Fair Credit Reporting Act (FCRA)

A California jury in federal court ruled on Tuesday, June 20, that TransUnion violated the Fair Credit Reporting Act (FCRA) by erroneously linking certain consumers with similarly named terrorists and criminals in the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC’s) database.  The jury awarded statutory and punitive damages in excess of $60 million, which could set a record for the largest FCRA verdict to date.

Initially filed in 2012, plaintiffs alleged that TransUnion willfully violated FCRA by failing to maintain reasonable procedures to assure maximum possible accuracy of the consumer reports it sold, and by failing to provide required disclosures to consumers.  TransUnion offers an add-on service to its standard consumer reports whereby it would check consumers against OFAC’s “Specially Designated Nationals and Blocked Persons List” (SDN), which lists terrorists, drug traffickers, and other criminals.  Companies that do business with individuals on the SDN face strict liability penalties approaching $290,000 per transaction, so companies have a strong incentive to cross-reference the SDN before undertaking certain transactions – depending on the type of transaction and other factors.

The case arose out of so-called “false positives,” whereby TransUnion would find and report a potential match to the SDN but that match would subsequently be found to be erroneous.  For example, lead plaintiff Sergio L. Ramirez was prevented from buying a car in 2011 because TransUnion told lenders that he potentially matched two individuals on the OFAC list.  Ramirez and other class members alleged that TransUnion failed to take reasonable steps, such as also cross-referencing date of birth or other information available on the SDN, before reporting the match on the consumer report.  TransUnion countered that it did all that was feasible for the time period in question to achieve maximum accuracy, as required by FCRA, while still helping its clients comply with OFAC regulations and avoid criminal penalties.

The case provides an interesting example of the competing legal obligations that a company can face under different statutes, and of the need to stay abreast of constantly evolving technology that informs the relevant legal standard.  Determining how to screen potential customers for OFAC compliance and use consumer reports consistent with FCRA depends on a number of factors, including the technology available at the time and the type and scope of transaction at issue.

Kelley Drye’s Export Controls and Sanctions Compliance Group regularly assists clients with obligations in connection with OFAC screening, and Kelley Drye’s Consumer Financial Protection Regulation regularly advises clients on FCRA compliance.    


On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny.  Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT) who sat in for Ranking Member Bill Nelson (D-FL), who was not in attendance.  Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day.  Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Shatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).

The CommSenate Committeeissioners’ opening statements focused on key issues related to the agency’s mandate including enforcement, policy development, business education, and competition promotion.  But for members and Commissioners alike, privacy and data security were the clear headline issues of the day.  A variety of related topics were also raised, including protecting children online, the Internet of Things (IOT), tourism, credit reports, telecommunications, and deceptive claims.  A brief summary of these issues follows.  Continue Reading Senate Commerce Committee Members Air Laundry List of Pressing Issues Including Privacy, Data Security, and FTC Enforcement

While the sudden death of Supreme Court Justice Antonin Scalia creates an immediate vacancy on the bench, it also likely leaves the high court’s docket in limbo on a number of key consumer class actions awaiting the Court’s decision.

Many predict that President Obama will not be able to replace Scalia before the 2016 Presidential election, meaning that the seat may be vacant for the remainder of the term.  Democrats have been urging the President to immediately nominate a successor, with Republicans imploring the President to give that right to the next Commander-in-Chief.  Senate Majority Leader Mitch McConnell has stated that the Senate should not confirm a replacement until after the 2016 election.

Until a successor is confirmed, it means that the Supreme Court will be comprised of four reliable liberals, three reliable conservatives, and one Justice Kennedy, who typically leans to the right but has often acted as the Court’s swing vote.  With only eight justices, it is likely that we will see a number of important cases end in a 4-to-4 split this year, including several key cases relating to consumer class actions.  In the case of a tie, the appeals court decision will be upheld, no precedent will be set, and the Supreme Court traditionally will not issue an opinion.

