chevron-down Created with Sketch Beta.

The Business Lawyer

Spring 2024 | Volume 79, Issue 2

Fair Credit Reporting Act Update—2023

Andrew M Smith and Lucy Bartholomew

Fair Credit Reporting Act Update—2023
iStock.com/towfiqu ahamed

Jump to:

Abstract

The Consumer Financial Protection Bureau (“CFPB”) and the Federal Trade Commission (“FTC”) continue to be active under the Fair Credit Reporting Act (“FCRA”), issuing agency guidance and enforcement actions targeting the consumer reporting industry.

This past year also brought several significant appellate court decisions.

Introduction

The Consumer Financial Protection Bureau (“CFPB”) and the Federal Trade Commission (“FTC”) continue to be active under the Fair Credit Reporting Act (“FCRA”), issuing agency guidance and enforcement actions targeting the consumer reporting industry. This past year also brought several significant appellate court decisions.

Regulatory Developments

During the period covered by this Annual Survey, the CFPB and the FTC have sharpened their focus on the credit reporting industry. The CFPB issued a substantial report on the tenant screening industry, and both agencies jointly issued a Request for Information on this industry, which signaled additional regulation and enforcement. In addition, the CFPB issued an advisory opinion on eliminating “facially false data” from consumer reports.

Tenant Screening Developments

Background screening has been a significant area of focus for both the CFPB and FTC during the past year. In November 2022, the CFPB released two reports on the tenant screening industry: (i) a Tenant Background Checks Market Report (the “Tenant Screening Market Report”), which is based on “analysis of data from industry research, legal cases, academic research, the CFPB’s market monitoring, and other third-party sources”; and (ii) a Consumer Snapshot of Tenant Background Checks, which is based on a review of more than 24,000 consumer complaints and results from a focus group with forty-four renters. In releasing these reports, the CFPB highlighted background checks “filled with largely unvalidated information of uncertain accuracy or predictive value.” In response to these issues, the CFPB promised to coordinate with the FTC “to hold tenant screening companies accountable for having reasonable procedures to assure accurate information in the consumer reporting system.”

The CFPB’s reports summarized a number of perceived issues, including inaccurate or misleading information in tenant screening reports and obstacles that consumers face when trying to correct these errors. The Tenant Screening Market Report also suggested that tenant screening reports are of “questionable relevance” given the lack of rental payment history, indicating that “credit history does not directly measure—and is therefore an inherently limited predictor of—one’s likelihood to pay rent and be a responsible tenant.” In the reports and accompanying release, the CFPB criticized the lack of accessibility, noting that renters often pay the fees for tenant screening reports but face obstacles in obtaining copies of these reports and submitting corrections. The Tenant Screening Market Report devoted significant attention to the rise of customized rental risk scores and automated screening, and described risks associated with the lack of transparency and validation of these products. The CFPB also expressed concern with the potential for risk scores and decision recommendations to “mask[] inaccuracies” in the underlying data and to “obfuscate the underlying reasons for adverse rental application decisions.”

In February 2023, both the CFPB and the FTC issued a Request for Information on background screening issues impacting individuals seeking rental housing. In the press release accompanying the request, the agencies described the “range of challenges” facing renters, including shortages of affordable housing and rising rent amounts. CFPB Director Rohit Chopra stated, “Error-ridden background checks are increasingly used by corporate landlords to deny housing to Americans,” and promised to “continue to work [with the FTC] to protect the integrity of our credit reporting system from sloppy background check companies.” The agencies plan to use the information received in response to the Request for Information to “inform enforcement and policy actions under each agency’s jurisdiction.”

The Request for Information included over forty questions, some with multiple subparts. The questions cover tenant screening generally, criminal records, eviction records, and the use of algorithms in tenant screening. The majority of the questions seek to collect information about the tenant screening and housing industry. Many suggest that the agencies are considering broader protections, including additional disclosures to tenants and limited English proficiency consumers, restrictions on application-related fees, and exclusions of certain records from appearing on screening reports. The Request for Information also solicits information about housing providers’ consideration of sources of income, including housing vouchers or other public assistance, and the potential impact of tenant screening practices on historically underserved populations. The final topic covers algorithms in tenant screening, including the types of algorithms and models used, the testing and validation of those algorithms, and consumers’ ability to dispute the outputs of the model. The agencies received over 600 comments in response to this Request for Information.

