On November 1, the FTC announced a proposed rule, which would implement the Economic Growth, Regulatory Relief, and Consumer Protection Act requirement for nationwide consumer reporting agencies (CRAs) to provide free electronic credit monitoring services for active duty servicemembers. The proposal defines the term “electronic credit monitoring service” as a service through which the CRAs provide, at a minimum, electronic notification of material additions or modifications to a consumer’s file and requires CRAs to notify servicemembers within 24 hours of any material change. The proposal notes that CRAs may require that servicemembers provide contact information, proof of identity, and proof of active duty status in order to use the free service and outlines how a servicemember may prove active duty status, such as with a copy of active duty orders. Additionally, the proposal prohibits CRAs from requiring servicemembers to purchase a product in order to obtain the free service or requiring the servicemember to agree to terms and conditions. Comments will be due 60 days after publication in the Federal Register.
On September 19, the California governor signed AB 1859, which requires a credit reporting agency “that owns, licenses, or maintains personal information about a California resident” or a third party that maintains such personal information on behalf of a credit reporting agency to implement available software updates to address security vulnerabilities. Specifically, a credit reporting agency, or applicable third party that knows, or reasonably should know, that a system maintaining personal information is subject to a security vulnerability must, within three days, begin testing for implementation of an available software update, and complete the update no later than 90 days after becoming aware of the vulnerability. The law requires the credit reporting agency to employ “reasonable compensating controls” to reduce the risk of breach until the software update is complete. Additionally, whether or not a software update is available, the law requires the credit reporting agency to keep with industry best practices, including by (i) identifying, prioritizing, and addressing the highest risk security vulnerabilities most quickly; (ii) testing and evaluating compensating controls and how they affect security vulnerabilities; and (iii) requiring, by contract, that third parties implement and maintain appropriate security measures for personal information. The legislation is expected to take effect January 1, 2019.
On September 21, the FTC announced the nationwide availability of free security freezes and one-year fraud alerts, which were authorized under the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA). Specifically, Section 301 of EGRRCPA prohibits a national credit reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also allows parents to obtain a free credit freeze for any of their children who are under 16, and guardians, conservators, and those with a valid power of attorney can obtain a free freeze for the person for whom they have legal authority to act. Additionally, Section 301 extends the duration of the free fraud alert from 90 days to one year. Consumers are required to contact all three nationwide credit reporting agencies to place the security freeze, but are required to contact only one of the three for the fraud alert, as each bureau is obligated to notify the others of a fraud alert.
On September 19, the CFPB released a new Data Point report from the Office of Research titled “The Geography of Credit Invisibility,” which examines geographic patterns in the prevalence of “credit invisible” consumers, a term for those who do not have a credit record maintained by a national credit reporting agency, or who have a credit record deemed to contain too little or too old information to be treated as “scorable” by widely used credit scoring models. The report studies whether the geographic location of a consumer’s residence is correlated with the likelihood of remaining credit invisible and aims to “aid policymakers and advance the conversation around potential causes and solutions.” Among other things, the report found:
- credit invisibility may be higher for geographic tracts near universities due to their concentration of adults under 25 who may not have established a credit record yet;
- rural areas have the most credit invisibility per capita;
- consumers are less likely to use a credit card as an entry product to establishing a credit record in rural and low-to-moderate income areas;
- credit invisibility was more prevalent in areas with less internet access as many products are originated through online services; and
- there is little relationship between distance to the nearest bank branch and the occurrence of credit invisibility.
8th Circuit holds employee failed to plead injuries in FCRA suit against employer, law firm, and credit reporting agency
On September 6, the U.S. Court of Appeals for the 8th Circuit held that an employee lacked standing to bring claims under the Fair Credit Reporting Act (FCRA) because she failed to sufficiently plead she suffered injuries. An employee brought a lawsuit against her former employer, a law firm, and a credit reporting agency (defendants) alleging various violations of the FCRA after the employee’s credit report, which was obtained as part of the hiring process background check, was provided to the employee in response to her records request in a wrongful termination lawsuit she had filed. The district court dismissed the claims against the employer and the law firm and granted judgment on the pleadings for the credit reporting agency. Upon appeal, the 8th Circuit, citing the Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins (covered by a Buckley Sandler Special Alert), concluded the former employee lacked Article III standing to bring the claims. The court found that the former employee authorized her employer to obtain the credit report and failed to allege the report was used for unauthorized purposes; therefore, there was no intangible injury to her privacy. Additionally, the court determined that the injuries to her “reputational harm, compromised security, and lost time” were “‘naked assertion[s]’ of reputational harm, ‘devoid of further factual enhancement.’” As for claims against the law firm and credit reporting agency, the court found that the injury was too speculative as to the alleged failures to take reasonable measures to dispose of her information. Further, whether the credit reporting agency met all of its statutory obligations to ensure the report was for a permissible purpose was irrelevant, as she suffered no injury because she provided the employer with consent to obtain her credit report.
