Search auto data

As the coronavirus (“COVID-19”) testing increases across the country, state health departments have been implementing contact tracing to contain viral spread. Contact tracing identifies and monitors individuals who have come into contact with others who have tested positive for COVID-19. Typically, contract tracers work with infected individuals to obtain the contact information for everyone with whom they recently came into contact. Contact tracers often will send an initial text message to let these individuals know that they will be calling. A legitimate contact tracer will never ask for money or personal information, like a Social Security number, bank account number, or credit card number. For a discussion of best practices that makers of contact-tracing apps should consider, see Troutman Sanders’s article here.

Unfortunately, scammers posing as contact tracers have started sending text messages of their own. These fraudulent messages often ask the recipient to click a link, designed to install malware on the device. Malware exposes the user’s personal and financial information to theft.

To combat this fraudulent activity, the Federal Trade Commission recently released tips for individuals to proactively avoid such scams:

  • Ignore and delete suspected scam messages;
  • Filter and block scam messages – some cellphones have the option to filter and block unknown numbers or spam. However, if a phone does not have such an option, wireless providers or call-blocking apps may allow users to block unwanted messages;
  • Use a multi-factor authentication – a multi-factor authentication requires two or more credentials to log in to an account, making it difficult for scammers to gain access;
  • Enable auto updates for operating systems and apps; and
  • Back up data on devices regularly so that valuable information is not lost from scammer attacks.

By following these tips, technology users effectively protect not only individual data, but company data as well.

Businesses specifically should consider implementing further steps to protect against cyberattacks, such as:

  • Sending out frequent reminders to personnel about cybersecurity threats;
  • Updating incident response plans in case there is a security breach; and
  • Reviewing cybersecurity insurance policies to assess whether a security breach is covered and how to engage a carrier.

For further discussion on security safeguards against cybersecurity attacks, including phishing attacks, see Pepper Hamilton’s article here and Troutman Sanders’s articles here and here.

The United States Court of Appeals for the Ninth Circuit recently issued two decisions regarding requirements under the Fair Credit Reporting Act for employers who wish to run background checks on potential or current employees. These decisions should prompt employers to take a look at their current background check disclosure and authorization forms to assess whether they conform to the views stated in these two cases. As FCRA disclosures are a source of both compliance confusion and litigation, these decisions deserve attention and review.

In the first case, Walker v. Fred Meyer, Inc., the Ninth Circuit addressed the “standalone” requirement for disclosures under Section 1681b of the FCRA. In the second case, Luna v. Hansen & Adkins Auto Transport, Inc., the Court addressed the presentation of “standalone” disclosures and also whether there is any FCRA requirement for separate presentation of a consumer authorization for a background check.

These decisions were the third and fourth cases in a series of Ninth Circuit decisions handed down in recent years that relate to what can and cannot be included in a FCRA disclosure form. Taken together, the Ninth Circuit has taken the most rigorous view of the FCRA requirements, a view which will likely shape how companies interpret and implement their disclosure obligations under the FCRA. Below we examine both Walker and Luna and summarize the key takeaways for employers moving forward.

Walker v. Fred Meyer, Inc.

The case in Walker was brought by an employee who was hired contingent upon a background investigation. A vendor of the employer conducted a background investigation after the applicant signed a disclosure and authorization form. When the employee was dismissed from his position following an unsatisfactory result on his background check, he sued, arguing that the disclosures given to him by the employer describing the background check process violated the FCRA.

The FCRA requires that before an employer pulls a consumer report for employment purposes that the employer give the applicant a “clear and conspicuous” disclosure that the employer may obtain such a report. The disclosure must be “in a document that consists solely of the disclosure.” 15 U.S.C. 1681b(b)(2)(A)(i). What can and cannot be included in such a disclosure has been the subject of much debate, including recently in the Ninth Circuit.

In Walker, the district court previously had dismissed the employee’s claim that the disclosure form he signed was not standalone (see our previous coverage of this case here). However, the Ninth Circuit reversed the lower court on this claim, finding that certain provisions in the disclosure form referenced other rights under federal and state law and, in doing so, violated the FCRA’s requirement that the document consist “solely of the disclosure.” The Court said that while the extraneous information likely was included in good faith, in order to provide an applicant with information about the right to inspect his or her file, including such additional information could potentially pull an applicant’s attention away from the privacy rights protected by the FCRA.

The Ninth Circuit held that in addition to a “plain statement,” a report may be obtained for employment purposes and employers may include a “concise explanation” of what that statement means. The Court gave the example that a properly limited disclosure could include what a consumer report entails, how it would be obtained, and for what type of “employment purpose” the report might be used. The Court cautioned, however, that the explanation must not be so long or confusing such that it detracts from the disclosure or in any way makes the disclosure not clear and conspicuous. The Court emphasized that the purpose of any type of explanation is to help the consumer understand the disclosure.

Specifically, the Court performed a paragraph by paragraph review of the employer’s existing disclosure form and found that:

  • The portion of the employer’s disclosure that referenced both investigative consumer reports as well as standard consumer reports was permissible, as investigative consumer reports are a specific category of consumer reports.
  • Paragraphs that describe who the consumer reporting agency is, how to contact them and what type of information they will review (such as education, work history, address history, criminal records, and driving records) also do not violate the FCRA standalone disclosure requirement.
  • An explanation of how a consumer may obtain and inspect files from a consumer reporting agency, and a reference to obtaining a disclosure on the scope and nature of any investigation performed, conflicts with the standalone requirement as it potentially distracts the consumer from the privacy rights under the FCRA. The Court held that this type of information should be provided in a separate document because it is not part of the disclosure that a consumer report would be obtained for employment purposes but, rather, related to separate consumer rights.

