences can occur on many fronts- including reduced access to healthcare. Hopefully the CFPB will pay attention to warning bells sounded by Dr. Adams in this suit.

Third-party debt collectors and collection agencies have a tough balancing act to perform. They need to optimize their outbound communications and right-party contacts (RPCs) but must do so within the confines of strict regulations. Effectively reaching debtors can be difficult when facing a sea of internal and external pressures. You don’t want to expend too many resources on a wrong number, but you don’t want to give up on a good number too soon. With dedicated RPC tools, you can streamline your processes, transforming a difficult task into a manageable one. 

Phone Number ID™ by Experian helps increase RPC rates and optimize skip tracing by scoring customer phone numbers at the beginning of the debt cycle. This tool works within the confines of the Fair Debt Collection Practices Act (FDCPA) and Telephone Consumer Protection Act (TCPA), providing you with a quality scrub that’s easy to use. 

Collection agencies and debt collectors face unique challenges 

Collection agencies and debt collectors face a number of challenges unique to their industry. 

First, there are strict rules in place protecting consumers by restricting outbound communications. And violations can be costly. Every unsolicited call or text sent to a wireless device can lead to a fine ranging from $500 to $1,500, putting a lot of stress on debt collectors. 

However, the stress facing debt collectors goes beyond compliance. There’s extreme pressure to improve your RPC rates as quickly and efficiently as possible. Time is money and wasting it by calling a bad phone number can cost precious resources. But it can also be costly to move away from a phone number too fast because your resources erroneously indicated that it might not be a reliable contact. 

That’s where Phone Number ID can help. Improving contact management processes at the beginning of a debt cycle can help you maintain compliance while increasing your RPC rates even if your resources are constrained. 

How Phone Number ID works to improve RPC 

Phone Number ID is an industry-leading solution that helps you maximize the effectiveness of your contact management strategy while minimizing the risk of fines. Phone Number ID validates phone ownership and phone types with more than 5,000 local exchange carriers in real-time, checking categories such as: 

• Phone number ownership. 
• Line type (wireless, landline, etc.). 
• Carrier. 
• Activation date. 
• If the number moved from a landline to a wireless carrier or voice-over IP. 

Phone Number ID takes your call list and sends it to carriers for verification (while protecting consumer information). If a number doesn’t have a name linked to it, the number is sent to Experian contact databases to be located. Complete customer profiles are then returned to you from the carriers, including consumer name, line type, current carrier and activation date. 

Your records are transparent and include match scores from 0 to 99 based on the quality of the customer’s phone number. The match score represents how well a consumer record matches carrier data, helping you maximize RPC. 

A thoughtful start to your debt cycle leads to cost savings 

Phone Number ID increases efficiency by allowing you to be more thoughtful at the beginning of a debt cycle. Rather than arbitrarily calling each number in your database a specific number of times, you can fine-tune your outreach based on accurate scrubbing data. 

At the beginning of a debt cycle, run your phone numbers through Phone Number ID. If it assigns a match score of 20 or lower to a number, you’ll know that number is very risky and should be skip-traced. A score that low indicates an active mismatch, such as a typo, a fake number given to collections or a prepaid phone number that now belongs to someone else. 

In contrast, a match score of 90 or higher means you have the best phone number for that person, and there is no point in skip tracing. 

This means, that for each debt cycle, instead of assigning an arbitrary number of phone calls to every number, you can do the following: 

• Call a number 10 to 20 times if it has a match score of 90 or higher. 
• Call a number with a match score of 20 to 40 once and move to skip tracing. 
• Send a match score lower than 20 straight to skip tracing. 

Phone Number ID maximizes your calls in numerous scenarios 

Phone Number ID can maximize debt collectors’ effectiveness in numerous scenarios. Here are just three examples of use cases you might encounter, but there are many more possibilities. 

• If you’re a debt buyer, you might receive a list of phone numbers that were charged off and haven’t made payments in four to six months or longer. Because it’s been so long since they were used, the numbers could be high risk. You’ll want to scrub all of them for quality before you call any of them. 
• You have a new number that belongs to someone who signed up for a credit card years ago, and just recently started missing payments. It’s been a long time since the number was verified, so scrubbing it right away makes sense. 
• You’ve been given access to a database that tells you whether or not a number was ported. You might be tempted to dispose of all the ported numbers, but you could miss out on valuable contacts. Phone Number ID will tell you if a number was ported and if it’s still owned by the same person. 

Follow up your match scores with optimal skip tracing 

When Phone Number ID delivers low-match scores for some of your contacts, you’ll want to skip-trace the numbers to see if there’s a new number you can use instead. Luckily, we have a solution. 

