The Consumer Financial Protection Bureau (“CFPB”) has been increasingly active under the Fair Credit Reporting Act (“FCRA”), making rules, issuing advisory opinions, and taking enforcement action. CFPB Director Rohit Chopra has likened consumer reporting agencies to “surveillance companies” and has said that enforcement of the FCRA will be one of the CFPB’s highest priorities:
Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data . . . . While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.
In the meantime, the Federal Trade Commission (“FTC”) continues to be active in enforcing the FCRA, bringing a first-of-its-kind case under the FCRA’s Red Flags Rule. And, the private plaintiffs’ bar continues to bring individual and class actions against consumer reporting agencies, companies that use consumer reports, and companies that provide information to consumer reporting agencies, resulting in important court opinions defining rights and obligations under the FCRA.
During the period covered by this Annual Survey, the CFPB has made a new FCRA rule and also has been active in issuing formal regulatory guidance under the statute.
The CFPB issued a rule prohibiting consumer reporting agencies from furnishing consumer reports with adverse information about victims of severe human trafficking or sex trafficking, as required by the Debt Bondage Repair Act. The purpose of the Debt Bondage Repair Act and the CFPB’s Human Trafficking Rule is to assist human trafficking survivors who have suffered financial abuse at the hands of traffickers, who may intentionally destroy victims’ credit history to prevent employment, access to credit on fair terms, and the ability to locate affordable housing.
The CFPB’s Human Trafficking Rule defines the “trafficking documentation” that survivors may submit to consumer reporting agencies (both nationwide and specialty) to identify and remove adverse consumer reporting information resulting from human trafficking. Consumer reporting agencies must make available mailing addresses and a website address to allow consumers to submit trafficking documentation, and they must accept submissions through the same channels used for disputes under section 611 of the FCRA. Nationwide consumer reporting agencies are also required to establish a toll-free telephone number dedicated to addressing submissions from victims of human trafficking.
If a human trafficking survivor submits the required trafficking documentation, “a consumer reporting agency may not furnish a consumer report containing any adverse item of information concerning a consumer that resulted from a severe form of trafficking in persons or sex trafficking.” Specifically, consumer reporting agencies must block the adverse information within four business days after receiving the consumer’s trafficking documentation, and must make a final determination regarding the completeness of the trafficking documentation within twenty-five business days. Consumer reporting agencies can only decline or rescind a block of adverse information if it cannot confirm the identity of the survivor, the adverse items cannot be identified, or the survivor is unable to provide proof of a victim determination. Consumer reporting agencies are also required to send notices informing consumers of the final determination regarding the block, and must attach a copy of the victim’s consumer report based upon the revised file (if applicable). The final Human Trafficking Rule became effective on July 25, 2022.
The CFPB has issued advisory opinions relating to data matching standards required by the accuracy and permissible purpose provisions of the FCRA and an interpretive rule regarding preemption of state laws by the FCRA.
Rohit Chopra was sworn in as director of the CFPB on October 12, 2021. Three weeks later, in one of his earliest acts of office, the CFPB issued an advisory opinion interpreting the FCRA to prohibit the practice of matching consumer report information to an individual solely through the matching of names (i.e., “name-only matching”). The advisory opinion defines name-only matching as a process by which “a consumer reporting agency uses only first and last names to determine whether a particular item of information relates to a particular consumer, without using other personally identifying information such as address, date of birth, or Social Security number.” The FCRA requires consumer reporting agencies to use reasonable procedures to assure maximum possible accuracy of consumer information, and the advisory opinion makes clear that the CFPB believes that name-only matching procedures do not assure maximum possible accuracy of consumer information. The use of relatively weak data matching procedures, including name-only matching logic, is not new, and in the past several years the FTC has brought multiple enforcement actions—particularly against tenant and employment background screening firms—alleging that the practice violates the FCRA’s accuracy requirements.
The advisory opinion is careful to indicate that it does not create a safe harbor for consumer reporting agencies that match on more than name alone, indicating that name combined with date of birth could also lead to mistaken identity and may not be a reasonable procedure to assure maximum possible accuracy of consumer information. The CFPB also emphasized that Black, Hispanic, and Asian communities are most likely to be disproportionately affected by name-only matching because there is less surname diversity compared to the white population.
