Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • 11th Circuit: Bank not obligated to investigate FCRA dispute

    Courts

    On April 25, the U.S. Court of Appeals for the 11th Circuit affirmed a district court’s dismissal of a putative class action against a national bank, finding that the plaintiff failed to show an investigation would reveal the bank inaccurately furnished information to credit reporting agencies (CRAs). According to the opinion, after the plaintiff failed to make payments on his mortgage, the bank reported the delinquencies to the three CRAs. A Florida circuit court entered a final judgment of foreclosure in the bank’s favor, which the plaintiff paid two years later after the account was transferred to a different lender. Two years after he paid the foreclosure judgment, the plaintiff noticed that the CRAs showed his account as past due despite the fact that the judgment had been paid. However, following an investigation, the CRAs confirmed that the information provided by the bank was accurate, since it reflected two years of missed payments that the plaintiff later contended he was not obligated to make due to the filing for the foreclosure action. The plaintiff filed a class action suit alleging the bank violated the FCRA by failing to report that he had paid off the foreclosure judgment. The district court dismissed the case with prejudice, ruling that the bank satisfied its obligations under the FCRA, and that the plaintiff failed to support his claim that the bank was obligated to report the payoff after it transferred the account.

    On appeal, the 11th Circuit agreed with the district court, opining that because the plaintiff never claimed that the bank was informed of the past-due status dispute by the CRAs, the bank was not obligated to investigate under the FCRA. The court noted that the plaintiff “never alleged that [the bank] received notification from the CRAs that he disputed his account's past-due status as of July 2017,. . .that the CRAs provided notification of any such dispute to [the bank],. . .or even that he contacted the CRAs to dispute that aspect of his credit reports.” The plaintiff further argued that the filing of the foreclosure action and acceleration of the loan relieved him of the obligation to make monthly payments. The 11th Circuit was “unconvinced” by the argument and said that, nonetheless, “[w]hether [the plaintiff] was obligated to make payments on the mortgage after the Foreclosure Action was filed is a currently unresolved legal, not a factual, question. Thus, even assuming [the bank] furnished information that turned out to be legally incorrect under some future ruling, [the bank’s] purported legal error was an insufficient basis for a claim under the FCRA.”

    Courts FCRA Credit Reporting Agency Class Action Eleventh Circuit Appellate

    Share page with AddThis
  • District Court approves relief order in Spokeo

    Courts

    On March 11, the U.S. District Court for the Central District of California approved a stipulation for prospective relief, settling a consumer FCRA action against a purported credit reporting agency (defendant) for alleged procedural violations. In 2016, the case went to the U.S. Supreme Court (covered by a Buckley Special Alert), which remanded the case so the 9th Circuit could fully consider whether the plaintiff had standing under Article III of the Constitution. The approved stipulation lasts three years and, among other things, requires the defendant to (i) post a “clear and appropriately-titled” link to its opt-out privacy form; (ii) create a step requiring that its customers affirmatively agree not to use its information to determine eligibility for a FCRA-related purpose; and (iii) state on all of its webpages that it is not a consumer reporting agency. The order also prohibits the defendant from publishing “any numerical estimates or predictions of consumer credit scores” unless its terms and conditions specify that the information may not be used for FCRA purposes.

    Courts FCRA Spokeo Credit Reporting Agency

    Share page with AddThis
  • 9th Circuit: Plaintiffs failed to show harm in FCRA action

    Courts

    On March 25, the U.S. Court of Appeals for the 9th Circuit affirmed dismissal of five plaintiffs’ allegations against two credit reporting agencies, concluding the plaintiffs failed to show they suffered or will suffer concrete injury from alleged information inaccuracies. According to the opinion, the court reviewed five related cases of individual plaintiffs who alleged that the credit reporting agencies violated the FCRA and the California Consumer Credit Report Agencies Act (CCRAA), by not properly reflecting their Chapter 13 bankruptcy plans across their affected accounts after they requested that the information be updated. The lower court dismissed the action, holding that the information in their credit reports was not inaccurate under the FCRA. On appeal, the 9th Circuit, citing to U.S. Supreme Court’s 2016 ruling in Spokeo v. Robins (covered by a Buckley Special Alert), concluded that the plaintiffs failed to show how the alleged misstatements in their credit reports would affect any current or future financial transaction, stating “it is not obvious that they would, given that Plaintiffs’ bankruptcies themselves cause them to have lower credit scores with or without the alleged misstatements.” Because the plaintiffs failed to allege a concrete injury, the court affirmed the dismissal for lack of standing, but vacated the lower court’s dismissal with prejudice, noting that the information may indeed have been inaccurate and leaving the door open for the plaintiffs to refile the action.

