Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 4, the CFPB released its summer 2020 Supervisory Highlights, which details its supervisory and enforcement actions in the areas of consumer reporting, debt collection, deposits, fair lending, mortgage servicing, and payday lending. The findings of the report, which are published to assist entities in complying with applicable consumer laws, cover examinations that generally were completed between September and December of 2019. Highlights of the examination findings include:
- Consumer Reporting. The Bureau cited violations of the FCRA’s requirement that lenders first establish a permissible purpose before they obtain a consumer credit report. Additionally, the report notes instances where furnishers failed to review account information and other documentation provided by consumers during direct and indirect disputes. The Bureau notes that “[i]nadequate staffing and high daily dispute resolution requirements contributed to the furnishers’ failure to conduct reasonable investigations.”
- Debt Collection. The report states that examiners found one or more debt collectors (i) falsely threatened consumers with illegal lawsuits; (ii) falsely implied that debts would be reported to credit reporting agencies (CRA); and (iii) falsely represented that they operated or were employed by a CRA.
- Deposits. The Bureau discusses violations related to Regulation E and Regulation DD, including requiring waivers of consumers’ error resolution and stop payment rights and failing to fulfill advertised bonus offers.
- Fair Lending. The report notes instances where examiners cited violations of ECOA, including intentionally redlining majority-minority neighborhoods and failing to consider public assistance income when determining a borrower’s eligibility for mortgage modification programs.
- Mortgage Servicing. The Bureau cited violations of Regulation Z and Regulation X, including (i) failing to provide periodic statements to consumers in bankruptcy; (ii) charging forced-placed insurance without a reasonable basis; and (iii) various errors after servicing transfers.
- Payday Lending. The report discusses violations of the Consumer Financial Protection Act for payday lenders, including (i) falsely representing that they would not run a credit check; (ii) falsely threatening lien placement or asset seizure; and (iii) failing to provide required advertising disclosures.
The report also highlights the Bureau’s recently issued rules and guidance, including the various responses to the CARES Act and the Covid-19 pandemic.
On July 27, the FTC announced the DOJ, on behalf of the FTC, filed a complaint in the U.S. District Court for the Central District of California alleging a background report company used misleading billing and marketing practices in violation of several consumer protection laws. According to the complaint, the background report company’s marketing practices included suggesting that individuals’ reports contained arrest, criminal, sexual offender, bankruptcy, and other records that the reports did not actually include. The complaint alleges the company used these practices to induce users to purchase subscriptions to access background reports. The complaint asserts the company’s practices violated the FTC Act by making false or misleading representations about the criminal records of searched individuals, and that the company violated the Telemarketing Sales Rule and the Restore Online Shoppers’ Confidence Act by materially misrepresenting the benefits of a company subscription; the refund and cancelation policies; and the negative-option features of the subscription.
Moreover, the complaint asserts the company qualifies as a consumer reporting agency under the FCRA, as it “regularly assembles and evaluates information on consumers into consumer reports that, for a fee, it then provides to customers online through interstate commerce.” The complaint argues the company violated the FCRA by failing to maintain reasonable procedures to (i) verify how its reports would be used; (ii) ensure the information was accurate; and (iii) make sure that the information it sold would be used only for legally permissible purposes.
The FTC is seeking a permanent injunction, restitution, and civil money penalties.
On June 23, the CFPB announced a settlement with several contract for deed companies to resolve allegations that the defendants violated the FCRA and its implementing Regulation V, as well as the Consumer Financial Protection Act, by, among other things, misrepresenting to consumers the necessary steps to resolve consumer-reporting complaints. Specifically, the CFPB’s investigation revealed that the defendants allegedly told consumers who complained about errors on their consumer reports that they had to file a dispute with the consumer reporting agency, even though Regulation V requires furnishers to investigate written disputes and contact the applicable consumer reporting agency to resolve any errors. According to the CFPB, this was inaccurate as a matter of law and a deceptive practice. In addition, the CFPB claimed that one defendant failed to implement policies and procedures required by Regulation V to protect the accuracy and integrity of furnished consumer information.
