InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB affirms name-only matching practices violate FCRA
On November 4, the CFPB issued an advisory opinion to express its interpretation that credit reporting companies, including tenant and employment screening companies, are in violation of the FCRA if they engage in the practice of matching consumer records solely by name. According to the Bureau, the use of name-only matching procedures (without the use of other personally identifying information such as address, date of birth, or Social Security number) does not assure maximum possible accuracy of consumer information. The Bureau emphasized that there is a heightened risk of mistaken identity from name-only matching among Hispanic, Black, and Asian communities due to less surname diversity among those populations as compared to the White population. “When background screening companies and their algorithms carelessly assign a false identity to applicants for jobs and housing, they are breaking the law,” Director Rohit Chopra stated. “Error-ridden background screening reports may disproportionately impact communities of color, further undermining an equitable recovery.” The advisory opinion affirms consumer reporting companies’ obligation to use reasonable procedures to assure maximum possible accuracy, and “does not create a safe harbor to use insufficient matching procedures involving multiple identifiers.” Other practices, such as combining a name with date of birth, could also lead to cases of mistaken identity, the Bureau warned. The Bureau will work closely with the FTC to eliminate illegal conduct in the background screening industry, while the FTC may be able to take actions against unfair or deceptive conduct not covered by the CFPA. The Bureau further emphasized that violating the FCRA can lead to civil penalties, restitution, damages, and other relief.
Chopra issued a statement on the Bureau’s intention to curb false identity matching, pointing out that name-only matching is just one example of an inadequate procedure and that nothing in the advisory opinion “suggests that the responsibility to follow reasonable procedures to assure maximum possible accuracy can be met with a thoughtless application of any particular loose matching criteria, even if more than names alone are matched.” He also warned companies they should not try to evade their FCRA responsibilities “by issuing a disclaimer that their report might not be matched to the right person.” Chopra further noted that the Bureau will support the FTC in its work to monitor business models that rely on harvesting and monetizing personal data, as well as big tech companies and lesser-known data brokers that traffic data and consumer reports.
CFPB issues summer supervisory highlights
On June 29, the CFPB released its summer 2021 Supervisory Highlights, which details its supervisory and enforcement actions in the areas of auto loan servicing, consumer reporting, debt collection, deposits, fair lending, mortgage origination and servicing, payday lending, private education loan origination, and student loan servicing. The findings of the report, which are published to assist entities in complying with applicable consumer laws, cover examinations that generally were completed between January and December of 2020. Highlights of the examination findings include:
- Auto Loan Servicing. Bureau examiners identified unfair acts or practices related to lender-placed collateral protection insurance (CPI), including instances where servicers charged unnecessary CPI or charged for CPI after repossession. Examiners also identified unfair acts or practices related to payoff amounts where consumers had ancillary product rebates due, and also found unfair or deceptive acts or practices related to payment application.
- Consumer Reporting. The Bureau found deficiencies in consumer reporting companies’ (CRCs) FCRA compliance related to the following requirements: (i) accuracy; (ii) security freezes applicable to certain CRCs; and (iii) ID theft block requests. Specifically, examiners found that CRCs continued to include information from furnishers despite receiving furnisher dispute responses that “suggested that the furnishers were no longer sources of reliable, verifiable information about consumers.” Additionally, the report noted instances where furnishers failed to update and correct information or conduct reasonable investigations of direct disputes.
- Debt Collection. The report found that examiners found instances of FDCPA violations where debt collectors (i) made calls to a consumer’s workplace; (ii) communicated with third parties; (iii) failed to stop communications after receiving a written request or a refusal to pay; (iv) harassed consumers regarding their inability to pay; (v) communicated, and threatened to communicate, false credit information to CRCs; (vi) made false representations or used deceptive collection means; (vii) entered inaccurate information regarding state interest rate caps into an automated system; (viii) unlawfully initiated wage garnishments; and (ix) failed to send complete validation notices.
- Deposits. The Bureau discussed violations related to Regulation E and Regulation DD, including error resolution violations, issues with provisional credits, failure to investigate, failure to remediate errors, and overdraft opt-in and disclosure violations.
- Fair Lending. The report noted instances where examiners cited violations of HMDA/ Regulation C involving HMDA loan application register inaccuracies, and instances where lenders, among other things, violated ECOA/Regulation B “by engaging in acts or practices directed at prospective applicants that would have discouraged reasonable people in minority neighborhoods in Metropolitan Statistical Areas (MSAs) from applying for credit.”
