2018 was a busy year in the consumer financial services world. As we navigate the continuing heavy volume of regulatory change and forthcoming developments from the Trump administration, Troutman Sanders is uniquely positioned to help its clients successfully resolve problems and stay ahead of the compliance curve.  

In this report, we share developments on consumer class actions, background screening, bankruptcy, FCRA, FDCPA, payment processing and cards, mortgage, auto finance, the consumer finance regulatory landscape, cybersecurity and privacy, and TCPA. 

We hope you find this helpful as you navigate the evolving consumer financial services landscape.

Access full report here.


Your diet and fitness goals are not the only things scheduled to change come the New Year.  On April 10, 2018, Iowa Governor Kim Reynolds signed Senate File 2177, which modified provisions applicable to consumer security freezes and personal information security breach protection.  The Act, which goes into full effect on January 1, was proposed by the Iowa Attorney General’s office as well as state legislators to address certain changes in technology.

With respect to consumer security freezes, S.F. 2177:

  • eliminates the requirement for consumers to submit requests for security freezes through certified mail, and instead allows for such requests to be submitted by mail, telephone, email, or through a secure online connection;
  • requires consumer reporting agencies (“CRAs”) to commence security freezes within three business days after receiving a request, as opposed to the previous five days;
  • requires CRAs to identify for consumers, under certain circumstances, any other “consumer reporting agency that compiles and maintains files on consumers on a nationwide basis” (as defined by section 1681a(p) of the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.), and inform them of appropriate contact information that would permit the consumer to place, lift, or remove a security freeze from such other CRA; and
  • prohibits CRAs from charging a fee for placing, removing, temporarily suspending, or reinstating a security freeze.

CRAs will want to ensure their processes and procedures have been updated to account for such changes, and that employees have been trained to comply with them.

As noted above, S.F. 2177 also modified Iowa’s personal information security breach protection statute. Those changes, however, went into effect July 1, 2018, and include the following:

  • The definition of “encryption” was modified to mean only those certain algorithmic processes that meet accepted industry standards.
  • The Act clarified that the law does not apply to businesses that are subject to and comply with the Health Insurance Portability and Accountability Act of 1996, or “HIPAA.”
  • The Act now requires notification of a security breach to the Iowa Attorney General within five business days after giving notice of the breach of security to any consumer.

Companies tracking data breach notification requirements as part of their incident response plans, policies, and procedures should ensure their materials have been updated to account for such changes.


A court in the United States District Court for the Southern District of Iowa recently ruled that the protections applicable when consumer reports are obtained for “employment purposes” under the Fair Credit Reporting Act (“FCRA”) do not extend to reports obtained for independent contractors. This issue has been unsettled and both employers and background screening companies alike have lacked clear guidance with respect to background reports for independent contractors. The decision becomes part of a small but growing body of law providing clarity on this recurring issue of importance.

The case is Smith v. Mutual of Omaha Insurance Company, No. 4:17-cv-00443 (S.D. Iowa Oct. 4, 2018). A copy of the opinion can be found here.

Requirements for Reports Used for “Employment Purposes”

Some of the FCRA’s most litigated protections apply when a consumer report is obtained for “employment purposes.” 15 U.S.C. § 1681b(b). This includes obtaining the consumer’s written authorization in a “stand-alone disclosure” and providing a pre-adverse action notice and summary of rights if the consumer report will be used to make an adverse employment decision. Importantly, these steps are only required if the report is obtained for employment purposes. “Employment purposes” is defined by the FCRA as “a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” 15 U.S.C. § 1681a(h). It’s these last three words that have caused confusion.

Given the strict requirements, employers often find themselves defending lawsuits – including class action lawsuits – under this provision of the FCRA. Some courts have even been willing to extend the requirements to consumer reporting agencies under certain circumstances. Claims based on alleged violations of these requirements have led to many multi-million dollar settlements. Yet, the courts have not reached a consensus on whether these requirements apply equally to reports obtained for independent contractors.