Although the Court engaged in a paragraph by paragraph review of the employer’s disclosure form, opining on which provisions could be included in a standalone disclosure, because it found that certain language violated the standalone requirement, it declined to engage in a discussion of whether the employer’s language met the FCRA’s requirement that the disclosure be “clear and conspicuous.” The Ninth Circuit previously addressed the “clear and conspicuous” question in Gilberg v. Cal. Check Cashing Stores, LLC, issued in 2019. As the parties in Walker had not been able to fully brief the “clear and conspicuous” question, in light of the Gilberg decision, the Ninth Circuit left this question to the district court.

Separately, the Ninth Circuit also affirmed the portion of the district court’s decision which found that employers, in a pre-adverse action letter sent before taking action against an applicant or employee, are not required to provide employees or applicants with an opportunity to directly discuss a consumer report with the employer. Rather, it is sufficient for the employer to have a notice in a pre-adverse action letter that describes the consumer’s ability to dispute the completeness or accuracy of the information with the consumer reporting agency.

Luna v. Hansen & Adkins Auto Transport, Inc.

Shortly after the Walker decision, the Ninth Circuit issued its ruling in Luna. While in Walker the Ninth Circuit looked at the language of a required disclosure, the Luna decision focused on the format of such a disclosure and its accompanying authorization.

In Luna, an employee filed a putative class action alleging that the employer’s disclosure and consent forms for background checks violated the FCRA. The disclosure form was a separate page within a larger group of application materials, and the authorization appeared on a page at the end of the packet along with other notices, waivers, and consents that were unrelated to the consumer report.

The plaintiff employee first argued that by including the disclosure together with other application materials, despite being on its own page, the disclosure should not be considered a “standalone” disclosure and, in doing so, violates the FCRA. The Ninth Circuit pushed back against this interpretation of “standalone” disclosures, finding that such an interpretation was not supported by the text or case history of the FCRA. The Court stated that while a disclosure must not contain other unrelated information (as discussed in Walker), “no authority suggests that a disclosure must be distinct in time, as well.” The Court also pointed out the practical concerns with such an interpretation, questioning how under the plaintiff’s view an employer could ever provide application materials without violating the FCRA. The employer providing the background check disclosure in its own document, despite being alongside other application materials, was “precisely what [the] FCRA requires.”

The Court in Luna also weighed in on the “clear and conspicuous” prong of the FCRA disclosure requirement – one of the issues left open in Walker. The Court reiterated its previous guidance that a disclosure be “readily noticeable” and in a “reasonably understandable form.” Here, the employer’s form had a bold, all-caps header reading simply “FAIR CREDIT REPORTING ACT DISCLOSURE STATEMENT.” The form itself consisted of a short statement describing the background check process, saying that “reports verifying your previous employment, previous drug and alcohol test results, and your driving record may be obtained on you for employment purposes” and citing the applicable statutory sections. The page contained no other information besides employer logos and a signature block for the applicant. The Court found the disclosure to meet the clear and conspicuous requirement saying “applicants, such as big-rig truckers, can be expected to notice a standalone document featuring a bolded, underlined, capital-lettered heading.

Finally, the Ninth Circuit also dispensed with the employee’s claim that the authorization for an employer to acquire a consumer report on an applicant also needed to be in a clear and conspicuous standalone document. The Court found no statutory support for this position, pointing to the separate subsection of the FCRA that requires an authorization in writing, but that does not use the language found in the disclosure subsection that refers to “a document that consists solely of the disclosure.” Compare 15 U.S.C. 1681b(b)(2)(A)(ii) with 15 U.S.C. 1681b(b)(2)(A)(i).

Takeaways

Together, the Walker and Luna decisions have further refined and clarified the Ninth Circuit’s stance on employer disclosures under the FCRA, namely:

  • The Ninth Circuit has taken a very strict and narrow view of what information may be contained within the disclosure. Along with a “plain statement” that a report may be obtained for employment purposes, employers also may include a “concise explanation” of what that statement means. References to other rights, such as the right to review related documents under state law, should not be included in such a disclosure.
  • If an employer presents the disclosure in a separate document with a clear heading, even if that document is part of a larger group of application materials, the standalone requirement is met.
  • The authorization for an employer to pull a consumer report does not need to be in a standalone document.

These decisions, and the Ninth Circuit’s continued focus on the FCRA’s requirements for standalone consumer disclosures, present an opportunity for employers to review their disclosure and authorization forms with legal counsel and ensure they are in the strongest position possible to avoid future litigation.

Like most industries today, Consumer Finance Services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Sanders and Pepper Hamilton have developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19 news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge. Please join Troutman Sanders for a complimentary webinar regarding the California Consumer Privacy Act and regulatory litigation updates on Thursday, May 7, 2020 from 1:00 – 2:00 p.m. ET. To sign up, click here.

