Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • CFPB publishes list of consumer reporting companies

    Federal Issues

    On January 27, the CFPB released its annual list of consumer reporting companies, which identifies reporting companies that collect and sell access to people’s data. According to the CFPB, the list can be used “to see what information these firms have, dispute inaccuracies, and file lawsuits if the firms are violating the Fair Credit Reporting Act.” The list also, among other things, permits people to identify which companies provide this information at no cost, as well as search for those that provide specialized reporting by certain markets, including employment, tenant, insurance, and medical. According to a blog post published by the CFPB, features of the list include, among other things: (i) information on how to request a report; (ii) tips for checking specialty reports; and (iii) identity verification information. The CFPB also noted that it previously highlighted consumer complaints concerning nationwide reporting companies. As previously covered by InfoBytes, the CFPB released a report, pursuant to Section 611(e)(5) of the FCRA, covering certain consumer complaints transmitted by the Bureau concerning the three largest nationwide consumer reporting agencies.

    Federal Issues CFPB Consumer Finance Credit Report Consumer Reporting Agency

  • CFPB reports on NCRA’s complaint responsiveness

    Federal Issues

    On January 5, the CFPB released a report, pursuant to Section 611(e)(5) of the FCRA, on information gathered by the Bureau on certain consumer complaints transmitted by the Bureau to the three largest nationwide consumer reporting agencies (NCRAs). According to the report, the CFPB received over 800,000 credit or consumer reporting complaints between January 2020 to September 2021, and of the complaints, over 700,000 were submitted about the same three NCRAs discussed in the report. According to the Bureau, complaints submitted about the NCRAs accounted for over 50 percent of all complaints received by the Bureau in 2020 and over 60 percent in 2021. The Bureau’s analysis revealed that consumers submitted more complaints in each complaint session and are increasingly returning to the Bureau’s complaint process, with a significant amount of complaints regarding inaccurate information on their credit and consumer reports. The CFPB found that the NCRAs reported relief in less than 2 percent of complaints, which is down from approximately 25 percent of complaints in 2019. Additionally, consumers most frequently complained that the inaccurate information belongs to other individuals, and consumers often described being victims of identity theft. The Bureau, in addition to pointing out how the NCRAs are “fail[ing] to meet [their] statutory obligations” under the FCRA, also noted that medical debts are an “unnavigable quagmire” and needs to be addressed. It reported that the NCRAs “do not take available steps to distinguish between complaints authorized by the consumer and those not authorized by the consumer.” The Bureau also mentioned issues that consumers face when attempting to dispute information on their credit reports, such as, among other things: (i) unsuccessfully disputing information in a timely manner; (ii) frequently expending resources to correct inaccuracies; and (iii) and finding themselves caught between furnishers and NCRAs when attempting to resolve disputes. Other highlights of the report include noting that the NCRA rely “heavily” on utilizing template responses to complaints, despite having 60 days to respond, and that two of the NCRAs mentioned in the report do not give “substantive responses to consumers’ complaints if they suspected that a third-party was involved in submitting a complaint.”

    Federal Issues CFPB Consumer Finance Consumer Reporting Agency Credit Furnishing FCRA

  • CFPB reaches $850,000 settlement with debt collectors

    Courts

    On October 26, the U.S. District Court for the District of Maryland entered a stipulated final judgment and order against defendants (a debt collection entity, its subsidiaries, and their owner) in an action alleging FCRA and FDCPA violations. As previously covered by InfoBytes, the Bureau filed a complaint against the defendants in 2019 with alleged violations that included, among other things, the defendants’ failure to ensure accurate reporting to consumer-reporting agencies (CRAs), failure to conduct reasonable investigations and review relevant information when handling indirect disputes, and failure to conduct investigations into the accuracy of information after receiving identity theft reports before furnishing such information to CRAs. The Bureau separately alleged that the FCRA violations constitute violations of the CFPA, and that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts.

    Under the terms of the order, the defendants—who neither admitted nor denied any of the allegations except as specified in the order—are required to, among other things, (i) update existing policies and procedures to ensure information is accurate before it is furnished to a CRA or before commencing collections on an account; (ii) ensure policies and procedures are designed to address trends in disputes; and (iii) hire an independent consultant, subject to the CFPB Enforcement Director’s non-objection, to conduct a review to ensure management-level oversight and FCRA and FDCPA compliance. The defendants must also submit a compliance plan and pay an $850,000 civil money penalty.