The Court’s Decision

Plaintiff alleged he had applied to contract with Mutual of Omaha as an insurance salesperson but had not been hired due to a falsely reported felony on his background check. He alleged Mutual of Omaha failed to provide him with the statutorily-mandated prior notice that the background check had led to his non-hiring. Mutual of Omaha moved to dismiss the claim on the basis that Smith was only applying to work as a contractor and, therefore, the FCRA’s pre-adverse action notice requirement did not apply. Plaintiff responded that he was actually applying as an employee and, even if he was a contractor, the FCRA’s requirements applied to contractors as well as employees.

In finding the FCRA’s pre-adverse action requirement did not apply to reports obtained for independent contractors, the Court first noted how the question was “altogether separate from the question of whether Smith himself would have been an employee.” The Court looked at the plain language of the statute as being limited to reports used for “evaluating a consumer . . . as an employee.” Finding this “unambiguous,” the Court concluded “the FCRA’s requirement of pre-adverse action notice only applies when an applicant applies to be an employee.” In reaching this conclusion, the Court followed the reasoning of the Northern District of Ohio in Johnson v. Sherwin-Williams Co., 152 F. Supp. 3d 1021 (N.D. Ohio 2015) and the Eastern District of Wisconsin in Lamson v. EMS Energy Marketing Service, Inc., 868 F. Supp. 2d 804 (E.D. Wis. 2012).

Although the Court decided the FCRA did not apply to independent contractors, it ordered limited discovery on the issue of whether Smith qualified as an employee or independent contractor, rather than granting outright Mutual of Omaha’s Motion to Dismiss with prejudice.

An Unsettled Issue

While Judge Jarvey in the Southern District of Iowa took a common-sense approach in reading the statute, some support exists for reading “employment purposes” to encompass independent contractors. Indeed, the Federal Trade Commission noted in its 2011 staff report, 40 Years of Experience with the Fair Credit Reporting Act, that “’employment purposes’ is interpreted liberally” and it “may apply to situations where an entity uses individuals who are not technically employees to perform duties.” This theoretically could include independent contractors, agents, and volunteers, so long as the relationship is substantively analogous to employment. This interpretation seems largely based on a 1975 decision from the Fourth Circuit, Hoke v. Retail Credit Corp., 521 F.2d 1079 (4th Cir. 1975), which noted in dicta the FCRA could apply to independent contractors under some circumstances because courts “are not constrained to limit its application by the common-law concept of master and servant.” This expansive interpretation could be reconciled with Judge Jarvey’s approach by the view that whether the FCRA requirements apply depends on the facts and circumstances of a given relationship, rather than the formal designation of someone as an independent contractor.


Although one district court decision does not carry the day on this issue, employers and background screening companies alike should welcome this decision. Still, when obtaining and furnishing background reports for independent contractors, companies should be mindful that other courts may read “employment purposes” broadly and impose the FCRA’s requirements for reports on independent contractors, and that personnel formally denominated an “independent contractor” may not be treated as such in court but rather could be deemed an employee for FCRA purposes, depending on the circumstances. To limit potential lawsuits, companies may consider obtaining the applicant’s authorization for a background check and providing them notice of any adverse decision based on that background check.

The Northern District of California recently dismissed a putative class action, filed under the Fair Credit Reporting Act, challenging an employer’s inclusion of state-specific information in its FCRA consent and disclosure form.  The Court held that the plaintiff had no standing to assert her FCRA claim because she failed to plead a concrete injury-in-fact.

In Soman v. Alameda Health Sys., No. 17-cv-06076-JD, 2018 U.S. Dist. LEXIS 204450 (N.D. Cal. Dec. 3, 2018), consumer Jas Soman argued that the disclosure form used by Alameda Health Systems (“AHS”) violated the FCRA by including language advising Soman that she was entitled to a copy of the consumer report obtained by AHS under state laws of California, New York, Minnesota, and Oklahoma.