To help you keep abreast of relevant activities, below is a breakdown of some of the biggest COVID-19 driven events at the Federal and State levels to impact the Consumer Finance Services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • Senators Sherrod Brown (D-Ohio) and Elizabeth Warren (D-Mass.) last week released a proposal for new consumer protection measures that they claim are critical to helping Americans weather the COVID-19 pandemic. Noting that the stimulus payments provided by the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) may not be enough to cover basic expenses for even a month, these senators are now calling for “the next coronavirus aid package” to include broad restrictions on debt collection and even debt forgiveness. Such relief is critical, the senators say, so that consumers can aid the economic recovery by spending on goods and services, rather than debt service. For information in the proposal, click here.
  • The Consumer Financial Protection Bureau (“CFPB”) updated its guide, originally published in early April of 2020, that aims to assist consumers with common questions about the Economic Impact Payments under the CARES Act. For more information, click here.
  • The Federal Housing Finance Agency (“FHFA”) announced limits on servicer obligations to advance scheduled monthly principal and interest payments for single-family mortgage loans backed by Fannie Mae and Freddie Mac (the “Enterprises”). Once a servicer has advanced four months of missed payments on a loan, it will have no further obligation to advance scheduled payments. FHFA also is instructing the Enterprises to maintain loans in COVID-19 payment forbearance plans in Mortgage–Backed Security pools for at least the duration of the forbearance plan. For more information, click here.
  • The CFPB issued an interpretive rule intended to “make it easier for consumers with urgent financial needs to obtain access to mortgage credit more quickly in the middle of the COVID-19 pandemic.” The rule clarifies how the right of consumers to waive certain protections provided in the TILA-RESPA Integrated Disclosure rule and Regulation Z may be handled during the ongoing crisis. For more information, click here.
  • The CFPB issued a guide outlining practices in order to provide mortgage servicers clarity, facilitate compliance, and prevent harm to consumers during the transfer of residential mortgages. For more information, click here.
  • COVID-19 has forced us to ask novel questions generally and look for stay-at-home order workarounds. Compliance with the Fair Credit Reporting Act (FCRA) is no different. One of the many questions that has arisen relates to the reinvestigation of disputed court records. How can this be done with limited access to court records? What should be done to permit reporting of these records once access restrictions are lifted? For more answers to these questions, click here.
  • The CFPB wrote a letter to the Federal Communications Commission advising that automated phone calls from financial institutions to their customers could assist consumers as they continue to experience the economic impact of the COVID-19 pandemic. For more information, click here.

State Activities:

  • On April 20, the Indiana Supreme Court issued a published order protecting COVID-19 stimulus checks from court orders by placing a hold on, attaching, or garnishing funds attributable to a stimulus payment. For more information, click here.
  • Earlier this month, 21 state Attorneys General (“AGs”) and the AGs for Washington, D.C. and Puerto Rico sent a letter to the CFPB urging the CFPB to withdraw its non-binding guidance issued on April 1, 2020 with respect to the CARES Act. The signatory AGs include some from the most populous states and some of the states hardest hit by the pandemic, including California, Illinois, Michigan, New Jersey, New York and Washington. California is part of that coalition and shared a statement here. Unhappy with the response they received from the CFPB on April 21, 2020, the AGs have now gone directly to the three major national consumer reporting agencies with a strong message that the AGs “are committed to protecting consumers in our states and will continue to enforce all federal and state requirements during this crisis.” For more information, click here.
  • The Supreme Court of Appeals of West Virginia issued another amended emergency order extending court deadlines. The Court’s new order delays all court deadlines for matters scheduled to occur during the emergency period from March 23, 2020 to May 15, 2020 until May 18, 2020. Emergency proceedings, however, can take place via video conference or telephone if the constitutional rights of the parties are not affected. Additionally, the order continues generally all other court hearing dates scheduled to occur between March 23, 2020 and May 15, 2020, to be rescheduled at the discretion of the presiding officer at a subsequent date. For more information, click here.
  • The Illinois Supreme Court issued an order stating that if a bank is freezing $4,000 or less in a personal account, the bank is now instructed, under the new order, to release the funds back to the debtor. If there’s more than $4,000 frozen in the account, the $4,000 must be returned. For more information, click here.
  • Maryland Governor Larry Hogan issued an executive order that protects CARES Act Recovery Rebates from garnishment. For more information, click here.
  • Iowa Governor Kim Reynolds issued an order extending the State of Public Health Disaster Emergency in response to the ongoing state of the COVID-19 pandemic. Included in Reynolds’ proclamation is a moratorium on garnishments. For more information, click here.
  • California Governor Gavin Newsom signed an executive order protecting the stimulus money individuals are receiving under the CARES Act from certain debt collection activities. For more information, click here.
  • Minnesota Governor Tim Walz signed Executive order 20-20 directing Minnesotans to Stay Home, establishing what businesses were considered part of the Critical Sector and determining what businesses were exempt from the stay-at-home order. The Governor’s order did not exempt debt collection and workers supporting debt collection from the stay at home requirement which meant the employees of debt collectors were prohibited from working at the location of the debt collection agency. For more information, click here.
  • Illinois Governor J.B. Pritzker declared the entire state a disaster area. This order further required all individuals living in the state to stay at home and suspended a number of post judgment collection actions, including: service of garnishment summonses; wage deduction summonses; citations to discover assets on consumer debtors or consumer garnishees, and the continuance or curtailment of non-essential court matters, including supplemental proceedings. For more information, click here.
  • The Attorney General of Rhode Island, Peter F. Neronha, issued general guidance to financial institutions, creditors and debt collectors in regard to payments exempt from seizure. The purpose of the guidance is to make clear that in addition to other funds protected from seizure under Rhode Island law, stimulus payments to Rhode Island residents by the Federal government pursuant to the CARES Act should be similarly protected. For more information, click here.
  • Following the District of Columbia City Council’s passage of the COVID-19 Response Supplemental Emergency Act, D.C. Attorney General Karl Racine issued guidance on the debt collection provision of the act, which restricts communications with consumers.
  • Idaho Governor Brad Little replaced the expiring statewide stay at home order with the “Stay Healthy Order,” which details reopening of the state. For more information, click here.
  • Kansas Governor Laura Kelly announced that she will lift the statewide stay at home order and will allow Kansas communities to begin reopening. For more information, click here.
  • Nevada Governor Steve Sisolak issued a new directive to modify and extend the state’s stay at home order to May 15, 2020. For more information, click here.
  • Ohio Governor Mike DeWine extended the state’s stay at home order through May 29, 2020. For more information, click here.
  • The status of the Louisiana Public Service Commission’s (“Commission”) potential enforcement of the available emergency measures pursuant to the Do Not Call General Order (Docket No. R_29617, decided Oct. 11, 2006) (“DNC Order”) remains unclear. While these emergency measures have generally been imposed during prior emergencies, they presently remain unimplemented because the Commission has not received a directive from the Governor’s Office of Homeland Security and Emergency Preparedness (“GOHSEP”). The DNC Order restrictions triggering the outright moratorium on all telephonic solicitation – including the foregoing exceptions – will not become effective until the Commission has a “mandatory EOC presence” based on a reporting directive from GOHSEP – as of May 4, 2020, the Commission has “No Mandatory EOC Presence”.

