On January 28, the FTC released a comprehensive report detailing what the so-called “Internet of Things” is, how it is being used, and how both consumers and businesses can protect themselves. The report defines the Internet of Things as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet,” and that are sold to or used by consumers. The report focuses on consumer privacy and security and offers a variety of recommendations for those companies offering devices that fall within the definition, including that security be a key part of the design process and data collection be limited where possible. The report does not call for new legislation specific to the Internet of Things because the FTC believes such legislation would be premature. The FTC states that it will use existing authority under laws such as the FTC Act, the Fair Credit Reporting Act, the Hi-Tech Act, and the Children’s Online Privacy Protection Act to take actions against Internet of Things products and services as necessary to protect consumers.
CFPB Initiative Results in Free Access to Credit Scores, Agency Pledges to Increase Credit Reporting Enforcement Authority
One year after launching an initiative to improve consumer access to credit reporting information, the CFPB announced on February 19 that at least 50 million Americans now have the ability to directly and freely access their credit scores. As a result of the CFPB’s credit score initiative, over a dozen major credit card issuers have elected to provide free credit reports to their cardholders, and more issuers are expected to follow suit. The initiative was launched to emphasize the significance of monitoring credit scores and to make it easier for consumers to keep themselves informed. CFPB Director Richard Cordray applauded the agency’s efforts to increase transparency in this arena in his prepared remarks for Thursday’s Consumer Advisory Board Meeting, stating that improving both the accessibility and accuracy of credit reports is vital to consumers and credit providers alike. Cordray also alluded that the CFPB intends to leverage its enforcement authority to more closely regulate the credit reporting industry, thereby placing creditors, debt collectors, and other businesses that furnish consumer credit information on high alert. “Using our supervision and enforcement authorities,” Cordray said, “we are already bringing significant new improvements to the credit reporting system − and we are only getting started.”
Special Alert: CFPB Takes Enforcement Action Against “Buy-Here, Pay-Here” Auto Dealer for Alleged Unfair Collection and Credit Reporting Tactics
On November 19, the CFPB announced an enforcement action against a ‘buy-here, pay-here’ auto dealer alleging unfair debt collection practices and the furnishing of inaccurate information about customers to credit reporting agencies. ‘Buy-here, pay-here’ auto dealers typically do not assign their retail installment sale contracts (RISCs) to unaffiliated finance companies or banks, and therefore are subject to the CFPB’s enforcement authority. Consistent with the position it staked out in CFPB Bulletin 2013-07, in this enforcement action the CFPB appears to have applied specific requirements of the Fair Debt Collection Practices Act (FDCPA) to the dealer in its capacity as a creditor based on the CFPB’s broader authority over unfair, deceptive, or abusive acts practices.
The CFPB charges that the auto dealer violated the Consumer Financial Protection Act, 12 U.S.C. §§ 5531, 5536, which prohibits unfair, deceptive, or abusive acts or practices, by (i) repeatedly calling customers at work, despite being asked to stop; (ii) repeatedly calling the references of customers, despite being asked to stop; and (iii) making excessive, repeated calls to wrong numbers in efforts to reach customers who fell behind on their auto loan payments. Specifically, the CFPB alleges that the auto dealer used a third-party database to “skip trace” for new phone numbers of its customers. As a result, numerous wrong parties were contacted who asked to stop receiving calls. Despite their requests, the auto dealer allegedly failed to prevent calls to these wrong parties or did not remove their contact information from its system.