TrueTrace™ is Experian’s most powerful skip tracing product, and it’s the natural follow-up to Phone Number ID. TrueTrace offers superior matching logic that ensures accurate data that’s streamlined to integrate with internal or third-party software. 

Why partner with Experian? 

Phone Number ID allows you to feel confident about your database, knowing that you’re reaching out to the right people and staying updated on any contact information changes as they occur. 

The benefits of leveraging our best-in-class solution include: 

• Providing seamless contact management integration and affordability. 
• Delivering detailed consumer contact information verification in real-time. 
• Monitoring customer phone numbers’ line type, ownership, portability and carrier. 
• Validating phone ownership and type across 5,000+ exchange carriers. 
• Delivering comprehensive coverage with up to a 97 percent hit rate. 
• Utilizing proprietary matching and scoring logic. 
• Mitigating compliance risk with the TCPA, while enhancing RPC rates and skip tracing. 

Experian is committed to helping you optimize your outbound communications. 

Contact us today to learn how Phone Number ID can help you. 

NEW YORK, NY — Skit.ai,
the leading provider of conversational Voice AI solutions, announced today its
new partnership with Pro Com Services of Illinois, Inc., a century-old
financial services company offering first and third-party debt recovery
services. After deploying Skit.ai’s solution in less than 24 hours, Pro Com
Services saw its account penetration skyrocket with an additional 20,000
outbound calls performed by the solution every day.

The
adoption of Skit.ai’s cutting-edge conversational AI technology marks a pivotal
step in the digital transformation process of a collection agency approaching
its 100th anniversary in the coming year. Headquartered in Springfield,
Illinois, Pro Com Services works with major healthcare organizations.

Skit.ai’s
Automated Voice Intelligence platform is rapidly transforming the recovery
strategy of Pro Com Services, which is now able to scale its business by
acquiring and servicing a significantly higher number of accounts for its
clients. In its search for a software solution, Pro Com Services was seeking a
proven and compliant software solution to automate high volumes of outbound
calls to consumers and increase the number of inbound calls from consumers
looking to resolve their debt. The solution’s ability to negotiate with
consumers persuaded the agency to adopt the Skit.ai platform. 

“We
were eager to find a new AI solution to automate some of our processes, grow
our business, and offer consumers the possibility to solve their debt on their
own without the need to speak with an agent. When I learned about Skit.ai, I
was positively impressed with their track record of working with companies of
all sizes, including small-to-medium businesses,” stated Ryan Matrisch, Director of Business Development at Pro Com Services of
Illinois. “Skit.ai’s platform is very consistent; it never has a bad day.” 

While
the agency previously adopted an IVR solution for inbound calls, its leadership
was well aware of the technology’s limitations; as opposed to IVR systems,
Voice AI can handle a natural-sounding, back-and-forth conversation, delivering
a superior customer experience. 

“Skit.ai
implemented its Voice AI solution at Pro Com Services in under 24 hours,
delivering immediate and promising results, notably achieving a 47.91%
engagement rate during connected calls with consumers. Many collection agencies
have been benefitting from our solution, which can establish right-party
contact, collect promise to pay, collect payments, and negotiate payment plans
without any human intervention, all while remaining fully compliant with
regulations,” said Sourabh Gupta,
Founder and CEO of Skit.ai. 

Skit.ai
has had remarkable success in the account receivables industry across the U.S.,
with dozens of organizations already using its technology to streamline and
automate their recovery strategy. 

Schedule a meeting
to learn more about Voice AI driven debt collections and how Skit.ai can help you
accelerate revenue recovery with higher efficiency and at an infinite scale. 

About Pro Com Services of Illinois: 

Pro Com Services of Illinois, Inc. is a full-service
accounts receivable management company founded in 1924. Family-owned and
operated, Pro Com Services is one of the most experienced and respected
collection agencies in Illinois, offering pre-collection services, bad debt
recovery, third-party collections, and collection litigation. The agency prides
itself in adhering to the highest level of ethical standards and ensuring its
staff goes through continuous training to maintain the highest level of industry
certifications. Visit https://www.pro-comservices.com/

About Skit.ai:

Skit.ai is the accounts and receivables industry’s leading conversational Voice AI company, enabling collection agencies to streamline and accelerate revenue recovery. Skit.ai’s compliant, configurable, and easy-to-deploy solution enables enterprises to automate nearly one million weekly consumer conversations. Skit.ai has been awarded several awards and recognitions, including Stevie Gold Winner 2023 for Most Innovative Company by The International Business Awards, Disruptive Technology of the Year 2022 by CCW, and Gold Globee CEO Awards 2022. Skit.ai is headquartered in New York City, NY. Visit https://skit.ai/

If your business and collection partners aren’t utilizing email in your debt recovery strategy, you’re leaving vital engagement opportunities (and potential collections) on the table. There are plenty of reasons why digital communications are the way to go, but reaching out through email is especially important in collections.