Privacy and Cybersecurity Activities:

  • On April 27, 2020, the Office of Civil Rights (OCR) within the Department of Health and Human Services shared the recording of its webinar regarding updates on the Health Insurance Portability and Accountability Act (“HIPAA”) and COVID-19. Some things discussed related to:
    • permissible disclosures under the HIPAA Privacy Rule;
    • enforcement discretion and guidance for telehealth remote communications;
    • guidance for disclosures to first responders and public health authorities;
    • enforcement discretion for business associates to use and disclose personal health information for public health and health oversight activities; and
    • enforcement discretion for community-based testing sites.
  • On April 29, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) updated its analysis report to include new considerations regarding security configurations for Microsoft Office 365 – a cloud-based collaboration solution. CISA warns that the effects of COVID-19 may lead to hasty deployment, resulting in “oversights in security configurations and undermine a sound [Office 365] security strategy.” To learn more about the steps CISA recommends, click here.
  • On April 30, 2020, chairman of the Senate Committee on Commerce, Science, and Transportation, Senator Roger Wicker, R-Miss., introduced the “COVID-19 Consumer Data Protection Act.” The act is aimed at regulating companies interested in developing contact-tracing apps. For organizations interested in learning more about current guidelines, read our recently published article on Law360, by clicking here.
  • On April 30, 2020, the Federal Financial Institutions Examination Council (“FFIEC”) issued a statement involving the “use of cloud computing services and security risk management principles in the financial services sector.” The full report can be read here.

On May 01, 2020, CISA launched a new telework product line focused on providing cybersecurity guidance to organizations looking to adopt or expand telework policies during COVID-19. The resource offers valuable information such as it relates to video conferencing tips, cybersecurity recommendations for critical infrastructure using video conferencing, and telework best practices. More information can be found here.

Like most industries today, consumer finance services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Sanders and Pepper Hamilton have developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19-related news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge.

To help you keep abreast of relevant activities, below is a breakdown of some of the biggest COVID-19-driven events at the federal and state levels to impact the consumer finance services industry this past week.

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

  • On April 17, the Federal Trade Commission filed a complaint against Ponte Investments, LLC – a Rhode Island-based company – and its owner, John C. Ponte, claiming that they misrepresented Ponte Investments as an approved small business lender for the COVID-19 relief program. The FTC has sought a permanent injunction against these misrepresentations and other equitable relief from the United States District Court for the District of Rhode Island. Ponte Investments also operates as “SBA Loan Program” and “SBA Loan Program.com.” For more information, click here.
  • Few of the emergency orders related to COVID-19 have addressed service of process. This article offers some practical guidance in light of state and federal service rules, which remain largely in effect despite stay-at-home and emergency court operations orders.
  • The American Council on Education (ACE) wrote a letter to Speaker of the House Nancy Pelosi (D-Calif.) and Minority Leader Kevin McCarthy (R-Calif.) requesting extended student loan relief on behalf of more than 30 higher education organizations. In the letter, which focuses on the likely long-term economic impact of the COVID-19 pandemic, ACE requested that Congress extend the benefits of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to student loan borrowers, through at least June 30, 2021, or until unemployment falls below 8% for three consecutive months. For more information, click here.
  • The National Credit Union Administration issued a temporary final rule on April 21, easing regulatory requirements to assist federal credit unions (FCUs) and federally insured credit unions (FICUs) during the COVID-19 pandemic. The rule makes the following key changes that will be effective through December 31, 2020:
    • Raises the maximum aggregate amount of loan participations that a FICU may purchase from a single originating lender to the greater of $5 million or 200% of the FICU’s net worth;
    • Suspends limitations on the eligible obligations that a FCU may purchase and hold; and
    • Tolls the required timeframes for the occupancy or disposition of properties that are not being used for FCU business or that have been abandoned.

For more information, click here.

  • The Consumer Financial Protection Bureau has released a video, available here, providing non-filers of federal tax returns with guidance to receive their economic impact payments, authorized by the CARES Act in response to the COVID-19 health crisis. The video notes that most people who qualify for an economic impact payment will receive the payment automatically. However, some individuals must take additional action at the Internal Revenue Service’s webpage in order to claim their economic impact payments or to claim their additional payments for dependent children under age 17. For more information, click here.
  • President Donald Trump signed the Paycheck Program and Health Care Enhancement Act, providing roughly $484 billion in relief for small businesses, including the United States Small Business Administration Paycheck Protection Program (PPP), hospitals, and expanded medical testing. The funding also includes economic disaster loans for small businesses. The United States Department of the Treasury and the Small Business Administration issued a Frequently Asked Questions document, which will be updated regularly, to address PPP guidelines for borrowers and lenders.

State Activities:

  • Multiple states have come together to enact initiatives aimed at prohibiting private student loan servicers from certain activities during the COVID-19 pandemic.
    • Recently, New York worked out an agreement with private student loan servicers operating in the state to offer similar relief guaranteed by the CARES Act.
    • Modeling an agreement after the one that New York reached with private servicers, California, Colorado, Connecticut, Illinois, Massachusetts, New Jersey, Vermont, Virginia, and Washington entered into an agreement with some of the nation’s largest private student loan servicers to provide relief to borrowers impacted by COVID-19.