In addition, the CFPB alleges that the auto dealer violated the Fair Credit Reporting Act by (i) providing inaccurate information to credit reporting agencies; (ii) improperly handling consumer disputes regarding furnished information; and (iii) not establishing and implementing “reasonable written policies and procedures regarding the accuracy and integrity of the information relating to [customers] that it furnishes to a consumer reporting agency.” Specifically, the CFPB alleges that, since 2010, the auto dealer did not review or update its written furnishing policies, despite knowing that conversion to its third-party servicing platform had led to widespread inaccuracies in furnished information. Also, the consent order alleges that the auto dealer received more than 22,000 credit disputes per year, including disputes regarding the timing of repossessions and dates of first delinquency for charged-off accounts, but nevertheless furnished inaccurate information. Read more…
On October 28, the CFPB released the fifth edition of its Supervisory Highlights report. The report highlighted the CFPB’s recent supervisory findings of regulatory violations and UDAAP violations relating to consumer reporting, debt collection, deposits, mortgage servicing and student loan servicing. The report also provided updated supervisory guidance regarding HMDA reporting relating to HMDA data resubmission standards. With respect to consumer reporting, the report identified a variety of violations of FCRA Section 611 regarding dispute resolution. The report noted findings of several FDCPA and UDAAP violations in connection with debt collection, including: (i) unlawful imposition of convenience fees; (ii) false threats of litigation; (iii) improper disclosures to third parties; and (iv) unfair practices with respect to debt sales. For deposits, the report identified several Regulation E violations found, including: (i) error resolution violations; (ii) liability for unauthorized transfers; and (iii) notice deficiencies. The report outlines four main compliance issues identified in the mortgage servicing industry: (i) new mortgage servicing rules regarding oversight of service providers; (ii) delays in finalizing permanent loan modifications; (iii) misleading borrowers about the status of permanent loan modifications; and (iv) inaccurate communications regarding short sales. Finally, the report outlines six practices at student loan servicers that could constitute UDAAP violations: (i) allocating the payments borrowers make to each loan, which results in minimum late fees on all loans and inevitable delinquent statuses; (ii) inflating the minimum payment due on periodic and online account statements; (iii) charging late fees when payments were received during the grace period; (iv) failing to give borrowers accurate information needed to deduct loan interest payments on tax filings; (v) providing false information regarding the “dischargeable” status of a loan in bankruptcy; and (vi) making debt collection calls to borrowers outside appropriate hours.
On October 2, the Eleventh Circuit affirmed a district court’s decision refusing to compel arbitration sought by a servicer in a dispute with a borrower over the terms of a loan agreement. Inetianbor v. Cashcall, Inc. No. 13-13822 (11th Cir. 2014). In Inetianbor, the plaintiff and the servicer had a dispute as to whether the borrower had satisfied his obligations under the terms of the loan agreement. When the borrower refused to pay amounts the servicer believed it was due, the servicer reported the purported default to the various credit agencies. The borrower sued the servicer who subsequently moved to compel arbitration under the terms of the loan agreement. The loan agreement’s forum selection clause required any dispute be resolved in arbitration by the Cheyenne River Sioux Tribal Nation (the “Tribe”). The Tribe, however, declined to arbitrate the dispute. The district court allowed the suit to proceed in federal court on the grounds that the arbitral forum was not available to hear the dispute. On appeal, the Eleventh Circuit affirmed the district court’s refusal to compel arbitration. The Eleventh Circuit held that the forum selection clause was integral to the loan’s arbitration provision. Because the arbitral forum was unavailable to hear the dispute, arbitration was not an option under the terms of the agreement and the district court was correct in refusing to compel arbitration.
On August 20, the CFPB announced a consent order with a Texas-based auto finance company to address alleged deficiencies in the finance company’s credit reporting practices. The company offers both direct and indirect financing of consumer auto purchases, and, according to the CFPB, specializes in lending to consumers with impaired credit profiles. In general, the CFPB took issue with the finance company’s alleged failure to implement policies and procedures regarding the accuracy and integrity of information furnished to consumer credit reporting agencies (CRAs) and alleged deceptive acts in the finance company’s representations regarding the accuracy of furnished information.
The CFPB’s action specifically alleged that the finance company violated the Fair Credit Reporting Act (FCRA) by providing inaccurate information to credit reporting agencies regarding how its borrowers were performing on their accounts, including by: (i) reporting inaccurate information about how much consumers were paying toward their debts; (ii) reporting inaccurate “dates of first delinquency,” which is the date on which a consumer first became late in paying back the loan; (iii) substantially inflating the number of delinquencies for some borrowers when it reported borrowers’ last 24 months of consecutive payment activity; (iv) informing CRAs that some of its borrowers had their vehicles repossessed, when in fact those individuals had voluntarily surrendered their vehicles back to the lienholder. The CFPB claims this activity took place over a three-year period, even after the company was made aware of the issue. The CFPB believes the company furnished incorrect information to the CRAs on as many as 118,855 accounts.