    Courts CFPB Enforcement FCRA FDCPA Consumer Reporting Agency Credit Report Debt Collection CFPA

  • CFPB, FTC, and North Carolina argue public records website does not qualify for Section 230 immunity

    Courts

    On October 14, the CFPB, FTC, and the North Carolina Department of Justice filed an amicus brief in support of the consumer plaintiffs in Henderson v. The Source for Public Data, L.P., arguing that a public records website, its founder, and two affiliated entities (collectively, “defendants”) cannot use Section 230 liability protections to shield themselves from credit reporting violations. The case is currently on appeal before the U.S. Court of Appeals for the Fourth Circuit after a district court determined that the immunity afforded by Section 230 of the Communication and Decency Act applied to the FCRA and that the defendants qualified for such immunity and could not be held liable for allegedly disseminating inaccurate information and failing to comply with the law’s disclosure requirements.

    The plaintiffs alleged, among other things, that because the defendants’ website collects, sorts, summarizes, and assembles public record information into reports that are available for third parties to purchase, it qualifies as a consumer reporting agency under the FCRA. According to the amicus brief, the plaintiffs’ claims do not seek to hold the defendants liable on the basis of the inaccurate data but rather rest on the defendants’ alleged “failure to follow the process-oriented requirements that the FCRA imposes on consumer reporting agencies.” According to plaintiffs, the defendants, among other things, (i) failed to adopt procedures to assure maximum possible accuracy when preparing reports; (ii) refused to provide plaintiffs with copies of their reports upon request; (iii) failed to obtain required certifications from its customers; and (iv) failed to inform plaintiffs they were furnishing criminal information about them for background purposes. The defendants argued that they qualified for Section 230 immunity. The 4th Circuit is now reviewing whether a consumer lawsuit alleging FCRA violations seeking to hold a defendant liable as the publisher or speaker of information provided by a third party is preempted by Section 230.

    In their amicus brief, the CFPB, FTC, and North Carolina urged the 4th Circuit to overturn the district court ruling, contending that the court misconstrued Section 230—which they assert is unrelated to the FCRA—by applying its immunity provision to “claims that do not seek to treat the defendant as the publisher or speaker of any third-party information.” According to the brief, liability turns on the defendants’ alleged failure to comply with FCRA obligations to use reasonable procedures when reports are prepared, to provide consumers with a copy of their files, and to obtain certifications and notify consumers when reports are furnished for employment purposes. “As the consumer reporting system evolves with the emergence of new technologies and business practices, FCRA enforcement remains a top priority for the commission, the Bureau, and the North Carolina Attorney General,” the brief stated. “The agencies’ efforts would be significantly hindered, however, if the district court’s decision [] is allowed to stand.”

    Newly sworn-in CFPB Director Rohit Chopra and FTC Chair Lina M. Khan issued a joint statement saying “[t]his case highlights a dangerous argument that could be used by market participants to sidestep laws expressly designed to cover them. Across the economy such a perspective would lead to a cascade of harmful consequences.” They further stressed that “[a]s tech companies expand into a range of markets, they will need to follow the same laws that apply to other market participants,” adding that the agencies “will be closely scrutinizing tech companies’ efforts to use Section 230 to sidestep applicable laws. . . .”

    Courts CFPB FTC North Carolina State Issues Amicus Brief FCRA Appellate Fourth Circuit Consumer Reporting Agency

  • CFPB takes action against Maryland debt collectors

    Federal Issues

    On August 16, the CFPB entered into a preliminary settlement with a debt collection entity, its subsidiaries, and their owner (collectively, “defendants”) for allegedly violating the FCRA, FDCPA, and the CFPA, resolving a case filed in the U.S. District Court for the District of Maryland. As previously covered by InfoBytes, the complaint alleges that the defendants violated the FCRA and its implementing Regulation V by, among other things, failing to (i) establish or implement reasonable written policies and procedures to ensure accurate reporting to consumer-reporting agencies; (ii) incorporate appropriate guidelines for the handling of indirect disputes in its policies and procedures; (iii) conduct reasonable investigations and review relevant information when handling indirect disputes; and (iv) furnish information about accounts after receiving identity theft reports about such accounts without conducting an investigation into the accuracy of the information. The Bureau separately alleges that the violations of the FCRA and Regulation V constitute violations of the CFPA. Additionally, the Bureau alleges that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts. Under the terms of the proposed stipulated final judgment and order, the defendants are required to, among other things: (i) establish, modify, update, and implement policies and procedures on the accuracy of information furnished to consumer reporting agencies; (ii) establish internal controls to identify activities that may compromise the accuracy or integrity of information; (iii) establish an identity theft report review program; and (iv) retain an independent consultant to review the defendant’s furnishing of consumer information and debt collection activities in addition to provide recommendations. The proposed order also imposes a civil money penalty of $850,000.