- Mortgage Origination. The Bureau cited violations of Regulation Z and the CFPA related to loan originator compensation, title insurance disclosures, and deceptive waivers of borrowers’ rights in security deed riders and loan security agreements.
- Mortgage Servicing. The Bureau cited violations of Regulation X, including those related to dual tracking violations, misrepresentations regarding foreclosure timelines, and PMI terminations.
- Payday Lending. The report discussed violations of the CFPA for payday lenders, including falsely representing an intent to sue or that a credit check would not be run, and presenting deceptive repayment options to borrowers that were contractually eligible for no-cost repayment plans.
- Private Education Loan Origination. Bureau examiners identified deceptive acts or practices related to the marketing of private education loan rates.
- Student Loan Servicing. Bureau examiners found several types of misrepresentations servicers made regarding consumer eligibility for the Public Service Loan Forgiveness (PSLF) program, and identified unfair acts or practices related to a servicer’s “failure to reverse negative consequences of automatic natural disaster forbearances.” Additionally, examiners identified unfair act or practices related to failing to honor consumer payment allocation instructions or providing inaccurate monthly payment amounts to consumers after a loan transfer.
The report also highlights recent supervisory program developments and enforcement actions.
CFPB issues Covid-19 supervisory highlights
On January 19, the CFPB released a special edition of Supervisory Highlights detailing the agency’s Covid-19 prioritized assessment (PA) observations. Since May 2020, the Bureau has conducted PAs in response to the pandemic in order to obtain real-time information from supervised entities operating in markets that pose an elevated risk of pandemic-related consumer harm. According to the Bureau, the PAs are not designed to identify federal consumer financial law violations, but are intended to spot and assess risks in order to prevent consumer harm. Targeted information requests were sent to entities seeking information on, among other things, ways entities are assisting and communicating with consumers, Covid-19-related institutional challenges, compliance management system changes made in response to the pandemic, and service provider data. Highlights of the Bureau’s findings include:
- Mortgage servicing. The CARES Act established certain forbearance protections for homeowners. The Bureau pointed out that many servicers faced significant challenges, including operational constraints, resource burdens, and service interruptions. Consumer risks were also present, with several servicers (i) providing incomplete or inaccurate information regarding CARES Act forbearances, failing to timely process forbearance requests, or enrolling borrowers in unwanted or automatic forbearances; (ii) sending collection and default notices, assessing late fees, and initiating foreclosures for borrowers in forbearance; (iii) inaccurately handling borrowers’ preauthorized electronic funds transfers; and (iv) failing to take appropriate loss mitigation steps.
- Auto loan servicing. The Bureau noted that many auto loan servicers provided insufficient information to borrowers about the impact of interest accrual during deferment periods, while other servicers continued to withdraw funds for monthly payments even after agreeing to deferments. Additionally, certain borrowers received repossession notices even though servicers had suspended repossession operations during this time.
- Student loan servicing. The CARES Act established protections for certain student loan borrowers, including reduced interest rates and suspended monthly payments for most federal loans owned by the Department of Education. Many private student loan holders also offered payment relief options. The Bureau noted however that servicers faced significant challenges in implementing these protections. For certain servicers, these challenges led to issues which raised the risk of consumer harm, including (i) provision of incorrect or incomplete payment relief options; (ii) failing to maintain regular call center hours; (iii) failing to respond to forbearance extension requests; and (iv) allowing certain payment allocation errors and preauthorized electronic funds transfers.
- Small business lending. The Bureau discussed the Small Business Administration’s Paycheck Protection Program (PPP), noting that when “implementing the PPP, multiple lenders adopted a policy that restricted access to PPP loans beyond the eligibility requirements of the CARES Act and rules and orders issued by the SBA.” The Bureau encouraged lenders to consider and address any fair lending risks associated with PPP lending.
The Supervisory Highlights also examined areas related to credit card accounts, consumer reporting and furnishing, debt collection, deposits, prepaid accounts, and small business lending.
CFPB issues Summer 2020 Supervisory Highlights
On September 4, the CFPB released its summer 2020 Supervisory Highlights, which details its supervisory and enforcement actions in the areas of consumer reporting, debt collection, deposits, fair lending, mortgage servicing, and payday lending. The findings of the report, which are published to assist entities in complying with applicable consumer laws, cover examinations that generally were completed between September and December of 2019. Highlights of the examination findings include:
- Consumer Reporting. The Bureau cited violations of the FCRA’s requirement that lenders first establish a permissible purpose before they obtain a consumer credit report. Additionally, the report notes instances where furnishers failed to review account information and other documentation provided by consumers during direct and indirect disputes. The Bureau notes that “[i]nadequate staffing and high daily dispute resolution requirements contributed to the furnishers’ failure to conduct reasonable investigations.”