Surveys show that 59.5% of consumers prefer email as their first choice for communication, and 14% of bill-payers prioritize payments that offer lower-friction payment experiences, which increases to 23% for millennials specifically. Considering this, it shouldn’t come as a surprise that courts have actually ruled that “an email is less intrusive than a phone call” for debt collection.

But what makes a successful email program when it comes to connecting with delinquent accounts? Whether your business is handling collections in-house or are looking at working with a third party, your operations should be confident that you have these core components covered.

Core Components for a Successful Email Program

While adding email into the communication channel mix is critical, it is the set up, execution, and continued optimization of that email program that can actually make a difference when it comes to consumer engagement. There are many elements to a successful email strategy, but here are three of the core components that we’ll focus on:

Infrastructure, Data, and Content

All 3 are required for a successful email program—each one relies on the other two to create a high performing program.

Let’s take a look at why each of these is important and the risks that can occur without each component in place.

Infrastructure

The infrastructure an email program is built on has many components itself: Mail Servers, Mailbox Providers, Internet Service Providers (ISPs), Email service providers (ESPs), and more. How these components are set up and work together influences sender reputation, which in turn influences email delivery rates. You can learn more about these different pieces in our blog focusing on the The (Hidden) Anatomy of Email.

While infrastructure can admittedly be complex, the risks your operation runs without a sound infrastructure are clear and quite consequential, including having your emails blocked, deferred or delayed delivery, or winding up lost in the recipient’s spam folder.

Data

In today’s digital world, data is everywhere—but how you harness that data can make or break your email program (and even get you into hot water if you or your collections partner are not following all the necessary compliance regulations around data privacy and protection). Understanding data helps intelligently influence an email program, especially when focusing on email engagement metrics such as:

• Opens
• Clicks
• Unsubscribes
• Spam complaints
• Hard Bounces
• Spam traps

But without quality data analyzed appropriately, your emails could result in consumer complaints, hard bounces, falling into spam traps, not to mention negatively impacting all the engagement metrics listed above.

Content

Solid infrastructure and reliable data are essential in any email program, but when it comes to debt collection, content can be the tipping point between a consumer committing to repayment or ignoring the outreach altogether—or even reporting your communications as spam or harassment.

From subject lines to your call-to-action (CTAs), sending the right message to your customers is crucial. Without compelling content you miss opportunities to capture consumers attention resulting in fewer opens, fewer clicks, or even pushing consumer perception in the wrong direction. If you lose your customers’ trust, you’re most likely going to lose the chance to recover their debt.

Successful Email Engagement Can Boost Debt Recovery

Studies have shown that engaging consumers through digital methods can increase resolution rates by as much as 25%. But if your digital efforts are missing any of the core components we just covered above, it doesn’t matter if your collection strategy includes email—your operations are going to be missing recovery opportunities.

SACRAMENTO, Calif. – Receivables Management Association International (RMAI) announced today that Executive Director, Jan Stieger, who has served in the role since January 2011, plans to retire in March 2024. “Under Jan’s transformational and inspirational leadership, RMAI has become a respected leading voice for the receivables management industry and its members tirelessly promoting the important role the industry plays in the credit ecosystem. Whether advocating for the industry or mentoring individual members, Jan has taken RMAI to a new level,” said RMAI President, Anne Thomas.

The RMAI Board of Directors has formed a Search Committee Co-Chaired by RMAI Past President James Mastriani and RMAI President-Elect Brett Soldevila. “In addition to overseeing the creation of the RMAI Certification Program, the growth of the membership, and cultivating a successful association, Jan has been instrumental in forming and strengthening coalitions not only among industry participants, but among state, federal, and legislative bodies,” said Soldevila.

“While Jan has left footsteps that will be tough to follow, the search committee will work diligently to find a replacement who can continue to advance the goals of the association and build upon Jan’s focus on advocacy and coalition building within the broader financial services industry,” added Mastriani.

“Leading RMAI has been a privilege and I will be forever grateful for the opportunity for both personal and professional growth during my tenure,” Stieger said. “I am absolutely committed to ensuring a seamless transition as RMAI reaches new heights protecting and promoting the industry.”

To work with the Search Committee, RMAI has retained the nationally recognized firm, Heidrick & Struggles, to launch a national search. The description of the position has been created. Those wishing to express interest in the position are encouraged to contact Heidrick & Struggles at RMAIexecutiveDirector@heidrick.com.