For more information, click here.

  • On April 21, Missouri became the first state to sue China for its handling of the COVID-19 pandemic. Led by Attorney General Eric Schmitt, Missouri joins the ranks of at least seven federal class action lawsuits filed by private plaintiffs claiming that China, despite knowing the danger of COVID-19, acted slowly and attempted to cover up and suppress news of the virus out of its own economic self-interest. For more information, click here.
  • North Carolina Insurance Commissioner Mike Causey issued an extended order requiring collection agencies to advise consumers of the option to defer payments during any communication. This extended order will expire May 27, 2020. For more information, click here.
  • The Minnesota Department of Commerce has extended regulatory guidance related to collectors working from home while the State’s stay-at-home order is in effect and during any potential extension of that order. Due to the concerns surrounding the transmission of COVID-19, the department has decided not to act against any licensee who allows his or her individual registered collectors to temporarily work from home as a precautionary measure if the following criteria are met:
    • The activity is conducted from the home location of an individual working on behalf of a Minnesota licensee;
    • The individual is working from home due to a reason relating to the COVID-19 outbreak and has informed the licensee of such reason;
    • None of the activity will be conducted in person with members of the public from the home location; and
    • The licensee shall, at all times, exercise supervision of the activity being performed at the home office and ensure that appropriate safeguards and controls are in place to protect consumer information and data.
  • California’s Governor signed an executive order to exempt CARES Act payments and any other federal, state, or local government financial assistance made available to individuals in express response to the COVID-19 pandemic from any attachment, levy, execution, or garnishment, unless such activity is connected to any child support, spousal support, family support, or any criminal restitution action or judgment.
  • Vermont Attorney General T.J. Donovan issued a directive that payments authorized by the CARES Act are exempt from garnishment or collection under Vermont law. The Attorney General also is urging the banking community to voluntarily suspend collection activity for overdrafts or other administrative fees that could otherwise jeopardize the receipt, reallocation, and circulation of stimulus monies issued to Vermont residents as a result of the COVID-19 public health emergency.
  • New York Attorney General Letitia James issued guidance clarifying that CARES Act payments are exempt from garnishment. According to the guidance, CARES Act payments are aimed at consumers’ essential needs, “and therefore should not be subject to garnishment and similar legal process[es]. Banking institutions are advised that they should treat CARES Act payments as subject to the same protections as statutorily exempt payments.”
  • Oregon Governor Kate Brown issued an executive order to protect CARES Act stimulus payments to individuals from most garnishments.

Privacy and Cybersecurity Activities:

  • On April 20, the Department of Health and Human Services (HHS) received a donation from Oracle to assist the department in gathering crowd-sourced data on COVID-19. The system will provide doctors and other clinicians with the ability to document how patients are responding to possible COVID-19 treatments. For doctors and other clinicians interested in contributing this information, HHS has shared a link here.
  • On April 21, a policy of enforcement discretion was announced by the Office of the National Coordinator for Health Information Technology, the Centers for Medicare & Medicaid Services, and HHS Office of Inspector General. The enforcement discretion is aimed to allow compliance flexibilities regarding the implementation of the interoperability final rules.
  • On April 22, New York Governor Andrew M. Cuomo and Mike Bloomberg announced a contact-tracing program aimed to control the infection rate of COVID-19, namely by “prevent[ing] the spread of a virus by using testing to confirm if someone has COVID-19, interviewing that person to identify people they may have been in contact with during their illness and during the few days before symptoms began, reaching out to their contacts to alert them to their risk of infection and then referring contacts to medical providers and asking non-ill people to stay home for 14 days to be sure they don’t spread COVID-19 to others.” According to the announcement, several countries, such as Germany, Singapore, and South Korea, effectively have used contact tracing amid the COVID-19 outbreak and, as a result, have been able to re-open for business quicker and have experienced fewer deaths and lower rates of infection.

For an overview of contact-tracing applications in use or in development around the world and a discussion relating to the privacy issues to consider, see our Law360 article, “Privacy Guidelines for COVID-19 Contact-Tracing App Makers.”

  • On April 22, a coalition of 27 attorneys general, including those from Massachusetts and California, called on telecom companies to keep phones and broadband connected for the duration of the COVID-19 pandemic.

On April 23, HHS announced an upcoming action by the Centers for Disease Control and Prevention to provide resources for state and local jurisdictions to support those playing a “vital role in protecting Americans throughout the COVID-19 pandemic, by reporting and analyzing surveillance data, [and] tracing the spread of the virus[.]”

Earlier this year, the Consumer Financial Protection Bureau created a Taskforce on Federal Consumer Financial Law to “examine the existing legal and regulatory environment facing consumers and financial services providers and report to [the Bureau] its recommendations for ways to improve and strengthen consumer financial laws and regulations.” To assist the Taskforce, the Bureau recently issued a request for information, asking the public to submit comments on several topics by June 1, 2020. The Bureau’s request presents a unique opportunity for interested parties to shape recommendations that could lead to a wholesale overhaul of key, federal consumer finance laws.

In its request, the Bureau asks a series of questions about the market for consumer financial products and services, with a particular emphasis on certain markets such as automobile financing, credit cards, consumer reporting, debt collection and settlement, electronic payments, and mortgage origination and servicing. The Bureau groups its questions into a few categories that it hopes will shed some light on how well financial markets are functioning for consumers. Those categories include questions related to:

  • Expanding access to financial resources and exploring potential obstacles to financial inclusion;
  • Current and future topics regarding protection and use of consumer data;
  • Regulations that the Bureau writes and enforces;
  • Costs and benefits of overlapping federal and state supervision and enforcement responsibility with respect to financial institutions; and
  • Performance of consumer protection.