    Federal Issues FDCPA Enforcement CFPB Act CFPB Credit Reporting Agency Debt Collection FCRA Credit Furnishing Consumer Reporting Agency

  • District Court grants CFPB’s motion to strike affirmative defenses in FCRA, FDCPA action

    Courts

    On June 30, the U.S. District Court for the District of Maryland issued a memorandum opinion granting the CFPB’s motion to strike four out of five affirmative defenses presented by defendants in an action alleging FCRA and FDCPA violations. As previously covered by InfoBytes, the Bureau filed a complaint against the defendants (a debt collection entity, its subsidiaries, and their owner) for allegedly violating the FCRA, FDCPA, and the CFPA. The alleged violations include, among other things, the defendants’ failure to ensure accurate reporting to consumer-reporting agencies, failure to conduct reasonable investigations and review relevant information when handling indirect disputes, and failure to conduct investigations into the accuracy of information after receiving identity theft reports before furnishing such information to consumer-reporting agencies. The Bureau separately alleged that the FCRA violations constitute violations of the CFPA, and that the defendants violated the FDCPA by attempting to collect on debts without a reasonable basis to believe that consumers owed those debts.

    After the court denied the defendants’ motion to dismiss on the basis that the CFPB was unconstitutional and therefore lacked standing, the defendants filed an amended affirmative defense asserting the following: (i) the alleged FDCPA violation was a bona fide error; (ii) the Bureau was “barred from seeking equitable relief by the doctrine of unclean hands”; (iii) the Bureau’s leadership structure was unconstitutional under Article II at the time the complaint was filed, thus the actions taken at the time were invalid; (iv) the Bureau structure is unconstitutional under Article I and therefore the Bureau lacked standing because “it is not accountable to Congress through the appropriations process”; and (v) the statute of limitations on the alleged violations had expired. The Bureau asked the court to strike all but the statute of limitations defense. Concerning the bona fide error defense, the defendants contended the alleged violations were not intentional and resulted from a bona fide error notwithstanding the maintenance of “detail[ed] policies and procedures for furnishing accurate information to the consumer reporting agencies,” but the court ruled this defense insufficient because the defendants failed to identify “specific errors [and] specific policies that were maintained to avoid such errors” and failed to explain their procedures. With respect to the unclean hands defense, the court ruled to strike the defense because it found that the defendants had not “alleged ‘egregious’ conduct or shown how the prejudice from that conduct ‘rose to a constitutional level’” when claiming the Bureau engaged in “duplicitous conduct” by allegedly disregarding its own NORA process or by serving multiple civil investigative demands. Finally, the court further decided to strike the two constitutional defenses because it found that allowing those defenses to proceed “could ‘unnecessarily consume the Court’s resources.’” The court granted the defendants 14 days to file an amended affirmative defense curing the identified defects.

    Courts CFPB Enforcement FCRA FDCPA Consumer Reporting Agency Credit Report Debt Collection CFPA Bona Fide Error

  • CFPB enforcement bulletin emphasizes accuracy in rental data

    Federal Issues

    On July 1, the CFPB released an enforcement compliance bulletin to reiterate to landlords, consumer reporting agencies (CRAs), and others of their obligation to correctly report rental and eviction information. The CFPB noted that it is “concerned that the end of the CDC eviction moratorium could mean both an increase in negative rental information in the consumer reporting system and an increase in consumers seeking rental housing.” According to the bulletin, the CFPB intends to examine if landlords, property management companies, and debt collectors are reporting accurate information to CRAs and complying with their dispute-handling obligations under the FCRA. Specifically, the Bureau will “pay particular attention to whether furnishers are reporting arrearages” regarding amounts paid on behalf of a tenant through a government grant or relief program and fees or penalties prohibited by CARES Act or other laws. In addition, the Bureau noted that it intends to look at whether CRAs are, among other things: (i) following procedures to only include accurate rental information in individuals’ consumer reports; (ii) reporting rental information for the consumer who is the subject of the report; (iii) reporting accurate and complete eviction information; and (iv) properly investigating when inaccuracies are reported by the consumer.