About RMAI

Receivables Management Association International (RMAI) is a nonprofit trade association representing more than 600 companies that purchase or support the purchase of performing and nonperforming receivables on the secondary market. The RMAI Receivables Management Certification Program is celebrating its 10th anniversary in 2023. Together with RMAI’s Code of Ethics, the Certification Program sets the global standard within the receivables industry due to the rigorous uniform standards of best practice which focus on protecting consumers. More information about RMAI is available at www.rmaintl.org.

American Bankers Association (ABA), Association of Credit and Collection Professionals (ACA International), U.S. Chamber of Commerce (Chamber), Synchrony Bank (Synchrony), and National Consumer Law Center (NCLC) submitted comment letters in response to the Consumer Financial Protection Bureau’s request for information, about medical credit cards and other lending products used to pay for health care expenses. Banking industry groups highlight that the Consumer Financial Protection Bureau (CFPB) lacks authority to regulate healthcare and urge the CFPB to take no action to limit healthcare payment options to avoid unintended consequences.

In July, the CFPB, jointly with the U.S. Department of Health and Human Services (HHS) and U.S. Department of Treasury (Treasury), issued a request for information (RFI) regarding medical payment products. As we previously blogged, the agencies sought information regarding interest and fee costs of medical payment products and information about the following:

• Marketing, application, and approval processes;

• Outstanding debt on medical payment products;

• Types of financial entities that offer medical payment products;

• Risks of medical payment products and patient understanding of risks;

• How medical payment products may exacerbate existing issues in health care billing and collections; and

• Incentives offered to health care providers to promote medical payment products and how those incentives affect the promotion of such products by providers to patients.

The ABA, ACA International, Chamber, Synchrony, and NCLC submitted comment letters in response to the RFI.

ABA. The ABA commented that the CFPB lacks the statutory authority to directly or indirectly regulate healthcare and encouraged the CFPB to “pursue policies that promote a variety of fair and responsible options to pay for healthcare-related products and services, permitting consumers to choose the option that meets their needs.” The ABA reminded the agencies that lending products are highly regulated and require comprehensive disclosures of the cost of credit, allowing consumers to make an informed choice. The ABA cautioned the CFPB to refrain from any actions that will reduce consumer payment options, which could create access barriers to medical services. With respect to deferred interest options, the ABA stressed that consumers understand these plans as evidenced by the 80% payoff rate before interest begins to accrue.

ACA International. ACA International expressed concerns about the CFPB’s prior actions to remove medical debt from credit reporting (as we previously blogged about) and its failure to engage with healthcare stakeholders. They emphasized the CFPB’s inability rewrite the Fair Credit Reporting Act and reminded the CFPB that law making is Congress’ function, not the CFPB’s function through arbitrary decisions. ACA International expressed similar concerns about CFPB authority to regulate healthcare and harm to consumers as expressed by the ABA.

Chamber. The Chamber highlighted that financial services providers allow consumer to pay for an incurred medical bill though a variety of payment products (credit cards, debit cards, checks, loans). They further noted that these payment products are already subject to numerous regulatory requirements and consumer protections. The Chamber emphasized that “consumer financial services providers do not have a role in the sale or delivery of medical services, the medical insurance market, or the medical billing system.” The Chamber further asked the CFPB to consider the following three key points:

1. The CFPB should not try to use payment regulations to address perceived concerns with medical billing and business practices.

2. Any policy actions based on the distinctive treatment of medical debt would be misplaced.

3. The CFPB should not discourage the use of any particular payment product.

Synchrony.  Synchrony offered to share its experiences with the agencies about its CareCredit – its health and wellness care branded credit card issued to consumers and credit card network brand. Synchrony shared some background on its CareCredit card product used for elective medical procedures, such as veterinary clinics, dentistry, cosmetic procedures, and LASIK surgery and explained how the card enhances access to healthcare and sets industry-leading practices. Synchrony stated that the correct public policy choice is to allow consumers to choose how they pay for their access to healthcare. They also stressed that majority of consumers (75-80%) pay no interest on deferred interest plans and focus groups indicate that consumers are satisfied with this payment option. To address the CFPB’s concerns about complexity of deferred interest plans and perceived harm to subprime cardholders, Synchrony noted that subprime borrowers only accounted for 8% of all deferred interest loans.

