Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 25, the House passed H.R. 435, the “The Credit Access and Inclusion Act of 2017.” The bill would amend the Fair Credit Reporting Act to include a section allowing a person or the Department of Housing and Urban Development to furnish information to credit reporting agencies relating to the payment performance of a residential lease agreement, contract for a utility, or contract for a telecommunications service. The bill does not allow an energy utility to furnish information related to the usage of utility services or information related to an outstanding consumer balance if the consumer has entered into a payment plan and is meeting the obligations of the payment plan. Civil liability for violations of the Consumer Credit Protection Act do not apply to violations of the bill.
On June 8, the Illinois governor approved HB 4095, which amends the Consumer Fraud and Deceptive Business Practices Act to prohibit consumer reporting agencies (CRAs) from charging consumers a fee for placing, removing, or temporarily lifting a security freeze. The act takes effect immediately. The Act also permits a consumer to request a security freeze by phone or electronic means, in addition to a request in writing.
This followed a similar action by the Connecticut governor, who on June 4 signed SB 472 to prohibit CRAs from charging a fee to consumers to place, remove, or temporarily lift a security freeze on a consumer's account. The legislation also, among other things, (i) prohibits CRAs from—as a condition of placing the freeze—requiring that consumers agree to limit their claims against the agency; (ii) increases the length of time that identity theft prevention and mitigation services must be provided to a consumer after a security breach from 12 to 24 months; and (iii) provides that the banking commissioner will adopt regulations that require CRAs to provide it with “dedicated points of contact” to allow the Department of Banking to assist consumers when a data breach occurs. The act takes effect October 1.
On June 6, the Hawaii governor signed HB 2342 to enhance protection of consumer information by expanding the methods consumers may use to request security freezes, and by prohibiting credit reporting agencies (CRAs) from charging consumers a fee to place, remove, or temporarily lift a security freeze on a consumer's credit report or records. Among other things, the act now permits a consumer or a “protected consumer’s representative” to request a security freeze via first-class mail, a telephone call, or through a CRA’s designated secure website, and also preserves the CRA’s ability to lift a security freeze when the freeze was executed due to material misrepresentation by the consumer. When lifting a security freeze, CRAs are required to send written confirmation to the affected consumer within five business days. The act takes effect July 1.
On May 29, the U.S. Court of Appeals for the 9th Circuit affirmed summary judgment for a national credit reporting agency, holding that the company did not violate the Fair Credit Reporting Act (FCRA) in its reporting of short sales executed by the plaintiffs. The decision results from a proposed class action suit alleging that the credit reporting agency violated the FCRA by reporting short sales executed between 2010 and 2011 with code numbers that misreported the data as foreclosures. In September 2016, the lower court found that the credit reporting agency provided creditors with clear instructions on how to interpret the code system and Fannie Mae’s Desktop Underwriter program misinterpreted the “settled” code number “9” as a foreclosure, which was not the credit reporting agency’s fault. In affirming the lower court’s decision, the 9th Circuit held that the credit reporting agency “clearly and accurately disclosed to [consumers] all information that [the company] recorded and retained that might be reflected in a consumer report.” Additionally, the panel noted that the credit reporting agency was not required to report that Fannie Mae mishandled the code data when it became aware of it.
On May 19, the Minnesota governor signed HF1243, which, effective immediately, prohibits credit reporting agencies for charging a fee for the placement, removal, or temporary lift of a security freeze. The law previously allowed for a fee of $5.00. Additionally, effective January 1, 2019, the law authorizes the placement of a security freeze for a protected person – defined by the law as an individual under the age of 16 – if a consumer reporting agency receives a request by the protected person’s representative and certain authentication standards are met. The law also outlines the requirements for removing a security freeze for a protected person.
On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.
On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.
On May 8, Maryland governor Larry Hogan signed HB848, which expands Maryland’s authority over Credit Reporting Agencies (CRAs) by requiring CRAs to develop a secure system to process electronic requests for placing, lifting, or removing a security freeze. Additionally, the law expands the definition of “protected consumer” for purposes of free security freezes to include persons age 85 or older, certain members of the military, and incarcerated individuals. The law also (i) codifies an existing requirement that CRAs register with the Office of the Commissioner of Financial Regulation (OCFR); (ii) allows the OCFR to investigate written consumer complaints against CRAs; and (iii) increases the maximum civil monetary penalty to $1,000 for the first violation and $2,500 for each subsequent violation. The law is effective October 1.