    Courts Ninth Circuit Appellate Spokeo FCRA Bankruptcy Credit Reporting Agency

    Share page with AddThis
  • District Court reduces jury’s $3 million award in FCRA action to $490,000

    Courts

    On March 21, the U.S. District Court for the Northern District of Alabama reduced a consumer’s punitive damages award from $3 million to $490,000 in an action against a credit reporting agency for the alleged misreporting of credit information. According to the opinion, after the consumer had a debt dismissed by small claims court, he requested that the credit reporting agencies remove the trade line from his credit report. When one credit reporting agency refused to initiate a dispute investigation because it suspected fraud, the consumer filed a complaint alleging violations of the FCRA. In May 2018, a jury awarded the consumer $5,000 in compensatory damages and $3 million in punitive damages. The credit reporting agency moved to have the court enter judgment as a matter of law and/or have the judgment amended or altered. The court reviewed the award, noting that the punitive to compensatory damages ratio of 600 to 1 “suspiciously cocked” the “court’s eyebrows.” The court emphasized that a single-digit multiplier would not be sufficient to deter the credit reporting agency from future wrongdoing and instead, applied the 98 to 1 ratio used by the U.S. Court of Appeals for the 4th Circuit, bringing the punitive damages down to $490,000. In addition, the court applied the “one satisfaction” rule, concluding the credit reporting agency did not have to pay the compensatory damages, as the consumer already received settlement proceeds that exceed the jury award from other defendants, and “the injuries the [consumer] described are indivisible between [the credit reporting agency] and the settling defendants.”

    Courts Credit Reporting Agency FCRA Damages Punitive Damages Fourth Circuit Appellate

    Share page with AddThis
  • District Court cites 9th Circuit, holds Fannie Mae is not a CRA

    Courts

    On February 26, the U.S. District Court for the Northern District of California granted summary judgment in favor of Fannie Mae in an action brought by a consumer alleging that Fannie Mae violated the California Consumer Credit Reporting Agencies Act (CCCRA) and the Fair Credit Reporting Act (FCRA) by prohibiting lenders from providing consumers a copy of Fannie Mae’s Desktop Underwriter (DU) report. According to the opinion, two years after completing a short sale on his previous home, a consumer sought a mortgage with three lenders. One lender used Fannie Mae’s DU program to determine if the loan would be eligible for purchase by the agency, but the DU report listed his prior mortgage loan as a foreclosure rather than a short sale. The lender ultimately denied the application, rather than manually underwrite it. Upon reviewing Fannie Mae’s motion for summary judgment, the court noted that in order for the consumer to succeed on his CCRA and FCRA claims, he must establish Fannie Mae is a credit reporting agency. The court rejected the consumer’s attempts to distinguish his case from the recent 9th Circuit decision in Zabriskie v. Fed. Nat’l Mortg. Ass’n, which held that Fannie Mae was not a credit reporting agency under the FCRA. (Covered by InfoBytes here.) The court acknowledged that even though Fannie Mae may have problems with its foreclosure recommendations in the DU system, it does not undercut the conclusion that Fannie Mae operates the DU system to assist lenders in making purchasing decisions, does not “regularly engage[] in . . . the practice of assembling or evaluating” consumer information, and therefore, is not a credit reporting agency.

    Courts Fannie Mae Credit Reporting Agency FCRA Ninth Circuit Appellate Foreclosure

    Share page with AddThis
  • District Court lets credit inquiry suit go forward

    Courts

    On February 19, the U.S. District Court for the District of Maryland denied a bank’s renewed motion to dismiss FCRA claims by a consumer alleging the bank accessed his credit report without a permissible purpose. Specifically, the consumer alleged his credit report included two credit inquires by the bank for “promotional” purposes but that he never received any offers of credit from the bank. According to the consumer, a bank representative told him to dispute the “illegitimate” credit inquiry with the credit reporting agency, and so he filed suit. The bank moved to dismiss, arguing the facts allegedly failed to establish the bank obtained the credit report without a permissible purpose. The court, however, held that the consumer’s allegations that he did not receive an offer of credit and that a representative advised him the inquiry was illegitimate were sufficient to establish—at the motion to dismiss stage—that no firm offer of credit was extended. In response to the bank’s argument that the consumer’s alleged emotional distress damages based on “invasion of privacy” were implausible—because they would have occurred whether or not there was a permissible purpose for the credit pull—the court noted that unauthorized credit disclosures have been “long seen as injurious,” and that the bank cannot attack the harm experienced by the consumer simply because the “harm would still have existed if [the bank] had acted lawfully.”

    Courts FCRA Credit Report Credit Reporting Agency

    Share page with AddThis
  • Massachusetts amends legislation protecting consumers from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach

    Share page with AddThis
  • Massachusetts enacts legislation amending consumer protections from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach

    Share page with AddThis
  • FTC proposes rule to implement free credit monitoring for servicemembers

    Federal Issues

    On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.

    Federal Issues FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Servicemembers

    Share page with AddThis
  • California law requires credit reporting agencies to address security vulnerabilities

    State Issues

    On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis

Pages

Upcoming Events