In its request for information, the Bureau notes that every statutory and regulatory change creates costs for consumers and industries as they adjust to new rules. Thus, the Taskforce is most interested in learning about changes that would provide the most marginal benefits when compared to the marginal costs.

Like most industries today, consumer finance services businesses are being significantly impacted by the novel coronavirus (COVID-19). Troutman Sanders and Pepper Hamilton have developed a dedicated COVID-19 Resource Center to guide clients through this unprecedented global health challenge. We regularly update this site with COVID-19-related news and developments, recommendations from leading health organizations, and tools that businesses can use free of charge. Additionally, this Thursday at 4:00 p.m. EDT, Troutman Sanders will host a webinar to discuss credit reporting in light of COVID-19. Click here to register for the webinar.

To help you keep abreast of relevant activities, below is a breakdown of some of the biggest COVID-19-driven events at the federal and state levels to impact the consumer finance services industry this past week:

Federal Activities

State Activities

Privacy and Cybersecurity Activities

Federal Activities:

– On April 1, the Consumer Financial Protection Bureau issued “a non-binding general” policy statement regarding the Fair Credit Reporting Act and Regulation V in light of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The policy statement primarily emphasizes:

  • The need for furnishers to follow the reporting requirements of the CARES Act regarding certain COVID-19-impacted loans; and
  • The CFPB’s intent to provide regulatory relief regarding the FCRA’s statutory investigation timeframe.

Click here for more analysis.

– On March 31, the CFPB published an online guide for consumers seeking financial relief options for mortgage and rent payments in light of COVID-19, with a particular focus on the CARES Act. The guide offers a consumer-friendly explanation of the relevant provisions, focusing on: (1) what major mortgage relief options are available, (2) who qualifies, (3) how to obtain relief, and (4) what to do upon receiving relief. Click here for more analysis. Additionally, the CFPB issued a “video on how struggling homeowners can obtain mortgage forbearance if their finances are impacted due to the COVID-19 pandemic.”

– On April 1, the United States Department of Housing and Urban Development (HUD) instructed mortgage servicers to offer forbearance in accordance with the CARES Act. The announcement provides additional guidance regarding Home Equity Conversion Mortgages and credit reporting.

– On April 1, HUD issued a mortgagee letter regarding the “[Federal Housing Administration]’s Loss Mitigation Options for Single Family Borrowers Affected by the Presidentially-Declared COVID-19 National Emergency in Accordance with the CARES Act.”

– On March 31, the Federal Housing Finance Agency announced several loan processing flexibilities from Fannie Mae and Freddie Mac designed to help their customers, including:

  • Allowing desktop appraisals on new construction loans;
  • Allowing flexibility on demonstrating construction has been completed (alternative to the completion report);
  • Allowing flexibility for borrowers to provide documentation (rather than requiring an inspection) to allow renovation disbursements (draws); and
  • Expanding the use of power of attorney and remote online notarizations.

The Federal Trade Commission and the Federal Communications Commission sent joint letters “to three companies providing Voice over Internet Protocol (VoIP) services, warning them that routing and transmitting illegal robocalls, including Coronavirus-related scam calls, is illegal and may lead to federal law enforcement against them.”

– The FTC issued a press release on March 31 entitled, “Data Shows Jump in Coronavirus-related Complaints from Consumers.”

– Financial services providers are asking the FCC to issue a declaratory ruling stating that calls to consumers placed by financial institutions and related to COVID-19 fall within the “emergency purposes” section of the Telephone Consumer Protection Act. Click here for more analysis.

– The Financial Industry Regulatory Authority, Inc., Securities and Exchange Commission, and CFPB sent warning alerts to consumer-investors of COVID-19-related scams. Click here for more analysis.

State Activities:

– 36 states have now issued orders closing non-essential or non-life sustaining business operations. All of the remaining states have issued some sort of restrictions on the operations of businesses. Consumer financial services businesses should look closely at these orders to ensure their operations remain compliant. Click here to access the COVID-19 Resource Center which maintains an up-to-date map showing the states with business restriction orders in place.

-Within the past week, states have taken additional actions to clarify the impact of the existing business restrictions, issue new related orders, or restrict certain business activities. These actions include:

  • Hawaii’s Division of Financial Institutions issuing guidance allowing licensed companies  “with physical locations in the State of Hawaii to reduce office hours or temporarily close offices during” the State’s “Emergency Period.”
  • Illinois’s Department of Financial and Professional Regulation issuing a statement providing guidance to licensed debt collectors and debt buyers relaxing statutory guidelines which mandate that collection actions only take place at their registered addresses. Click here for more analysis.
  • Massachusetts Attorney General issuing a Frequently Asked Questions document for emergency regulation 940 CMR 35.00. Some of the topics addressed include the definition of debt collector and communications by debt collectors and creditors.
  • Montana Governor issuing an order placing limitations on evictions and foreclosures.
  • Pennsylvania Attorney General launching the “PA CARE Package” to provide consumers additional relief during COVID-19.
  • Texas’s Joint Financial Regulatory Agencies issuing guidance on emergency measures for home equity lenders regarding COVID-19.
  • Washington Governor and the state’s Department of Financial Institutions announcing a moratorium on evictions and guidance to companies servicing mortgages to urge “them to work with homeowners adversely impacted by COVID-19, including payment forbearance for those who need it.”

– Numerous states also have taken steps to facilitate or provide guidance regarding the use of online notarization:

– New York Assembly Member Félix Ortiz has introduced a bill that would freeze various forms of consumer debt and obligations for 90 days, including student loans, mortgages, auto loans, credit card payments, and utility payments.