- Debt Collection. The report states that examiners found one or more debt collectors (i) falsely threatened consumers with illegal lawsuits; (ii) falsely implied that debts would be reported to credit reporting agencies (CRA); and (iii) falsely represented that they operated or were employed by a CRA.
- Deposits. The Bureau discusses violations related to Regulation E and Regulation DD, including requiring waivers of consumers’ error resolution and stop payment rights and failing to fulfill advertised bonus offers.
- Fair Lending. The report notes instances where examiners cited violations of ECOA, including intentionally redlining majority-minority neighborhoods and failing to consider public assistance income when determining a borrower’s eligibility for mortgage modification programs.
- Mortgage Servicing. The Bureau cited violations of Regulation Z and Regulation X, including (i) failing to provide periodic statements to consumers in bankruptcy; (ii) charging forced-placed insurance without a reasonable basis; and (iii) various errors after servicing transfers.
- Payday Lending. The report discusses violations of the Consumer Financial Protection Act for payday lenders, including (i) falsely representing that they would not run a credit check; (ii) falsely threatening lien placement or asset seizure; and (iii) failing to provide required advertising disclosures.
The report also highlights the Bureau’s recently issued rules and guidance, including the various responses to the CARES Act and the Covid-19 pandemic.
FTC takes action against background check company for misleading practices
On July 27, the FTC announced the DOJ, on behalf of the FTC, filed a complaint in the U.S. District Court for the Central District of California alleging a background report company used misleading billing and marketing practices in violation of several consumer protection laws. According to the complaint, the background report company’s marketing practices included suggesting that individuals’ reports contained arrest, criminal, sexual offender, bankruptcy, and other records that the reports did not actually include. The complaint alleges the company used these practices to induce users to purchase subscriptions to access background reports. The complaint asserts the company’s practices violated the FTC Act by making false or misleading representations about the criminal records of searched individuals, and that the company violated the Telemarketing Sales Rule and the Restore Online Shoppers’ Confidence Act by materially misrepresenting the benefits of a company subscription; the refund and cancelation policies; and the negative-option features of the subscription.
Moreover, the complaint asserts the company qualifies as a consumer reporting agency under the FCRA, as it “regularly assembles and evaluates information on consumers into consumer reports that, for a fee, it then provides to customers online through interstate commerce.” The complaint argues the company violated the FCRA by failing to maintain reasonable procedures to (i) verify how its reports would be used; (ii) ensure the information was accurate; and (iii) make sure that the information it sold would be used only for legally permissible purposes.
The FTC is seeking a permanent injunction, restitution, and civil money penalties.
CFPB settles with contract for deed companies on credit reporting violations
On June 23, the CFPB announced a settlement with several contract for deed companies to resolve allegations that the defendants violated the FCRA and its implementing Regulation V, as well as the Consumer Financial Protection Act, by, among other things, misrepresenting to consumers the necessary steps to resolve consumer-reporting complaints. Specifically, the CFPB’s investigation revealed that the defendants allegedly told consumers who complained about errors on their consumer reports that they had to file a dispute with the consumer reporting agency, even though Regulation V requires furnishers to investigate written disputes and contact the applicable consumer reporting agency to resolve any errors. According to the CFPB, this was inaccurate as a matter of law and a deceptive practice. In addition, the CFPB claimed that one defendant failed to implement policies and procedures required by Regulation V to protect the accuracy and integrity of furnished consumer information.
Under the terms of the consent order, the defendants will collectively pay a total of $35,000 in civil money penalties and have agreed not to “misrepresent or assist others in misrepresenting, expressly or impliedly, how consumers can initiate disputes concerning their consumer reports.”
Kraninger emphasizes need for FCRA and CARES Act compliance
On June 19, CFPB Director Kathy Kraninger spoke during a Consumer Data Industry Association webinar, warning information furnishers and consumer reporting agencies (CRAs) that the Bureau has dedicated significant resources toward enforcement of certain provisions of the CARES Act and the FCRA. Specifically, Kraninger emphasized the Bureau’s reliance on consumer complaint data to inform its supervisory and enforcement activity and noted that April and May had the highest monthly complaint volumes in the Bureau’s history, with approximately 7,200 complaints mentioning Covid-19 related terms during that time. Kraninger referenced the Bureau’s April policy statement, which stated the Bureau would take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the [FCRA] and Regulation V” (covered by InfoBytes here). However, Kraninger warned that furnishers are still required to comply with the CARES Act, and that the “Bureau expects CRAs and furnishers to make good faith efforts to investigate disputes as quickly as possible.” According to Kraninger, due to the unique challenges the Covid-19 pandemic has created, the Bureau will evaluate each CRA and furnisher’s respective efforts and circumstances on an individual basis to determine whether it made the good faith effort to investigate as quickly as possible.
