Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Buckley Special Alert: New York Governor Cuomo Directs NYDFS to Make Credit Reporting Agencies Comply With the State’s Cybersecurity Regulation

    Privacy, Cyber Risk & Data Security

    On September 18, 2017, New York Governor Andrew Cuomo directed the New York Department of Financial Services (NYDFS) to issue a regulation that would require all consumer credit reporting agencies doing business in the state to register with NYDFS by February 1, 2018, and to re-register annually. Governor Cuomo’s directive was issued in response to a recent highly publicized security incident at a major consumer credit reporting agency. NYDFS issued a proposed regulation on the same day (CRA Regulation).

    One of the primary intents of the registration directive is to make consumer credit reporting agencies subject to the state’s “First-in-the-Nation Cybersecurity Regulation” (Cybersecurity Regulation) (see previous InfoBytes coverage here) that was finalized earlier this year. The Cybersecurity Regulation applies to entities “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” and regulated by NYDFS. The Cybersecurity Regulation imposes a series of requirements on covered entities with compliance deadlines ranging from August 28, 2017 to March 1, 2019. These substantive requirements, which are in many ways more stringent and proscriptive than federal requirements for financial institutions, are described in our previous InfoBytes coverage on the Cybersecurity Regulation. Consumer credit reporting agency registrants would be subject to all of the requirements of the Cybersecurity Regulation, but under a different schedule beginning on April 4, 2018 and running through October 4, 2019.

    ***
    Click here to read full special alert.

    If you have questions about the report or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Credit Reporting Agency 23 NYCRR Part 500

  • Credit Reporting Agency Announces Widespread Consumer Data Breach

    Privacy, Cyber Risk & Data Security

    On September 7, a major credit reporting agency issued a press release announcing a data breach that impacts approximately 143 million U.S. consumers. An internal investigation revealed that from mid-May through the end of July 2017, hackers exploited a website application vulnerability to access names, Social Security numbers, birth dates, addresses, driver’s license numbers, as well as roughly 209,000 credit card numbers. The company discovered the breach on July 29 and “acted immediately to stop the intrusion.” A “leading, independent cybersecurity firm” has been hired to recommend security improvements, and the company is working with law enforcement authorities. Furthermore, the press release states that “the company has found no evidence of unauthorized activity on [its] core consumer or commercial credit reporting databases.” A website has been set up to assist consumers trying to determine if their information has been affected and offers credit file monitoring and identify theft protection.

    Privacy/Cyber Risk & Data Security Credit Reporting Agency Data Breach

  • Eleventh Circuit Rules Credit Reporting Agency Did Not Willfully Violate FCRA

    Courts

    In an August 24 opinion, the U.S. Court of Appeals for the Eleventh Circuit held that a credit reporting agency had not interpreted the Fair Credit Reporting Act (FCRA) in an “objectively unreasonable” manner when it included in a plaintiff’s credit report that the plaintiff was an authorized user of her parents’ delinquent credit card account. In doing so, the appellate court upheld the Georgia district court’s decision to dismiss the class action lawsuit over allegations that two credit reporting agencies failed to take reasonable precautions to ensure the accuracy of the plaintiff’s credit score. The appellate court concluded that including the information was a reasonable interpretation of the FCRA obligation to “follow reasonable procedures to assure the maximum possible accuracy” of the reported information—meaning the report must be technically accurate. Because this interpretation was not objectively unreasonable, the plaintiff could not plead that the violations were willful.

    The case concerned a plaintiff who was designated as an authorized user of her parents’ credit card when they became ill. After the plaintiff’s parents died, the account went into default, and the credit card company reported the default to consumer reporting agencies listing the consumer as an authorized user, which caused her credit score to drop by 100 points. The credit card company—responding to the plaintiff’s complaint over the inaccurate information—interceded in the matter with the credit reporting agencies. The information was expunged from the plaintiff’s report and her credit score returned to its prior level. The plaintiff then filed a consumer class action complaint in 2015, contending that the consumer reporting agencies had violated their duty under the FCRA when they failed to take reasonable precautions to ensure the accuracy of her credit score.