The consent order requires the company to pay a $2.75 million penalty to the CFPB. In addition, the finance company must: (i) review all previously reported accounts for inaccuracies and correct those accounts or delete the tradeline; (ii) arrange for consumers to obtain a free credit report; and (iii) inform all affected consumers of the inaccuracies, their right to a free consumer report, and how consumers may dispute inaccuracies. The order also directs the company to sufficiently provide the staffing, facilities, systems, and information necessary to timely and completely respond to consumer disputes in compliance with the FCRA.
Bankruptcy Court Refuses To Dismiss Class Suit Claiming Bank’s Credit Reporting Practices Violated Bankruptcy Code
On July 22, the U.S. Bankruptcy Court for the Southern District of New York rejected a bank’s motion to dismiss a putative class action adversary proceeding alleging that certain of the bank’s credit reporting practices violated U.S. bankruptcy law. In re Haynes, No. 11-23212, 2014 WL 3608891 (S.D.N.Y. Jul. 22, 2014). The named plaintiff-debtor alleged that the bank charged off and sold his debt, which was subsequently discharged in bankruptcy, but failed to correct his credit report that listed the debt, post-discharge, as being only “charged off,” rather than being “discharged in bankruptcy.” The bank moved to dismiss for failure to state a claim, arguing that because it sold the debt pre-bankruptcy, it did not have an obligation under the FCRA or Sections 727 and 524(a) of the Bankruptcy Code to correct the debtor’s credit report. The court denied the bank’s motion on the grounds that (i) the bank continues to have an economic interest in the debt—notwithstanding its sale—because the bank continues to receive a percentage payment of the proceeds of each debt repaid to it and forwarded to the debt’s purchaser; and (ii) by failing to correct the credit reports, the bank is enhancing its purchasers’ ability to collect on the debt.
On May 22, the Federal Reserve Board repealed its Regulation DD, which implements TISA, and Regulation P, which implements Section 504 of the GLBA because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued rules implementing them. The Board also finalized amendments to the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of FCRA. Generally, the Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The revision excludes from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The repeals and Red Flags rule amendments take effect June 30, 2014.
On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone. Read more…
Federal Reserve Board Proposes To Repeal Duplicative Regulations Amend Identity Theft Red Flags Rule
On February 12, the Federal Reserve Board proposed to repeal its Regulation DD, which implements the TISA, and Regulation P, which implements Section 504 of the GLBA because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued interim final rules implementing them. The Board also proposed to amend the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of the FCRA. Generally, the Indemnity Theft Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The proposed revision will exclude from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The Board will accept comments on the proposal for 60 days from publication in the Federal Register.
On February 4, the U.S. Court of Appeals for the Ninth Circuit held that a plaintiff’s claim against a data broker alleged to have published inaccurate information about him has standing by virtue of the alleged violation of his statutory rights and need not demonstrate injury. Robins v. Spokeo, Inc., No. 11-56843, 2014 WL 407366, (9th Cir. Feb. 4, 2014). The district court held that the plaintiff failed to allege an injury in fact because his claims that the inaccurate information harmed, among other things, his ability to obtain employment did not sufficiently allege any actual or imminent harm. Applying its own precedent established in a long-running RESPA case that the U.S. Supreme Court declined to review in 2012, the court held that the violation of a statutory right usually is a sufficient injury to confer standing and that statutory causes of action do not require a showing of actual harm. The court determined that violations of statutory rights created by FCRA are concrete injuries that Congress can elevate to the status of legally cognizable injuries and are therefore sufficient to satisfy Article III’s injury-in-fact requirement. Further, the plaintiff adequately pled causation and redressability because (i) an alleged violation of a statutory provision caused the violation of a right created by that provision; and (ii) FCRA provides for monetary damages to redress the violation. The court reversed the trial court and remanded.
On November 22, the CFPB released findings of a study the Bureau conducted on the impact of certain deposit regulations on the day-to-day operations of banking institutions, focusing on compliance costs related to checking accounts, traditional savings accounts, debit cards, and overdraft programs. The study collected information from seven banks about activities related to compliance with regulations implementing the Truth in Savings Act, the Electronic Fund Transfer Act, the financial privacy requirements of the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act (Regulations DD, E, P, and V, respectively), as well as FCRA’s adverse action requirements, which are not implemented by regulation. According to the Bureau, compliance costs were concentrated in the Operations, Information Technology, Human Resources, Compliance, and Retail functions, and banks incurred the most substantial costs complying with rules related to authorization rights, error resolution requirements, disclosure mandates, and advertising standards.