CFPB issues CARES Act credit reporting FAQs
On June 16, the CFPB released a set of Frequently Asked Questions (FAQs) concerning the Bureau’s previously issued policy statement addressing consumer reporting agencies’ (CRAs) and furnishers’ credit reporting responsibilities under the CARES Act amendments to the Fair Credit Reporting Act (FCRA). The policy statement also emphasized that the Bureau is taking a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the [FCRA] and Regulation V,” including refraining from citing in examinations or bringing enforcement action against CRAs or furnishers acting in good faith. (Covered by InfoBytes here.)
Addressed within the FAQs are topics for furnishers to consider when complying with the CARES Act requirements. These include: (i) reporting as current certain accounts for consumers affected by the Covid-19 pandemic; (ii) citing or suing furnishers that violate the FCRA by failing to investigate disputes; (iii) defining an “accommodation” for purposes of the FCRA amendments, and clarifying whether furnishers are required to provide accommodations to impacted consumers, and if so, what their consumer reporting obligations will be; (iv) clarifying that “using a special comment code to report a natural or declared disaster or forbearance” is not a substitute for complying with the CARES Act credit reporting requirements; (v) warning that reporting forbearances on accounts that are not delinquent, or for which a consumer has not requested a forbearance, “increases the risks of inaccurate reporting and consumer confusion”; and (vi) specifying account status reporting requirements after a CARES Act accommodation ends.
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
CFPB issues Supervisory Highlights special edition on consumer reporting
On December 9, the CFPB released a special edition of its fall 2019 Supervisory Highlights, focusing on recent supervisory findings in the areas of consumer reporting and information furnishing to consumer reporting companies (CRCs). This is the second special edition to focus on consumer reporting issues, and follows a report that the Bureau released in March 2017 covered by InfoBytes here. According to the Bureau, recent supervisory reviews of FCRA and Regulation V compliance have identified new violations as well as compliance management system (CMS) weaknesses at CFPB-supervised institutions. However, the Bureau noted that examiners have also observed significant improvements, such as continued investment in FCRA-related CMS.
Highlights of the supervisory findings include:
- Recent examples of CMS weaknesses and FCRA/Regulation V violations (where corrective action has either been taken or is currently being taken) in which one or more (i) mortgage loan furnishers did not maintain policies and procedures “appropriate to the nature, size, complexity, and scope of the furnisher’s activities”; (ii) auto loan furnishers’ policies and procedures failed to provide sufficient guidance for investigating indirect disputes containing allegations of identity theft; (iii) debt collection furnishers’ policies and procedures failed to differentiate between FCRA disputes, FDCPA disputes, or validation requests, leading to a lack of consideration for applicable regulatory requirements when handling these matters; and (iv) deposit account furnishers lacked written policies and procedures for furnishing or validating the information provided to specialty CRCs.
- Examiners found that one or more furnishers provided information they knew, or had reasonable cause to believe, was inaccurate. Examples include inaccurate derogatory status codes due to coding errors and unclear addresses for consumers to submit disputes.
- Examiners discovered several instances where furnishers failed to send prompt notifications to CRCs after determining that information previously furnished was inaccurate, including situations where furnishers failed to promptly update or correct information after consumers paid charged-off balances in full or discharged them in bankruptcy.
- Examiners found that some furnishers reported the incorrect date of the first delinquency in connection with their responsibility to provide notice of delinquent accounts to CRCs.
- Examiners found several instances where furnishers failed to investigate disputes, complete investigations in a timely manner, or notify consumers of certain determinations related to “frivolous or irrelevant” disputes.
The Bureau also discussed supervisory observations concerning CRC compliance with FCRA provisions, and commented that CRCs continue to (i) improve procedures concerning the accuracy of information contained in consumer reports; (ii) implement improvements to prevent consumer reports from being furnished to users who lack a permissible purpose; (iii) strengthen procedures to “block information that a consumer has identified as resulting from an alleged identity theft”; and (iv) investigate and respond to consumer disputes.