    At issue, the appellate court opined, was which interpretation should be applied when determining “maximum possible accuracy,” which, depending on differing court opinions, might mean (i) making certain that any included information is “technically accurate,” or (ii) ensuring the information is not only technically accurate but also not misleading or incomplete. The appellate court asserted that while the first interpretation was a less exacting reading of the FCRA, the plaintiff failed to cite any judicial precedents or agency interpretive guidance advising that reporting authorized user information was a violation. Further, the plaintiff failed to show that the credit reporting agency reported false information.

    Of note, the appellate court determined the plaintiff had shown an “injury in fact” and had standing to sue based on the following reasons: (i) reporting inaccurate credit information “has a close relationship to the harm caused by the publication of defamatory information,” which has a long provided basis as a cause of action; (ii) a concrete injury was allegedly sustained due to time spent resolving the problems resulting from the credit inaccuracies; and (iii) the plaintiff was affected personally because her credit score fell due to the reported information.

    Courts Credit Reporting Agency Appellate Eleventh Circuit FCRA

  • Hawaii Enacts Law to Prohibit Release of Credit Information of Children, Others

    State Issues

    On July 5, Hawaii Governor David Y. Igge signed into law H.B. 651, which was devised to protect children and certain other individuals from identity theft and credit fraud. The law applies to “protected consumers,” defined as minors under the age of 16 years, incapacitated persons, and individuals with appointed guardians or conservators.

    Based on research suggesting that minors may be targeted for identity theft due to their clean credit reports, the legislation permits representatives of protected consumers to place and remove security freezes on protected consumers’ credit files. Because one impediment to requesting such a freeze is the lack of an existing credit file, the legislation also requires consumer credit reporting agencies (CRAs) to create records for the protected consumers. A CRA may not release the protected person’s file when it is in a security freeze until the representative requests a removal of the freeze. In order to request a security freeze or a freeze removal, a protected person’s representative must provide proper identification and evidence of authority to the CRA. Additionally, with a few exceptions, the CRA may charge a fee not to exceed five dollars for each freeze or removal of a freeze to a protected person’s credit file.

    The law will go into effect on January 1, 2018.

    State Issues Debt Collection Fraud Privacy/Cyber Risk & Data Security State Legislation Credit Reporting Agency

  • CFPB Releases Study on Credit Visible Consumers

    Consumer Finance

    On June 7, the CFPB published analysis of how consumers transition out of credit invisibility. “Credit invisibility” refers to an individual who lacks a credit record at any of the three nationwide credit reporting agencies. The report, entitled CFPB Data Point: Becoming Credit Visible, highlights the results of its latest study of the credit reporting industry, finding that consumers in low-income areas are more likely to gain credit visibility in negative ways such as through an account in collection or some form of public record. In a previous study, the CFPB estimated approximately 26 million Americans were credit invisible with an additional 19 million consumers having “unscorable” credit files—i.e. files that contain insufficient or too brief credit history. (See previous InfoBytes coverage here.) Without such a record, lenders find it more difficult to assess a consumer’s creditworthiness, resulting in credit invisible individuals having a harder time accessing credit.

    The report notes that credit invisibility can present a “Catch-22” scenario, whereby a consumer needs credit history to get access to credit but cannot establish a credit history without first being extended credit. However, the report concludes that because 91 percent of consumers acquire a credit record before turning 30, it is possible to avoid a “Catch-22” situation.

