FCRA-Out Posture Documentation — Raxx

Status: research memo and internal compliance documentation. This document does NOT constitute legal advice and is not a substitute for an attorney-authored opinion letter. Before relying on this posture in response to any regulatory inquiry, obtain attorney review. See diy-privacy-compliance-path-2026-05-11.md Section 4. Last updated: 2026-05-11 UTC.

Summary

Raxx's collection and display of payment_event_count (a raw count of successful and failed payment events per customer) is NOT a "consumer report" under the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. Raxx is NOT a "consumer reporting agency" as defined by FCRA. Raxx is NOT a "creditor" as defined by the Equal Credit Opportunity Act (ECOA), 15 U.S.C. § 1691 et seq., and Regulation B, 12 CFR Part 1002.

This document sets out the three independent grounds for this determination and identifies the documentation to maintain.

Operator Attestation

I, the undersigned, as authorized representative of [COMPANY LEGAL NAME] ("Raxx"), confirm the following:

1. Raxx's payment_event_count field stores a raw integer count of payment events (successful and failed) associated with a subscriber's account.
2. This count is displayed in the Raxx operator console for internal subscription management purposes only.
3. This count is not furnished to any third party (including credit bureaus, background check companies, or other data aggregators) for any purpose.
4. Raxx does not use this count as an input to any automated credit decision, insurance decision, employment decision, or any other decision governed by FCRA § 1681b permissible purposes.
5. Raxx does not sell, share, or license this count to any third party for credit-related or eligibility-related purposes.

Signed: ____ Printed name: ___ Title: ____ Date: ___

Statutory Analysis

Ground 1 — Raxx is not a "Consumer Reporting Agency"

Statute: 15 U.S.C. § 1681a(f)

"any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties..."

Analysis: Raxx does not engage in the practice of assembling or evaluating consumer credit information for the purpose of furnishing consumer reports to third parties. Raxx collects payment event data from Stripe webhooks solely for its own internal subscription management. The data is never furnished to third parties as a consumer report. Because Raxx is not a CRA, FCRA's consumer-report obligations do not apply to Raxx's data.

Source: https://www.law.cornell.edu/uscode/text/15/1681a

Ground 2 — payment_event_count is not a "Consumer Report"

Statute: 15 U.S.C. § 1681a(d)(1)

"any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for—(A) credit or insurance... (B) employment purposes; or (C) any other purpose authorized under section 1681b"

First-party transaction exclusion — 15 U.S.C. § 1681a(d)(2)(A):

"The term [consumer report] does not include... any report containing information solely as to transactions or experiences between the consumer and the person making the report."

Analysis: Raxx's payment_event_count records transactions and experiences between the consumer (the Raxx subscriber) and Raxx (the person making the report). This is precisely what the first-party transaction exclusion covers. The payment events are not assembled from external sources; they reflect the direct payment history between Raxx and its subscriber. Even if payment_event_count somehow bore on a consumer's creditworthiness (which it is not used for), it would fall outside the "consumer report" definition under this exclusion.

Additionally: The count is not "used or expected to be used" for any FCRA-enumerated purpose (credit, insurance, employment, or other § 1681b purpose). It is used only for Raxx's internal subscription management.

Source: FTC FCRA text at https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf

Ground 3 — Raxx is not a "Creditor" under ECOA

Statute: 12 CFR § 1002.2(l)

"Creditor means a person who, in the ordinary course of business, regularly participates in a credit decision, including setting the terms of the credit."

Statute: 12 CFR § 1002.2(j)

"Credit means the right granted by a creditor to an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor."

Analysis: Raxx sells SaaS subscriptions charged via Stripe at point-of-sale (or on a recurring basis). Raxx does not grant customers the right to defer payment. Raxx does not extend credit, does not set terms for deferred payment, and does not participate in credit decisions. Raxx is not a creditor under ECOA. Accordingly, ECOA's anti-discrimination obligations in the credit-granting context do not apply to Raxx's subscription decisions.

Source: https://www.law.cornell.edu/cfr/text/12/1002.2; CFPB at https://www.consumerfinance.gov/rules-policy/regulations/1002/2/

What This Posture Does NOT Cover

This FCRA-out analysis is based on the current architecture (raw counts, no third-party furnishing, no automated credit decisions). This posture changes if Raxx:

1. Begins furnishing payment data to any third party (credit bureau, data aggregator, background-check service, or any other party) — immediate FCRA CRA status risk.

2. Uses payment_event_count as an input to an automated "accept/reject" decision about a new customer — potential ECOA adverse-action-notice obligation.

3. Aggregates payment_event_count across customers into a scored product sold to operators who use it to make decisions about third parties — transforms Raxx into a CRA.

4. Adds a credit or financing product (e.g., "subscribe now, pay later," deferred billing) — Raxx becomes a creditor under ECOA.

If any of the above changes are made: This memo is obsolete. Obtain a FCRA opinion letter from a CFPB-specialized attorney before implementing.

Supporting Documentation to Retain

The following documents should be retained alongside this memo:

• [ ] Architect v3 design decision: payment_event_count is a raw counter, not a score (cross-reference: architect ADR in codebase)
• [ ] Data flow diagram: Stripe webhook → DB → operator console only; no third-party outbound path
• [ ] Stripe processing agreement (confirms Stripe is the card-data processor; Raxx receives only tokenized/webhook data)
• [ ] Vendor contracts for Heroku, Sentry: confirm no payment data is furnished to third parties via these services
• [ ] This signed attestation (above)

Sources

• FCRA 15 U.S.C. § 1681a: https://www.law.cornell.edu/uscode/text/15/1681a
• FTC FCRA PDF (September 2018 revision): https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf
• ECOA Regulation B 12 CFR § 1002.2: https://www.law.cornell.edu/cfr/text/12/1002.2
• CFPB ECOA definitions: https://www.consumerfinance.gov/rules-policy/regulations/1002/2/
• Orrick on GLBA/FCRA fintech exemptions: https://www.orrick.com/en/Insights/2022/08/What-Fintech-Companies-Need-to-Know-About-GLBA-and-FCRA-Exemptions-Under-State-Data-Protection-Laws