Under the terms of the consent order, the defendants will collectively pay a total of $35,000 in civil money penalties and have agreed not to “misrepresent or assist others in misrepresenting, expressly or impliedly, how consumers can initiate disputes concerning their consumer reports.”
On June 19, CFPB Director Kathy Kraninger spoke during a Consumer Data Industry Association webinar, warning information furnishers and consumer reporting agencies (CRAs) that the Bureau has dedicated significant resources toward enforcement of certain provisions of the CARES Act and the FCRA. Specifically, Kraninger emphasized the Bureau’s reliance on consumer complaint data to inform its supervisory and enforcement activity and noted that April and May had the highest monthly complaint volumes in the Bureau’s history, with approximately 7,200 complaints mentioning Covid-19 related terms during that time. Kraninger referenced the Bureau’s April policy statement, which stated the Bureau would take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the [FCRA] and Regulation V” (covered by InfoBytes here). However, Kraninger warned that furnishers are still required to comply with the CARES Act, and that the “Bureau expects CRAs and furnishers to make good faith efforts to investigate disputes as quickly as possible.” According to Kraninger, due to the unique challenges the Covid-19 pandemic has created, the Bureau will evaluate each CRA and furnisher’s respective efforts and circumstances on an individual basis to determine whether it made the good faith effort to investigate as quickly as possible.
On June 16, the CFPB released a set of Frequently Asked Questions (FAQs) concerning the Bureau’s previously issued policy statement addressing consumer reporting agencies’ (CRAs) and furnishers’ credit reporting responsibilities under the CARES Act amendments to the Fair Credit Reporting Act (FCRA). The policy statement also emphasized that the Bureau is taking a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the [FCRA] and Regulation V,” including refraining from citing in examinations or bringing enforcement action against CRAs or furnishers acting in good faith. (Covered by InfoBytes here.)
Addressed within the FAQs are topics for furnishers to consider when complying with the CARES Act requirements. These include: (i) reporting as current certain accounts for consumers affected by the Covid-19 pandemic; (ii) citing or suing furnishers that violate the FCRA by failing to investigate disputes; (iii) defining an “accommodation” for purposes of the FCRA amendments, and clarifying whether furnishers are required to provide accommodations to impacted consumers, and if so, what their consumer reporting obligations will be; (iv) clarifying that “using a special comment code to report a natural or declared disaster or forbearance” is not a substitute for complying with the CARES Act credit reporting requirements; (v) warning that reporting forbearances on accounts that are not delinquent, or for which a consumer has not requested a forbearance, “increases the risks of inaccurate reporting and consumer confusion”; and (vi) specifying account status reporting requirements after a CARES Act accommodation ends.
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
On December 9, the CFPB released a special edition of its fall 2019 Supervisory Highlights, focusing on recent supervisory findings in the areas of consumer reporting and information furnishing to consumer reporting companies (CRCs). This is the second special edition to focus on consumer reporting issues, and follows a report that the Bureau released in March 2017 covered by InfoBytes here. According to the Bureau, recent supervisory reviews of FCRA and Regulation V compliance have identified new violations as well as compliance management system (CMS) weaknesses at CFPB-supervised institutions. However, the Bureau noted that examiners have also observed significant improvements, such as continued investment in FCRA-related CMS.
Highlights of the supervisory findings include:
- Recent examples of CMS weaknesses and FCRA/Regulation V violations (where corrective action has either been taken or is currently being taken) in which one or more (i) mortgage loan furnishers did not maintain policies and procedures “appropriate to the nature, size, complexity, and scope of the furnisher’s activities”; (ii) auto loan furnishers’ policies and procedures failed to provide sufficient guidance for investigating indirect disputes containing allegations of identity theft; (iii) debt collection furnishers’ policies and procedures failed to differentiate between FCRA disputes, FDCPA disputes, or validation requests, leading to a lack of consideration for applicable regulatory requirements when handling these matters; and (iv) deposit account furnishers lacked written policies and procedures for furnishing or validating the information provided to specialty CRCs.
- Examiners found that one or more furnishers provided information they knew, or had reasonable cause to believe, was inaccurate. Examples include inaccurate derogatory status codes due to coding errors and unclear addresses for consumers to submit disputes.
