
InfoBytes Blog

Financial Services Law Insights and Observations


  • Credit reporting agency FCRA suit may go forward

    Courts

    On March 9, the U.S. District Court for the Eastern District of Pennsylvania denied the motion to dismiss and motion to strike a claim of a credit reporting agency (CRA) and its subsidiary (defendants) in a putative class action that alleged the defendants: (i) knowingly used inaccurate eviction information in their tenant screening reports, and (ii) inaccurately represented that they obtained eviction information from public sources, each in violation of the FCRA. Specifically, the plaintiff alleged that the CRA failed to disclose that the eviction information was maintained and sold through the subsidiary, and when the plaintiff requested her credit report from the CRA, the CRA omitted information maintained by the subsidiary and therefore the credit report did not contain “all information in the consumer’s file at the time of the request” as required by the FCRA. She argued that the FCRA prohibits the CRA defendant from skirting the requirement of full and accurate disclosure of consumer information by assigning that duty to a third party—in this case, the subsidiary defendant.

    According to its memorandum, the court rejected the CRA’s argument that it could not be held liable for faulty reports issued by its subsidiary. The court answered the question of whether plaintiff “sufficiently alleged that defendant evaded its obligation to make full and accurate disclosure of plaintiff's consumer file. . .through the use of corporate organization, reorganization, structure or restructuring,” concluding that she did so. The court dismissed the defendants’ motion to strike without prejudice, indicating the defendants can raise their argument again in an opposition to class certification.
     

    Courts Credit Reporting Agency FCRA Class Action Class Certification CRA Disclosures Credit Report

  • 9th Circuit reduces punitive damages in FCRA class action

    Courts

    On February 27, the U.S. Court of Appeals for the Ninth Circuit reduced punitive damages in a class action against a credit reporting agency (CRA) for allegedly violating the Fair Credit Reporting Act (FCRA) by erroneously linking class members to criminals and terrorists with similar names in a database maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). At trial, the jury found that the CRA violated the FCRA by willfully failing to (i) “follow reasonable procedures to assure accuracy of the terrorist alerts”; (ii) “disclose to the class members their entire credit reports by excluding the alerts from the reports”; and (iii) “provide a summary of rights” to class members with each disclosure. Subsequently, the jury awarded $8 million in statutory damages and $52 million in punitive damages to the class.

    Upon appeal, the 9th Circuit affirmed the lower court’s determinations that all class members—not just the class representative—must have “standing at the final stage of a money damages suit when class members are to be awarded individual monetary damages.” But the appellate court found that all class members did have standing due to, among other things, the CRA’s “reckless handling of information from OFAC,” which subjected class members to “a real risk of harm,” and because “the violation of a statutory right constituted a concrete injury.” In addition, the appellate court rejected the CRA’s request for judgment as a matter of law or a new trial on the basis that the class had failed to provide sufficient evidence of injuries or to support the damages award. Moreover, the appellate court held that the district court did not abuse its discretion in finding that the class representative’s claims were typical of the class’s claims, nor in certifying the class or denying the CRA’s motion to decertify the class. The appellate court also agreed with the lower court on statutory damages, but it held that the $52 million punitive damages award was “unconstitutionally excessive.” The appellate court explained that although the CRA’s “conduct was reprehensible, it was not so egregious as to justify a punitive award of more than six times an already substantial compensatory award.” Accordingly, the appellate court vacated the jury’s award of punitive damages and remanded, directing that the punitive damages be reduced to four times the statutory damages award.

