Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On October 8, the U.S. District Court for the District of Maine granted a trade association’s motion for declaratory judgment against the Maine attorney general and the superintendent of Maine’s Bureau of Consumer Credit Protection (collectively, “defendants”) after it sued the state for enacting amendments to the Maine Fair Credit Reporting Act. The trade association—whose members include the three nationwide consumer credit reporting agencies (CRAs)—filed the lawsuit concerning the 2019 amendments, which, among other things, place restrictions on how medical debts can be reported by the CRAs and govern how CRAs must investigate debt that is allegedly a “product of ‘economic abuse.’” The trade association argued that the amendments, which attempt to regulate the contents of an individual’s consumer report, are preempted by the federal Fair Credit Reporting Act (FCRA). The parties’ main contention was over how broadly the language under FCRA Section 1681t(b)(1)(E) concerning “subject matter regulated under . . . [15 U.S. C. § 1681c] relating to information contained in consumer reports” should be understood. Plaintiffs argued that the language should be read to encompass all claims relating to information contained in consumer reports. The defendants, on the other hand, claimed that § 1681c should be read “as an itemized list of narrowly delineated subject matters, some of which relate to information contained in consumer reports, and only find preemption where a state imposes a requirement or prohibition that spills into one of those limited domains,” which in this case, the defendants countered, the amendments do not.
The court disagreed, concluding that, as a matter of law, the amendments are preempted by § 1681t(b)(1)(E). According to the court, Congress’ language and amendments to the FCRA’s structure “reflect an affirmative choice by Congress to set ‘uniform federal standards’ regarding the information contained in consumer credit reports,” and that “[b]y seeking to exclude additional types of information” from consumer reports, the amendments “intrude upon a subject matter that Congress has recently sought to expressly preempt from state regulation.”
On September 9, the U.S. Court of Appeals for the Fifth Circuit affirmed a district court’s dismissal of a plaintiff’s FCRA claims against two consumer reporting agencies (CRAs), holding that omitting a favorable credit item does not render a credit report misleading. The plaintiff filed a lawsuit after the CRAs stopped reporting a favorable item—a timely paid credit card account—and refused to restore it, alleging that the refusal to include the item on his consumer report violated section 1681e(b), which requires CRAs to follow “reasonable procedures to assure maximum possible accuracy” of consumer information. As a result, the plaintiff claimed his creditworthiness was harmed, which caused him to be denied a credit card and rejected for a mortgage. The district court dismissed the suit.
In affirming the dismissal, the 5th Circuit found that the omission of a single credit item does not render a report ”inaccurate” or “misleading.” According to the appellate court, a “credit report does not become inaccurate whenever there is an omission, but only when an omission renders the report misleading in such a way and to such an extent that it can be expected to adversely affect credit decisions.” As such, “[b]usinesses relying on credit reports have no reason to believe that a credit report reflects all relevant information on a consumer.” The 5th Circuit further held, among other things, that the plaintiff failed to state a claim for violations of section 1681i(a), which requires agencies to conduct an investigation if consumers dispute “the completeness or accuracy of any item of information contained in a consumer’s file.” The court held that because the plaintiff “disputed the completeness of his credit report, not of an item in that report,” the statute did not require an investigation.
On September 9, the U.S. Court of Appeals for the Eleventh Circuit affirmed summary judgment in favor of a cable satellite company, concluding that the company had a “legitimate business purpose” under the FCRA to obtain a consumer’s credit report. According to the opinion, in 2016, following an identity theft, the consumer entered into a settlement agreement with the cable satellite company after the consumer’s personal information was used to fraudulently open two accounts for television services. As part of the agreement, the company put the consumer’s personal information into an internal mechanism designed to flag and prevent unauthorized accounts. In 2017, an unknown individual applied for an account online using some of the consumer’s information. The company’s automated systems sent the information to a consumer reporting agency (CRA), which matched the information to the consumer and resulted in the cable satellite company blocking the account from being opened. Upon request by the company, the CRA deleted the inquiry from the consumer’s credit file. The consumer filed an action alleging that the company breached the settlement agreement and “negligently and willfully obtained the January 2017 consumer report without a ‘permissible purpose’” in violation of the FCRA. While the action was pending, two more attempts were made to use the consumer’s information to open accounts and the satellite company blocked both. The district court granted summary judgment in favor of the satellite company.