- Examiners discovered several instances where furnishers failed to send prompt notifications to CRCs after determining that information previously furnished was inaccurate, including situations where furnishers failed to promptly update or correct information after consumers paid charged-off balances in full or discharged them in bankruptcy.
- Examiners found that some furnishers reported the incorrect date of the first delinquency in connection with their responsibility to provide notice of delinquent accounts to CRCs.
- Examiners found several instances where furnishers failed to investigate disputes, complete investigations in a timely manner, or notify consumers of certain determinations related to “frivolous or irrelevant” disputes.
The Bureau also discussed supervisory observations concerning CRC compliance with FCRA provisions, and commented that CRCs continue to (i) improve procedures concerning the accuracy of information contained in consumer reports; (ii) implement improvements to prevent consumer reports from being furnished to users who lack a permissible purpose; (iii) strengthen procedures to “block information that a consumer has identified as resulting from an alleged identity theft”; and (iv) investigate and respond to consumer disputes.
On November 22, the CFPB announced a settlement with an employment background screening company resolving allegations that the company violated the FCRA. In the complaint, the Bureau asserts that the company failed to “employ reasonable procedures to assure maximum possible accuracy” in the consumer reports it prepared. Specifically, the Bureau claims that until October 2014, the company matched criminal records with applicants based on only two personal identifiers, which created a “heightened risk of false positives” in commonly named individuals. The company also had a practice of including “high-risk indicators,” sourced from a third party, in its consumer reports and did not follow procedures to verify the accuracy of the designations. Additionally, the Bureau asserts that the company failed to maintain procedures to ensure that adverse public record information was complete and up to date, resulting in reporting outdated adverse information in violation of the FCRA. Under the stipulated judgment, in addition to injunctive relief, the company will be required to pay $6 million in monetary relief to affected consumers and a $2.5 million civil money penalty.
On October 16, the FTC announced that it reached a settlement with a Texas-based company over allegations that it violated the FCRA by failing to take reasonable steps to ensure the accuracy of tenant-screening information furnished to landlords and property managers. The FTC alleges that the company compiled screening reports through an automated system using broad criteria that incorrectly matched applicants to criminal records. Additionally, the company allegedly lacked policies or procedures to assess the accuracy of those results, which led to some renters being turned down for housing. The settlement requires the company to pay $3 million—the largest civil penalty ever assessed by the FTC against a background screening company. In addition, the company must maintain reasonable procedures to ensure consumer reports contain the maximum possible accuracy of information and is subject to compliance, recordkeeping, and reporting requirements.
On September 10, the U.S. Court of Appeals for the 3rd Circuit issued a precedential order reversing in part and affirming in part a lower court’s dismissal of claims brought by three individuals who claimed a company violated the Fair Credit Reporting Act (FCRA) when it failed to provide them with copies of their consumer reports. According to the opinion, the three plaintiffs applied for jobs with the company and were ultimately not hired due to information discovered in their background checks. The plaintiffs filed a putative class action asserting the company did not send them copies of their background checks before it took adverse action when deciding not to hire them, and also failed to provide them with notices of their rights under the FCRA. The district court dismissed the claims against the company, finding there was only a “bare procedural violation,” and not a concrete injury in fact as required under the Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins (covered by a Buckley Sandler Special Alert). On appeal, the 3rd Circuit reversed the lower court’s decision, concluding that the plaintiffs had standing to assert that the company violated the FCRA by taking adverse action without first providing copies of their consumer reports. Additionally, the court noted that “taking an adverse employment action without providing the required consumer report is ‘the very harm that Congress sought to prevent, arising from prototypical conduct proscribed’ by the FCRA.” However, the appellate court affirmed the lower court’s dismissal of the plaintiffs’ claim alleging the company failed to provide them with a notice of their FCRA rights, finding that the claim was a “‘bare procedural violation, divorced from any concrete harm,’” and lacked Article III standing under Spokeo. The 3rd Circuit remanded the case for further proceedings consistent with their findings.
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- Jeffrey P. Naimon to discuss "2021 - A new beginning/what's to come" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "Cyber security, incident response, crisis management" at the Legal & Diversity Summit
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "BSA/AML - Covid impact and regulatory/guidance roundup" at an NAFCU webinar