    The Bureau highlighted the following key findings:

    • Most consumers – almost 80 percent – become credit visible before age 25, but Consumers in low- and moderate-income neighborhoods are likely to be older when they establish a credit history.
    • Members of all age groups and income levels most commonly use credit cards to establish credit history, with student loans ranking second.
    • Approximately 1-in-4 consumers first establish credit history through an account either held by another responsible party—i.e. becoming an “authorized user”—or with a co-borrower. This trend is more common among higher-income groups.
    • Consumers in lower-income neighborhoods, however, are more likely to establish a credit history through “non-loan items,” which usually convey negative information (e.g., third-party collections, delinquent utility bills, child support payments, etc.).
    • In recent years, more consumers create a credit history using a credit card, except within the under 25 age group. The report attributed the trend in the under 25 age group to a number of factors including increased student loans and the restrictions of the Credit Card Accountability Responsibility and Disclosure Act, which made credit cards less available to young consumers.

    Consumer Finance CFPB Credit Scores Credit Reporting Agency

  • FTC Halts Scheme to Enroll Consumers in Credit Monitoring Service

    Courts

    On January 10, the FTC filed a complaint against an online company that owns three “free credit report” websites as well as three individuals connected to the company with claims that they illegally lured consumers to their websites. The scheme, as alleged in the complaint, made use of Craigslist ads promoting non-existent or unauthorized apartments and houses for rent as the means of encouraging consumers to request additional information, which would then prompt them to click on a link to one of the three websites owned by the company to get a “free” credit check. The consumers allegedly were then enrolled in a credit monitoring service, supposedly without their knowledge or consent. The company has purportedly accrued millions of dollars using this method. On January 11, the U.S. District Court for the Northern District of Illinois entered a temporary restraining order against the defendants.

    Courts Consumer Finance FTC Credit Reporting Agency

  • CFPB Issues Consent Order to a National Bank Over Student Loan Servicing Practices

    Consumer Finance

    On August 22, the CFPB issued a consent order to a national bank to resolve allegations that its student loan servicing practices were unfair and deceptive in violation of the Dodd-Frank Act and that its payment aggregation practices violated the Fair Credit Reporting Act. The CFPB alleged that the bank failed to disclose key aspects related to its payment allocation process, including that partial payments would be distributed across all loans, even if a payment was sufficient to satisfy the minimum payment required for an individual loan. According to the consent order, the bank’s “allocation of a Partial Payment proportionally to all loans in the account sometimes caused consumers’ payments to satisfy fewer, if any, of the loan amounts due in the account than if the Partial Payment had been allocated in a manner that satisfied as many of the loan amounts as possible.” According to the CFPB, the bank’s failure to properly disclose its method for payment allocation resulted in consumers incurring improper late fees, which, if left unpaid for more than 30 days at the end of the month, were reported as delinquent to consumer reporting agencies. The CFPB further alleged that the bank’s payment processors used a late fee monitoring report that had a system coding error that improperly charged consumers late fees if a payment was made on the last day of a grace period, or if consumers chose to make partial payments instead of one payment. The CFPB contended that the bank failed to update, correct, or remove negative information that was inaccurately reported to credit reporting agencies. Pursuant to the consent order, the bank must (i) pay $410,000 in consumer redress; (ii) pay a civil penalty of $3.6 million; (iii) improve its student loan servicing practices to ensure that consumers’ partial payments are distributed in such a way that the amount due is satisfied for as many loans as possible, unless the consumer requests otherwise; (iv) enhance its disclosure statements; and (v) remove or correct errors on consumers’ credit reports.

    CFPB Dodd-Frank FCRA Student Lending Enforcement UDAAP Credit Reporting Agency

  • CFPB's Latest Monthly Complaint Snapshot Highlights Issues Related to Credit Reporting