    Courts FCRA Credit Reporting Agency Credit Report Class Action Punitive Damages OFAC Appellate Ninth Circuit

  • CFPB holds symposium on consumer access to financial records

    Federal Issues

    On February 26, the CFPB held a symposium covering consumer access to financial records and Section 1033 of the Dodd-Frank Act, which deals with consumers’ rights to access information about their financial accounts. In her opening remarks, Director Kathy Kraninger pointed out three major changes in data aggregation since the OCC first warned banks about aggregating consumer data in 2001: (i) “the range of actors involved has expanded greatly”; (ii) “the extent to which they are using aggregated data to provide new products and services to millions of American consumers has grown in scope and scale”; and (iii) “technologies that enable safer and more efficient consumer authorized data sharing continue to evolve and proliferate.” According to the CFPB’s press release, the purpose of this symposium was “to elicit a variety of perspectives on the current and future state of the market for services based on consumer-authorized use of financial data.” The symposium consisted of three panels: (i) the current landscape and benefits and risks of consumer-authorized data access; (ii) market developments; and (iii) considerations for policymakers. Panel highlights include:

    • Panel #1. The panelists considered potential benefits and risks for consumers around data access as well as the current landscape and benefits and risks of consumer-authorized data access. Panelists agreed that consumers should be given control over their data and also mentioned the need to educate consumers on data security. One panelist suggested that consumers need to understand not only the breadth of data that is accessible, but also what sensitive consumer data is being accessed, stored, and shared. She stressed that entities storing/accessing the data should be subject to the same supervision for cyber security standards as banks.
    • Panel #2. The panel, which was composed of experts in market developments and trends, including in the areas of cash flow underwriting and the business of securing consumer permission to access checking account data, discussed market developments in consumer-authorized data access. One panelist suggested that the U.S. is behind countries like Australia and Canada (where government intervention in the market clarified consumers’ legal right to access their financial data) because of a lack of connectivity and of data field availability in the U.S. Others discussed alternatives to the current screen scraping model—which does not advance transparency or traceability for consumers—such as a model based on an application program interface (API), which can be used to combine data from various sources into one application. The panelists also discussed tokenized authentication as a possible middle phase when going from screen scraping to APIs. Panelists suggested that the market is making significant technological improvements, but lacks guidance from policymakers.

    • Panel #3. The third panel focused on “where we are going and how we get there” or the “future of the market” and “considerations for policymakers on how to” ensure consumer data is safeguarded “while ensuring that consumers have continual access to their data.” Among other things, the panel discussed that regulatory intervention in this space has not been common. Many panelists also mentioned areas of uncertainty, including whether banks or consumers should decide the limitations of rights to consumer data. Regarding Section 1033, one panelist suggested that the bank view is that the CFPB does not need to regulate here and should not provide consumers and their agents with access to their information; however, any entities that have access to the data should be regulated. Others believed that banks and other financial institutions do not view Section 1033 correctly. Another area of uncertainty discussed was whether the consumer data right is an ownership right, and whether a bank can decide to whom it will or will not provide consumer data.

    Federal Issues Agency Rule-Making & Guidance CFPB FCRA Consumer Data Symposium Consumer Finance Fintech Dodd-Frank

  • CFPB denies debt collection law firm’s request to set aside CID

    Federal Issues

    On February 10, the CFPB denied a debt collection law firm’s request to modify or set aside a third-party Civil Investigative Demand (CID) issued to the firm by the Bureau while investigating possible violations of the FDCPA, CFPA, and the FCRA. As previously covered by InfoBytes, the Bureau also denied a request by a debt collection company to modify or set aside a CID, which sought information about the company’s business practices and its relationship with the firm in the same investigation. The firm’s petition asserted arguments largely based on the theory that the CFPB’s structure is unconstitutional, and that the Dodd-Frank Act provides the Bureau’s director with “overly broad executive authority.” Alternatively, the firm argued that if the CID is not set aside, it should be modified, stating, among other things, that the CID’s scope exceeds applicable statutes of limitation.

    As it did in the debt collection company’s request to set aside or modify the CID, the Bureau rejected the firm’s constitutionality argument, stating that “[t]he administrative process for petitioning to modify or set aside CIDs is not the proper forum for raising and adjudicating challenges to the constitutionality of provisions of the Bureau’s statute.” Additionally, the Bureau’s Decision and Order discounts the firm’s statute of limitations argument, contending that “the Bureau is not limited to gathering information only from the time period in which conduct may be actionable. Instead, what matters is whether the information is relevant to conduct for which liability can be lawfully imposed.” The Bureau also directed the firm to comply with the CID within ten days of the Order.

