An $8 million settlement announced November 19, 2014, between the Consumer Financial Protection Bureau (CFPB) and the nation’s largest “buy here pay here” auto dealer represents yet another warning coming out of Washington, D.C. that:

1. Compliance with the requirements of the Fair Credit Reporting Act (FCRA) when businesses furnish credit information to consumer reporting agencies (CRAs) is a top federal regulatory priority; and

2. The CFPB is creating and enforcing its own debt collection rules applicable to any creditor modeled after those specified for debt collectors under the federal Fair Debt Collection Practices Act (FDCPA).

While this enforcement action is in the context of a “buy-here pay-here” car dealer operation – DriveTime Automotive Group, Inc. (“DriveTime”) – the issues raised apply to any business that reports information to the CRAs or collects consumer debts. Moreover, this enforcement action comes hard on the heels of a $2.75 million settlement of alleged FCRA violations by an auto lender; other settlements against creditors for abusive collection activities; and bulletins issued by the CFPB reminding businesses of their obligations under the FCRA. In particular, the CFPB’s $2.75 million settlement in August 2014 with First Investors Financial Services Group, Inc. involved the alleged distortion of consumer credit records via flaws in the auto lender’s computer system that resulted in the inaccurate furnishing of information to the CRAs. The CFPB-First Investors consent order can be found here.

Here, DriveTime and its finance company affiliate not only agreed to pay an $8 million civil penalty, but also agreed to follow a comprehensive set of compliance requirements for its debt collection and credit reporting operations. In toto, the settlement subjects DriveTime’s debt collection and credit reporting operations to the close supervision of the CFPB for five years.

DriveTime’s specific practices deemed in violation of the FCRA include:

    • Having inadequate written policies governing DriveTime’s furnishing information to the CRAs. Even though written policies are required by Regulation V promulgated under the FCRA, DriveTime’s policies were only one and a half pages long, had not been updated for three years, and omitted any discussion of how to handle consumer disputes of credit information;
    • Reporting inaccurate current balance information on charged off accounts, the timing of repossessions, and the date of first delinquency. At least some of these problems were known to DriveTime and caused by problems converting data from DriveTime’s computer systems to that of a vendor engaged to handle credit reporting to the CRAs; and
    • Failing to properly respond to consumer disputes by investigating the disputes and correcting errors that were detected. DriveTime receives 22,000 disputes a year, which are handled by two employees.

In the settlement, DriveTime agreed to revamp its FCRA compliance procedures and policies in conjunction with a CFPB-approved consultant, to provide a comprehensive plan to the CFPB for improvements, and to report on implementation.

DriveTime’s specific debt-collection practices deemed by the CFPB to constitute unfair harassment of debtors focused on DriveTime’s failure to record and respect “do not call” or DNC requests, including:

    • Calling debtors at their workplace after receiving “do not call” or DNC requests from the debtors;
    • Repeatedly calling third-party references provided by debtors with their credit application, even after the references requested the calls to stop, and discussing the consumer’s debt with the references; and
    • Obtaining telephone numbers from third-party vendors, and repetitively dialing those numbers – even when the numbers were not associated with the debtor – resulting in complete strangers receiving multiple debt-collection calls from DriveTime.

In the settlement, DriveTime agreed to abide by DNC requests, and to take steps to avoid making repetitive calls to third-party references or disclosing the debt to the references. DriveTime also agreed to provide customers with information on how to make requests to limit calls to debtors and to improve its systems to prevent unwanted calls. These conduct agreements are analogous to requirements under the FDCPA that require debt collectors to respect DNC requests and to avoid disclosing to third parties the existence and status of a consumer’s debt. In other words, by way of this settlement, DriveTime is bring required to abide by standards of conduct – in collecting its own debts – analogous to those imposed on third-party debt collectors under the FDCPA, even though DriveTime is not directly subject to the FDCPA. DriveTime also agreed to revamp its debt-collection procedures, to hire a CFPB-approved consultant, to provide a comprehensive plan to the CFPB for improvements, and to report on implementation of this plan.

One other aspect of the settlement is notable. The CFPB has no specific direct supervisory authority over DriveTime, as opposed to large banks and mortgage lenders, among others. Nevertheless, even when the CFPB lacks supervisory authority, the CFPB has jurisdiction to enforce the Dodd-Frank Act’s general Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) protections against essentially any financial services company. Moreover, as part of the settlement, DriveTime agreed to subject itself to the supervisory authority of the CFPB, meaning that the CFPB will have the power to conduct on-site examinations at will.

Finally, we also note that the CFPB has included “buy-here pay-here” auto dealers in its September proposal for regulating larger participants in the nonbank auto finance market. The proposal can be found here. In sum, businesses that think that they are beyond the reach of the CFPB because they are not within its supervisory authority are mistaken and must gauge their compliance efforts accordingly.