On appeal, the 11th Circuit agreed with the district court, concluding that the satellite company had a “legitimate business purpose” to access the credit report. Specifically, the appellate court noted that the “FCRA does not explicitly require a user of consumer reports to confirm beyond doubt the identity of potential consumers before requesting a report.” Moreover, the satellite company was dependent on the credit report to access the consumer’s full social security number and “cross-check that information via its internal mechanisms.” Additionally, the appellate court rejected a claim for breach of the settlement agreement, noting that the company satisfied the terms of the agreement by flagging the social security number in its internal systems and using that system to block the fraudulent application for an account.
On July 14, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a group of defendants, including a credit reporting agency (CRA) and furnisher, after determining that a consumer plaintiff failed to adequately notify the CRA of an error on her credit report. According to the opinion, the plaintiff questioned the accuracy of certain information on her credit report and requested that these inaccuracies be investigated. Defendants investigated and corrected the inaccuracies and informed the plaintiff that if she further disputed the accuracy of the reported information, she could submit additional documentation to support her claim. Plaintiff continued to believe her credit report contained inaccuracies; specifically, she contended that the CRA was misreporting the date on which her bankruptcy was discharged. But rather than notify the CRA, she instead filed suit in federal district court alleging violations under the FCRA. The defendants filed for summary judgment which the district court granted, concluding that while “the date of the bankruptcy may have continued to be misreported after the conclusion of the reinvestigation,’ there was no genuine dispute of material fact on whether [the plaintiff] notified [the CRA] of that specific reporting error.” The 9th Circuit agreed, starting that because the plaintiff failed “to provide adequate notice of this reporting error” the scope of the defendants’ duties were limited. Moreover, the 9th Circuit held that a consumer cannot prevail on a “FCRA claim without first putting the [CRA] on notice of the information that is disputed.”
On July 8, the U.S. District Court for the Eastern District of New York allowed a consumer’s claim under New York’s consumer protection law (N.Y. G.B.L. § 349) to proceed against a national credit reporting agency (CRA) for grievances stemming from a 2017 data breach that compromised the consumer’s personal information. According to the opinion, the consumer alleged that the CRA, among other things, failed to “implement security and privacy measures to safeguard plaintiff’s sensitive information and misrepresented to him that his personal data would be protected from outside threats.” The CRA had previously entered into a class action settlement concerning the data breach and resolved hundreds of data breach cases brought against the company; however, the consumer opted out of that nationwide class action. The CRA moved to dismiss the consumer’s action, arguing, among other things, that data breach claims are not actionable under N.Y. G.B.L. § 349. While the court granted the CRA’s motion as to the consumer’s FCRA claim, the court denied the CRA’s request to dismiss the consumer’s claim under N.Y. G.B.L. § 349. Specifically, the court concluded that the consumer plausibly alleged the CRA misrepresented its ability to protect the consumer’s personal information, which “resulted in actual and pecuniary harm after [the consumer]’s identity was stolen and numerous unauthorized accounts were opened under his name.” The court distinguished this claim from the consumer’s FCRA claim, which asserted the CRA failed to “shield” the consumer’s information from the hackers, whereas the N.Y. G.B.L. § 349 claim rests on the CRA’s representations of protection.