The Request for Information follows a broader “whole-of-government” effort summarized in a January 2023 Blueprint for a Renters Bill of Rights issued by the White House. This Blueprint set forth non-binding “common sense” principles for tenant protections, which include “access to safe, quality, accessible and affordable housing” and “education, enforcement, and enhancement of renter rights.” Of note, the Blueprint referenced the CFPB and the FTC’s Request for Information and stated that the FTC has committed “to take action against acts and practices that unfairly prevent consumers from obtaining and retaining housing,” and that the agency would use the information received through the request for information process for “use in enforcement and policy actions.” The Blueprint also summarized the CFPB’s recent advisory opinions regarding matching procedures and permissible purpose, which were covered in the previous Annual Survey, and the tenant screening reports discussed above. According to the Blueprint, the CFPB has committed to “identify[ing] guidance or rules that it can issue to ensure that the background screening industry adheres to the law, and coordinate law enforcement efforts with the FTC to hold tenant background check companies accountable for having reasonable procedures to ensure accurate information in the credit reporting system.” Other agencies, including the U.S. Department of Housing and Urban Development, the FTC, the Federal Housing Finance Agency, and the U.S. Department of Agriculture, promised to work with the CFPB to release “best practices” regarding tenant screening reports, which will cover clear communication to applicants regarding use of the reports, associated fees, rights to challenge and correct inaccurate information, and Fair Housing Act (“FHA”) issues.

CFPB Advisory Opinion on “Facially False Data”

In October 2022, the CFPB issued an advisory opinion regarding “facially false data,” which sets forth an expectation that consumer reporting agencies identify and remove “facially false data” or “junk data” from credit reports. These expectations follow from section 607(b) of the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy” of the information they collect and report. The Bureau believes that this statutory requirement encompasses a duty for consumer reporting agencies “to screen for and eliminate logical inconsistencies, to prevent the inclusion of facially false data in consumer reports.”

In the advisory opinion, the CFPB described two categories of the types of logical inconsistencies that consumer reporting agencies should eliminate in consumer reports. First, the CFPB described “inconsistent account information or statuses,” which involve “tradelines with account statuses or codes that are plainly inconsistent with other information reported for that same account, such that, if included in a consumer report, at least one item of information therein would necessarily be inaccurate.” The Bureau provided a number of examples, including accounts with paid in full status, but which also reflect a balance due; original loan amounts that increase over time; and derogatory information that predates an earlier report that did not include the derogatory information. The advisory opinion also focused on the illogical reporting of the date of first delinquency and the categories of information that cannot be included in a consumer report under section 605(a) of the FCRA. Illogical dates of first delinquency may include, for example, dates reported for an account where the records reflect no delinquency (e.g., a history of timely payments); dates that post-date a charge-off date; and a date that predates the account open date (for non-collection accounts).

The second category of logical inconsistencies in the advisory opinion involves illogical information relating to consumers. One example of this kind of illogical inconsistency occurs when a consumer report includes “impossible” information about consumers, such as when a tradeline lists a date of account opening, or another relevant date, which is in the future, or when that relevant date predates the consumer’s date of birth. The advisory opinion also provided a second example involving information about consumer accounts that is “plainly inconsistent” with other reported information, including, for example, if all tradelines are reporting ongoing payment activity, but one tradeline contains a “deceased” indicator. In these situations, the CFPB expects consumer reporting agencies to identify and eliminate the inconsistency in the consumer report, and, more proactively, to prevent the inclusion of this kind of inaccurate information from appearing on consumer reports in the first place.