    Federal Issues Agency Rule-Making & Guidance CFPB Enforcement FDCPA CFPA FCRA Debt Collection Statute of Limitations Consumer Finance CIDs Single-Director Structure Dodd-Frank

  • CFPB updates FCRA exam procedures

    Agency Rule-Making & Guidance

    On February 11, the CFPB issued updates to its Supervision and Examination Manual to include requirements of the FCRA created by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The updates apply to the examination procedures covering consumer reporting, larger participants, and education loans, and aim to reduce instances of consumer compliance law violations by companies that provide consumer financial products and services. According to the CFPB, the larger participants examination procedures provide guidance to examiners covering a number of areas including, among other things, (i) “accuracy of information and furnisher relations”; (ii) “contents of consumer reports”; (iii) “consumer inquiries, complaints, and disputes and the reinvestigation process”; (iv) “consumer alerts and identity theft provisions”; and (v) “other products and services and risks to consumers.” The Bureau’s guidance to examiners on education loan exam procedures concentrates on servicing and origination. Some of the topics included are: (i) “advertising, marketing, and lead generation”; (ii) “customer application, qualification, loan origination, and disbursement”; (iii) “student loan servicing”; (iv) “borrower inquiries and complaints”; and (v) “information sharing and privacy.”

    Agency Rule-Making & Guidance Consumer Finance CFPB Federal Issues Examination Supervision EGRRCPA FCRA

  • CFPB denies debt collector’s request to set aside CID

    Federal Issues

    On February 6, the CFPB released a Decision and Order denying a debt collection company’s (petitioner) request to set aside or modify a third-party Civil Investigative Demand (CID) issued by the Bureau, and directing the petitioner to provide all information required by the CID. The CID in dispute was issued to the petitioner by the CFPB in November and seeks documents and written responses pertaining to the petitioner’s business practices and its relationship with a New York-based debt collection law firm. The CID requests information regarding whether “debt collectors, furnishers, or associated persons” had, among other things, (i) violated the Consumer Financial Protection Act by ignoring warnings regarding debts resulting from identity theft “in a manner that was unfair, deceptive or abusive”; (ii) violated the FDCPA by disregarding cease-and-desist requests or by failing to provide required notices or making false or misleading statements; or (iii) violated the FCRA by “fail[ing] to correct and update furnished information, or fail[ing] to maintain reasonable policies and procedures.”

    In its petition to set aside or modify the CID, the petitioner set out four primary arguments: (i) the structure of the CFPB is unconstitutional, and it therefore “lacks authority to proceed with enforcement activity”; (ii) the CID improperly seeks attorney-client privileged information; (iii) the CID is “overly broad,” does not apply to the petitioner, and does not sufficiently provide the “nature of the conduct under investigation and the applicable provisions of law”; and (iv) the CID improperly seeks information beyond the applicable statute of limitations.

    The Bureau’s denial of the petitioner’s request addresses each of the petitioner’s arguments. Regarding the constitutionality of the CFPB’s structure, the order asserts that “the administrative process set out in the [B]ureau’s statute and regulations for petitioning to modify or set aside a CID is not the proper forum for raising and adjudicating challenges to the constitutionality of the [B]ureau’s statute.” In response to the petitioner’s attorney-client privilege argument, the order states that the petitioner “does not ask…to modify the CID to avoid seeking privileged information—it only asks that the CID be quashed in its entirety.” The Bureau states that because the petitioner makes a “blanket assertion” of attorney-client privilege rather than providing the required privilege log in order to properly claim privilege over materials requested in the CID before filing its petition, the petitioner’s argument is “procedurally improper” and does not show that the “CID should be set aside on these grounds.” To the petitioner’s lack of specificity argument, the order states that the CID “sets forth in detail both the conduct under investigation and applicable laws,” adding that there is no requirement that the Bureau disclose the targets of its “ongoing and confidential law-enforcement investigations.” The order also rejects the petitioner’s statute of limitations argument, explaining that the Bureau is not limited to the three years preceding the CID, but “instead what matters is whether the information is relevant to conduct for which liability can be lawfully imposed.”