The FCRA requires an employer to make certain disclosures prior to obtaining a consumer report for employment purposes.  Specifically, the FCRA requires “a clear and conspicuous disclosure” in writing that consists “solely” of the disclosure.  AHS moved to dismiss Soman’s second amended complaint, arguing that the text boxes advising residents of certain states of their rights under state law could not “possibly make the FCRA disclosure non-compliant for saying more than what was ‘solely’ required.”  AHS argued that under Article III, even if the text boxes were superfluous, they amounted to a “bare procedural violation” divorced from any concrete harm.

The District Court agreed, finding it “hard to see how Soman’s complaint is actionable” under either Rule 12(b)(1) or 12(b)(6) of the Federal Rules of Civil Procedure.  The Court noted that the boxes containing the state-law provisions were “not of a sort that would make the notice in the FCRA disclosure less than clear and conspicuous in any meaningful way, or violate the intent of being ‘solely’ disclosures.”  The Court reasoned that the boxes were “wholly consistent with Congress’s intent to protect applicants’ rights by advising them in plain words of state-law rights that enhance the FCRA’s disclosure requirements.”

The Court’s opinion distinguished AHS’s disclosures from the form at issue in Syed v. M-I, LLC, 853 F.3d 492, 496 (9th Cir. 2017).   The form in Syed included a liability waiver in the disclosure.  Comparing the issues in Syed to AHS’s disclosure, the Court noted that there was no liability waiver in AHS’s disclosure, and the inclusion of the state-specific language did not limit Soman’s rights but provided her with additional information under state laws that are “in full harmony with the FCRA.”

At the same time that Soman argued the FCRA disclosure contained superfluous information, she also alleged the FCRA disclosure contained too little information, specifically pointing to a missing digit in the ZIP code for the vendor who conducted the background check.  The Court also held this allegation was insufficient to establish an injury-in-fact, reasoning that this “minor typo is the quintessence of a procedural misstep that could not cause an injury[.]”

Finding that Soman’s complaint failed to allege an injury-in-fact, the Court dismissed the case without prejudice.  This case is yet another example of ways in which consent and disclosure forms continue to be challenged.  Troutman Sanders routinely reviews these types of forms and recommends that all employers utilizing background checks review their disclosure forms to ensure FCRA and state law compliance.

On November 16, the United States District Court for the Southern District of California granted final approval of a $1.2 million Fair Credit Reporting Act class action settlement against Petco Animal Supplies, Inc.

As we previously reported, a putative class action was filed against Petco in June 2016, challenging the company’s form of disclosure for employment background checks.  The complaint alleged that the background check disclosure was “hidden” among other pages of “fine print” and did not constitute the “stand alone” disclosure required by law.  After more than two years of litigation, including discovery and motions practice, the parties reached a class settlement.

The key terms of the settlement are as follows:

  • Total Settlement Fund: $1.2 million
  • Settlement Class Definition: “All persons regarding whom Defendant procured or caused to be procured a consumer report for employment purposes during the period from May 1, 2014 through December 31, 2015.  Included in the Settlement Class is a subclass consisting of those against whom Petco took an adverse action subsequent to procuring a consumer report and did not receive a pre-adverse action notification letter.”
  • Settlement Class Sizes: The Disclosure Class consists of 37,279 class members.  The Adverse Action Subclass consists of 52 class members.
  • Settlement Class Member Benefits: Members of the Disclosure Class will receive approximately $20 each.  Members of the Adverse Action Subclass will receive an additional $150 each, for a total settlement of approximately $170 each.
  • Attorneys’ Fees: $300,000.
  • Total Incentive Award for the Two Named Plaintiffs: $10,000.

A copy of the Court’s Order granting final approval of the class settlement can be found here.


As Congress’ emboldened majority has sought to lessen the federal government’s regulatory footprint, the states have not always been quiet, as one summertime example amply shows.