The advisory opinion covered facially false data for minors in great detail. The CFPB is concerned about minors, including minors in foster care, who are not legally permitted to enter into contracts, and who may be more exposed to identity theft risk. To better protect this population, the CFPB expects consumer reporting agencies to have policies, procedures, and internal controls to identify and prevent the reporting of illegitimate credit transactions for minors. The Bureau acknowledges that some types of credit transactions may be legitimate for minors, including student loans and credit card authorized user accounts, or in the case of emancipated minors.

Enforcement Actions Concerning Credit Reporting

Phoenix Financial Services

In June 2023, the CFPB entered into a consent order with Phoenix Financial Services (“Phoenix”), a medical debt collector. Under the terms of the consent order, Phoenix agreed to pay a $1.675 million civil penalty for FCRA violations. The violations alleged by the CFPB provide useful guidance regarding the FCRA duties of companies that furnish data to consumer reporting agencies.

The CFPB alleged that the debt collector “failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information it furnished to [c]onsumer [r]eporting [a]gencies” by failing to follow its own policy with respect to periodic reviews of a randomly selected sample of information furnished to consumer reporting agencies. The CFPB also alleged that Phoenix violated the FCRA by failing to (i) “review historic dispute trends . . . to identify practices or activities that could compromise the accuracy or integrity of furnished information,” (ii) consider implementing standard procedures, (iii) verify random samples of information that the debt collector provided to consumer reporting agencies, and (iv) review historical records relating to accuracy or integrity of furnished information.

With respect to dispute handling, the CFPB alleged that Phoenix “failed to conduct reasonable investigations of consumer disputes” as required by FCRA section 623(b) by relying only on information obtained from its client healthcare providers when the debts were originally placed for collection, and by failing to supplement that information as needed. Phoenix allegedly matched identifying information furnished to consumer reporting agencies against identifying information in its own system of record. The CFPB indicated that this was inadequate, for example, in a “not my account” dispute (where the consumer is arguing that she did not incur the debt), or a dispute about account performance. The CFPB also stated that policies and procedures should not instruct employees to treat each dispute independently to ensure that the furnisher reviews prior communications with the consumer, and that policies and procedures should instruct employees to make requests of the original creditor or other third parties to confirm the accuracy of information under dispute. The CFPB alleged that Phoenix routed 30 percent of indirect disputes to an automated dispute resolution program—depending on the dispute reason—which merely compared information furnished to consumer reporting agencies with information in Phoenix’s system of record; did not review other information in Phoenix’s possession, such as information about prior disputes; and did not require disputes routed to the automated program to be escalated to an employee. The CFPB also alleged that Phoenix did not have a sufficient number of employees and contractors to handle the volume of disputes received—individual employees and contractors handled hundreds of disputes per day, spending “mere seconds on average to resolve each dispute.”

Litigation Developments

Disputes of “Legal” Versus “Factual” Information Under the FCRA

In Milgram v. Chase Bank, the plaintiff ’s employee fraudulently opened credit card accounts in the name of the plaintiff ’s business and purchased tens of thousands of dollars of goods and services for her own use. The plaintiff disputed the charges, but defendant Chase Bank found that the rogue employee had acted with apparent authority, if not actual authority, and that the plaintiff owed the money. The plaintiff disputed the fraudulent charges on her credit report as inaccurate, and Chase Bank verified the information as accurate when it investigated the dispute, which prompted the plaintiff to sue the bank under FCRA section 623(b), alleging that the bank’s investigation of plaintiff ’s dispute was not reasonable.