NCLC. In contrast, the NCLC focused on the risks posed to consumers by using medical payment products, such as when financed amounts should have been covered by insurance, when payments were made on amounts that were billed in error, when consumers could have avoided interest with a medical provider interest free payment plan, and when such debt was not flagged as medical debt and is reported on a credit report.Notably, consumers have some of these same risks if paying by cash or check and these risks are not mitigated through further regulation of medical payments. The NCLC comment letter explains how medical providers fail to provide clear marketing disclosures for offered financing options. As stated above, there are existing laws and regulations to address marketing and disclosure practices and improper sales practices are addressed by the laws preventing unfair, deceptive and abusive acts and practices. The letter “recommend[s] that the CFPB prohibit lenders from placing a charge on an account or issuing funds before a medical procedure is completed or the medical product is delivered.” This comment suggests lenders are in position to police medical facility billing practices and entitled to receive protected healthcare information validating the medical service performed prior to authorizing a credit card transaction and fails to respect patient privacy or recognize how payment authorizations work. The NCLC suggests the CFPB should conduct more research on medical credit cards, bring more enforcement actions, and ban deferred interest on all credit cards, apparently ignoring the harm that this ban will cause to the 80% of consumers that benefit from deferred interest plans.

We will continue to monitor for further developments from this RFI and any policy statements or proposed rulemaking by the CFPB related to medical debt and medical payments.

The Consumer Financial Protection Bureau (CFPB) has started the process of issuing rules on several topics affecting the entire ecosystem that collects, sells, and uses data about consumers, according to an Outline of the CFPB’s plans for rulemaking under the Fair Credit Reporting Act (FCRA) released on September 21. A copy of the Outline can be found here.

The Outline sets out an ambitious agenda for the proposed rulemaking that will have major impacts on:

• “Data brokers” and “data aggregators,” which are not defined under the FCRA, and which have not historically been considered consumer reporting agencies;

• Consumer reporting agencies (CRAs);

• Furnishers of data to CRAs;

• Persons who are sources of data for “data brokers” and “data aggregators”; and

• End users of data obtained from CRAs and/or “data brokers”/“data aggregators.”

While the Outline has wide-ranging implications for the entire ecosystem, in prepared remarks for a press call hosted by Vice President Kamala Harris, CFPB Director Rohit Chopra discussed only one aspect of the proposal: a rule barring reporting medical debt collections through the credit reporting system. He said the CFPB’s rulemaking would “block medical debt collectors from weaponizing the credit reporting system to coerce patients into paying bills they may not even owe. We are also kicking off a rulemaking process to prohibit lenders from using certain medical billing information in their underwriting decisions.”

At a very high level, one of the most important impacts of the contemplated rule is that many businesses and use cases that do not meet the FCRA’s definition of “consumer reporting agency” could be dragged into FCRA regulation. From the Outline, it is not obvious that the CFPB has considered the significant negative consequences of ignoring the plain language of the FCRA. For example, data that has been used for decades to prevent fraud and identity theft will no longer be permitted for those use cases outside the limited set of enumerated FCRA “permissible purposes” or under the CFPB’s new proposed strict rules for obtaining consumer consent. However, that is only one of many probable monumental shifts in how the industry and courts have understood the FCRA. Compliance requirements and risks for the potentially new and existing members of the FCRA-regulated consumer data ecosystem are going to be more demanding in multiple, significant ways, some of which are identified below.

The Outline follows up on an announcement of the planned initiative, described here, and is part of the first step of a formal CFPB rulemaking. The Outline is supplied for initial comment to a panel of small businesses convened under the Small Business Regulatory Enforcement Fairness Act (SBREFA). After this SBREFA process is complete, then the CFPB will issue a proposed rule and open it up for comment, which the CFPB’s director indicated would likely occur in 2024.

Impacts on Industries Likely Affected by the Proposed Rule

The contemplated rulemaking disclosed in the Outline would affect participants in the consumer data ecosystem in many ways, including:

So-Called “Data Brokers” and “Data Aggregators”

Who qualifies as a “data broker” or “data aggregator”? In the CFPB’s view, a “data broker” or “data aggregator” is any company that collects and sells consumer data, for any purpose, and who also “assembles” or “evaluates” the data. The CFPB thus appears to intend to expand the definition of “consumer report” beyond those “data brokers” that are CRAs “under current law.”

Further ignoring the FCRA’s definition of “consumer report,” the CFPB states that it intends to apply the statute where the information is used for any permissible purpose (ignoring the FCRA’s threshold eligibility requirements), regardless of whether the data broker knew that the information would be used or intended to be used for that purpose. Indeed, the CFPB says that information would be a “consumer report” based only on the fact that the information might bear on eligibility — addressing only part of the FCRA’s definition of “consumer report.” It is likewise unclear how the CFPB intends to “clarify” the meaning of “assemble” and “evaluate” in a way that has not already been addressed by the courts.