– The Receivables Management Association International (RMAI) reached out for clarification regarding Nevada’s Department of Business & Industry (DBI) notice that collection agencies were non-essential businesses subject to the closures announced by the Governor’s emergency directive. The DBI provided an email response to the RMAI which suggests that accepting consumer-initiated communications/payments does not violate the DBI’s order for licensed out-of-state collectors to “cease collection efforts.”

– In response to the Massachusetts Attorney General issuing emergency regulation 940 CMR 35.00 instituting a prohibition on debt collectors making outbound debt collection calls or pursuing other debt collection practices as a result of COVID-19, the Association of Credit and Collection Professionals launched a “Grassroots Campaign” to have the order rescinded.

Privacy and Cybersecurity Activities:

– Federal regulators continue to issue privacy and information security guidance to businesses affected by COVID-19. New guidance includes:

  • On April 3, the Financial Crimes Enforcement Network issued “Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic.”
  • On April 3, the FTC and FCC warned businesses against “routing and transmitting illegal robocalls, including Coronavirus related scam[s].”
  • On April 2, the Office of Civil Rights at the United States Department of Health and Human Services announced it would not impose certain penalties for violations of certain provisions of the Health Insurance Portability and Accountability Act Privacy Rule.

– The International Association of Privacy Professionals (IAPP) continues to issue guidance to businesses affected by COVID-19, including:

The IAPP issued a Data Protection Authorities resource guide, providing links to information relating to data processing and COVID-19. The guide includes information from the United States, European Union, and other countries.

On March 13, two days after the World Health Organization announced that the coronavirus (“COVID-19”) outbreak could be characterized as a pandemic, the White House declared the outbreak a national emergency.

In response, the Consumer Data Industry Association (“CDIA”) provided guidance for lenders and creditors who report information about consumers whose accounts are impacted by COVID-19. Specifically, the CDIA pointed to two scenarios that have “been available for many years and [are] designed to be flexible to accommodate the many different ways creditors help their customers.” Under the first scenario, outlined in FAQ 45 of the Credit Reporting Resource Guide, the account is placed in forbearance and reported as current, provided that no payments are due during the forbearance period, with a special comment of “CP” to indicate that the account is in forbearance. Under the second scenario, outlined in FAQ 58, the account is reported as current with a special comment “AW” to indicate that the account is affected by a natural or declared disaster.

To supplement the guidance provided in FAQ 45 and FAQ 58, the CDIA issued a fact sheet on March 22 that is more tailored to the current situation, “to provide information on the systems in place to minimize or eliminate the negative credit impact of extreme events like a natural disaster or pandemic.” This fact sheet points to the joint statement of all five federal banking agencies (the Board of Governors of the Federal Reserve System, the Consumer Financial Protection Bureau, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency) and the Conference of State Bank Supervisors to “encourage financial institutions to meet the financial needs of customers and members affected by the coronavirus.

In this fact sheet, the CDIA explains the first thing that a consumer who is impacted by COVID-19 should do is contact his or her lender or creditor because “lenders and creditors typically offer forbearance or deferred payment programs.” The CDIA explains that “when a consumer is placed into a forbearance plan, a deferred payment plan, or some other special abatement program, credit reporting codes have been created by the credit bureaus to make sure that the consumer’s credit is not treated negatively.” (emphasis added). The CDIA emphasizes that “in many cases, a consumer will be reported as ‘paid as agreed.’”

However, the reporting guidance remains vague, and reporting accounts as affected by natural disasters could introduce a number of operational complexities that have not been addressed, including how to determine whether a consumer’s account is in fact affected by the current pandemic. Unlike natural disasters such as flooding, hurricanes, or earthquakes, there is no approximate geographical boundary that can provide circumstantial data.

Nonetheless, the overarching message from the CDIA is that there are ways to avoid reporting accounts as past due if the accounts are delinquent as a result of the COVID-19 pandemic, but that the consumer remains responsible to first reach out to the lender or creditor. We will continue to monitor for additional reporting guidance during this unprecedented time.

Applying the definition of an automatic telephone dialing system required by the recent Eleventh Circuit decision Glasser v. Hilton Grand Vacations Co., LLC, Judge Charlene Honeywell from the United States District Court for the Middle District of Florida held in Northrup v. Innovative Health Ins. Partners, LLC, et al., that the Twilio texting platform does not qualify as an ATDS.

Plaintiff John Northrup brought a claim for violation of the Telephone Consumer Protection Act, on behalf of himself and a purported class, regarding a text message sent to his cellular telephone number. Defendants filed a motion for summary judgment arguing that the platforms used to send the text message to Northrup – 212CRM and Twilio – do not qualify as an ATDS because they do not have the capacity to generate random or sequential numbers. Defendants pointed to information in the record showing that the texting platforms “use prepared lists of numbers provided by a user” to send text messages.

Northrup argued, before the decision in Glasser, that the Court should follow the Ninth Circuit’s reasoning in Marks “that a telephone dialing system that dials from a prepared list of phone numbers rather than numbers it generates may still be an ATDS.” Northrup also argued that the Court should look to the 2003, 2008, and 2012 Federal Communications Commission rulings when interpreting the definition of an ATDS.

In light of Glasser, the Court disregarded Northrup’s arguments and relied on “undisputed record evidence showing that 212CRM and Twilio cannot generate random or sequential numbers” to grant summary judgment in favor of the defendants.

The Court also analyzed the human intervention necessary to send the text messages at issue. The Court found the following sequence of events constituted sufficient human intervention to “make[] the two devices fall outside of the definition of an ATDS[:] defendant employee navigates to 212CRM and logs in; defendant employee uploads spreadsheet containing customer data; defendant employee manually edits the spreadsheet; defendant employee types content of message to be sent; defendant employee sets sending interval; and defendant employee clicks ‘send.’”

