On August 25, the United States District Court for the Northern District of Georgia struck four counts of a complaint filed by the Consumer Financial Protection Bureau because the CFPB failed to abide by the Court’s discovery order.

This matter began on March 26, 2015, when the CFPB filed a complaint against 12 debt collectors, four payment processors, and a telephone broadcast service provider for violations of the Consumer Financial Protection Act (“CFPA”).  The CFPB claimed the debt collectors engaged in a scheme to defraud consumers by using threats and harassment to collect “phantom” debts.  According to the complaint, the debt collectors used automated telephone dialers to contact consumers and their family members with false allegations of check fraud and false claims of debt owed.  The CFPB alleged that the debt collectors told consumers that failure to pay the debt would result in a “financial restraining order,” notice to the consumer’s employer of the alleged debt, wage garnishment, and arrest.  According to the complaint, the debt collectors refused to identify to the consumers the issuer of the supposed debt, but attempted to convince the consumers of their legitimacy by providing the consumers’ personal information.  The CFPB further claimed that many of the consumers targeted by the debt collectors did not owe the debt.  The complaint further alleged that the payment processors facilitated the debt collectors’ fraud by enabling the debt collectors to accept payment by consumers’ bank cards when the payment processors were aware the debt collectors were engaging in wrongful conduct.

The CFPB claimed the payment processors violated the CFPA by assisting the debt collectors’ unfair or deceptive conduct (Counts VIII and X) and engaging in unfair acts or practices (Counts IX and XI) for failing to perform reasonable investigations to detect the debt collectors’ unlawful conduct.

In August 2016, the payment processors served the CFPB with a Rule 30(b)(6) deposition notice.  The CFPB objected to the notice, arguing that the Court should not require the CFPB to sit for the deposition for three reasons: (1) the information the payment processors sought in the deposition was already provided by the CFPB in response to the payment processors’ interrogatories; (2) the noticed topics were protected by the law enforcement and deliberative process privileges; and (3) the depositions improperly sought the CFPB’s counsel’s mental impressions and analyses.

The Court rejected the CFPB’s objections but limited the deposition inquiries to factual matters for each allegation against the payment processors.

In April 2017, one of the payment processors took the CFPB’s 30(b)(6) deposition.  Following this deposition, the payment processors objected to the CFPB’s witness’s use of “memory aids” to deliver unresponsive answers to the deposition questions.  They also objected to the CFPB’s use of privilege, preventing the witness from answering questions about the facts underpinning the CFPB’s allegations.  Again, the Court ordered the CFPB to answer questions regarding the facts of its allegations against the payment processors.  According to the payment processors, the CFPB continued to provide nonresponsive answers and to assert privilege when questioned about facts related to its allegations against the payment processors.

In response to the CFPB’s non-compliance with the Court’s order, the payment processors sought sanctions under Rule 11 and Rule 37, asking the Court to strike the CFPB’s claims against them.

The crux of the payment processors’ argument for Rule 11 sanctions was that the CFPB filed the complaint against them based on a single month of misleading chargeback data.  The payment processors argued that viewing the account as a whole shows that the payment processors monitored the debt collectors’ account in accordance with industry standards.  The Court denied the payment processors’ motion for Rule 11 sanctions, holding that Rule 11 sanctions are not meant to test the legal sufficiency of the allegations in the pleading, which the payment processors sought to do.

The Court granted the payment processors’ motion for Rule 37 sanctions, holding that the CFPB’s pattern of conduct in willfully ignoring the Court’s order warranted the striking of the claims against the payment processors.  In reaching the decision, the Court referred to the CFPB’s use of memory aids to answer deposition questions, noting that in some instances it took the witness 40 minutes to recite the memory aid without actually answering the payment processors’ questions.  The Court also reviewed the deposition transcript, noting that the CFPB’s counsel claimed privilege on questions related to factual underpinnings of its claims.

The Court dismissed Counts VIII through XI of the CFPB’s complaint, thereby dismissing all claims against the payment processors.  The CFPB’s claims against the debt collectors remain.

On July 10, 2017, the Consumer Financial Protection Bureau issued its long-awaited final rule banning class action waivers in arbitration provisions for covered entities, as well as requiring the covered entities to provide information to the CFPB regarding any efforts to compel arbitration. This rule is of significance to any financial services company that utilizes consumer contracts containing arbitration provisions. The Rule is scheduled to take effect in mid-2018 and will govern contracts executed after that time.

Covered Entities and Products

Section 1028(b) of the Dodd-Frank Act gives the CFPB authority to promulgate regulations that prohibit or impose conditions on arbitration agreements for consumer financial services or products.

On May 5, 2016, the CFPB announced proposed rules that would restrict the ability of financial institutions to enter into mandatory arbitration clauses with consumers, including an outright ban on provisions that would prohibit consumers from pursuing class actions in court. After a period allowing for public comment, the proposed Rule was made final on July 10, 2017.

The Rule will take effect 60 days after July 10, 2017 and will apply only to agreements executed 240 days after the effective date of the rules (the “compliance date”), which will be approximately March 10, 2018.

Subject to certain enumerated exemptions, the Rule applies to most “consumer financial products and services” that the CFPB oversees, including those that involve lending money, storing money, and moving or exchanging money, as well as to the “affiliates” of such companies when the “affiliate is acting as that person’s service provider.”

In particular, according to the CFPB, for a product or service to be covered under the Rule, it must be both of the following:

  • A consumer financial product or service. Generally, this prong of the definition requires that a financial product or service be offered or provided to consumers primarily for personal, family, or household purposes or that it be offered or provided in connection with another financial product or service that is offered or provided to consumers primarily for personal, family, or household purposes.
  • Included in the Rule’s list of covered consumer financial products and services. Generally, the Rule defines covered products and services by reference to particular statutes or regulations. Generally, the list includes extending consumer credit, participating in consumer credit decisions, engaging in certain creditor referral or selection activity for consumer credit, acquiring or selling consumer credit, servicing an extension of consumer credit or collecting a consumer debt arising from a product or service covered by the Rule, extending or brokering certain automobile leases, providing consumers with information derived from their consumer credit file, engaging in credit repair or debt management activities, providing consumer asset accounts including deposit accounts and prepaid accounts, providing remittance transfers, accepting financial data for the purpose of initiating certain payments or card charges, and providing check cashing, check guaranty, or check collection services.

The Substance of the Rule

The Rule contains requirements that apply with regard to a provider’s use of a “pre-dispute arbitration agreement” that is entered into on or after the compliance date. The Rule defines “pre-dispute arbitration agreement” to mean an agreement that is: (1) between a covered person and a consumer; and (2) that provides for arbitration of any future dispute concerning a covered consumer financial product or service. The form or structure of the agreement is not determinative. An agreement can be a pre-dispute arbitration agreement under the Rule regardless of whether it is a standalone agreement, an agreement or provision that is incorporated into, annexed to, or otherwise made a part of a larger contract, is in some other form, or has some other structure.

The Rule prohibits a provider from relying on a pre-dispute arbitration agreement entered into after the compliance date with respect to any aspect of a class action that concerns any covered consumer financial product or service. That prohibition may apply to a provider with respect to a pre-dispute arbitration agreement initially entered into between a consumer and a covered person other than the initial provider, such as debt collectors seeking to collect on the contract or assignees of the contract. The CFPB also specifically stated that the Rule applies to “indirect automobile lenders,” using them as an example of covered entities.

The Rule requires that, upon entering into a pre-dispute arbitration agreement, a provider must ensure that certain language set forth in the Rule is included in the agreement. Generally, the required language informs consumers that the agreement may not be used to block class actions.

The Rule also requires providers that use pre-dispute arbitration agreements to submit certain records relating to arbitral and court proceedings to the CFPB. The requirement to submit these records applies to: (1) specified records filed in any arbitration or court proceedings in which a party relies on a pre-dispute arbitration agreement; (2) communications the provider receives from an arbitrator pertaining to a determination that a pre-dispute arbitration agreement does not comply with any due process or fairness standards; and (3) communications the provider receives from an arbitrator regarding a dismissal of or refusal to administer a claim due to the provider’s failure to pay required filing or administrative fees.

The CFPB will use the information it collects to continue monitoring arbitral and court proceedings to determine whether there are developments that raise consumer protection concerns that may warrant further Bureau action. The CFPB is also finalizing provisions that will require it to publish the materials it collects on its website with appropriate redactions as warranted, to provide greater transparency into the arbitration of consumer disputes.

Practical Significance

The Rule is in direct contradiction of the strong federal policy favoring arbitration. Indeed, the CFPB’s Rule is contrary to the long-standing federal policy – as repeatedly expressed by the Supreme Court in interpreting the FAA – of enforcing arbitration provisions as written. It is inevitable that the CFPB’s rules will be challenged in court, with the ultimate validity perhaps turning on the quality of the CFPB’s study and analysis of the issues. The Supreme Court may again need to ultimately weigh in. In addition, the term of current CFPB director, Richard Cordray, is scheduled to end in July 2018, and there is a possibility he will leave before then. In sum, the issuance of the final rule is very likely not to be the final word.

Troutman Sanders advised clients both within and outside the CFPB’s authority in developing and administering consumer arbitration agreements, and has a nationwide defense practice representing financial institutions and other consumer-facing companies in a plethora of types of class actions and individual claims. We will continue to monitor these regulatory developments and any related litigation.

In its fifth annual fair lending report, the Consumer Financial Protection Bureau highlighted redlining, mortgage and student loan servicing, and small business lending as areas of focus for 2017.  CFPB Director Richard Cordray specifically noted these areas for enhanced enforcement actions, describing them as “significant or emerging fair lending risk to consumers.”

“In 2017 we will increase our focus in the areas of redlining and mortgage and student loan servicing to ensure that creditworthy consumers have access to mortgage loans and to the full array of appropriate options when they have trouble paying their mortgages or student loans, regardless of their race or ethnicity,” wrote Patrice Alexander Ficklin, Director of the Office of Fair Lending and Equal Opportunity.  “In addition, we will focus more fully on pursuing our statutory mandate to promote fair credit access for minority- and women-owned businesses.”

According to the Bureau, agency priorities are determined through a risk-based model, incorporating the quality of an institution’s compliance management system, market intelligence, consumer complaints, tips from advocacy groups and government agencies, supervisory and enforcement history, and results from Home Mortgage Disclosure Act analysis.  After reevaluating these indices of consumer risk, the CFPB has outlined specific points to address in the coming year:

  • Redlining.  The Bureau will continue to evaluate whether lenders have intentionally discouraged prospective applicants in minority neighborhoods from applying for credit.
  • Mortgage and Student Loan Servicing.  The CFPB indicates that it will evaluate whether certain borrowers who are behind on loan payments have greater difficulty reaching a resolution with servicers due to their race, ethnicity, gender, or age.
  • Small Business Lending.  With a Congressional mandate to ensure fair access to credit for women- and minority-owned businesses, the Bureau will take action in the area of small business lending.  The CFPB maintains that action in this area will also enhance the Bureau’s institutional knowledge of credit processes and existing data collection processes, as well as the nature, extent, and management of fair lending risks.

As we have reported, state regulators are also active in these areas.  Over the last 15 years, state attorneys general have grown adept at collectively utilizing their resources to bring major multistate investigations.  We anticipate increased state enforcement actions aimed at industries such as debt buying and collecting, auto finance, service-member lending, payment processing, credit reporting, cybersecurity, information governance, and privacy.

On June 2, Florida Attorney General Pam Bondi announced a settlement with a Jacksonville car dealership, its financing arm, and its president related to allegations that the dealership engaged in misleading business and sales practices.  The consent agreement, filed in the Circuit Court of the Fourth Judicial Circuit for Duval County, Florida, requires the dealership to provide more than $5 million in debt forgiveness to affected consumers. 

According to a complaint filed in 2011, Beach Blvd. Automotive, Inc. and its exclusive financing arm, Beach Blvd. Auto Financing, Inc., engaged in unfair, deceptive, or unconscionable business practices.  Bondi alleged that the dealership used devices to track hundreds of vehicles purchased by Beach Blvd. customers without the customers’ knowledge or consent.  Beach Blvd. later used the tracking devices to repossess vehicles, with some repossessions purportedly occurring even when consumers were current on payments.  According to the complaint, the businesses created fake online profiles using customers’ data, without their knowledge, in order to post positive comments online about the businesses. 

In addition, the A.G. alleged that Beach Blvd. Automotive, Beach Blvd. Auto Financing, and the companies’ president, John O. King, attempted to collect non-existent debt from consumers and threatened to use force to repossess vehicles.  The A.G. further contended that the three defendants increased consumers’ monthly car payments by adding optional items to sales transactions without consumers’ knowledge.  The complaint also alleged that Beach Blvd. Automotive failed to honor promised warranties and delayed servicing vehicles until their warranties expired, and then refused to service the vehicles. 

“Nearly 80 consumers filed complaints with our office, and our priority in this case is to return money to harmed consumers through restitution and to halt any fraudulent business practices,” Bondi said in a statement. 

The consent agreement requires the three defendants to modify their business practices and provide their customers with more than $5 million in debt forgiveness.  In addition, the terms of the agreement prohibit Beach Blvd. Automotive and Beach Blvd. Auto Financing from providing information to credit reporting agencies for those consumers whose accounts are covered under the consent agreement.  The agreement also requires Beach Blvd. Automotive to pay $2,500 to cover certain binder deposits made by consumers.  Beach Blvd. Automotive must also pay more than $280,000 in attorneys’ fees and costs.

A copy of the consent agreement is available here.

 

The Federal Trade Commission and the National Highway Traffic Safety Administration are teaming up to hold a workshop on June 28, 2017 related to privacy and security issues posed by connected vehicles.  The FTC has requested that comments related to this issue be submitted online or by mail by May 1.

“Connected vehicles” include most modern vehicles that are equipped with some form of wireless technology.  In some cases, this wireless technology may enable a vehicle to communicate with another vehicle, known as vehicle-to-vehicle (“V2V”) communication, or with the roadway infrastructure.  As we reported in our annual edition of Data Privacy: The Current Legal Landscape, the NHTSA is currently considering mandating V2V communications for new light consumer vehicles.

“Autonomous vehicles” are a subset of connected vehicles and include those vehicles in which a critical safety control or function is performed without human intervention.  Automating these controls and functions can reduce or eliminate the traditional human-error component of driving a vehicle, but can also present other problems.  For example, the sheer amount of personal and sensitive data, like geographic location and driver communication data, could be targeted by hackers.  Therefore, securing this data from vulnerabilities will be a key component of emerging connected vehicle technology.  It is these issues and more that the FTC and NHTSA would like to explore more during their workshop.

Specifically, the FTC and NHTSA would like to address – and have requested information on – the following:

  • What data is collected, stored, transmitted and shared by connected vehicles;
  • How data collection can be a benefit;
  • What challenges may be encountered with the technology;
  • Self-regulatory standards that may be employed; and
  • How privacy and security will be addressed by various key sector participants, including vehicle manufacturers, technology companies, and government agencies.

The Cyber Security, Information Governance & Privacy team at Troutman Sanders monitors developments related to connected devices and vehicles, and routinely advises clients on best practices, developing security standards, and addressing new and emerging threats.

 

The Federal Trade Commission has released its annual summary of consumer complaints for 2016, contained in the FTC’s latest Consumer Sentinel Network Data Book.  The FTC compiles the report annually based on complaints received by the Consumer Sentinel Network.  Complaints include those made directly by consumers to the FTC, as well as complaints received by state and federal law enforcement agencies, national consumer protection organizations, and non-governmental organizations.

Complaints from consumers concerning debt collection were the most numerous, with “imposter scams” and “identity theft” comprising the second- and third-largest categories of complaints, respectively.  Complaints regarding credit reporting also remained in the top 10.

The complaint categories making up the top 10 areas of consumer complaints are:

| Category | Number of Complaints Received | Percentage of All Complaints Received |
|---|---|---|
| Debt Collection | 859,090 | 28 |
| Impostor Scams | 406,578 | 13 |
| Identity Theft | 399,225 | 13 |
| Telephone and Mobile Services | 292,155 | 10 |
| Banks and Lenders | 143,987 | 5 |
| Prizes, Sweepstakes and Lotteries | 141,643 | 5 |
| Shop-at-Home and Catalog Sales | 109,831 | 4 |
| Auto-Related Complaints | 94,673 | 3 |
| Credit Bureaus, Information Furnishers and Report Users | 49,679 | 2 |
| Television and Electronic Media | 49,546 | 2 |

As in 2015, Florida, Georgia, and Michigan were the top three states for fraud and other complaints, while Michigan, Florida, and Delaware had the most identity theft complaints.

The top categories of complaints often frame the FTC’s priorities for the upcoming year.  Troutman Sanders LLP will continue to monitor FTC regulatory and enforcement activity in each of these categories.

The National Highway Traffic Safety Administration and the Department of Transportation have issued a Notice of Proposed Rulemaking for autonomous and connected cars.  The NPRM “proposes to establish a new Federal Motor Vehicle Safety Standard” under 40 CFR 571 to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions.  The V2V communications focus heavily on the use of “short-range radio communications (DSRC)” devices to transmit “Basic Safety Messages (BSM)” about a vehicle’s speed, heading, brake status, and other vehicle information to surrounding vehicles, and receiving the same information from them.  The NHTSA claims that without such a protocol, the auto industry itself will be unable to move forward together meaningfully.

The NPRM is critical for the cybersecurity industry and all those who intend to enter the connected-car market, as it describes a proposal for a new paradigm of data communications that will have important and persistent privacy implications.  First, the proposal is for vehicles to deploy “omnidirectional radio signals that provide 360 degree coverage along with the ability to ‘see’ around corners and ‘see’ through other vehicles,” supplemented by information from other nearby vehicles.  Vehicles would communicate parameters such as speed, heading, trajectory, and other information, under the BSM protocol proposed – all of which is relatively weather-proof due to the nature of DSRC.  Second, using DSRC allows the industry to leverage existing technologies, thus allowing for earlier and more widespread deployment than other proposals.  The NHTSA and DOT hope that the use of more readily-adaptable technologies such as DSRC will allow for wider and quicker industry support and adoption of their proposal, in turn helping to save lives and ensure public safety.

There are a number of critical proposals of which privacy professionals need to take note:

  • The NHTSA “proposes to exclude from V2V transmitting information that directly identifies a specific vehicle or individual regularly associated with a vehicle, such as owner’s or driver’s name, address, or vehicle identifying numbers, as well as data ‘reasonably linkable’ to an individual,” citing to the Federal Trade Commission.
  • The “NHTSA proposes [that] V2V devices sign and verify their basic safety messages using a Public Key Infrastructure digital signature algorithm … for BSM transmission and the signing of BSMs.”
  • The “NHTSA proposes to mandate requirements that would establish procedures for communicating with a Security Credential Management System to report misbehavior; and learn of misbehavior by other participants.”
  • The “NHTSA proposes that V2V equipment be ‘hardened’ against intrusion (FIPS-140 Level 3) by entities attempting to steal its security credentials.”
  • “V2V systems would be required to be designed from the outset to minimize risks to consumer privacy.”  The publication also imposes a number of other requirements on manufacturers.

In addition to the peer-to-peer BSM communications, the NHTSA is requesting comments for two innovative proposals for V2V device credentialing, both of which would complement the use of PKI.  The first approach is the Federated Security Credential Management model, which envisions a system “established, funded, and governed primarily by one or more private entities – possibly a consortium of automobiles and V2V device manufacturers.”  It would include the following functions in the issuance, management, and revocation of short-term certificates for vehicle transmissions: (1) SCMS managers; (2) registration authorities (RAs); (3) root certificate authorities (Root CAs); (4) intermediate certificate authorities (Intermediate CAs); (5) pseudonym certificate authorities (PCAs); (6) linkage authorities (LAs); (7) misbehavior authorities (MAs); (8) location obscurer proxies (LOPs); and (9) request coordination.  Each of these functions is envisioned to be part of a system wherein certificate management entities (CMEs) would manage short-term certificates for participating vehicles, with both centralized CMEs and federated CMEs.

Diagram 1

As the NHTSA’s figure above shows, few CMEs should handle central functions, whereas many CMEs can compete and handle non-central functions.  The CMEs with central functions would likely need to work with the NHTSA and be subject to future rulemaking.  Notably, by dividing identifying information among different CMEs – centralized and federated – the hope is that safety is achieved with little compromise of security and personally identifiable information.  The NHTSA compares its proposed paradigm to that of the multi-stakeholder Internet Corporation for Assigned Names and Numbers (“ICANN”).[1]

As an alternative to SCMS, which has single security certification roots, the NHTSA is also considering a Vehicle Based Security System (“VBSS”).  The major difference is in the “generation of short-term certificates.”  The NPRM states, “The SCMS approach relies on individual vehicles to periodically request pseudonym certificates from infrastructure-based entities (most notably a Pseudonym Certificate Authority, or PCA) which in turn generates and signs short-term certificates.  Vehicles then download batches of certificates which are used to digitally sign BSM messages.  In contrast, the VBSS concept calls for delegating this authority to individual vehicles, and as a result the communications with the infrastructure are reduced.”

Diagram 2

A number of functions required under SCMS are thereby eliminated, and the whole process is simplified.  Instead, “VBSS establishes a Group Manager/Group Managers (GM) to provide credentials that make it possible for each vehicle to act as a [subordinate] certificate authority – an entity that can generate short-term certificates.  …  All member signing keys for a particular group are associated with a single group certificate.”  The NHTSA indicated that the VBSS is further behind SCMS currently because “while Group-based signature schemes are an active area of research they are evolving and much less mature than other cryptography systems.”
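The SCMS flow quoted above (a PCA signs batches of short-term pseudonym certificates, vehicles sign BSMs with them, and receivers verify) can be modelled in a few functions. The following is an added illustration, not code from the NPRM or from this article: Ed25519, the JSON encoding, the field names, and every function and type name are assumptions chosen to keep the model self-contained, and the NPRM's actual message format and signature algorithm are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrCert        = errors.New("pseudonym certificate not signed by the trusted PCA")
	ErrExpired     = errors.New("pseudonym certificate outside its validity window")
	ErrSig         = errors.New("BSM signature does not verify")
	ErrMalformed   = errors.New("BSM payload is not a JSON object")
	ErrIdentifying = errors.New("BSM carries a directly identifying field")
	// Hypothetical field names standing in for the identifiers the NPRM excludes.
	identifying = []string{"vin", "owner_name", "driver_name", "address"}
)

// PseudonymCert is a simplified short-term certificate with no owner or vehicle identity.
type PseudonymCert struct {
	PubKey    ed25519.PublicKey `json:"pub"`
	NotBefore time.Time         `json:"nb"`
	NotAfter  time.Time         `json:"na"`
	PCASig    []byte            `json:"-"` // excluded from the signed bytes
}

// tbs returns the bytes the PCA signs (every field except PCASig).
func (c PseudonymCert) tbs() []byte {
	b, _ := json.Marshal(c)
	return b
}

type SignedBSM struct { // what a vehicle broadcasts
	Payload, Sig []byte
	Cert         PseudonymCert
}

// NewKeyPair generates a signing key pair (used for the PCA and for vehicles).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueBatch models the PCA signing n consecutive certificates (keys made here for brevity).
func IssueBatch(pca ed25519.PrivateKey, n int, start time.Time, life time.Duration) ([]PseudonymCert, []ed25519.PrivateKey) {
	certs := make([]PseudonymCert, n)
	keys := make([]ed25519.PrivateKey, n)
	for i := range certs {
		pub, priv := NewKeyPair()
		nb := start.Add(time.Duration(i) * life)
		certs[i] = PseudonymCert{PubKey: pub, NotBefore: nb, NotAfter: nb.Add(life)}
		certs[i].PCASig = ed25519.Sign(pca, certs[i].tbs())
		keys[i] = priv
	}
	return certs, keys
}

func SignBSM(key ed25519.PrivateKey, cert PseudonymCert, fields map[string]interface{}) SignedBSM {
	payload, _ := json.Marshal(fields)
	return SignedBSM{Payload: payload, Sig: ed25519.Sign(key, payload), Cert: cert}
}

// VerifyBSM is the receiver's check: cert chain, validity window, signature, privacy rule.
func VerifyBSM(pcaPub ed25519.PublicKey, m SignedBSM, now time.Time) error {
	if len(m.Cert.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(pcaPub, m.Cert.tbs(), m.Cert.PCASig) {
		return ErrCert
	}
	if now.Before(m.Cert.NotBefore) || !now.Before(m.Cert.NotAfter) {
		return ErrExpired
	}
	if !ed25519.Verify(m.Cert.PubKey, m.Payload, m.Sig) {
		return ErrSig
	}
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(m.Payload, &fields); err != nil {
		return ErrMalformed
	}
	for _, k := range identifying {
		if _, ok := fields[k]; ok {
			return ErrIdentifying
		}
	}
	return nil
}

func main() {
	pcaPub, pcaPriv := NewKeyPair()
	t0 := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC) // constructed time
	certs, keys := IssueBatch(pcaPriv, 1, t0, 5*time.Minute)
	bsm := SignBSM(keys[0], certs[0], map[string]interface{}{"speed_mps": 13.4, "brake": false})
	fmt.Println("valid BSM:", VerifyBSM(pcaPub, bsm, t0.Add(time.Minute)))
}
```

Because each certificate in the batch has its own key and a short validity window, a receiver can authenticate a message without learning which vehicle sent it, which is the privacy property the proposal relies on.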

[1] 49 CFR 571, p. 232-237.

The Consumer Financial Protection Bureau has released a new tool designed to help the public track consumer lending trends as well as identify future risks.  The tool, available on the CFPB website, is called “Consumer Credit Trends,” and it currently tracks originations of mortgages, credit cards, auto loans and student loans.  Within each of those categories, a user can see the data broken down by origination activity, borrower risk profile (credit score levels), lending by neighborhood income level, and lending by borrower’s age.  The CFPB states that it will use this data to “monitor conditions in consumer credit markets, analyze the effects of regulatory interventions, and to conduct research into issues affecting consumers.”

Although the Bureau does not provide specifics as to the data itself, it states that the data is from a nationally representative sample of credit records from one of the top three national credit repositories.  Before providing the information to the CFPB, the repository stripped the data of any information that could reveal a particular consumer’s identity.

The CFPB has stated that it plans to update the information in the tool regularly and provide analysis on trends and findings.  The CFPB’s findings in this first release of data include:

  • An increase in mortgage lending between August and October 2016, compared to one year previously;
  • An increase in credit card lending this year, including a large increase in low-income neighborhoods;
  • A slight decline in auto loans, as compared to the same period last year (however, this decline was predominantly among higher risk consumers);
  • Continued historically high percentages of auto lending to consumers over 65 years old; and
  • A slight decrease in originations of student loans, compared to the same period in 2015.

In a press release about the new tool, CFPB Director Richard Cordray stated, “This critical information will help us identify and act on trends that warn of another crisis or that show credit is too constricted.”  The CFPB plans to eventually expand the tool to include other consumer credit products as well as information on credit applications, delinquency rates, and consumer debt levels.

Troutman Sanders will continue to monitor this tool, as well as the CFPB’s analysis of this data.

On December 14, the parties in Mey v. Frontier Communications Corp. filed a motion for preliminary approval of a settlement of a Telephone Consumer Protection Act class action.

According to the Complaint, Frontier, a telephone company that offers voice, broadband, satellite video, and wireless internet data access for individuals and small businesses, uses telemarketing to generate sales.  Frontier supposedly called the named plaintiff on two occasions in 2013.  Plaintiff claims that the calls were made using an automatic telephone dialing system to telephone numbers that were on the national Do Not Call Registry.

After more than three years of litigation, the parties reached a class settlement.  The settlement class consists of all persons within the United States to whom Frontier, or any party acting on Frontier’s behalf, since August 20, 2009: (a) initiated more than one telemarketing call within a 12-month period to any number on the national Do Not Call Registry; and/or (b) initiated one or more telemarketing calls [to any number] assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call.

The class consists of 36,219 unique telephone numbers.  The settlement class will share an $11 million common fund, with each class member to receive at least $90 and the balance of the fund to be divided on a per-call basis to class members who received multiple calls.

The Frontier settlement is the latest in a string of recent TCPA class action settlements affecting a wide range of industries.

The Consumer Financial Protection Bureau has continued to address FCRA-related compliance issues in its most recent Supervisory Highlights publications from March and June 2016.  The Supervisory Highlights once again reiterate the importance of FCRA compliance for a broad spectrum of FCRA-regulated entities, including mortgage originators, furnishers of consumer information, and nationwide specialty consumer reporting agencies (NSCRAs).

June 2016 Highlights

The CFPB’s June Highlights focused on FCRA requirements in the mortgage origination context.  Specifically, CFPB examiners found that one or more institutions took adverse action based on information in consumer reports but failed to provide the required FCRA disclosures.  15 U.S.C. § 1681m(a) requires a specific adverse action notice when adverse action is taken based on information contained in a consumer report.  The notice must include: (1) the name, address, and telephone number of the CRA furnishing the report; (2) a statement that the CRA did not make the decision to take the adverse action; (3) a statement of the consumer’s right to obtain a free copy of a consumer report from that CRA; and (4) a statement of the consumer’s right to dispute with the CRA the accuracy or completeness of information contained in the consumer report.

Examiners noted that the cause of the violations was linked to a lack of appropriate training and inadequate policies and procedures.  The institutions were directed to revise their training policies and procedures to ensure that employees were providing FCRA-required information on the adverse action notices.  A link to the June 2016 publication can be found here.

March 2016 Highlights

CFPB examiners conducted compliance reviews at certain depository institutions to determine whether the institutions were complying with their furnisher-specific obligations under the FCRA and its implementing Regulation V.  The reviews focused on furnishers that provide consumer information to NSCRAs.

Furnishers of consumer information are required to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information they furnish and are also required to promptly update information that is determined to be incomplete or inaccurate.

Examiners found that certain furnishers had policies and procedures generally pertaining to FCRA furnishing obligations, but that they “failed to have policies and procedures addressing the furnishing of information related to deposit accounts.”  Examiners also found that one or more of the furnishers “lacked processes or policies to verify data furnished through automated internal systems.”  While certain furnishers had automated systems to inform the NSCRAs when an account was paid in full or when a balance reached zero, the furnishers did not have controls to check whether that information was actually furnished.  Thus, CFPB supervision directed the furnishers to establish and implement policies and procedures to monitor the automated functions of their deposit furnishing process.

On a related issue, examiners found that when consumers had paid charged-off accounts in full, certain furnishers would update their systems of records to reflect the payment, but would not update the change in status from “charged off” to “paid-in-full” and send the update to the NSCRAs.  The examiners concluded that “[n]ot updating an account to paid-in-full or settled-in-full status could adversely affect consumers’ attempts to establish new deposit or checking accounts.”

With respect to data quality, examiners found certain internal inconsistencies in linking identifying information to consumer records.  These inconsistencies, in some instances, resulted in incorrect information being associated with a consumer’s files.  Therefore, CFPB supervision directed further development and implementation of internal processes to “monitor, detect, and prevent the association of account closures to incorrect consumer profiles, and to notify affected consumers.”

Finally, the examiners reviewed certain NSCRAs and focused on their systems and processes used to oversee and approve furnishers.  Examiners identified certain weaknesses in their systems for credentialing furnishers prior to allowing those furnishers to supply consumer information to the NSCRAs.  The breakdown in processes included failing to follow their own policies and procedures for issuing credentials, failing to implement a timeframe for furnishers to submit required documentation, and failing to maintain adequate documentation in line with their applicable policies and procedures to demonstrate the steps taken to approve a furnisher during the credentialing process.  A link to the March 2016 publication can be found here.

* * * * * * *

These recent Supervisory Highlights show the CFPB’s continued interest in, and supervision of, nuanced areas of FCRA compliance.  Companies that are required to comply with the FCRA should review their written policies and procedures to ensure not only that the policies and procedures are up to date but also that the policies and procedures are being appropriately implemented and followed by employees.  Troutman Sanders’ Financial Services Litigation team has substantial experience in providing FCRA compliance advice.