
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB Releases Examination Procedures for Consumer Reporting Agencies

    Consumer Finance

    On September 5, the CFPB released procedures to guide its staff in examining “larger participant” consumer reporting agencies (CRAs). In July, the CFPB adopted a rule that will allow it to supervise CRAs with more than $7 million in annual receipts from consumer reporting activities starting September 30, 2012. The procedures outline how examiners should assess a CRA’s compliance with federal requirements, primarily under the Fair Credit Reporting Act, relating to (i) using and providing accurate consumer information, (ii) handling consumer disputes, (iii) providing disclosures to consumers, and (iv) preventing fraud and identity theft. While the procedures focus on issues specific to consumer reporting, they include a module that directs examiners to consider whether a CRA offers any other consumer financial product or service that creates other risks to consumers, particularly with regard to Gramm-Leach-Bliley privacy requirements and potential unfair, deceptive, or abusive acts or practices (UDAAP violations).

    CFPB Nonbank Supervision Consumer Reporting

  • Ninth Circuit Holds Reporting Fraudulent Accounts As Lost or Stolen May Violate FCRA

    Consumer Finance

    On August 7, the U.S. Court of Appeals for the Ninth Circuit revived a consumer’s suit against his bank and a consumer reporting agency (CRA) in which he alleges that the bank and CRA violated FCRA in connection with a fraudulent account opened in the consumer’s name. Drew v. Equifax Info. Servs. LLC, No. 11-15008, 2012 WL 3186110 (9th Cir. Aug. 7, 2012). The consumer claims that though his account was actually fraudulent, the bank reported it as lost or stolen. He alleges the bank violated FCRA when, after receiving a “fraud block notification” from the CRA, the bank (i) failed to conduct a sufficient investigation, (ii) continued to report the fraudulent account as belonging to the consumer, and (iii) reported the fraudster’s address as the consumer’s address. The district court granted summary judgment on these claims in favor of the bank and granted summary judgment to the CRA based on its argument that the consumer’s claims exceeded the statute of limitations. The appeals court agreed that the bank’s investigation was legally sufficient, but held that material issues of fact remained with regard to the consumer’s other claims. The court reasoned that a jury could find (i) that reporting a fraudulently opened account as a lost or stolen account belonging to the consumer was untrue or facially inaccurate in violation of FCRA and (ii) that reporting the fraudster’s address as the consumer’s address violated FCRA’s requirement to correct inaccurate information. The court also found that the consumer presented evidence of emotional distress sufficient to allege emotional damages, and that such damages are cognizable under FCRA. Finally, the court held that facts regarding the timing of the consumer’s knowledge remain in dispute and overturned the district court’s holding that the consumer’s suit exceeded the statute of limitations.

    FCRA Consumer Reporting

  • House Members Seek Information from Data Brokers

    Fintech

    On July 24, a bipartisan group of members of the House of Representatives, led by Representatives Barton (R-TX) and Markey (D-MA), sent letters to nine firms the members identified as “major data brokerage companies.” The letters ask each firm to provide information about how it collects, assembles, and sells consumer information. Among the series of specific inquiries, the letters seek information about collection processes and sources, data security measures, and consumer fees and notices. The House members asked each company to respond by August 15, 2012.

    Consumer Reporting Privacy/Cyber Risk & Data Security

  • CFPB Finalizes Rule to Supervise "Larger Participant" Consumer Reporting Agencies

    Consumer Finance

    On July 16, the CFPB finalized a rule that will allow it to begin supervising certain consumer reporting agencies (CRAs). Under the Dodd-Frank Act, the CFPB has authority to supervise, regardless of size, nonbanks offering (i) certain mortgage-related products and services, (ii) private education loans, and (iii) payday loans. The CFPB also has the power to supervise “larger participants” in any other market for consumer financial products or services, provided that it first conducts a rulemaking to define “larger participants.” Under this first “larger participant” rule, the CFPB will have supervisory authority over CRAs with more than $7 million in annual receipts from consumer reporting activities, effective September 30, 2012. The CFPB believes that the $7 million threshold will cover 30 companies that account for 94% of total industry receipts. The final rule is divided into two parts: (i) Subpart A sets the definitions and other terms applicable to the CFPB’s supervision of “larger participants” in general, and (ii) Subpart B identifies the market, terms, and “larger participant” test for the CRA industry. This latter part will be expanded for each new market the CFPB opts to supervise under its “larger participant” authority. While the rule as proposed also included a threshold for use in identifying “larger participants” in the debt collection market, the CFPB has postponed issuance of the final debt collection “larger participant” rule until the fall. The CFPB described the final rule as “the first in a series of rules to define larger participants of other markets.”