In 2017, two congressmen introduced two bills which, if enacted, would expand the scope of federal preemption to include non-bank entities. Introduced by Rep. Patrick McHenry (R-N.C.), the first of these two bills – the Protecting Consumers’ Access to Credit Act of 2017 (HR 3299) – states that bank loans with a valid rate when made will remain valid with respect to that rate, regardless of whether a bank has subsequently sold or assigned the loan to a third party. A second bill known as the Modernizing Credit Opportunities Act of 2017 (HR 4439), championed by Rep. Trey Hollingsworth (R-Ind.), strives “to clarify that the role of the insured depository institution as lender and the location of an insured depository institution under applicable law are not affected by any contract between the institution and a third-party service provider.” Perhaps most significantly, it would establish federal preemption of state usury laws as to any loan to which an insured depository institution is the party, regardless of any subsequent assignments. In so doing, both bills amend provisions of the Home Owners’ Loan Act, Federal Credit Union Act, and/or Federal Deposit Insurance Act. Such an amendment would invalidate a long-line of judicial precedent barring a non-bank buyer’s ability to purchase a national bank’s right to preempt state usury law, which culminated in the Second Circuit’s 2015 decision in Madden v. Midland Funding, LLC, and thereby provide non-originating creditors with a potent – and until now nonexistent – shield against liability under certain state consumer laws.

On June 27, 2018, the attorneys general of twenty states[1] and the District of Columbia stated their opposition to both bills in a letter to Congressional leadership. Beginning with an historically accurate observation – “[t]he states have long held primary responsibility for protecting American consumers from abuse in the marketplace” – the A.G.s attacked these legislative efforts as likely to “allow non-bank lenders to sidestep state usury laws and charge excessive interest that would otherwise be illegal under state law.” The cudgel of preemption, they warned, would “undermine” their ability to enforce their own consumer protection laws. The A.G.s went on to argue many non-bank lenders “contract with banks to use the banks’ names on loan documents in an attempt to cloak themselves with the banks’ right to preempt state usury limits”; indeed, “[t]he loans provided pursuant to these agreements are typically funded and immediately purchased by the non-bank lenders, which conduct all marketing, underwriting, and servicing of the loans.” For their small role, the banks “receive only a small fee,” with the “lion’s share of profits belong[ing] to the non-bank entities.” In support of this position, the A.G.s cite to a 2002 press release by the Office of the Comptroller of the Currency (“OCC”) and the more recent OCC Bulletin 2018-14 on small dollar lending, the latter announcing the OCC’s “unfavorabl[e]” view of “an[y] entity that partners with a bank with the sole goal of evading a lower interest rate established under the law of the entity’s licensing state(s).

The A.G.s concluded by arguing that the proposed legislation would erode an “important sphere of state regulation,” state usury laws having “long served an important consumer protection function in America.”

We will continue to monitor this legislation and other developments in the preemption arena, and will report on any further developments.

[1] The signatories come from California, Colorado, Hawaii, Illinois, Iowa, Maryland, Massachusetts, Minnesota, Mississippi, New Mexico, New York, North Carolina, Oregon, Pennsylvania, Rhode Island, Tennessee, Vermont, Virginia, and Washington.

In a recent Eighth Circuit case, the appellate court vacated the district court’s orders, holding that the plaintiff lacked Article III standing to bring her Fair Credit Reporting Act claims in federal court. 

In Auer v. Trans Union, LLC, plaintiff Colleen Auer had accepted a job as city attorney for the City of Minot, North Dakota.  Several days later, Auer signed an authorization form permitting the City to run a background check on her.  The City later terminated Auer’s employment.  