Chase Bank argued that it could not be held liable under the FCRA for failing to investigate what was essentially a disputed legal question—i.e., whether the rogue employee acted with apparent authority—because the FCRA only requires investigation of factual issues, such as whether a consumer was delinquent on her account. The CFPB appeared as an amicus, stating that “the district court held that a consumer cannot prevail on a FCRA claim by raising disputed legal questions as part of the dispute process instead of pointing to factual inaccuracies within the credit report.” The CFPB cited to several cases holding that the FCRA does not require furnishers or consumer reporting agencies to resolve “legal” disputes, and requires only investigation of “factual” disputes. The CFPB argued that these cases were wrongly decided, because the FCRA does not distinguish between “factual” and “legal” disputes, indicating that both must be investigated, and that drawing lines between these two types of disputes is very hard to do—many disputes are “mixed questions of fact and law.” The Eleventh Circuit has never addressed the “factual” versus “legal” question, and it sidestepped the issue yet again by rejecting the plaintiff ’s claim that the bank had failed to conduct a reasonable investigation, because the plaintiff had not explained why the bank’s investigation was inadequate or what the bank should have done differently with respect to its investigation.

New Standard for “Accuracy” in the Third Circuit: The “Reasonable Reader” Standard

In Bibbs v. Trans Union, the plaintiffs alleged that the defendant consumer reporting agency produced and disseminated inaccurate consumer reports by including a notation in the reports indicating that a closed account with a $0.00 balance was 120 days past due. The plaintiffs argued that an account that is closed cannot simultaneously be 120 days past due, that the information is therefore inaccurate, and thus that the defendant consumer reporting agency violated FCRA section 607(b), which requires consumer reporting agencies to establish reasonable procedures to assure maximum possible accuracy of information in consumer reports. The defendant responded that the “120 days past due” notation was accurate. It was a “Pay Status” field, which represents the last known status of an account that has been closed and paid.

Under the FCRA, consumer reporting agencies are required to maintain reasonable procedures to ensure the maximum possible accuracy of the information in consumer reports. The Third Circuit held that to state a claim under this provision, a plaintiff must first allege that information in a consumer report is inaccurate. The court then held that, even if information in the consumer report “is technically correct, it may nonetheless be inaccurate if, through omission, it creates a materially misleading impression.”

In other words, it is the impression of creditworthiness that a reader or user of a consumer report takes away from a consumer report that determines whether the information in the consumer report is accurate. The Bibbs court adopted what it referred to as a “reasonable reader” standard to make this accuracy determination—i.e., to determine whether information in the consumer report is accurate, the court would determine how a reasonable reader would have comprehended the information. The court further explained that when “applying the reasonable reader standard to determine the accuracy of an entry in a [consumer report, a court] must make such determination by reading the entry not in isolation, but rather by reading the report in its entirety.” Applying this standard, the court held that the information in question—i.e., the “Pay Status” notation on a paid-off account—was accurate, because the consumer report contained multiple conspicuous statements reflecting that the accounts were closed and that “a reasonable interpretation of the reports in their entirety is that the Pay Status of a closed account is historical information.”

Because this information was accurate, the Bibbs court similarly dismissed the plaintiffs’ claim that the consumer reporting agency had not reasonably investigated their disputes of this information. The court held that to bring an action under FCRA section 611 alleging that a consumer reporting agency failed to investigate a dispute of information in a consumer report, the plaintiff must first show that the information was in fact inaccurate. The Third Circuit thus joined “the weight of authority in other circuits,” holding that “without a showing that the reported information was in fact inaccurate, a claim brought under [section 611] must fail.”

No Immunity for Consumer Reporting Agencies Under the Communications Decency Act

In Henderson v. Source for Public Data, the plaintiffs sued the defendant website operator (“Public Data”) alleging that it was a consumer reporting agency that had failed to comply with the FCRA obligations to provide consumers with a copy of their own records, to obtain certain certifications from employers before providing them with employment background screening reports, and to maintain proper procedures to ensure the accuracy of information in consumer reports. The district court held that Public Data was immune from FCRA liability under section 230 of the Communications Decency Act, which provides that that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Public Data collects public record information, formats that information into a database, and publishes that database on the website PublicData.com. The plaintiffs alleged that the defendant failed to provide to them copies of the information that it had on file about them, and at least one plaintiff alleged that he was denied employment because the defendant provided inaccurate criminal history information to his prospective employer.