    CFPB Dodd-Frank Nonbank Supervision Debt Collection Consumer Reporting

  • FTC Settles FCRA Charges Against Data Broker

    Fintech

    On June 12, the FTC announced that a data broker agreed to settle charges that it marketed and sold consumer profiles to companies engaged in human resources, background screening, and recruiting without taking steps to protect consumer information as required by FCRA. The FTC claimed that the data broker operated as a consumer reporting agency and violated FCRA when it failed to ensure that the information it compiled and sold would be used only for permissible purposes. The broker also allegedly failed to ensure that consumer information it sold was accurate and failed to inform buyers of their FCRA obligations. Among other things, the settlement requires the data broker to pay an $800,000 civil penalty and prohibits the firm from any future violations of FCRA.

    FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • FTC, CFPB, DOJ File Brief in Suit Challenging FCRA Constitutionality

    Consumer Finance

    On May 8, the FTC announced that it had joined the CFPB and the DOJ to file a brief supporting the constitutionality of the Fair Credit Reporting Act (FCRA). The brief was filed in a lawsuit in the U.S. District Court for the Eastern District of Pennsylvania in which a consumer alleged that a consumer reporting agency (CRA) violated FCRA by reporting on arrest records that were more than seven years old. Responding to these allegations, the CRA argued that the Supreme Court’s decision in Sorrell v. IMS Health, Inc., 131 S. Ct. 2653 (2011), rendered FCRA’s seven-year limitation unconstitutional under the First Amendment. The federal entities’ brief counters that Sorrell does not alter the test for commercial speech restrictions established in Central Hudson Gas and Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980). It goes on to argue that, under this test, the government has a substantial interest in protecting individuals’ privacy and that FCRA protects this interest while accommodating businesses’ competing interest in obtaining complete information about potential borrowers.

    CFPB FTC FCRA Consumer Reporting Privacy/Cyber Risk & Data Security

  • Tenth Circuit Permits Trade Group Challenge to New Mexico Fair Credit Reporting Act

    State Issues

    On May 7, the U.S. Court of Appeals for the Tenth Circuit published an opinion that a trade group has standing to sue the Attorney General of New Mexico over that state’s credit reporting and identity theft requirements. Consumer Data Industry Assoc. v. King, No. 11-2085, 2012 WL 1573563 (10th Cir. May 7, 2012). In 2010, New Mexico enacted the Fair Credit Reporting and Identity Security Act, which, among other things, requires consumer reporting agencies (CRAs) to honor a consumer’s request to remove credit report information resulting from identity theft until told otherwise by a court or the requesting consumer. The Consumer Data Industry Association (CDIA) challenged the law on behalf of its members, arguing that the state law is preempted by the federal Fair Credit Reporting Act (FCRA). Under FCRA, a CRA can deny a consumer request to remove information based on identity theft if the CRA reasonably determines that the request is fraudulent or erroneous. The district court held that the CDIA failed to prove redressability and therefore lacked constitutional standing to sue. The Tenth Circuit vacated the district court holding and ordered further proceedings. It found that federal courts consistently have found a case or controversy in suits between private parties subject to enforcement and the state entity responsible for enforcement and that if a plaintiff faces a credible threat of enforcement, redressability is established. Here, the court held, the threat of enforcement faced by the CDIA members is sufficient to provide standing to sue for both injunctive and declaratory relief.

    FCRA Consumer Reporting Privacy/Cyber Risk & Data Security