On May 2, the U.S. Court of Appeals for the 7th Circuit affirmed four district court decisions granting summary judgment in favor of consumers who alleged a debt collector violated the Fair Debt Collection Practices Act (FDCPA) by communicating debts to credit reporting agencies without indicating the debts were disputed. According to the opinion, the debt collector sent the four consumers a debt validation notice regarding an alleged credit card debt. More than 30 days later, a local legal aid organization sent the debt collector’s general counsel a notice of representation for each of the four consumers, noting, “the amount reported is not accurate.” After the attorney letters were sent, the debt collector reported the debts to the credit reporting agencies. The consumers each filed a separate action in district court alleging a violation of the FDCPA, and each district court granted the consumer summary judgment, finding the debt collector did not handle the letters properly. In the consolidated appeal, the 7th Circuit agreed with the district courts, holding that the actions of the debt collector were “a clear violation of the statute” as each attorney letter stated the amount was inaccurate and the debt collector still reported the debts without noting they were disputed. While the panel noted that there is no clear definition of “dispute” under the FDCPA, the court concluded, “there is simply no other way to interpret [the] language” of the attorney letter, rejecting the debt collector’s “bona fide error defense.”
On April 30, three Democratic Senate Banking Committee members released a report addressing publicly available complaints the CFPB received regarding the 2017 data breach announcement by a national credit reporting agency. In a letter to the CFPB, which accompanied the release of the report, the Senators encouraged the Bureau to “hold [the credit reporting agency] accountable and act quickly and decisively to protection the millions of consumers harmed by the breach.” Additionally, the Senators make a plea for the CFPB to continue to keep consumer complaints public, citing to recent remarks by Mulvaney that the database would soon be removed from public view. According to the report, within six months of the data breach announcement—which reportedly affected 143 million American consumers—the CFPB received over 20,000 complaints against the company. Of the 20,000 complaints, the issues consumers mentioned include (i) “improper use of a credit report after the breach”; (ii) “incorrect information on credit report”; (iii) “[Company]’s inadequate assistance in resolving problems after the breach”; and (iv) “[Company]’s credit monitoring services, fraud alerts, security freezes, and other identity theft protection products.” The report also cites to specific narratives from consumer complaints that were available through the CFPB’s consumer complaint database.
District court grants partial summary judgment, rules bank did not violate federal and state fair credit reporting laws
On April 25, the U.S. District Court for the Northern District of California granted a bank’s partial motion for summary judgment, holding that a Fair Credit Reporting Act (FCRA) disclosure and authorization form (disclosure form) completed by the plaintiff as part of the bank’s background check hiring process did not violate federal and state fair credit reporting laws. The plaintiff—who brought the proposed class action suit following the bank’s decision not to hire plaintiff following an offer of employment that was contingent upon a satisfactory background check—asserted claims under the FCRA, the California Investigative Consumer Reporting Agencies Act (ICRA), and the California Consumer Credit Reporting Agencies Act (CCRA), including that (i) the disclosure form was not a standalone document; (ii) the disclosure did not accurately identify the investigative consumer reporting agency; and (iii) the bank failed to comply with CCRA disclosure requirements.
Addressing whether the disclosure form, which “appeared as a separate and distinct web page separated from the rest of the documents,” violated the FCRA, the court ruled that because it “was a stand-alone document that contained no extraneous information or liability waiver” it was in compliance. The court also determined that the bank did not violate the ICRA because it was only required to disclose the agency it engaged to provide an investigative consumer report, not the various sources the agency itself may have used when conducting its investigation. Finally, the court ruled that the plaintiff’s argument that the disclosure form failed to comply with the CCRA lacked merit because—although the bank could not apply an exemption under state law to the section allegedly violated—the bank’s disclosure form complied with the CCRA’s disclosure requirements, and furthermore, the bank was not required to disclose the reasons for requesting the report nor the “various repositories” of information the disclosed source used when compiling the report.
On April 2, a state court judge denied a credit reporting agency’s motion to dismiss claims for violations of state data security regulations. The court stated that while the “mere existence of data breach” does not translate into violations of the state data security regulations, the Massachusetts Attorney General plausibly suggests that the company violated such regulations by knowing of certain vulnerabilities and failing to properly address them. As previously covered by InfoBytes, Massachusetts was the first state to file an action against the credit reporting agency after its September 2017 announcement of a data breach which affected over 143 million consumers.