The Northup decision is the first summary judgment ruling to rely on Glasser and dismiss claims under the TCPA. Moreover, the decision is a significant win for Twilio and its customers who use the text messaging platform to contact consumers.

In Johnson v. Comodo Group, the United States District Court for the District of New Jersey denied the defendant’s motion for summary judgment on two key issues in a claim asserting violations of the Telephone Consumer Protection Act, finding that a predictive dialer qualifies as an automatic telephone dialing system under the statute and the TCPA’s prohibition against the use of prerecorded or artificial voice messages, including recorded messages that are played by a live caller on the called party’s voicemail.

Defendant Comodo Group, Inc., made sales calls on behalf of an affiliated company that is in the business of selling encryption keys that enable website owners to securely transfer data to and from their customers. Encryption keys of this type, known as Secure Sockets Layer (“SSL”) Certificates, contain information regarding their expiration dates and the identities of their users. Comodo used an automated program to search the internet for expiring SSL Certificates and added the users to a database from which it would place sales calls.

Plaintiff Michael Johnson alleges that during May and June 2016, Comodo called him seven times using an ATDS and left prerecorded messages on his voicemail on three occasions. Based on these actions, he asserts claims under the TCPA on behalf of himself and a nationwide class of people who received similar calls.

Comodo moved for summary judgment, arguing the telephone system that it uses is a predictive dialer that does fall within the definition of an ATDS. The statute defines an ATDS as “equipment which has the capacity – (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C. § 227(a)(1). Comodo argued, rather than producing numbers using a random or sequential number generator, a predictive dialer is a system that can store pre-programmed telephone numbers or receive numbers from a computer database and then call those numbers.

In denying Comodo’s motion, the Court noted that there is a split in authority on this issue, both across the nation and within the District of New Jersey; but it followed the Ninth Circuit’s decision in Marks v. Crunch San Diego, LLC, in determining that the predictive dialer used by Comodo qualifies as an ATDS under the TCPA.

Further, in addition to its argument regarding the calling system used, Comodo asserted that the messages it left do not violate the TCPA because the statute only prohibits prerecorded messages that are played by a computer or machine without human intervention, and played to a live person. Though during the calls at issue, a sales agent was on the line and pressed a button to play a message on Johnson’s voicemail. The Court rejected these arguments, holding that the statute does not make any distinction between prerecorded messages played by a human and those played by a machine. It further held that messages left on voicemail are subject to the TCPA in the same way as messages that played directly to the person called.

Although the District of New Jersey permitted Johnson’s case to go forward, its decision does not resolve the overall debate as to precisely what qualifies as an ATDS. We will keep monitoring and reporting on this issue as the law continues to evolve.

On January 23, the United States Court of Appeals for the Sixth Circuit affirmed the dismissal of the class action complaint filed by plaintiff Muhammad M. Butt against FD Holdings, LLC d/b/a Factual Data in the case styled, Butt v. FD Holdings, LLC, d/b/a Factual Data. A copy of the Court’s opinion can be found here.

Butt previously had filed a petition for Chapter 7 bankruptcy. Butt’s attorney who filed the instant Fair Credit Reporting Act putative class action was the same attorney who represented Butt in the bankruptcy proceedings. Butt’s counsel failed to identify one of Butt’s creditors – Mayflower Auto Transport – as an unsecured creditor in Butt’s bankruptcy schedules, or otherwise identify Mayflower in the bankruptcy documents. Butt subsequently was granted a Chapter 7 discharge, though Mayflower did not receive any certificate of notice of the discharge, given how Mayflower was not specifically identified as one of Butt’s creditors in the bankruptcy proceedings.

After the bankruptcy discharge, Butt applied for a home loan. FD Holdings provided a credit report on Butt to the lender. The credit report listed the judgment filed in the Mayflower action. Butt’s home loan application allegedly was declined based on the Mayflower judgment.

Butt then filed a putative class action alleging that FD Holdings violated Section 1681e(b) of the FCRA by allegedly providing the lender with inaccurate information regarding Butt’s supposed discharged debt to Mayflower. FD Holdings filed a motion to dismiss, arguing that: (1) the credit report provided to the lender was accurate; (2) FD Holdings followed reasonable procedures in producing the report; and (3) Butt did not suffer any injury.

The United States District Court for the Eastern District of Michigan granted FD Holdings’ motion on all three grounds. The Court found that “Plaintiff’s counsel failed in his obligation” to list Mayflower as Butt’s creditor in the bankruptcy documents. “Thus, because of Plaintiff’s counsel’s negligence, there was no listing in the Bankruptcy Court Matrix that the Mayflower debt would have been cancelled – that Mayflower had been discharged as a creditor, prior to his mortgage application to [the lender].” The Court held that “Plaintiff cannot convert his own negligence in the Bankruptcy proceedings into grounds for an individual or class action claim against FD Holdings for not having reasonable procedures…It was Plaintiff’s counsel’s failure to follow the required procedures in the Bankruptcy Court that caused his client’s credit request in this case to be initially denied.” Finally, the Court found that “[a]ny injury suffered by Plaintiff resulted from his attorney’s negligence;” thus, Butt lacked standing to pursue his claim.

Butt then appealed to the Sixth Circuit. The Sixth Circuit affirmed the district court’s judgment, holding that the case should be dismissed on standing grounds. Specifically, the Sixth Circuit held that “[a]ny injury that Butt conceivably suffered was . . . self-inflicted,” and “thus has failed to demonstrate that he has standing to bring this case.”

We will continue to monitor the case for any further appellate proceedings.