    Federal Issues CFPB Enforcement Consumer Finance CIDs Debt Collection Single-Director Structure Statute of Limitations Dodd-Frank FDCPA FCRA

  • District court voids debt collectors’ $2.5 million jury award

    Courts

    On February 6, the U.S. District Court for the Northern District of Texas vacated a jury award of $2.5 million in favor of two nationwide debt collection agencies (plaintiffs), in an action alleging fraud by a law firm and vendor (defendants) in their provision of credit repair services. According to the opinion, the plaintiffs claimed that the defendants ran “a fraudulent credit repair scheme” in which the defendants “prey[ed] on financially troubled consumers by drafting, signing, and mailing frivolous dispute correspondences—all using [the defendant’s] patented software that generates context-based unique letters—in the name of consumers, without the consumer’s specific knowledge or consent, and without identifying that the letters are from a law firm, rather than a consumer,” in violation of the FDCPA and the FCRA. The defendant law firm responded that all of its credit repair clients provided consent for the law firm to send the letters on their behalf in an effort to improve their credit. After a six day trial, the defendants filed an amended motion for judgment as a matter of law, claiming the plaintiffs had not met their burden of proof on several elements of their fraud claims. The court “reserved ruling on the motion and stated that it would consider the arguments raised in the motion post-verdict, as necessary.” After the jury found in favor of the plaintiffs and awarded them $2.5 million in damages, the defendants filed a renewed motion for judgment as a matter of law, arguing that the plaintiffs had not shown any “material misrepresentation” or “material false statement” by the defendants, and further, that the plaintiffs did not show a “reasonable reliance” on such statements, or that the defendants had any duty to disclose facts to the plaintiffs.

    According to the opinion, the defendants’ motion for judgment as a matter of law called into question the “legal sufficiency” of the plaintiffs’ evidence in support of the jury’s verdict. In granting the motion and vacating the jury award in favor of the plaintiffs, the court held that the plaintiffs failed to show a material false statement by the defendants, and therefore the evidence could not support the jury’s fraud verdict.

    Courts Credit Repair FCRA Debt Collection FDCPA Credit Report Fraud

  • 7th Circuit holds both parties lack standing in FCRA suit

    Courts

    On January 28, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of claims and counterclaims in a privacy lawsuit, holding that neither party had standing under the Fair Credit Reporting Act (FCRA). In 2016, the consumer filed a lawsuit against the credit reporting agency claiming privacy violations and emotional distress after the agency released his credit information without authorization. According to the consumer, his credit information appeared on a “prescreen list” given to a prospective lender that was no longer under contract with the agency to make loan offers to pre-screened consumers. The agency filed an FCRA counterclaim arguing that the plaintiff violated the FCRA when he obtained a copy of the prescreen list without authorization in order to file the lawsuit. The district court dismissed both claims, ruling that neither party had standing to sue because they had not suffered a concrete injury.

    On appeal, the 7th Circuit agreed with the decision, concluding the plaintiff failed to meet the injury-in-fact requirements under Article III and that any harm he may have suffered when the prescreen list was shared was “exceedingly remote and speculative.” According to the appellate court, “[i]dentifying a violation of a statutory right does not automatically equate to showing injury-in-fact for standing purposes.” Moreover, the plaintiff “had to come forward with something showing that he did not receive a firm offer, that [the prospective lender] would not have honored a firm offer, that he was affected by the lack of a firm offer, or that he suffered any actual emotional damages,” the 7th Circuit wrote, which he failed to do. The 7th Circuit also agreed with the district court that the company’s alleged reputational harm was insufficient to confer standing. The appellate court further rejected the agency’s second argument that defending the suit counted as a concrete injury, holding that the agency was attempting to “shoehorn itself into another cause of action,” and that the FCRA does not create an independent cause of action for which the agency can recover its costs.

