InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Financial institutions, CRA reach settlement over 2017 data breach
On May 15, a putative class of financial institutions filed an unopposed motion for preliminary approval of a settlement in a multidistrict litigation stemming from a credit reporting agency’s (CRA) 2017 data breach. The class, comprised of financial institutions that issued credit or debit cards whose information was believed to have been breached, argued that the data breach was the result of the CRA’s alleged failure to implement the necessary precautions to safeguard consumers’ personally identifiable information (PII). The class further contended that financial institutions suffer the primary harm caused by identity theft, because they “bear the risk of loss when identity thieves use a customer’s PII to open accounts, transfer funds, take out loans, make fraudulent transactions, or obtain credit or debit cards in the customer’s name.”
The proposed settlement—pending approval from the U.S. District Court for the Northern District of Georgia—will require the CRA to pay $5.5 million to class members that submit valid claims, spend at least $25 million over a two-year period on “data security measures pertinent to the [financial intuitions] and their claims,” and cover settlement administration and notice costs, as well as agreed-upon attorney fees, expenses, and named-plaintiff service awards. The motion for preliminary approval states that the CRA will also, among other things, (i) adopt and/or maintain certain measures in order to identify “reasonably foreseeable threats” to PII; (ii) respond to identified vulnerabilities that may impact the confidentiality of PII; (iii) design safeguards to manage risks identified though data security risk assessments; (iv) implement a security control framework consistent with requirements for systems that “store, process, or transmit [p]ayment [c]ard [d]ata in connection with U.S. payment card transactions”; and (v) maintain a compliance program and submit annual certifications to class counsel.
Maryland regulator reminds student loan servicers of obligation to report suspended payments as current
On May 18, the Office of the Maryland Commissioner of Financial Regulation issued an advisory to student loan servicers and credit reporting agency registrants to remind them of their furnishing obligations under the federal CARES Act to ensure that suspended payments are not reported as delinquent. The advisory notes that it has come to the office’s attention that a student loan servicer of a significant amount of federal student loan debt was not accurately furnishing information and reminds servicers that under Maryland’s Student Loan Servicing Bill of Rights, it is a violation of Maryland law to knowing or recklessly provide inaccurate information or refuse to correct it.
7th Circuit: CRAs not required to determine legal validity of disputed debt
On May 11, the U.S. Court of Appeals for the Seventh Circuit affirmed a district court’s dismissal of a putative class action, holding that the FCRA does not compel a consumer reporting agency (defendant) to determine the legal validity of a debt when investigating a dispute. The plaintiffs alleged that they obtained payday loans with allegedly usurious interest rates from online entities affiliated with Native American tribes. After both plaintiffs stopped making monthly payments, the lenders reported the delinquent amounts to the defendant. One of the plaintiffs disputed the accuracy of his credit report, arguing that because the loan was “illegally issued” he was not obligated to make payments. The defendant conducted an investigation and verified the furnished information was accurate. However, the defendant did not investigate whether the debt was legal. The plaintiffs filed suit, alleging two FCRA violations: (i) Section 1681e(b) which requires consumer reporting agencies “to assure maximum possible accuracy of the information” contained in credit reports; and (ii) Section 1681i(a) which “requires consumer reporting agencies to reinvestigate disputed items.” According to the plaintiffs, the defendant’s credit reports “contained ‘legally inaccurate’ information because they posted ‘legally invalid debts.’” The district court granted judgment on the pleadings to the defendant, ruling that the plaintiffs’ FCRA claims fell short because they never alleged that the information that was reported was factually inaccurate and, “until a formal adjudication invalidates the plaintiffs’ loans,” the reported information would not be factually inaccurate.
On appeal, the 7th Circuit held, among other things, that only furnishers—“such as banks, credit lenders, and collection agencies”—are required under the FCRA to correctly report liability, stating it is not the defendant’s responsibility to determine the enforceability of the debt because the “power to resolve these legal issues exceeds the competencies of consumer reporting agencies.” Moreover, the appellate court determined that the defendant cannot be liable under either of the plaintiffs’ FCRA claims if it did not report inaccurate information.