    Federal Issues CFPB Consumer Reporting Agency FCRA CARES Act Covid-19

  • 11th Circuit affirms majority of $380 million data breach settlement

    Courts

    On June 3, the U.S. Court of Appeals for the Eleventh Circuit affirmed a district court’s approval of a roughly $380.5 million settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (CRA), which resolved allegations arising from a 2017 cyberattack that caused a data breach of the CRA. (Covered by InfoBytes here.) The 11th Circuit’s opinion resolves challenges brought by objectors to the settlement who argued that plaintiffs lacked Article III standing because they did not have their identities stolen, and challenged, among other things, certain procedural requirements, the appropriateness of class certification given the possibility that some class members may have been able to recover state statutory damages, and the district court’s adoption of an approval order “ghostwritten” by plaintiffs’ counsel. The objectors also argued that the settlement was inadequate given the “unique risks associated with stolen social security numbers,” and disagreed with the award of $77.5 million in attorneys’ fees, as well as the district court’s decision to impose appeal bonds of $2,000 on each objector.

    On appeal, the 11th Circuit rejected almost all of the objectors’ arguments after determining that class members—even if they were not victims of identity theft—faced a material risk of harm. The appellate court also held that the procedural requirements were not particularly burdensome given the roughly 147 million class members involved. Moreover, the appellate court concluded that the fact that class members in a couple of states could have argued for statutory damages did not make the named plaintiffs inadequate class representatives. Furthermore, the appellate court noted that (i) the settlement addressed the seriousness of the stolen social security numbers; (ii) attorneys’ fees (equal to 20.36 percent of the common fund) were within the reasonable range; (iii) objectors failed to show any “practice of uncritically adopting counsel’s proposed orders”; and (iv) the district court did not “abuse its discretion when it imposed the appeal bonds based on its finding that there was a ‘substantial risk that the costs of appeal will not be paid unless a bond is required.’” Moreover, the 11th Circuit noted that “[a]bsent the settlement, the class action could have faced serious hurdles to recovery, and now the class is entitled to significant settlement benefits that may not have even been achieved at trial,” adding that the FTC, CFPB, and state attorneys general for 48 states, the District of Columbia, and Puerto Rico all support the settlement.

    The appellate court, however, did reverse the district court’s award of incentive payments to class representative and remanded the case solely for the purpose of vacating the awards.

    Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Settlement Consumer Reporting Agency Consumer Data Appellate

  • District Court: Identity theft alone is not enough to remove allegedly fraudulent debt from credit report

    Courts

    On April 20, the U.S. District Court for the Southern District of California granted a defendant debt collector’s motion for summary judgment, ruling that claiming to be a victim of identity theft alone is not enough to have a collection item removed from a credit report, or to give rise to an FDCPA violation. In 2014, the plaintiff purportedly obtained a payday loan from a lender who ultimately assigned the loan to the defendant for collection. In 2019, the plaintiff called the defendant to verbally dispute the debt as fraudulent after seeing the loan on her credit report. The defendant continued to report the loan to the consumer reporting agencies (CRAs), but marked the account as disputed, and informed the plaintiff of measures she needed to take to have the item removed from her credit report, including instructions for filing an identity theft affidavit. After an attorney representing the plaintiff submitted a formal written dispute of the debt, the defendant responded with the required verification and continued reporting the debt until the account was recalled by the lender. At this point the loan record was deleted and the defendant stopped reporting the loan account to the CRAs. The plaintiff filed suit alleging the defendant violated FDCPA Sections 1692e and 1692f and various state laws by continuing to report the debt after it was notified of the potential fraud. The court disagreed, stating, “there was nothing about [the defendant’s] statements that would confuse or mislead even the least sophisticated debtor’s attempt to remove the fraudulent account from their credit report,” the court wrote, adding that none of the defendant’s communications were false, deceptive, or misleading, nor did they undermine the plaintiff’s “ability to intelligently choose her action concerning the loan account.”

    Courts Debt Collection FDCPA Consumer Finance Consumer Reporting Agency State Issues

  • CFPB settles with auto loan company for inaccurate furnishing

    Federal Issues

    On December 22, the CFPB announced a settlement with a nonprime auto loan originator and servicer (company) for allegedly violating the FCRA by providing erroneous consumer loan data to consumer reporting agencies (CRAs). According to the consent order, between January 2016 and August 2019, the company (i) furnished inaccurate information to CRAs it knew or should have known was inaccurate; (ii) failed to promptly update information with the CRAs once it was determined to be inaccurate or incomplete; (iii) failed to furnish dates of first delinquency for severely delinquent or charged off accounts; and (iv) failed to implement reasonable written policies and procedures regarding the accuracy of furnished information. The consent order imposes a civil money penalty of $4.75 million and requires the company to, among other things, correct all inaccuracies identified by the Bureau, conduct monthly reviews of information furnished to CRAs, and establish reasonable written policies and procedures regarding the accuracy and integrity of furnished information.

    Federal Issues CFPB FCRA Enforcement Civil Money Penalties Auto Finance Consumer Reporting Agency

Pages

Upcoming Events