Auer then filed a lawsuit against several defendants, including the City, the City’s law firm, and the consumer reporting agency that provided the background report, alleging violations of a number of obligations under the FCRA.  Specifically, Auer asserted that the City procured her consumer report without making “a clear and conspicuous disclosure” that her “consumer report may be obtained for employment purposes;” that the City did not obtain her written authorization to do so; and that the City procured and used her report for purposes not authorized by the FCRA.  Auer claimed that these purported violations “caused her to suffer injury to her privacy, reputation, personal security, the security of her identity information and loss of time spent trying to prevent further violations of her rights under the FCRA.”  The district court dismissed Auer’s claims on the merits and Auer appealed. 

On appeal, the Eighth Circuit first considered whether Auer had standing to assert her claims.  The Court held that “[b]ecause Auer consented to the City’s background check, she failed to plead an intangible injury to her privacy that is sufficient to confer Article III standing.”  Auer’s argument that she did not authorize or consent to the procurement and use of her consumer report “is belied by her well-pleaded allegation that she completed the City’s authorization form.”  In sum, Auer’s conclusory and speculative allegations of some undefined harm were insufficient to establish Article III standing.  The Eighth Circuit therefore vacated the district court’s orders dismissing Auer’s claims on the merits and remanded with instructions to dismiss for lack of jurisdiction.


On October 1, the State of Michigan will join more than 150 cities and counties as well as over 32 states in enacting a ban-the-box policy that prohibits asking job applicants if they have been convicted of a felony in an initial application. The policy applies to Michigan state positions and public employees, not private employers. The question will remain on applications where state law does not allow former felons from being licensed, such as in the healthcare field.

Michigan Governor Rick Snyder is encouraging private employers to follow suit.  Currently, eleven states require the removal of criminal history questions from job applications for private employers.

Troutman Sanders will continue to monitor related legislative developments concerning employment background screening and employee hiring.

Clarity on Overlapping Background Check Laws in California

By Timothy St. George, David Anthony, Ronald Raether, Jonathan Yee and Sadia Mirza

On Aug. 20, 2018, the California Supreme Court issued its long-awaited order in Connor v. First Student Inc., finding the state’s Investigative Consumer Reporting Agencies Act, or ICRAA, was not unconstitutionally vague as applied to employer background checks, despite overlap with the Consumer Credit Reporting Agencies Act, or CCRAA.[1]

The Supreme Court resolved a conflict between two courts of appeal which had left many consumer reporting agencies, or CRAs, wondering whether the ICRAA applied even if they did not obtain the information from personal interviews — the definition of “investigative consumer report” used under the Fair Credit Reporting Act to impose additional requirements under 15 U.S.C. §1681l similar to those included in the ICRAA. With this decision, CRAs providing consumer reports for employment and tenant screening will need to carefully review their products to assure compliance with the ICRAA and the CCRAA.

View full article published on Law360.


On August 16, seven Democrat senators proposed a bill (S.3351, named the “Medical Debt Relief Act of 2018”) to amend the Fair Credit Reporting Act and Fair Debt Collection Practices Act to cover certain provisions related to the collection of medical-related debt. The proposed act would institute a 180-day waiting period under the FCRA before medical debt could be reported on a person’s credit report. Further, medical debt that has been settled or paid off would be required to be removed from a person’s credit report within 45 days of payment or settlement.

The bill has been referred to the Senate Banking Committee for consideration. The senators introducing the bill were Jeff Merkley (D-Ore.), Richard Blumenthal (D-Conn.), Dianne Feinstein (D-Calif.), Elizabeth Warren (D-Mass.), Dick Durbin (D-Ill.), Bob Menendez (D-N.J.), and Maggie Hassan (D-N.H.).

The bill targeted Section 1692(g) of the FDCPA specifically and would require debt collectors to send a statement to individuals that includes a notification that:

(1) the debt may not be reported to a credit bureau for 180 days from the date in which the statement is sent, and

(2) if the debt is settled or paid by the individual or an insurance agency during the 180-day period, the debt may not be reported to a consumer reporting agency.

Troutman Sanders will continue to monitor these developments and provide any further updates as they are available.