Eight months later, in July 2022, the CFPB followed up with another advisory opinion on the issue of name-only matching. This time, however, rather than highlighting poor matching procedures as an accuracy issue, the CFPB stated that insufficient procedures to match a consumer to consumer report information can result in a consumer reporting agency providing a report to an entity without a permissible purpose, and that disclaimers about “insufficient matching procedures” do not “cure” a permissible purpose violation. The advisory opinion also states that consumer reporting agencies are prohibited from providing multiple credit reports as “possible matches,” since the requester only has a permissible purpose to obtain a consumer report about a single individual. The CFPB emphasized that obtaining a consumer report on an individual under false pretenses or providing a consumer report to an unauthorized individual could result in criminal liability.
On June 28, 2022, the CFPB released an interpretive rule affirming the FCRA’s “limited preemption of state laws” and emphasizing the flexibility that states have to enact laws that are more prohibitive than the FCRA.
The FCRA sets out a complex scheme of federal preemption with several different categories of preemption. Some of these categories are quite broad. For example, “[n]o requirement or prohibition may be imposed under the laws of any State . . . with respect to the exchange of information among persons affiliated by common ownership.” In addition, no state may impose a requirement with respect to certain categories of consumer disclosures, or with respect to the frequency with which free credit reports must be given to consumers. Slightly more inscrutable are the provisions that prohibit states from imposing requirements “with respect to any subject matter regulated under” specific FCRA provisions, or imposing requirements “with respect to the conduct required by the specific provisions” of FCRA sections. For everything else not covered by these enumerated categories, states may make rules, as long as those rules are “not inconsistent” with the FCRA.
The Interpretive Rule describes states’ “broad authority” to regulate credit reporting and explains that state laws are not preempted by the FCRA unless they are “inconsistent” with the FCRA or fall within “narrow” categories of preemption. Although it makes broad statements about states’ expansive ability to legislate and the narrowness of federal preemption, ultimately the Interpretive Rule’s conclusions are quite limited. The Interpretive Rule concludes that states may regulate whether and when information about medical debt, landlord-tenant disputes, and arrest records may be furnished to consumer reporting agencies, but state laws that limit the amount of time that such information may appear in a consumer’s file would be preempted. It also suggests that states can require consumer reporting agencies to provide information required by the FCRA in languages other than English.
On July 26, 2022, the CFPB announced an enforcement action against Hyundai Capital America (“Hyundai”) for furnishing inaccurate account and delinquency information to consumer reporting agencies. The consent order requires a nearly $20 million payout in penalties and redress, and is the largest CFPB enforcement action against a data furnisher to date. The settlement also includes a novel unfairness claim and is the first FCRA furnisher enforcement action that provides for consumer redress.
In the consent order, the CFPB alleged that Hyundai violated multiple sections of the FCRA. First, Hyundai allegedly failed to correct and update information determined to be inaccurate or incomplete through internal audit reports, including delinquency information, original loan amounts, date of first delinquency (“DOFD”), and payment ratings. Hyundai also allegedly failed to update consumers’ accounts following the resolution of a dispute when the company’s credit furnishing technology overrode manual corrections made in response to consumer disputes, thereby reintroducing erroneous information into consumers’ credit reports. In addition, the company allegedly did not have policies and procedures in place to ensure that tradelines resulting from identity theft were not subsequently furnished to credit bureaus.
The consent order includes a separate allegation that Hyundai engaged in an unfair act or practice when it failed to “appropriately assign ownership of furnishing-related processes”; “prioritize identified consumer reporting-related risks”; and adequately invest in technology and monitoring. According to the consent order, these alleged failures were likely to cause substantial consumer injury (i.e., credit report errors), which could not be avoided by consumers, and provided no offsetting benefits to consumers or to competition. This allegation appears to be a novel use of unfairness. The causal link between any of the above alleged procedural failures and actual, cognizable consumer injury is speculative and, under existing law and practice, would not support an unfairness claim.