On June 23, the CFPB announced a settlement with several contract for deed companies to resolve allegations that the defendants violated the FCRA and its implementing Regulation V, as well as the Consumer Financial Protection Act, by, among other things, misrepresenting to consumers the necessary steps to resolve consumer-reporting complaints. Specifically, the CFPB’s investigation revealed that the defendants allegedly told consumers who complained about errors on their consumer reports that they had to file a dispute with the consumer reporting agency, even though Regulation V requires furnishers to investigate written disputes and contact the applicable consumer reporting agency to resolve any errors. According to the CFPB, this was inaccurate as a matter of law and a deceptive practice. In addition, the CFPB claimed that one defendant failed to implement policies and procedures required by Regulation V to protect the accuracy and integrity of furnished consumer information.
Under the terms of the consent order, the defendants will collectively pay a total of $35,000 in civil money penalties and have agreed not to “misrepresent or assist others in misrepresenting, expressly or impliedly, how consumers can initiate disputes concerning their consumer reports.”
On June 17, the New York State Department of Financial Services issued guidance to state-regulated consumer credit reporting agencies regarding support for New York consumers impacted by Covid-19. The guidance indicates that all state-regulated consumer credit reporting agencies have agreed to take a number of steps to mitigate consumer harm, including permitting consumers at least one free credit report per month for six months, reminding furnishers of information of the appropriate manner to report accommodations reached pursuant to the CARES Act, and posting on their website a link to a page dedicated to Covid-19 information and updates.
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
Maryland regulator reminds student loan servicers of obligation to report suspended payments as current
On May 18, the Office of the Maryland Commissioner of Financial Regulation issued an advisory to student loan servicers and credit reporting agency registrants to remind them of their furnishing obligations under the federal CARES Act to ensure that suspended payments are not reported as delinquent. The advisory notes that it has come to the office’s attention that a student loan servicer of a significant amount of federal student loan debt was not accurately furnishing information and reminds servicers that under Maryland’s Student Loan Servicing Bill of Rights, it is a violation of Maryland law to knowing or recklessly provide inaccurate information or refuse to correct it.
On May 11, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s dismissal of a putative class action, holding that the FCRA does not compel a consumer reporting agency (defendant) to determine the legal validity of a debt when investigating a dispute. The plaintiffs alleged that they obtained payday loans with allegedly usurious interest rates from online entities affiliated with Native American tribes. After both plaintiffs stopped making monthly payments, the lenders reported the delinquent amounts to the defendant. One of the plaintiffs disputed the accuracy of his credit report, arguing that because the loan was “illegally issued” he was not obligated to make payments. The defendant conducted an investigation and verified the furnished information was accurate. However, the defendant did not investigate whether the debt was legal. The plaintiffs filed suit, alleging two FCRA violations: (i) Section 1681e(b) which requires consumer reporting agencies “to assure maximum possible accuracy of the information” contained in credit reports; and (ii) Section 1681i(a) which “requires consumer reporting agencies to reinvestigate disputed items.” According to the plaintiffs, the defendant’s credit reports “contained ‘legally inaccurate’ information because they posted ‘legally invalid debts.’” The district court granted judgment on the pleadings to the defendant, ruling that the plaintiffs’ FCRA claims fell short because they never alleged that the information that was reported was factually inaccurate and, “until a formal adjudication invalidates the plaintiffs’ loans,” the reported information would not be factually inaccurate.
On appeal, the 7th Circuit held, among other things, that only furnishers—“such as banks, credit lenders, and collection agencies”—are required under the FCRA to correctly report liability, stating it is not the defendant’s responsibility to determine the enforceability of the debt because the “power to resolve these legal issues exceeds the competencies of consumer reporting agencies.” Moreover, the appellate court determined that the defendant cannot be liable under either of the plaintiffs’ FCRA claims if it did not report inaccurate information.
- H Joshua Kotin to discuss "Being fair, responsible, & profitable" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- Kathryn L. Ryan to discuss "NMLS mortgage call report – Where’s NMLS 2.0?" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- Jeffrey P. Naimon to discuss "2021 - A new beginning/what's to come" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "Cyber security, incident response, crisis management" at the Legal & Diversity Summit
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "BSA/AML - Covid impact and regulatory/guidance roundup" at an NAFCU webinar