State AGs, U.S. senators urge CRAs to protect credit scores during Covid-19 crisis
On April 28, New York Attorney General Letitia James and Pennsylvania Attorney General Josh Shapiro, along with the attorneys general of 19 other states and the District of Columbia sent letters to the three credit reporting agencies (CRAs) stating their intention to protect consumer credit and ensure fair and accurate reporting on consumer credit reports during the Covid-19 crisis. The letter calls attention to the obligations of the CRAs under the FCRA and state credit-reporting laws and further states that the attorneys general intend to enforce compliance of all related requirements. Notwithstanding the CFPB’s announcement that it will ease the FCRA’s 30 or 45-day time restrictions for CRAs to investigate consumer complaints, the letter insists that the attorneys general will enforce the FCRA deadlines. Pursuant to the CARES Act amendment of the FCRA—which requires that consumer accounts be reported by furnishers as current if the consumer was current prior to the grant of a CARES Act accommodation—the letter asserts that its signors will actively monitor for compliance to this amendment. Finally, the letter expresses appreciation for the CRAs’ compliance and cooperation.
On April 27, Senator Elizabeth Warren (D-MA) and Senator Brian Schatz (D-HI) sent letters to the same CRAs also urging the agencies to protect consumer credit reports by complying with the CARES Act amendment to the FCRA. In addition, the Senators request that the CRAs reply to six questions included in the letters to assist the Senators in understanding all efforts the CRAs are taking to protect consumer credit scores during the Covid-19 crisis.
Multi-jurisdiction settlement reached with credit reporting agency over 2017 data breach
On April 17, the Massachusetts attorney general announced a settlement with a credit reporting agency (CRA) to resolve a state investigation into a 2017 data breach that reportedly compromised the personal information of nearly three million Massachusetts residents. According to the AG’s 2017 complaint (covered by InfoBytes here), the CRA ignored cybersecurity vulnerabilities for months before the breach occurred and failed to take measures to implement and maintain reasonable safeguards. Under the terms of the proposed settlement, pending final court approval, the CRA will pay Massachusetts $18.2 million and is required to take significant measures to strengthen its security practices to ensure compliance with Massachusetts law. These measures include (i) implementing a comprehensive information security program; (ii) minimizing the collection of sensitive personal information; (iii) managing and implementing specific technical safeguards and controls; (iv) providing consumer-related relief, such as credit monitoring services and security freezes; and (iv) allowing third-party assessments of its data safeguards.
Earlier, on April 14, the Indiana attorney general also announced that the CRA will pay the state $19.5 million to resolve allegations that it failed to protect Indiana residents whose personal information was exposed in the 2017 data breach. Under the terms of the final judgment and consent decree, in addition to paying $19.5 million in restitution, the CRA must take measures similar to those outlined in the Massachusetts settlement.
Massachusetts and Indiana were the only two states that chose not to participate in the 2017 multi-agency settlement that resolved federal and state investigations into the data breach and required the company to pay up to $700 million (covered by InfoBytes here).
Separately, on April 7, the City of Chicago announced a $1.5 million settlement to resolve allegations that the CRA’s failure to employ adequate data-security measures led to the breach.
5th Circuit affirms summary judgment in FCRA case
On April 22, the U.S. Court of Appeals for the Fifth Circuit affirmed a district court’s dismissal of an FCRA action, holding that the plaintiff failed to prove that his alleged injuries were the result of the defendants’ actions. According to the opinion, the plaintiff alleged that a financial institution wrongfully reported a payment delinquency on his retail credit card, which he claimed caused the subsequent denial of a loan application. Upon learning of the denial, the plaintiff disputed the late-payment notation with three credit reporting agencies (CRAs). Prior to the district court’s judgment, the plaintiff settled with the retailer, the financial institution, and one of the three CRAs. The remaining two defendant CRAs reinvestigated the delinquency with the financial institution, confirmed the information, and notified the plaintiff of the result of their investigation. The plaintiff argued that the CRAs “failed to conduct a reasonable investigation” because they never directly contacted the retailer about the disputed late payment. However, the district court held that that the CRAs’ reliance on the Automated Consumer Dispute Verification (ACDV) system to investigate the dispute and confirm the information was “generally acceptable.”
On appeal, the 5th Circuit agreed with the district court that the plaintiff “offered no reasonable factual basis” for why the CRAs “should have been on notice of a need to go beyond the ACDV system as to this dispute.” The appellate court further agreed that the plaintiff was unable to show that contacting the retailer would have changed the CRAs’ conclusions about the information they already possessed. Finally, the 5th Circuit held that the plaintiff had shown no evidence that the denial of his loan application was a direct result of the CRAs’ actions because, as the district court concluded, the loan application was denied because of a credit report from the CRA that had previously settled with the plaintiff and was no longer a party to the suit.