The consent order imposes both conduct and monetary relief. With respect to conduct relief, Hyundai is subject to the CFPB’s standard conduct provisions, including the requirements to comply with applicable laws and develop a compliance plan. The consent order also includes one unique conduct provision that requires Hyundai, on a monthly basis, to examine its Metro 2 errors before providing the Metro 2 file to any consumer reporting agency. This provision also would require Hyundai to “suppress all reporting of affected accounts until such time as they are corrected.” While not explicit, this provision suggests the CFPB’s endorsement of suppression when a furnisher cannot ensure that accounts will be correctly reported.
With respect to monetary relief, the consent order requires Hyundai to pay a $6 million civil money penalty and provide $13.2 million in redress to affected consumers. There is no indication in the consent order of how the redress payments will be determined. Redress payments are generally based on the monetary value of the alleged injury resulting from the alleged law violations, which, in this case, may include inaccurate reporting, systemic overriding of manually corrected information, or failure to block tradeline information resulting from identity theft.
Vivint Smart Home (“Vivint”) sold home security systems door-to-door and also offered retail installment contracts and other financing directly to consumers. The FTC took enforcement action against Vivint, alleging that its salespeople violated the FCRA through a practice known as “white paging,” where a salesperson obtains a credit report on an individual other than the person applying for credit, in order to qualify the otherwise not creditworthy applicant. The FTC alleged that this practice violated the permissible purpose restrictions of the FCRA, which prohibit any person from obtaining a consumer report without a permissible purpose. In this case, the salesperson would have a permissible purpose to obtain a consumer report in connection with a credit application by the consumer who is the subject of the report, but the salesperson instead obtained a consumer report about an entirely unrelated individual with the same or a similar name. By relying on the credit history of an unrelated person, the salesperson could qualify an otherwise unqualified applicant for credit.
The FTC also alleged that this practice amounted to identity theft—defined as any fraud committed using another person’s means of identification without authorization—and Vivint allegedly violated the FTC’s Red Flags Rule under the FCRA, which requires creditors like Vivint to maintain an Identity Theft Prevention Program. According to the FTC, Vivint failed to maintain a written program designed to detect, prevent, and mitigate identity theft; failed to provide any training or monitoring of its sales force; and did not follow up on prior allegations of identity theft against the company. The FTC obtained $20 million in civil penalties and redress for these violations.
Over the period covered by this Annual Survey, there have been some important appellate court decisions defining rights and obligations under the FCRA. Although these cases all dealt with the duties of consumer reporting agencies under the statute, they nonetheless have broader application, insofar as they address standing to sue, as well as the showing required to recover monetary damages under the FCRA. All of these decisions resulted in favorable outcomes for the defendant consumer reporting agencies.
In TransUnion LLC v. Ramirez, the Supreme Court held that, under the “case or controversy” requirement of Article III of the Constitution, a plaintiff must allege a “concrete injury” to sue in federal court, even where there is a clear violation of the underlying statute. The fact that Congress has granted a statutory right to sue is “instructive” but not dispositive of standing.
For an injury to be concrete, it must be the same type of injury as courts have “traditionally” recognized as providing a basis for a lawsuit, including physical harm, monetary harm, or certain types of intangible harms, such as harms to reputation. Applying this standard, the Court concluded that individuals about whom TransUnion had reported incorrect derogatory information to third parties had suffered “concrete” injury, such as a potential harm to their reputation, but those who simply had incorrect information in their “file,” i.e., where TransUnion had not reported that information to any third party, were not sufficiently injured to maintain a federal lawsuit. The plaintiffs had also alleged that TransUnion had violated the FCRA by failing to provide all of the information in their file in a single disclosure, but rather had provided two disclosures. Here too, the Court held that there was no cognizable injury because the plaintiffs failed to allege any actual harm stemming the format of the mailings. According to the Court, plaintiffs did not allege that they failed to receive any required information; they argued only that it was not properly formatted.