The impacts for so-called “data brokers” and “data aggregators” go further.

• Among other implications is the fact that “data brokers” and “data aggregators” would be able to sell data only for permissible purposes allowed by the FCRA — principally for eligibility determinations for credit, insurance, or employment — or by way of written authorization of the consumer. Use of data for product improvement and identity verification to access an online account, for example, would be prohibited absent the consumer’s written authorization.

• In addition to limiting who can receive data from “data brokers” and “data aggregators,” those entities, once designated as CRAs, would need to give consumers (and identity thieves) rights to access and dispute their data, and consumers could sue them under the FCRA for violating those FCRA requirements.

CRAs

Who is a CRA? The FCRA defines a CRA as a person who collects, assembles, or evaluates consumer credit information or other data on consumers for the purposes of furnishing consumer reports. In turn, a consumer report contains “seven factor” data reflecting on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, and is expected to be used for the purpose of establishing a consumer’s eligibility for credit, insurance, or employment, among other specific “permissible purposes.”

What are the impacts of the contemplated rulemaking for CRAs?

• Under current law, a CRA’s sale of identifying data — widely known as “credit header data” —about a consumer is not regulated by the FCRA, mainly due to courts consistently concluding such information does not bear on the factors listed in the statutory definition of “consumer report.” The CFPB seems to acknowledge this existing law and then, contrary to its statements on data brokers discussed above, proclaims that such information is now being used to determine “eligibility” and, as a result, is now regulated consumer report information that can only be used for FCRA permissible purposes. The Outline suggests that the CFPB is focused on subjecting all consumer data held by a CRA to the FCRA’s requirements, meaning that only persons with an FCRA “permissible purpose” can obtain this data from CRAs. That restriction would have major implications for end users as well, noted below.

• The Outline also reflects the potential for a proposed rule that would create an obligation not found anywhere in the FCRA for a CRA “to protect” consumer reports from a data breach or data security incident (i.e., unauthorized access). This would be contrary to the fact that courts consistently hold that the FCRA does not apply to such incidents, given the plain language of the statute.

• Other provisions of the rulemaking being contemplated by the CFPB would basically exclude from the ecosystem, any collection or distribution of medical debt collection information altogether. That will have major implications for users and furnishers as well, as noted below.

• The CFPB also proposes to give consumers the power to file a dispute not only for themselves, but also on behalf of whole groups of consumers (a sort of “class action” dispute), and the CRAs would have to investigate the dispute, and respond, on a group basis. This obligation would also apply to furnishers, as discussed below.

• Finally, the CFPB would also have CRAs and furnishers interpret legal issues that may impact the accuracy of information provided, for example, by a court. Not only does such a requirement ignore what courts have found is required by the FCRA — investigating only factual disputes about the completeness or accuracy of data — but could also require the involvement of an attorney in every dispute to make sure there are no “legal” issues that need to be resolved.

Furnishers

Who is a furnisher? A “furnisher” is a person who supplies their own “transaction and experience” consumer data to a CRA. A creditor or servicer who supplies a CRA with data about a consumer’s performance of a credit obligation is a furnisher.

What are the impacts for furnishers?

• As with CRAs, the contemplated rule would give consumers the power to make a dispute on behalf of not only themselves but also whole groups of consumers, and furnishers would have to investigate and respond to these disputes on a group basis.

• As with CRAs, the contemplated rule would require furnishers to evaluate legal issues raised by a dispute.

• Medical debt collection information would be excluded from the consumer data ecosystem, so furnishers who currently report medical debt would no longer have any way to share this data with end users through CRAs.

Data Sources for “Data Brokers” and “Data Aggregators”

Who is a “data source” for “data brokers” and “data aggregators”? “Data brokers” and “data aggregators” collect data from a wide variety of governmental and business sources.

What are the impacts of data sources for “data brokers”? Supplying data to “data brokers” and “data furnishers,” who would now be regulated directly under the FCRA, could also result in some data sources becoming “furnishers” themselves. This would saddle these data sources with the duties of a furnisher under the FCRA as to accuracy of data, responding to disputes and putting in place identity theft protections. This could become problematic, especially if the data source is making no effort to associate a record with a specific purpose (i.e., doing nothing more than parroting the public record sources such as court records).

End Users

Who is an end user? An “end user” is a person who consumes consumer data for business purposes. This can include marketing, identity verification, fraud prevention, and eligibility determinations of consumers for products and services including but not limited to credit, insurance, and employment.

What are the potential impacts for an end user?