States ask Treasury to exempt stimulus payments from garnishment and urge CFPB to “vigorously enforce” FCRA
On April 13, a coalition of state attorneys general and the Hawaii Office of Consumer Protection (states) sent a letter to Treasury Secretary Steven T. Mnuchin, calling for immediate action to ensure that stimulus checks issued under the CARES Act to consumers affected by the Covid-19 pandemic are not subject to garnishment by creditors and debt collectors. While the CARES Act does not “explicitly designate these emergency stimulus payments as exempt from garnishment,” the states claim that a “built-in mechanism” contained within a provision of the CARES Act can rectify the legislative oversight. Specifically, the states point to Section 2201(h), which “authoriz[es] Treasury to issue ‘regulations or other guidance as may be necessary to carry out the purposes of this section,’” and ask Treasury to immediately designate the stimulus checks as “‘benefit payments’ exempt from garnishment.”
The same day, another coalition of state attorneys general sent a letter to CFPB Director Kathy Kraninger urging the Bureau to rescind an April 1 policy statement directed at consumer reporting agencies (CRAs) and furnishers (covered by InfoBytes here) that stated the Bureau will take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the Fair Credit Reporting Act [(FCRA)] and Regulation V.” According to the states, the policy statement suggests that the Bureau does not plan on enforcing the CARES Act amendment to the FCRA, which requires lenders to report as current any loans subject to Covid-19 forbearance or other accommodation. The Bureau’s decision, the states contend, may discourage consumers from taking advantage of offered forbearances and other accommodations. The states also argue that allowing CRAs to take longer than the FCRA-prescribed 30 days to investigate consumer disputes puts consumers at risk. The states stress that the recent increase in Covid-19 scams has heightened the need for the Bureau to vigorously enforce the FCRA, and that, moreover, the thousands of complaints received by the states, FBI, FTC, and DOJ concerning phishing and other scams designed to gather consumers’ financial information have highlighted identity theft risks. The states emphasize “that even if the CFPB refuses to act. . .we will not hesitate to enforce the FCRA’s deadlines against companies that fail to comply with the law.”
CFPB plans credit reporting supervisory flexibility during Covid-19 pandemic, contingent on accurate reporting
On April 1, the CFPB issued a policy statement directed at consumer reporting agencies (CRAs) and furnishers. Taking into consideration the Covid-19 pandemic, the statement explains that the Bureau will take a “flexible supervisory and enforcement approach during this pandemic regarding compliance with the Fair Credit Reporting Act [(FCRA)] and Regulation V.” The Bureau states that it will be flexible with CRAs and furnishers by refraining from taking enforcement actions and citing during exams in certain situations. Two examples of when the Bureau will be flexible include: (i) furnishers that continue to furnish accurate data to CRAs, including regarding payment relief arrangements (the Bureau notes that the CARES Act obliges furnishers to report consumer accounts as current when furnishers grant payment accommodations requested by consumers impacted by Covid-19); and (ii) CRAs and furnishers that make good faith efforts to investigate consumer disputes but take longer than the FCRA-prescribed 30 days. The statement notes that “the continued operation of the consumer reporting system…will enable consumers, as well as lenders, insurers, employers and other consumer report users, to maintain confidence in the consumer reporting system.”
Illinois Department of Financial and Professional Regulation issues guidance to student loan servicers
On March 30, the Illinois Department of Financial and Professional Regulation, Division of Banking (Division), issued guidance encouraging Illinois-licensed student loan servicers to make prudent efforts to meet the financial needs of all student loan borrowers affected directly or indirectly by the Covid-19 pandemic. The guidance reiterates the importance of provisions in the Illinois Student Loan Servicing Rights Act that prohibit servicers from engaging in any unfair or deceptive practices and misapplying payments made by borrowers. Servicers are reminded that they are obligated to lay out all available options to borrowers, including income-based repayment, deferment, forbearance, and relieving borrowers of interest. In addition to adhering to the credit reporting provisions set forth under the CARES Act, the Division also encourages student loan servicers to use the disaster status code in conjunction with a deferment when reporting to the consumer credit reporting agencies to minimize any negative credit reporting impact to consumers due to the Covid-19 crisis.
Utah modifies credit reporting notification requirements
On March 24, the Utah governor signed HB 412, which modifies requirements for creditors when submitting negative credit reports to credit reporting agencies. Creditors are now required to provide written notification to the affected party “no more than 30 days after the day on which the creditor submits the negative credit report to the credit reporting agency.” Creditors may provide the written notice in-person, via first class mail, or electronically if the party consented to receive notices by email. The amendments take effect 60 days following adjournment of the legislature.