On October 29, 2015, the Consumer Financial Protection Bureau (“CFPB”) announced the settlement of an enforcement action against two affiliated consumer reporting agencies under the Fair Credit Reporting Act (“FCRA”) based on these companies’ employment background screening practices.  The consent order requires these background screeners to pay a total of $13 million in penalties and consumer redress.  The Order also requires significant changes in the companies’ practices with regard to matching and use of public record information.  This enforcement action provides another example of the CFPB flexing its regulatory muscle in the FCRA arena.  All consumer reporting agencies (“CRAs”), all businesses that furnish data to a CRA (“furnishers”), and all users of data obtained from a CRA (“users”) should be concerned about the CFPB’s use of its enforcement authority. 

The targets of the CFPB’s enforcement action were General Information Services, Inc. and e-Backgroundchecks.com, Inc. (the “Respondents”).  The Respondents provide public record background information – such as criminal records and civil judgment data – to employers who are conducting screenings on job applicants and current employees. 

In the enforcement action, the CFPB claimed the Respondents failed to employ reasonable procedures to assure “maximum possible accuracy” of the data provided to employers, as required by the FCRA.  One main thrust of the Order, for example, focused on the procedures used by Respondents to “match” a criminal record to a given individual. 

The Order seemed to take exception with the “strict procedure” practices of Respondents’ employees when deciding whether a record related to a consumer in the employment screening context.  Under Section 613 of the FCRA, consumer reporting agencies under certain circumstances are required to use “strict procedures” to ensure that public records reported for employment purposes are complete and up to date.  The Order, however, does not only address “strict procedures.”  It also addresses the broader standard of “reasonable procedures” generally applicable to almost all information reported by a consumer reporting agency for any permissible purpose.   

The CFPB appears to conclude that matching should be done by requiring an exact match based on first, middle and last name, plus one additional identifier such as date of birth or Social Security number.  By this Order, therefore, the CFPB in effect is attempting to create a detailed standard of conduct in matching data – but one which likely does not recognize the realities of the market.  For example, very few if any courts provide a social security number of the defendant, making a match on this element impossible for some criminal records.  Likewise, it is not uncommon for courts to record the middle name as the first name or to carry forward an error either intentionally introduced by the defendant (for example to avoid a warrant) or through key stroke errors by the court personnel.  Indeed, there is substantial evidence that persons with criminal records frequently supply alternate names to defeat background checks.  Thus, it would be dangerous to conclude that this Order should create an industry wide standard; using the CFPB’s view could allow someone with a dangerous conviction to avoid detection and gain employment in a highly sensitive place of employment, such as a daycare or senior living facility. 

Another main thrust of the Order focused on the Respondents’ internal compliance procedures.  The Order claims they failed to have written procedures for researching public record information for consumers with common names, failed to analyze consumer dispute data to determine data integrity issues and identify potential reporting weaknesses, and failed to conduct regular meetings to discuss errors.  The Order requires Respondents to correct all of these claimed deficiencies.  Again, by this Order, the CFPB seeks to establish a detailed standard for internal compliance procedures down to the level of detail of how often internal meetings should occur to discuss consumer complaints (monthly). 

Because the Respondents were unable to discern from the FCRA a requirement to use first, last, and middle names in matching, and the necessity of monthly meetings, the CFPB imposed significant monetary and non-monetary penalties.  The Order requires the Respondents to establish a $10.5 Million fund dedicated to payments to the consumers at issue.  The Order also imposes a total of $2.5 Million in civil money penalties, payable to the CFPB directly. 

While the specifics of the Order are of particular concern to CRAs, the broader lesson of the Order is that the CFPB is asserting enforcement power under the FCRA that not only includes CRAs, but also any other businesses regulated by the FCRA, including furnishers and users. In the Order, the CFPB specifically cites its authority to enforce the FCRA against “persons subject to the FCRA.”  The phrase “persons subject to the FCRA” draws upon a provision of the FCRA that gives the CFPB enforcement authority over “any person” subject to the FCRA.  The FCRA regulates not only CRAs, but also the conduct of many businesses that supply information to CRAs and most businesses that use data obtained from CRAs.  Hence, the Order teaches that if your business is involved in FCRA-regulated activities, then the CFPB is interested in you.  Moreover, the CFPB may not provide any guidance on an issue before an enforcement action is pursued.  From a compliance perspective, businesses must look ahead to what issues will become important to the CFPB, which may not always be obvious to those not actively involved in the FCRA. 

Troutman Sanders’ attorneys are nationally recognized experts in the FCRA, consumer class actions, and CFPB enforcement proceedings.  Our attorneys are well-equipped to assist consumer reporting agencies, furnishers, and employers alike with their FCRA compliance procedures.  We have advised numerous Fortune 500 companies on strategies to comply with the FCRA, and with litigation when those FCRA procedures are challenged.  We will continue to monitor developments in this and other CFPB enforcement proceedings.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Alan D. Wingfield Alan D. Wingfield

Alan Wingfield helps consumer-facing clients navigate compliance, litigation and regulatory risks posed by the complex web of state and federal consumer protection laws. He is a trusted advisor and tireless advocate, helping clients develop practical compliance and dispute-resolution strategies.

Read more about Alan D. WingfieldAlan's Linkedin Profile
Photo of David M. Gettings David M. Gettings

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA) and associated FCC regulations, the Fair Debt Collection Practices Act, the Truth in Lending Act, the Electronic Fund Transfer Act, and many similar state consumer protection statutes.

Read more about David M. GettingsDavid M.'s Linkedin Profile
Show more Show less
Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Read more about David N. AnthonyDavid N.'s Linkedin Profile
Photo of John C. Lynch John C. Lynch

John is a first-chair litigator with a distinguished defense record in class action matters and other high-stakes litigation. He is sought after for his trial-to-verdict experience in state and federal courts throughout the U.S., effective strategies, and practical advice.

Read more about John C. LynchJohn C.'s Linkedin Profile
Photo of Keith J. Barnett Keith J. Barnett

Keith’s experience representing clients in the financial services industry as a litigation, compliance, regulatory, investigations (internal and regulatory), and enforcement attorney spans 20 years. Keith represents clients against government regulators (CFPB, FTC, SEC, CFTC), industry regulators (FINRA), and private litigants in federal courts…

Keith’s experience representing clients in the financial services industry as a litigation, compliance, regulatory, investigations (internal and regulatory), and enforcement attorney spans 20 years. Keith represents clients against government regulators (CFPB, FTC, SEC, CFTC), industry regulators (FINRA), and private litigants in federal courts, state courts, and before arbitration and administrative law panels in the financial services industry.

Read more about Keith J. BarnettKeith's Linkedin Profile
Show more Show less
Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Read more about Ronald I. Raether, Jr.Ronald I.'s Linkedin Profile
Show more Show less
Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Read more about Tim J. St. GeorgeTim J.'s Linkedin Profile
Related Posts
BackgroundScreening_1010627844
General Counsel of the CFPB Delivers Remarks Focusing on Medical Collections and Tenant Screening
April 15, 2024
MortgageLenders_1131103345
HUD Issues Rulemaking Amending Regulations Governing Admission to Public Housing for Applicants with Criminal Records
April 15, 2024
CFSblog_CFS_YIR_1200x600
Troutman Pepper Publishes 2023 Consumer Financial Services Year in Review and A Look Ahead
February 1, 2024