Here’s a brief rundown of how Scalia’s passing may affect three key consumer class actions in front of the Court this term.

Case: Spokeo Inc. v Robins (Docket No. 13-1339)
Issue: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, but alleges a private right of action based on a bare violation of a federal statute.
Outcome in a split:  Plaintiff’s win – would make a bare violation of a federal statute sufficient to confer Article III standing, thereby making it easier for plaintiffs to move forward in litigating cases alleging statutory violations. Continue Reading Scalia’s Death Leaves High Court in Limbo on Three Key Consumer Class Actions

The CFPB recently initiated an enforcement action against General Information Services (GIS) and its affiliate, e-Background-checks.com, Inc. (BGC) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to implement required safeguards while providing background screening reports to employers about job applicants. The CFPB found that certain background screening reports provided by GIS and BGC contained inaccurate information and that the entities failed to adequately protect against those inaccuracies as required under FCRA.

The CFPB made three primary allegations:

  • Failure to employ reasonable procedures to assure maximum possible accuracy. The CFPB alleged that GIS and BGC failed to follow reasonable procedures to assure maximum accuracy, including by failing to have written procedures for researching public records information for consumers with common names or who use nicknames, allowing employees to exercise discretion in determining whether a record matched the consumer in question, and failing to use consumer dispute data to identify the root causes of accuracy errors.
  • Failure to meet the requirements of section 1681k of FCRA. The CFPB alleged that GIS and BGC failed to comply with FCRA section 1681k, which requires furnishers of consumer reports for employment purposes to either: (1) notify the consumer at the time the information is reported, or (2) maintain “strict procedures” designed to ensure that the information is complete and up to date. The CFPB alleged that the procedures employed by respondents did not even meet the “reasonable” standard under section 1681e(b), much less the “strict” standard required for providers of consumer reports for employment purposes.
  • Failure to exclude non-reportable information from background checks. The CFPB additionally alleged that respondents failed to take sufficient steps to exclude certain dated information that cannot be included in consumer reports under FCRA. Specifically, GIS and BGC allegedly failed to ensure that civil suits and judgments and records older than seven years were excluded from reports, thus illegally including such information in the consumer reports. The order requires the companies to pay $10.5 million in redress to affected consumers and a $2.5 million civil monetary penalty. Respondents are also required to implement a comprehensive audit program, revise their compliance procedures, and retain an independent consultant to review and assess the companies’ policies and procedures for ensuring compliance with FCRA.

The order requires the companies to pay $10.5 million in redress to affected consumers and a $2.5 million civil monetary penalty. Respondents are also required to implement a comprehensive audit program, revise their compliance procedures, and retain an independent consultant to review and assess the companies’ policies and procedures for ensuring compliance with FCRA.

The FTC announced today that Certegy Check Services, Inc. will pay $3.5 million to settle allegations that Certegy violated the Fair Credit Reporting Act (FCRA) by failing to follow proper dispute procedures and failing to use reasonable procedures to maximize the accuracy of consumer report information. Certegy is one of the nation’s largest check authorization service companies, and must comply with FCRA as a consumer reporting agency.

In the complaint, the FTC charged Certegy with failing to comply with FCRA section 611 by “attempt[ing] to shift the burden of conducting a reinvestigation to consumers rather than fulfilling its legal obligation to reinvestigate disputed information.” Additionally, the FTC alleged a violation of FCRA section 612(a)(2), which requires consumer reporting agencies to provide consumers with free annual file disclosures within 15 days of a request, and a violation of FCRA’s obligation to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of consumer report information.

In addition to the $3.5 million penalty, the settlement also provides for broad injunctive relief that requires Certegy to undertake additional steps above and beyond FCRA requirements to ensure the accuracy of consumer reports.