• A major effect of the inclusion of “data brokers” and “data aggregators” in the definition of CRA is that users will only have the ability to look to the consumer data ecosystem for data if the user has an FCRA permissible purpose, or the written instructions of the consumer give the user permission to access the consumer’s data. This will have a detrimental effect on preventing fraud and misuse, especially when combined with the CFPB’s intent to restrict the “legitimate business need” permissible purpose.

• Likewise, materially changing the current understanding of “aggregated” (i.e., anonymized) data could eliminate numerous use cases that benefit consumers by improving functionality and reducing the price of products and services.

• The Outline also includes the prospect that the CFPB will promulgate specific requirements for a consumer’s written instructions, including required steps to obtain authorization, who can collect written instructions, and limits on the scope of authorization. The proposal also confirms the consumer’s right to revoke authorization and contemplates methods for such revocation. The CFPB has not explained whether this would be a prospective requirement or if it intends to apply its rule to data already collected and not flagged for this purpose.

• The Outline seeks to clarify when an end user has a “legitimate business need” for which a CRA may furnish a consumer report. The FCRA provides that a “legitimate business need” includes a need for the information (i) in connection with a business transaction initiated by the consumer, or (ii) to review an account to determine whether the consumer continues to meet the terms of the account. The proposal seeks to limit those needs, respectively, to (i) determining eligibility for a consumer-purpose transaction, or (ii) actual account reviews for which the consumer report information is required to determine whether the consumer continues to meet the terms of the account.

• Users will not have access to medical debt collection data through the regulated consumer data ecosystem, which could result in the making of riskier loans that would otherwise not be made in the current environment.

As we have been discussing on our special podcast series that anticipated these new rules under the FCRA, after the comment period is complete, the CFPB will issue a final rule. A final rule is unlikely before 2025. Based on the sweeping proposed reform as to the CFPB’s interpretation of the FCRA’s scope, it appears likely that some parts of the CFPB’s proposed rule will face significant legal challenges.

This proposed rulemaking, if it proceeds as outlined, will have a dramatic effect across the board for all businesses involved in the consumer data ecosystem. Comments and advocacy will be required by these affected stakeholders.

A District Court in New Jersey recently ruled that complying with Reg F does not necessarily equal compliance with the Fair Debt Collection Practices Act (FDCPA). Specifically, the NJ District Court held that although the date of the letter is not a requirement in the Model Validation Notice, failing to include a date in an initial demand that tracks the Model Validation Notice might violate the FDCPA.   

In Ginsberg v. I.C. System, Inc., (Civ Action # 22-1147; Dist ct. NJ 2003), a consumer received an initial demand letter that mirrored the format of Reg F’s Model Validation Notice (MVN). The letter stated a balance as of 1/25/2021 and referenced interest, fees, and payments “between 1/25/2021 and today.” The letter concluded by stating the amount the consumer owed “now.”  

Since the letter was not dated, the consumer filed a lawsuit claiming the debt collector withheld a material term, which made the letter difficult to understand. Without the ability to determine from the letter which date “today” and “now” refer to, the consumer alleged she was misled as to the status of the debt. According to the consumer, the letter’s misleading nature violated the FDCPA.  

The debt collector argued that since it complied with Reg F’s Model Validation Notice, which does not require the letter to be dated, It was entitled to a “safe harbor” from claims of an FDCPA violation. In response, the consumer argued that complying with the Model Form only ensures compliance with Reg F, not the FDCPA. Further, the consumer argued that any safe harbor applies to the form of the letter, not its substance.  

The Court agreed with the consumer. Following the lead of a February 2023 case from the Southern District of Florida (Roger v. GC Services Limited Partnership), the Court reasoned, “Regulation F never purported to make the use of the model validation notice a ‘safe harbor’ against statutory violations, only violations of the regulations themselves”. Additionally, the Court noted that the Model Form might provide a “safe harbor,” but it only provides a “safe harbor” for the “form” of the required information, but not the “substance.”  

Therefore, the Court held that compliance with Reg F alone does not provide a “safe harbor” from a violation of the FDCPA. Since the omission of the date may have created confusion, the Court found that the consumer alleged sufficient facts for the case to continue. 

insideARM Perspective  

With the disclaimer that you should always consult your own counsel before changing your letters, the most straightforward surface takeaway from this case is that if you use words like “today” and “now,” it’s probably a good idea to date your letters.  

The more nuanced takeaway is that many in the ARM industry conflated Reg F with the FDCPA. However, during the implementation phase of Reg F,  many voices also said, “If it didn’t violate the FDCPA pre–Reg F, it won’t violate the FDCPA after Reg F.” In other words, Reg F provided regulatory clarity but did not serve to change the statutory text of the FDCPA. Those in the ARM industry shouldn’t forget this. While following Reg F is crucial for several reasons, it’s important to remember that the statutory text of the FDCPA still rules the day.  

