Last year, Rep. Heath Shuler (D-NC) introduced the Medical Debt Resolution Act (H.R. 2086), which would amend the Fair Credit Reporting Act to require the Consumer Reporting Agencies (CRAs) to remove paid or settled medical debt from a consumers’ credit file.

The bill would require information related to a single fully paid or settled medical debt of $2,500 or less that had been characterized as delinquent, charged off, or in collection for credit reporting purposes, which, from the date of payment or settlement, antedates the report by more than 45 calendar days.

As a general rule, expunging predictive information is not in the best interest of consumers or credit granters — both of which benefit when credit reports and scores are as accurate and predictive as possible. If any type of debt information proven to be predictive is expunged, consumers risk exposure to improper credit products as they may appear to be more financially equipped to handle new debt.

It’s important to note that medical debts are never taken into consideration by the credit scoring company VantageScore if the debt reporting is known to be from a medical facility. The challenge, however, is knowing when a debt is medical related. For example, when a medical debt is outsourced to a third-party collection agency it is difficult to know the true origin of the debt. Collection accounts of lower than $250, or ones that have been settled, have less impact on a consumer’s VantageScore.

The legislation also does not address medical bills paid with a credit card and there is risk that the current language could be interpreted to require that a credit card balance containing paid medical debt be expunged from a credit file. This is a growing issue as patients pay about $45 billion in medical costs with a credit card, according to a 2007 report by Mckinsey & Company.

Share your thoughts …

Congress Looks at Removing Paid or Settled Medical Debt from Credit Reports ex.pn/LTrVKn

— Experian News (@ExperianNews) June 28, 2012

Photo: Shutterstock

Earlier this spring, the Federal Deposit Insurance Corporation (FDIC) announced a proposed amendment to the Assessments, Dividends, Assessment Base and Large Bank Pricing (LBP) rule that it put forward in February 2011.

The revised rule attempts to address lender concerns that they would be unable to comply with the new rule’s provisions, particularly the added requirement of reporting subprime and leveraged consumer loans.

Under the new proposal, subprime consumer loans would be renamed “higher-risk consumer loans and securities,” and would be defined as:

• All consumer loans where, as of origination, or, if the loan has been refinanced, as of refinance, the probability of default within two years was greater than 20 percent, excluding those consumer loans that meet the definition of a nontraditional mortgage loan; and
• Securitizations that are more than 50 percent collateralized by consumer loans meeting the criteria in (a), except those classified as trading book.

The FDIC is reviewing comments on the changes and has extended the compliance date for the new reporting requirements until October 1, 2012.

In Vermont, the state legislature passed a new law that requires entities to notify the state attorney general’s office within 14 days of a security breach, unless the data collector has affirmed with the attorney general’s office that a written data security plan is in place and the organization can comply with breach notification requirements. In addition, the Vermont law would require that a consumer be notified of the incident in general terms; alerted to the types of information exposed; provided with a toll-free number to call for guidance; given advice about credit monitoring; and provided with the date of the breach and its discovery by the business within 45 days. The Connecticut legislature also passed a new data breach law that requires companies to notify the state attorney general’s office of a security breach before a notice is sent to consumers.

Congress is also considering data breach notification proposals.  In the Senate, several members have signaled their intent to offer data breach notification amendments when the Chamber considers cybersecurity legislation.

However, there are a number of hurdles that lawmakers must address before they can move forward. First, the large number of congressional committees that have jurisdiction on the issue has led to turf battles. Also, it has been difficult for Congress to settle on a standard that would effectively preempt the current patchwork of state laws.

Photo: Shutterstock

Recently there has been one area of Consumer Financial Protection Bureau (CFPB) reform that has gained support from Republicans and Democrats in Congress, as well as the CFPB Director himself: ensuring the confidentiality of privileged information that financial institutions provide to the bureau.