The Fourth Circuit reversed the lower court to hold that Public Data was not entitled to immunity under section 230. To begin, the court held that the claims regarding failure to provide consumers with a copy of their record and failure to obtain certain certifications from employers did not implicate section 230 at all, “because those claims do not treat [Public Data] as a publisher or speaker of information.” The court stated that to be entitled to immunity from liability under section 230, a defendant must be subject to a claim seeking to hold the defendant responsible as the publisher or speaker of information. The court recognized, however, that the only way to be a consumer reporting agency subject to the FCRA requirements in question is to publish information about personal characteristics for the purpose of determining eligibility for credit, insurance, employment, or other transactions. In other words, the only way to assert an FCRA claim against Public Data would be to allege that it is a “publisher or speaker of information.” But for the publication of information, there would be no FCRA liability for failure to obtain employer certifications or provide consumers with their records. The court, however, rejected the “but-for” argument, analogizing these facts to Erie Insurance Co. v. Amazon.com, Inc., which held that Amazon was not protected by section 230 in a products liability suit, even though the publication of information—i.e., the operation of the Amazon.com website—was a but-for cause of the harm. The court held that because the allegations regarding employer certifications and disclosure of consumer records do not seek to impose liability on Public Data as a speaker or publisher, Public Data was not immune from those claims under section 230.

The Henderson court held further that the claims regarding failure to maintain procedures to ensure accuracy should apply to Public Data, because it is in fact an information content provider. Under section 230, an interactive computer service is not liable for “information provided by another information content provider,” but in this case, held the court, Public Data was providing the content in question. Relying on prior opinions holding that an interactive computer service can be responsible for content if it “directly and materially contribute[s] to what made the content unlawful,” the court held that the plaintiffs had alleged enough facts to show that the defendant’s own actions contributed in a material way to what made the content at issue inaccurate and therefore improper.

Tenant Screener Is Not Responsible for Landlord’s Decision; No Private Cause of Action Under Regulation V

Connecticut Fair Housing Center v. Core Logic Rental Property Solutions was an action against a consumer reporting agency that provides tenant screening reports to landlords and property management companies to assist them in making decisions about prospective tenants. The plaintiffs alleged that the consumer reporting agency violated the FHA in connection with rental decisions that discriminated against the plaintiffs based on disability, national origin, and race. The court held that any rental decisions were made by the housing provider, and that the consumer reporting agency “does not decide whether an applicant is qualified for housing; rather, the decision lies with the housing provider alone.”

The plaintiff alleged further that the consumer reporting agency violated the FCRA and Regulation V by failing to provide the plaintiff with a copy of his consumer reporting file. Consumer reporting agencies are generally required to provide consumers with a copy of their consumer reporting file upon request, and so-called “nationwide specialty consumer reporting agencies,” such as tenant screening agencies operating on a national basis, have additional requirements to provide file disclosures free of charge. These requirements are in the FCRA and Regulation V, and the plaintiff claimed that the defendant consumer reporting agency violated both the statute and the rule. The court held, however, that the regulation does not confer a private right of action, citing to authority that “a regulation, by itself, may not create a private right of action.”

Relying on the statute, however, the court held that plaintiff could pursue his claim for failure to provide a file disclosure. The plaintiff was a disabled individual under a conservatorship, and his conservator had requested that the consumer reporting agency provide him with a copy of his consumer report as required by the FCRA. The defendant agency had a policy of not disclosing consumer reports to conservators, only disclosing consumer reports to individuals with a power of attorney for the consumer in question. The plaintiff, however, was “non compos mentis” and legally unable to grant a power of attorney. Therefore, it was impossible for his conservator to obtain a copy of the plaintiff ’s consumer report file. Although a consumer reporting agency is permitted to establish reasonable requirements for proper identification before providing a consumer report to a requestor, the court held that defendant agency violated the FCRA by imposing an impossible condition on obtaining a file disclosure, and that this violation was willful and subject to statutory damages, because “it was objectively unreasonable for [defendant] to think that setting a condition entirely blocking a consumer’s ability to exercise their right to their consumer report is a fair reading of the FCRA disclosure requirements.”

    Authors