In Hansen v. Mountain America Federal Credit Union, the plaintiff became delinquent on a credit card account with her credit union. The credit union then assigned the debt to a third-party collection agency. Following the assignment, the collection agency opened its own tradeline for the debt, while the credit union also continued to report the debt. Although the credit union’s tradeline was updated to reflect that the account was “closed” and in collections, and the collection agency’s tradeline indicated that the credit union was the original creditor, both tradelines showed a balance, albeit for different amounts — $18,340 for the credit union and $20,875 for the collection agency.

The plaintiff submitted written disputes concerning the credit union’s tradeline to the three national consumer reporting agencies, claiming the reporting was inaccurate because the inclusion of both balances resulted in double reporting. After investigation, the credit union determined that its reporting was accurate and declined to make any changes.

The plaintiff filed suit in Utah District Court, alleging that the credit union negligently and willfully violated §1681s–2(b) of the Fair Credit Reporting Act (FCRA) by failing to remove the balance under its tradeline in response to her dispute.

The credit union moved to dismiss, arguing that its investigation was reasonable and its information was accurate because the tradeline showed the account as “closed” and that it had been assigned for collection.

The court denied the motion, explaining that an item on a credit report can be inaccurate not only by being patently incorrect, but also by being “misleading in such a way and to such an extent that it can be expected to adversely affect credit decisions.” Here, the court found that there were aspects of the plaintiff’s credit report that could be misleading, specifically the fact that there were balances for both tradelines and for conflicting amounts.

Moreover, the court was unable to locate “authority that provides clear guidance about how a debt should be reported when it has been assigned.” Notably, although the credit union argued that the Fair Debt Collection Practices Act (FDCPA) allowed the collection agency to report the debt and that the reporting standards for credit unions are encoded in the Metro 2 guidelines published by the Consumer Data Industry Association, those materials were not provided to the court and therefore were not considered in its decision.

As such, the court found that the plaintiff had alleged an inaccuracy on her credit report, for which the credit union did not change its reporting, thus giving rise to a plausible claim for violation of §1681s–2(b) of the FCRA.

A copy of the order is available here.

Delaware Gov. John Carney on Sept. 11 signed into law House Bill 154, the Delaware Personal Data Privacy Act.  This makes Delaware the 12th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut,  Iowa, Indiana, Tennessee, Montana, Texas, and Oregon. The Act will go into effect Jan. 1, 2025.

Applicability

The Act applies to persons that conduct business in Delaware or persons that produce products or services that are targeted to residents of Delaware and that during the preceding calendar year did any of the following:

1. Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

2. Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.

Exemptions

Exemptions include, but are not limited to:

1. Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. 6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;

2. Data subject to the Gramm Leach Bliley Act and the rules and implementing regulations promulgated thereunder;

3. Protected health information under HIPAA;

4. Activities regulated by the Fair Credit Reporting Act.

Consumer Rights

Consumers have the right to:

1. Confirm processing of their personal data and access such data;

2. Correct inaccuracies, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;

3. Delete personal data provided by, or obtained about, the consumer;

4. Obtain a copy of the consumer’s personal data processed by the controller;

5. Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data;

6. Opt out of processing if for the purpose of targeted advertising, sale, or profiling.

Sensitive Personal Information

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with the Delaware Online Privacy and Protection Act, specifically Del. Code Ann. tit. 6, § 1204C.

Sensitive Data means personal data that includes any of the following:

1. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.

2. Genetic or biometric data.

3. Personal data of a known child.

4. Precise geolocation data.

Contract Requirements

A contract between a controller and processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties and:

1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

2. At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.

4. After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

5. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor.

Data Protection Assessments

A controller that controls or processes the data of not less than 100,000 consumers must conduct and document on a “regular basis” a data protection assessment for processing activities that presents a heightened risk of harm to a consumer, including:

1. Processing for the purpose of targeted advertising;

2. Processing for the purpose of selling personal data;

3. Processing for the purpose of certain profiling; and

4. Processing sensitive data.

The “100,000 consumers” threshold excludes data controlled or processed solely for the purpose of completing a payment transaction.

Enforcement

The Act does not create a private right of action. A violation is an unlawful practice under Del. Code Ann. tit. 6, § 2513 and can be enforced solely by the Attorney General pursuant to Del. Code Ann. tit. 6, § 2522. Provided a person cannot cure a violation within 60 days, the Attorney General may seek injunctive relief and a civil penalty of not more than $10,000 for each willful violation. The opportunity to cure provision expires Dec. 31, 2025.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.