A major background check vendor has settled charges by the Consumer Financial Protection Bureau (CFPB) that matching practices – the bases by which it attributes a criminal record to a specific individual – violated the Fair Credit Reporting Act (FCRA). At bottom, the settlement attempts to establish a standard that name and Date of Birth matching alone is insufficient to comply with the FCRA’s accuracy requirements, “three-factor” matching (name, DOB and address for example) is the minimum compliant matching standard. The settlement also covered other noteworthy business practices in the background check industry.

On November 22, 2019, the CFPB filed a Complaint against Sterling Infosystems, Inc. in the United States District Court for the Southern District of New York alleging violations under the FCRA and simultaneously filed a Proposed Stipulated Final Judgment and Order.

The 10-page Complaint against Sterling alleges the company violated sections 1681e(b), 1681k(a) and 1681c(a) of the FCRA. Each alleged violation is described below.

1. Alleged Failure to Employ Reasonable Procedures to Assure Maximum Possible Accuracy (1681e(b))

In the Complaint, the CFPB alleges that the following procedures, or lack of procedures, led Sterling to report erroneous adverse items of information on consumer reports:

(i) Matching Based on Two Identifiers: Between December 16, 2012, and October 2014, Sterling matched criminal records using two identifiers (which could include (i) first and last name and (ii) date of birth). This policy allegedly created a heightened risk of false positives because many commonly named individuals (e.g., John Smith) share the same first and last name and date of birth. Because of the widespread lack of access to Social Security numbers in criminal records, background check companies need to determine whether a given record applies to a given consumer using matching criteria. The CFPB takes the position that two-factor matching consisting of name and date of birth is inadequate.

(ii) Insufficient Training on New Policies: Beginning in October 2014, Sterling adopted its first company-wide common-name matching criteria, which required a match on three personal identifiers. But continuing after October 2014 through July 31, 2016, Sterling continued reporting instances of erroneously matching criminal records on common-name applicants due to supposedly insufficient training on the new common-name matching policy. The CFPB seems to be taking the position that three-factor matching can be adequate.

(iii) Junior/Senior Issue: Other instances of reporting errors involving both common and uncommon names were the result of another policy where Sterling permitted matching criminal records with male applicants based solely on a matching first and last name and matching address. This too created an allegedly heightened risk of false positives because some males with the same first and last name (i.e., a junior and senior) live at the same address.

(iv) High-Risk Indicators: On one of its platforms, Sterling included in the Social Security Trace portion of its reports the notation ***HIGH-RISK INDICATOR*** next to an address, followed by a descriptor placing the address into a particular category. These categories included Psychiatric Hospital, Nursing and Personal Care Facility, Corrections Institution and Social Service Facility, among others. Sterling included a statement that the SSN Trace should not be used for an FCRA purpose. Sterling allegedly did not implement any procedures to verify the accuracy of these high-risk designations.

2. Alleged Failure to Maintain Strict Procedures to Ensure that Adverse Public Record Information Contained in the Consumer Reports was Complete and Up to Date (1681k(a))

The CFPB alleges that Sterling violated section 1681k(a) of the FCRA because: (1) Sterling has not, in many instances, notified applicants of the fact that it was reporting public record information about the application at the time that information was being reported, and (2) for the same reasons as described above, Sterling failed to maintain “strict procedures” to ensure that the public record information it reported is “complete and up to date.”

3. Alleged Reporting of Outdated Adverse Information (1681c(a))

Finally, the CFPB alleges that Sterling violated section 1681c(a) in the following ways:

(i) Outdated Addresses: In the Social Security Trace portion of its reports, Sterling reported the ***HIGH-RISK INDICATOR*** next to an address at which the applicant lived and was “last seen” more than seven years before the report was generated. Per the CFPB complaint, “such a designation may be an adverse item of information because it could cast the consumer in a negative or unfavorable light.”

(ii) Outdated Adverse Criminal Information: Beginning in May 2012 and continuing through February 2013, Sterling used the “disposition date” as the start date for the seven-year calculation. The CFPB alleges that “date of entry” should be used on records of arrest, and “date of criminal charge” should be used for other non-conviction criminal record information.

The parties’ Proposed Stipulated Final Judgment and Order provides for the following:

1. Monetary Payment:

$6,000,000 paid into a Redress Fund. The Redress Fund will be paid pro rata to approximately 7,100 consumers who successfully disputed criminal records.

$2,500,000 paid as a Civil Penalty.

2. Conduct Requirements:

The proposed order does not include any specifics in this section. Rather, the proposed order only repeats the requirements of the FCRA under sections 1681e(b), 1681k(a) and 1681c(a).

The only specifically defined change in conduct is that Sterling will not report High-Risk Indicators for the next 5 years.

3. Compliance Committee:

Sterling has to establish a Compliance Committee.

The Compliance Committee must meet at least once every two months and maintain minutes.

The Compliance Committee will be responsible for monitoring and coordinating Sterling’s adherence to the Order.

4. Role of the Board

The Board of Directors of Sterling is ultimately responsible for compliance with this Order and must review all submissions to the CFPB under this Order.

5. Reporting Requirements:

For 5 years, Sterling must provide a written compliance progress report that details the manner and form in which Sterling has complied with each paragraph of the Order.