In the dissent, Justice Thomas, joined by Justices Breyer, Sotomayor, and Kagan, wrote that the majority misunderstands the Court’s precedent, and that individuals enforcing a private right, as opposed to a duty broadly to the community, have standing to sue even without a showing of actual damages. In other words, “a statute that creates a private right and a cause of action gives plaintiffs an adequate interest in vindicating their private rights in federal court.” The dissent claimed that the majority opinion goes further than any prior precedent: “never before has this Court declared that legislatures are constitutionally precluded from creating legal rights enforceable in federal court if those rights deviate too far from their common-law roots.” The dissent also maintained that, even under the majority’s reading, those consumers who had incorrect information in their file, but with no report of that information to third parties, nonetheless had standing to sue because of the high risk that a report of that information would be made to third parties. The dissent stated that this likelihood that the erroneous information would eventually be reported to a third party constituted “a degree of risk sufficient to meet the concreteness requirement.”
The dissent also noted an irony in the majority opinion: the more demanding standard for maintaining a lawsuit in federal court would result in plaintiffs bringing these federal claims in state court going forward. The Ninth Circuit decision on standing in Tailford v. Experian Information Solutions, Inc. was one such case. As presaged by the TransUnion dissent, the procedural posture was upside down. The plaintiff originally filed her case in state court, the defendant consumer reporting agency successfully removed it to federal court, and on her motion for remand, the plaintiff argued against standing in the federal court, while the defendant consumer reporting agency argued that plaintiff had suffered an actual injury. The underlying alleged violation was the same as TransUnion, failure to provide a file disclosure, but the Ninth Circuit distinguished TransUnion by finding that the alleged violation here was an outright failure to provide information, rather than a procedural violation in the formatting of the disclosure. The Tailford court then held that the defendant consumer reporting agency was not statutorily required to disclose the information in question, as alleged by the plaintiff, and held that the plaintiff therefore had failed to state a claim on which relief can be granted, dismissing the complaint.
Under the FCRA, plaintiffs can recover actual damages for “negligent” violations of the statute and statutory damages of $100 to $1,000 for each “willful” violation of the statute. To prove a negligent violation, a plaintiff must show that the defendant acted pursuant to an objectively unreasonable interpretation of the FCRA. To prove a willful violation, a plaintiff must show knowing disregard or the reckless violation of a standard. Both of these standards were addressed by the Ninth Circuit in Moran v. Screening Pros, LLC, in which the court held that the defendant consumer reporting agency had not acted negligently or willfully in relying on an erroneous, but reasonable, interpretation of the law. The defendant introduced evidence that its interpretation was consistent with industry norms, and that it had relied on FTC commentary which had not been formally withdrawn, despite the fact that intervening statutory amendments had made it obsolete, and which was the only authoritative source on point. The Ninth Circuit affirmed summary judgment for the defendant consumer reporting agency, holding that “we cannot say, nor could any other reasonable fact finder, that on this record Defendants violation . . . was negligent, much less willful.”
The Second Circuit also has recently addressed the standard for monetary relief under the FCRA in Shimon v. Equifax Information Services LLC. The plaintiff consumer disputed public record information in his credit report, and he alleged that the defendant consumer reporting agency had failed to notify the “furnisher” of the information of his dispute, and further had failed to provide him with disclosure of the “source” of the public record information, as required by the FCRA. In both cases, the defendant argued that the information was received from a vendor, and that it was reasonable for a consumer reporting agency to construe these provisions to “exclude its own contractor charged with gathering public records on the agency’s behalf,” and that it could not have acted negligently or willfully if its actions are supported by a reasonable interpretation of the law. The plaintiff then claimed that, to rely on this defense, the agency must demonstrate “that it actually adopted these legal positions” before it took the allegedly unlawful actions. The Second Circuit disagreed, and joined the Third, Eleventh, and Seventh Circuits in holding that a defendant’s subjective intent is irrelevant to a finding of negligence or willfulness, and that a defendant is not required to show that it “actually and contemporaneously adopted a particular statutory interpretation” to assert this defense.
With a new director at the CFPB having stated that he is committed to actively administering and enforcing the FCRA, the next couple of years should be active for consumer reporting agencies, companies that use consumer reports, and companies that provide information to consumer reporting agencies. However, this new law enforcement vigor may run into headwinds from a federal judiciary that, as seen in the cases discussed in this year’s Annual Survey, seems increasingly inclined to give the benefit of the doubt to commercial firms faced with the challenges of complying with an arcane, and sometimes tortuous, statutory framework.
