As reported in last year's Annual Survey, (1) the Consumer Financial Protection Act of 2010 ("CFPA") (2) revised the Fair Credit Reporting Act ("FCRA") (3) enforcement and rulemaking scheme. Since then, the various federal financial regulatory agencies, including the new Consumer Financial Protection Bureau ("CFPB") and the Federal Trade Commission ("FTC"), have begun to implement their duties under the CFPA and FCRA, in recognition of the new regulatory scheme.
In addition to summarizing these regulatory developments, this survey discusses changes to the statutory provisions governing the Identity Theft Red Flags Rule and examines selected FCRA litigation developments.
REGULATORY DEVELOPMENTS: CFPA IMPLEMENTATION
RULEMAKING AND ENFORCEMENT JURISDICTION
The CFPA has remade federal agency jurisdiction under the FCRA. Existing general rulemaking power, which had previously been diffused among the federal banking agencies, transferred to the CFPB on the designated transfer date of July 21, 2011. (4) As reported in last year's Annual Survey, (5) the CFPB will have general rulemaking authority under the FCRA, and will be solely responsible for prescribing many of the specific rules required by the FCRA, such as rules regarding the provision of risk-based pricing notices to consumers. (6)
The CFPB will enforce the FCRA and its implementing rules against banks with more than $10 billion in assets, but functional regulators will enforce these provisions against other regulated entities. (7) In addition, the CFPA amended the FCRA to provide the CFPB with general enforcement powers "with respect to any person subject to this title," but the FTC continues to maintain its general enforcement jurisdiction under the FCRA as well. (8) Thus, as a practical matter, the CFPB and the FTC appear to share residual enforcement jurisdiction under the FCRA.
NEW FCRA RULES TO BE MADE BY THE FEDERAL SECURITIES REGULATORS
The CFPA amended three FCRA provisions to add rulemaking authority for the U.S. Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC"). Specifically, the FCRA is amended to require the SEC and CFTC to make an "Identity Theft Red Flags Rule" for persons under the respective jurisdiction of the two agencies. (9) In addition, the FCRA is amended to require the CFTC to issue rules regarding the secure disposal of consumer report information, (10) and to make an "Affiliate Marketing Rule" for persons under its jurisdiction, (11) (The SEC already was required to make rules regarding the secure disposal of consumer report information and an Affiliate Marketing Rule. (12)
The CFPA does not specify a time period within which the SEC and CFTC are required to issue these rules. The CFTC has already issued in final form its Affiliate Marketing Rule (13) and its rules regarding the secure disposal of consumer report information. (14) As of this writing, neither the SEC nor the CFTC has proposed an Identity Theft Red Flags Rule.
CFPB CREDIT REPORTING STUDIES
The CFPA requires the CFPB to conduct two studies of the consumer reporting industry. CFPA section 1078 requires the CFPB to "conduct a study on the nature, range, and...