6th Circuit holds that failing to report a trial modification plan can constitute incomplete reporting under FCRA
On August 23, the U.S. Court of Appeals for the 6th Circuit held that a borrower met the requirements necessary for a Fair Credit Reporting Act (FCRA) claim to proceed when two mortgage servicers failed to report the existence of a trial modification plan when reporting the borrower was delinquent to reporting agencies. In 2014, a borrower brought an action against three credit reporting agencies and two mortgage servicers alleging, among other claims, violations of the FCRA due to payments being reported as past due while successfully making payments under a trial modification plan (also referred to as a Trial Period Plan, or “TPP”) and working towards a permanent modification. Regarding the FCRA claim, the 6th Circuit reversed the lower court’s decision granting the servicers’ motion for summary judgment, finding that the borrower met the statutory requirements for an FCRA claim because failing to report the existence of a TPP can constitute “incomplete reporting” in violation of the statute. The 6th Circuit rejected the servicers’ argument that the Home Affordable Modification Program guidelines “encouraged, but did not require” that they report a TPP. The court acknowledged this distinction but noted that “[r]eporting that [a borrower] was delinquent on his loan payments without reporting the TPP implies a much greater degree of financial irresponsibility than was present here.” The court remanded the case to the district court to determine whether the servicers conducted a reasonable investigation after the borrower disputed the reporting.
On August 22, the New York Department of Financial Services (NYDFS) announced an online registration form for credit reporting agencies (CRAs) to comply with the state’s final regulation that requires CRAs with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity regulation. (As previously covered by InfoBytes, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS.) Registration must be complete by September 15 of this year and by February 1 of each successive year for the calendar year thereafter. Under the new regulation, CRAs are also required to comply with New York’s cybersecurity requirements by November 1, which require, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Continuing InfoBytes coverage on NYDFS’ cybersecurity regulation available here.)
On June 27, the U.S. Court of Appeals for the 11th Circuit affirmed summary judgment for a mortgage servicer, concluding that reporting the consumer as delinquent to credit bureaus during a forbearance plan is neither inaccurate nor materially misleading under the Fair Credit Reporting Act (FCRA). According to the opinion, a borrower enrolled in a forbearance plan with her mortgage servicer, which allowed for a “monthly forbearance plan payment” of $25 while the remaining payment balance accrued and became due at the end of the plan. Before the borrower agreed to the plan, a representative for the servicer explained to the borrower that because she was not paying the actual contractual payment under the note, the monthly payments would still be considered late. The mortgage servicer reported the borrower past due for the duration of the plan, and the borrower subsequently filed suit alleging violations of the FCRA. In affirming the lower court’s decision, the appeals court found that while the borrower made timely payments under the forbearance plan, the payments were not the ones she was contractually bound to make under the mortgage note. Additionally, the appeals court found that the borrower did not establish that the forbearance plan legally modified the original note and, therefore, the information the servicer reported to the credit bureaus was not inaccurate and was also not materially misleading “particularly in light of [the servicer’s] additional affirmative statement that [the borrower] was paying under a partial payment agreement.”
On June 25, the New York governor announced the issuance by the New York Department of Financial Services (NYDFS) of a final regulation that requires consumer credit reporting agencies (CRAs) with significant operations in New York to register with NYDFS and to comply with New York’s cybersecurity standard. Specifically, the newly promulgated regulation, entitled “Registration Requirements & Prohibited Practices for Credit Reporting Agencies,” 23 NYCRR 201, requires CRAs that reported on 1,000 or more New York consumers in the preceding year to register annually with NYDFS, beginning on or before September 1, 2018 for 2017 reporting, and by February 1 for every year thereafter. Among other things, the regulation also (i) authorizes the NYDFS superintendent to refuse to renew a CRA’s registration for various reasons, including if the applicant or affiliate of the applicant fails to comply with the cybersecurity regulations; (ii) subjects the CRAs to examination by NYDFS at the superintendent’s discretion; and (iii) prohibits CRAs from engaging in any “unfair, deceptive, or predatory act or practice toward any consumer,” to the extent not preempted by federal law. Additionally, beginning on November 1, the regulation requires every CRA to comply with NYDFS’ cybersecurity regulation, which requires, among other things, that covered entities have a cybersecurity program designed to protect consumers’ data and controls and plans to help ensure the safety and soundness of New York’s financial services industry. (Recent InfoBytes coverage on NYDFS’ cybersecurity regulation available here and here.)
According to Governor Cuomo, the oversight of CRAs will help to ensure New York consumers’ information is less vulnerable to the threat of cyber-attacks, stating, “[a]s the federal government weakens consumer protections, New York is strengthening them with these new standards.”
On June 14, the governor of Rhode Island signed S2562, which prohibits consumer reporting agencies from charging a fee for security freeze services, including the placement, removal, or temporary lifting of a security freeze for a consumer. The law also prohibits the charging of a fee in connection with issuing or reissuing a personal identification number that is used by a consumer to authorize the use of his or her credit or to remove the freeze. Previously, Rhode Island allowed credit reporting agencies to charge a fee of up to $10 for security freeze services and $5 for reissuances of personal identification numbers, although customers were entitled to a free initial reissuance of their personal identification numbers. The law is effective September 1.
Similarly, on June 8, the governor of New Hampshire signed HB1700, which prohibits a consumer reporting agency from charging a fee to place, remove, or temporarily lift a security freeze. The law also prohibits a consumer reporting agency from charging a fee to issue or replace a consumer’s personal identification number used in connection with the security freeze. The law requires the consumer reporting agencies to place the freeze within three business days after receiving a consumer request if the consumer makes the request via mail, and within 24 hours after receiving a consumer request if made electronically or by telephone. The law is effective January 1, 2019.