The report identifies the compliance-related activities that entailed the highest costs across business functions and suggests that “authorization rights” (i.e., opt-ins and opt-outs) and error-resolution requirements are the most costly to administer. The report also discusses the potential for the study—which the Bureau characterizes as representing “some of the most rigorous information currently available” on compliance costs—to advance research on the cost of compliance, influence the ultimate understanding of regulatory impacts on consumers and markets, and inform the CFPB’s ongoing efforts to avoid unnecessary compliance costs. The Bureau states that estimating the operational effects of consumer financial services regulation alone has “limited value to policymaking” and is mainly helpful in determining the impact of a specific regulation on product pricing and availability or market structure and competition. The Bureau concluded that research on the effects of regulations will remain an ongoing priority, but it will nevertheless continue to address problems observed in the marketplace — “mindful that, whatever the costs of regulation, the costs of not regulating adequately can be even larger.”
The full report, Understanding the Effects of Certain Deposit Regulations on Financial Institutions’ Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions, is available here.
On October 4, the CFPB and the FTC filed an amicus brief in a Fair Credit Reporting Act (FCRA) case pending in the Ninth Circuit. The brief argues that the seven-year period during which a criminal arrest can be reported starts on the date of the arrest and, contrary to the district court’s decision, is not extended by a subsequent dismissal of the charges. The brief notes that FCRA previously provided that the seven-year reporting period ran “from the date of disposition [i.e., dismissal], release, or parole,” but that Congress repealed that specific provision in 1998, replacing it with the general FCRA rule that the reporting period begins when the adverse event occurs. The brief notes that Congress prescribed a different rule from some categories of information—for example, the seven-year period for reporting that a delinquent account was placed with a collection agency begins 180 days after the commencement of the delinquency that immediately preceded the collection activity.
The brief relies heavily on the FTC’s summary of staff interpretations that it issued as part of its staff report, 40 Years of Experience with the Fair Credit Reporting Act (2011), just before the Dodd-Frank Act transferred primary enforcement authority for FCRA from the FTC and gave the CFPB general rulemaking powers under FCRA. The FTC and CFPB argue that the district court erroneously relied on the FTC’s 1990 Commentary on FCRA, which did not reflect the 1998 amendments. The extensive reliance on the 40 Years Report in the brief is significant because it reflects an endorsement of the authoritativeness of that report by the CFPB, at least as to the particular issue raised in this case.
On September 30, California enacted AB 1220, which extends protections under the state’s consumer reporting law. Under the federal Fair Credit Reporting Act, a consumer reporting agency may not prohibit a user of a consumer credit report furnished by the agency from providing a copy of the report to a consumer, upon the consumer’s request, if the user has taken adverse action against the consumer based upon the report. AB 1220 adopts the same prohibition, and also makes it unlawful for a consumer reporting agency to dissuade, or attempt to dissuade a user from providing the report. Further, the bill allows state and local law enforcement authorities to bring a civil action for a civil penalty up to $5,000 against a violating consumer reporting agency.
On September 4, the CFPB issued Bulletin 2013-09, which addresses a furnisher’s obligations in connection with a dispute forwarded to it by a consumer reporting agency (CRA). The Fair Credit Reporting Act (FCRA) generally requires a CRA to notify and provide information to a furnisher when a consumer disputes information provided by the furnisher to the CRA. In turn, the furnisher must conduct an investigation, review all relevant information, and respond appropriately. The CFPB’s guidance provides that compliance with the FCRA requires the furnisher to: (i) maintain a system reasonably capable of receiving from CRAs information regarding disputes, including supporting documentation; (ii) conduct an investigation of the disputed information, including information forwarded by the CRA and the furnisher’s own information with respect to the dispute; (iii) report the results of the investigation to the CRA that sent the dispute; (iv) provide corrected information to every nationwide CRA that received the information if the information is inaccurate or incomplete; and (v) modify or delete the disputed information, or permanently block the reporting of the information if the information is incomplete or inaccurate, or cannot be verified. Furnishers should consider whether these processes need to be integrated into their Compliance Management Systems.