    Courts Appellate Seventh Circuit FCRA Credit Reporting Agency Standing

  • CFPB files claims against debt relief companies

    Federal Issues

    On January 9, the CFPB announced that it filed a complaint in the U.S. District Court for the Central District of California against a mortgage lender, a mortgage brokerage, and several student loan debt relief companies (collectively, “the defendants”), for allegedly violating the FCRA, TSR, and FDCPA. In the complaint, the CFPB alleges that the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products. The Bureau asserts that the reports of more than 7 million student loan borrowers were actually resold or provided to companies engaged in marketing student loan debt relief services.

    According to the complaint, “using or obtaining prescreened lists to send solicitations marketing debt-relief services is not a permissible purpose under FCRA.” The complaint alleges that the defendants violated the TSR by charging and collecting advance fees before first “renegotiat[ing], settl[ing], reduc[ing], or otherwise alter[ing] the terms of at least one debt pursuant to a settlement agreement, debt-management plan, or other such valid contractual agreement executed by the customer,” and prior to “the customer ma[king] at least one payment pursuant to that settlement agreement, debt management plan, or other valid contractual agreement between the customer and the creditor or debt collector.” The CFPB further alleges that the defendants violated the TSR and the CFPA when they used telemarketing sales calls and direct mail to encourage consumers to consolidate their loans, and falsely represented that consolidation could lower student loan interest rates, improve borrowers’ credit scores, and change their servicer to the Department of Education.

    The Bureau is seeking a permanent injunction to prevent the defendants from committing future violations of the FCRA, TSR, and CFPA, as well as an award of damages and other monetary relief, civil money penalties, and “disgorgement of ill-gotten funds.”

    Federal Issues CFPB Debt Relief Consumer Finance Telemarketing Sales Rule Student Lending CFPA Courts FCRA UDAAP

  • Mortgage broker allegedly violated federal laws by posting customers’ personal information on website

    Privacy, Cyber Risk & Data Security

    On January 7, the FTC announced a proposed settlement with a California mortgage broker and his company to resolve alleged violations of the FTC Act, FCRA, Regulation P, and the Safeguards Rule. According to a complaint filed by the DOJ on behalf of the FTC, the defendants published the personal information of customers who posted negative reviews on a public website, including customers’ “sources of income, debt-to-income ratios, credit history, taxes, family relationships, and health.” The alleged posts containing negative financial information violated the defendants’ responsibilities under Regulation P (Privacy of Consumer Financial Information) as the required privacy disclosure provided to the customers stated that the defendants would not share personal information with any third party. Regulation P also “prohibits financial institutions from disclosing to any nonaffiliated third party any nonpublic personal information about a customer unless it has provided the customer with an opt-out notice, . . . a reasonable opportunity to opt out of the disclosure, and the customer has not opted out.” In this instance, customers were not given the opportunity to opt out of disclosure of their personal financial information in response to online consumer reviews, the complaint asserts. In addition, the complaint alleges that the defendants also violated the FTC Act by causing unfair or deceptive acts or practices that “deprived consumers of the ability to control whether and to whom they disclosed sensitive information.” The defendants also allegedly violated the FCRA by using consumer reports for impermissible purposes, and the FTC’s Safeguards Rule by failing to implement or maintain an adequate information security program. 

    Under the terms of the proposed settlement, the defendants will pay a $120,000 civil penalty and are prohibited from (i) misrepresenting their privacy and data security practices; (ii) using consumer reports for anything other than a permissible purpose; (iii) failing to provide required privacy notices; and (iv) improperly disclosing nonpublic personal information to third parties. Among other things, the company is also prohibited from transferring, selling, sharing, collecting, maintaining, or storing nonpublic personal information unless it implements a comprehensive information security program, and it must obtain independent third-party assessments of its information security program every two years.

    Privacy/Cyber Risk & Data Security Courts FTC DOJ FTC Act UDAP FCRA Regulation P Safeguards Rule Settlement Consumer Protection