Current law ensures that when a financial institution turns over documents containing information covered by the attorney-client privilege to a specific list of regulators — the Federal Reserve, the Federal Deposit Insurance Corp. or the Office of the Comptroller of the Currency — its right to privilege will not be waived. This guarantees that the confidential information will not be viewed by third parties, including other regulators, who could use it to mount a legal case. However, the law that created the CFPB failed to add the bureau to the list of regulators exempted from privilege.

In March, the CFPB announced a proposed rule to formalize protections for privileged information provided to the bureau, whether it is from banks or non-banks.  The proposal also seeks to clarify that the transfer of privileged information to other Federal or state regulators does not waive the financial institution’s right to privilege.  Congress has also been active on the issue.  This spring the House unanimously approved legislation (H.R. 4014) to legally ensure that privilege is not waived for documents submitted to the CFPB.  Similar legislation has been introduced in the Senate and is likely to be brought to the floor soon.

Photo: Shutterstock

On March 26^th, the Federal Trade Commission (FTC) released its highly anticipated final reports on consumer privacy, entitled “Protecting Consumer Privacy in an Era of Rapid Change.”

In their final report, the Commission applauded industry’s efforts towards strengthening industry self-regulations—including the Digital Advertising Alliance’s Self Regulatory Program for Online Behavioral Advertising—but called on industry to do more to protect consumer privacy.

To achieve this goal, the FTC recommended that industry follow a privacy framework based upon three commonly accepted privacy principles:

• Privacy by Design
• Simplified Consumer Choice
• Greater Transparency

In the report, the FTC states the proposed framework is not intended to serve as a model for future law enforcement or regulatory actions, but rather a guide to strengthen industry self regulation.

The new FTC report—coupled with the White House’s February report—will likely bring greater attention from policymakers as they continue to debate the issue of online privacy.  In particular, the report will most certainly bring Congressional hearings to review the recommendations of the FTC.

The Death Master File (DMF) is a database operated by the Social Security Administration (SSA) that contains over 87 million records with information on persons who had Social Security numbers and whose deaths were reported to the SSA from 1962 to the present. The DMF is considered a public document under the Freedom of Information Act, and monthly and weekly updates of the file are made available through the Department of Commerce.

Congress is considering legislation that would limit access to the DMF to only qualified entities.   For example, government agencies, credit reporting agencies, financial institutions and medical organizations use the DMF to verify death and prevent identity fraud.

At a hearing before the House Social Security Subcommittee in early February, members of the panel heard from a variety of witnesses who said that more needs to be done to secure DMF records from misuse while also recognizing the importance of ensuring access for legitimate uses.

Photo: Shutterstock

Over the last year, the FTC and the Department Commerce have been studying these issues and each released preliminary reports looking at the changing privacy landscape.  Although much of the discussion has focused on online data, the reports take a broader look at the privacy practices of organizations both online and offline, offering a number of recommendations that challenge policy makers and companies to better protect consumer information.

As regulatory agencies and Congress continue to examine business practices around consumer privacy, I thought it might be helpful to take a look at recent comments Experian filed with the FTC and highlight a few areas that will be important for policy makers to consider going forward.

A flexible and adaptive regulatory system is essential to an innovative economy.
Consumer privacy expectations are continuing to evolve and, as a result, standards must not be rigid.  Along with existing regulations, new challenges should be dealt with robust and evolving self-regulation – not new laws – to ensure consumers are protected now and in the future.

Consumer privacy should be viewed from multiple perspectives.
The recent debate around commercial information sharing has centered on consumer privacy; however there are other viewpoints that should be considered. For example, how are businesses using information in a responsible manner to innovate and increase productivity or how does the overall economy benefit from consumer information that makes us more competitive in a global marketplace.

Incorporating consumer privacy into all aspects of a business is a powerful consumer benefit.
The FTC report recommends a “privacy by design” framework – meaning that companies incorporate privacy into every aspect of their business operations.  This framework could potentially evolve into a useful tool for companies to evaluate their privacy and data security policies.

Photo: Shutterstock