    Consumer Finance

    On May 24, the CFPB released its latest consumer complaint report. This month’s report highlights complaints related to credit reporting, noting that such complaints made up approximately 143,700 of the 882,800 total complaints that the CFPB has handled as of May 1. The report found, among other things, that: (i) credit reporting remains among the top three products complained about by consumers, with more than 4,500 complaints submitted in April alone; (ii) the three largest U.S. credit reporting companies are also the top three companies offering credit reporting services, accounting for 95% of the credit reporting complaints submitted between December 2015 and February 2016; and (iii) during that same time period, consumers also submitted more than 2,000 complaints involving specialty consumer reporting companies that provide reports in particular areas, including background and employment screening, checking account screening, rental screening, and insurance screening. According to the report, the most common types of credit reporting complaints have included the following: (i) inaccurate information appearing on credit reports, particularly information related to debt collection items and information resulting from identity theft; (ii) difficulty in correcting inaccuracies, including long delays, negative customer service experiences, and failed attempts to have inaccuracies removed; and (iii) the inability to access credit reports online due to overly burdensome identity authentication questions.

    CFPB Consumer Complaints Credit Reporting Agency

  • Seventh Circuit Finds No Enforceable Arbitration Agreement Case Involving Chicago-Based Credit Reporting Company

    Consumer Finance

    Recently, the U.S. Court of Appeals for the Seventh Circuit issued an opinion affirming a district court’s denial of a credit reporting company’s motion to compel arbitration in a putative class action. The Seventh Circuit considered whether a particular online process was sufficient to form a contract between the company and its customer. Sgourros v. TransUnion Corp., No. 15-1371 (7th Cir. Mar. 25, 2016). The plaintiff in the case purchased a credit score report from the company that he alleged was inaccurate — it was 100 points higher than a lender’s report — and therefore he alleged that the report was useless. The plaintiff sued the company under various state and federal consumer protection laws. The company sought to compel arbitration, arguing that the plaintiff had agreed to the terms of a service agreement that included a mandatory arbitration clause because he clicked on various acceptance buttons in the online ordering process. In this regard, the company took the position that the plaintiff had agreed to the terms of the service agreement by clicking the “I Accept & Continue to Step 3” button. The federal district court disagreed, concluding that no contract had been formed, and the Seventh Circuit affirmed. In reviewing the matter, the appellate court found that the online presentation process was insufficient to form a contract, because the web pages did not include a clear statement that the purchase was subject to the terms and conditions of the service agreement. The court observed that no such statement appeared either in the displayed text of the agreement visible within the scroll box, or in the statement displayed below the scroll box. The company argued that there was additional language in the service agreement stating that the purchase was governed by the service agreement, and the plaintiff should be bound by that language. However, the court held that since the additional language was not readily visible unless the plaintiff scrolled the agreement or opened the printable version, it was insufficient to put him on notice that the service agreement applied to the purchase. The court also observed:

    Illinois contract law requires that a website provide a user reasonable notice that his use of the site or click on a button constitutes assent to an agreement. This is not hard to accomplish, as the enormous volume of commerce on the Internet attests. A website might be able to bind users to a service agreement by placing the agreement, or a scroll box containing the agreement, or a clearly labeled hyperlink to the agreement, next to an “I Accept” button that unambiguously pertains to that agreement. There are undoubtedly other ways as well to accomplish the goal.

    Accordingly, the Seventh Circuit found that no enforceable agreement to arbitrate arose between the company and the plaintiff and remanded the case to the District Court for further proceedings on the merits.

    Arbitration Credit Scores Credit Reporting Agency

  • CFPB Provides Consumers with Information on Obtaining Credit Reports

    Consumer Finance

    On January 27, the CFPB announced that it published its 2016 list of consumer reporting companies. The list includes contact information for the three largest nationwide reporting companies and various specialty reporting companies concentrating on specific geographic market areas and consumer segments. In addition, the list provides consumers with (i) tips on determining which specialty credit reports may be important to review depending upon the particular circumstances, such as applying for a job or a new bank account; (ii) information regarding how companies confirm the identity of the consumer requesting a copy of his or her credit report; and (iii) information on which companies also provide free credit scores. The CFPB also reminds consumers of their legal rights to (i) obtain the information in their credit reports, per the FCRA; and (ii) dispute inaccuracies contained in the report.

    CFPB FCRA Credit Scores Credit Reporting Agency

Pages

Upcoming Events