Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • District Court cites 9th Circuit, holds Fannie Mae is not a CRA

    Courts

    On February 26, the U.S. District Court for the Northern District of California granted summary judgment in favor of Fannie Mae in an action brought by a consumer alleging that Fannie Mae violated the California Consumer Credit Reporting Agencies Act (CCCRA) and the Fair Credit Reporting Act (FCRA) by prohibiting lenders from providing consumers a copy of Fannie Mae’s Desktop Underwriter (DU) report. According to the opinion, two years after completing a short sale on his previous home, a consumer sought a mortgage with three lenders. One lender used Fannie Mae’s DU program to determine if the loan would be eligible for purchase by the agency, but the DU report listed his prior mortgage loan as a foreclosure rather than a short sale. The lender ultimately denied the application, rather than manually underwrite it. Upon reviewing Fannie Mae’s motion for summary judgment, the court noted that in order for the consumer to succeed on his CCRA and FCRA claims, he must establish Fannie Mae is a credit reporting agency. The court rejected the consumer’s attempts to distinguish his case from the recent 9th Circuit decision in Zabriskie v. Fed. Nat’l Mortg. Ass’n, which held that Fannie Mae was not a credit reporting agency under the FCRA. (Covered by InfoBytes here.) The court acknowledged that even though Fannie Mae may have problems with its foreclosure recommendations in the DU system, it does not undercut the conclusion that Fannie Mae operates the DU system to assist lenders in making purchasing decisions, does not “regularly engage[] in . . . the practice of assembling or evaluating” consumer information, and therefore, is not a credit reporting agency.

    Courts Fannie Mae Credit Reporting Agency FCRA Ninth Circuit Appellate Foreclosure

    Share page with AddThis
  • District Court lets credit inquiry suit go forward

    Courts

    On February 19, the U.S. District Court for the District of Maryland denied a bank’s renewed motion to dismiss FCRA claims by a consumer alleging the bank accessed his credit report without a permissible purpose. Specifically, the consumer alleged his credit report included two credit inquires by the bank for “promotional” purposes but that he never received any offers of credit from the bank. According to the consumer, a bank representative told him to dispute the “illegitimate” credit inquiry with the credit reporting agency, and so he filed suit. The bank moved to dismiss, arguing the facts allegedly failed to establish the bank obtained the credit report without a permissible purpose. The court, however, held that the consumer’s allegations that he did not receive an offer of credit and that a representative advised him the inquiry was illegitimate were sufficient to establish—at the motion to dismiss stage—that no firm offer of credit was extended. In response to the bank’s argument that the consumer’s alleged emotional distress damages based on “invasion of privacy” were implausible—because they would have occurred whether or not there was a permissible purpose for the credit pull—the court noted that unauthorized credit disclosures have been “long seen as injurious,” and that the bank cannot attack the harm experienced by the consumer simply because the “harm would still have existed if [the bank] had acted lawfully.”

    Courts FCRA Credit Report Credit Reporting Agency

    Share page with AddThis
  • Massachusetts amends legislation protecting consumers from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach

    Share page with AddThis
  • Massachusetts enacts legislation amending consumer protections from security breaches

    State Issues

    On January 10, the Massachusetts Governor signed HB 4806, following the House and Senate’s adoption of amendments to the bill. The bill, which is effective April 10, amends current law related to security breaches and the protection of consumer financial and credit information. Among other provisions, the amendments to the current law:

    • Prohibit users from requesting or obtaining the consumer credit report of a consumer unless the user obtains the consumer’s prior written, verbal, or electronic consent, and discloses the user's reason for accessing the consumer report to the consumer prior to obtaining consent.
    • Require every consumer reporting agency to disclose to consumers, when properly identified, (i) the nature, contents, and substance of all information on file (except medical information) at the time of the request; (ii) the sources of all credit information; and (iii) “the recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request.”
    • State that a consumer reporting agency may not charge a fee to any consumer for placing, lifting, or removing a security freeze from a consumer report.
    • Specify that a consumer reporting agency may not “knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit.”
    • Require persons who experience a security breach to report specific information to the state Attorney General, as well as certify that their credit monitoring services are in compliance.
    • State that consumers shall receive notice provisions in the event of a breach of security, including the right to obtain police reports, steps for requesting a security freeze, and various mitigation services.
    • Require persons who experience a breach that compromises social security numbers to provide at least 18 months of free credit monitoring for affected individuals.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Security Freeze Data Breach

    Share page with AddThis
  • FTC proposes rule to implement free credit monitoring for servicemembers

    Federal Issues

    On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.

    Federal Issues FTC EGRRCPA Credit Reporting Agency Credit Monitoring Federal Register Servicemembers

    Share page with AddThis
  • California law requires credit reporting agencies to address security vulnerabilities

    State Issues

    On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.

    State Issues State Legislation Credit Reporting Agency Privacy/Cyber Risk & Data Security Data Breach

    Share page with AddThis
  • Free security freezes available nationwide

    Federal Issues

    On September 21, the FTC announced the nationwide availability of free security freezes and one-year fraud alerts, which were authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA). Specifically, Section 301 of EGRRCPA prohibits a national credit reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also allows parents to obtain a free credit freeze for any of their children who are under 16, and guardians, conservators, and those with a valid power of attorney can obtain a free freeze for the person for whom they have legal authority to act. Additionally, Section 301 extends the duration of the free fraud alert from 90 days to one year. Consumers are required to contact all three nationwide credit reporting agencies to place the security freeze, but only are required to contact one of the three for the fraud alert, as each bureau is obligated to notify the others of a fraud alert.

    Federal Issues FTC Security Freeze Fraud Credit Reporting Agency EGRRCPA S. 2155 Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • CFPB studies geographic patterns in credit invisibility

    Consumer Finance

    On September 19, the CFPB released a new Data Point report from the Office of Research titled, “The Geography of Credit Invisibility,” which examines geographic patterns in the prevalence of “credit invisible” consumers, a term for those who do not have a credit record maintained by a national credit reporting agency, or have a credit record that is deemed to have too little or too old of information to be treated as “scorable” by widely used credit scoring models. The report studies whether the geographic location of a consumer’s residence is correlated with the likelihood of remaining credit invisible and aims to “aid policymakers and advance the conversation around potential causes and solutions.” Among other things, the report found:

    • credit invisibility may be higher for geographic tracts near universities due to their concentration of adults under 25 who may not have established a credit record yet;
    • rural areas have the most credit invisibility per capita;
    • consumers are less likely to use a credit card as an entry product to establishing a credit record in rural and low-to-moderate income areas;
    • credit invisibility was more prevalent in areas with less internet access as many products are originated through online services; and
    • there is little relationship between distance to the nearest bank branch and the occurrence of credit invisibility.

    The CFPB previously published two other Data Point reports on the subject: “Credit Invisibles” in 2015 and “Becoming Credit Visible” in 2017.

    Consumer Finance CFPB Research Credit Reporting Agency

    Share page with AddThis
  • 8th Circuit holds employee failed to plead injuries in FCRA suit against employer, law firm, and credit reporting agency

    Courts

    On September 6, the U.S. Court of Appeals for the 8th Circuit held that an employee lacked standing to bring claims under the Fair Credit Reporting Act (FCRA) because she failed to sufficiently plead she suffered injuries. An employee brought a lawsuit against her former employer, a law firm, and a credit reporting agency (defendants) alleging various violations of the FCRA after the employee’s credit report that was obtained as part of the hiring process background check was provided to the employee in response to her records request in a wrongful termination lawsuit she had filed. The district court dismissed the claims against the employer and the law firm and granted judgment on the pleadings for the credit reporting agency. Upon appeal, the 8th Circuit, citing the Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins (covered by a Buckley Sandler Special Alert), concluded the former employee lacked Article III standing to bring the claims. The court found that the former employee authorized her employer to obtain the credit report and failed to allege the report was used for unauthorized purposes, therefore there was no intangible injury to her privacy. Additionally, the court determined that the injuries to her “reputational harm, compromised security, and lost time” were “‘naked assertion[s]’ of reputational harm, ‘devoid of further factual enhancement.’” As for claims against the law firm and credit reporting agency, the court found that the injury was too speculative as to the alleged failures to take reasonable measures to dispose of her information. Further, whether the credit reporting agency met all of its statutory obligations to ensure the report was for a permissible purpose was irrelevant, as she suffered no injury because she provided the employer with consent to obtain her credit report.

    Courts FCRA Eighth Circuit Appellate Spokeo Credit Reporting Agency Standing

    Share page with AddThis
  • 6th Circuit holds that failing to report a trial modification plan can constitute incomplete reporting under FCRA

    Courts

    On August 23, the U.S. Court of Appeals for the 6th Circuit held that a borrower met the requirements necessary for a Fair Credit Reporting Act (FCRA) claim to proceed when two mortgage servicers failed to report the existence of a trial modification plan when reporting the borrower was delinquent to reporting agencies. In 2014, a borrower brought an action against three credit reporting agencies and two mortgage servicers alleging, among other claims, violations of the FCRA due to payments being reported as past due while successfully making payments under a trial modification plan (also referred to as a Trial Period Plan, or “TPP”) and working towards a permanent modification. Regarding the FCRA claim, the 6th Circuit reversed the lower court’s decision granting the servicers’ motion for summary judgment, finding that the borrower met the statutory requirements for an FCRA claim because failing to report the existence of a TPP can constitute “incomplete reporting” in violation of the statute. The 6th Circuit rejected the servicers’ argument that the Home Affordable Modification Program guidelines “encouraged, but did not require” that they report a TPP. The court acknowledged this distinction but noted that “[r]eporting that [a borrower] was delinquent on his loan payments without reporting the TPP implies a much greater degree of financial irresponsibility than was present here.” The court remanded the case to the district court to determine whether the servicers conducted a reasonable investigation after the borrower disputed the reporting.

    Courts Sixth Circuit Mortgages Loss Mitigation Mortgage Servicing Credit Report Credit Reporting Agency FCRA HAMP Consumer Finance

    Share page with AddThis

Pages

Upcoming Events