Today the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and Department of Justice (“DOJ”) filed a brief supporting the constitutionality of the Fair Credit Reporting Act (“FCRA”).  FCRA limits the use of credit report information, protecting the privacy of the information, and establishes procedures for correcting mistakes in credit reports.  The brief addresses a provision of FCRA (§ 1681c) that bars a credit reporting agency (“CRA”) from disclosing individuals’ arrest records or other adverse information that is more than seven years old.

The government filed the brief in King v. General Information Services, Inc., which is pending in the Eastern District of Pennsylvania District Court.  The defendant argues that the FCRA provision is an unconstitutional restriction of free speech.  Contrary to that position, the government argues that the provision satisfies the applicable Central Hudson test for restrictions on commercial speech and should not be invalidated, despite the U.S. Supreme Court’s recent ruling in Sorrell v. IMS Health Inc.  The brief concludes, “The law directly advances the government’s substantial interest in protecting individuals’ privacy and is no more extensive than necessary to protect that interest while also accommodating businesses’ competing interest in obtaining complete information about people to whom they are considering offering a loan, an insurance policy, or a job.”

The brief demonstrates the cooperation expected between the FTC and CFPB as they jointly enforce FCRA.  In July 2011, the FTC issued “40 Years of Experience with the Fair Credit Reporting Act,” a staff report “to share [the FTC’s] extensive experience with the CFPB and the public through a summary of its key interpretations and guidance” developed through its 40 years of enforcing FCRA.  Companies subject to FCRA should continue to watch for coordination between the agencies as the enforcement roles evolve.

Earlier this week, the Federal Trade Commission (“FTC”) and the Federal Reserve Board issued proposed amendments to the Risk-Based Pricing Rule (“Rule”) that would require creditors to disclose credit score information when a credit score is used to set or adjust credit terms. The proposed changes would implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act and become effective July 21, 2011.

The Rule, promulgated under the Fair Credit Reporting Act, currently requires creditors to send a risk-based pricing notice if, based on the consumer’s credit report, the creditor provides materially less favorable credit terms than the most favorable terms it provides to a substantial portion of other consumers. A recipient of the notice can obtain a free credit report to check its accuracy.

The proposed amendments would require credit score disclosure if a credit score is used to make the determination, add content to the notices, and provide new model notices. There will be a 60-day comment period once the proposal is published in the Federal register.

FTC Commissioner Julie Brill spoke about the new Consumer Financial Protection Bureau (“CFPB”) during a keynote address she delivered at the International Association of Privacy Professionals Second Annual Conference on December 7th. While describing how Congress enacted the Fair Credit Reporting Act (“FCRA”) to protect consumers’ personal information, Brill stated that the FTC and CFPB “need to make sure our current rules continue, in this technologically advanced age, to protect consumers’ rights under the FCRA.” Given that the FTC already has several staff members involved in setting up the CFPB, it is no surprise that the FTC plans to work in tandem with the CFPB to enforce existing consumer protection laws and to understand new uses of data in connection with such efforts.

During the address, Brill also outlined the major components of the FTC’s preliminary staff report on privacy, "Protecting Consumer Privacy in an Era of Rapid Change” which includes a proposal for a Do Not Track mechanism that would permit consumers to control their tracking preferences at every website they visit. For a more detailed discussion of the FTC’s Report, including the concepts behind Do Not Track, please click here to read the Kelley Drye client advisory.

In Andrews v. Equifax Information Services LLC, No.: C-08-0817, 2010 U.S. Dist. Lexis 38020 (W.D. Wash. Mar. 30, 2010), plaintiff filed suit against Equifax after it allegedly “mixed up” her information with that of another individual of the same name and disseminated that information to third parties. Plaintiff alleges that this “mix up” was caused by Equifax’s failure to follow reasonable procedures to ensure maximum possible accuracy of the information it reported as well as its failure to re-investigate her disputes, both of which are required by FCRA.

FCRA requires claims to be brought within two years after the plaintiff discovers the violation or within five years after the date the violation occurs. Invoking the former provision, Equifax argued that it was entitled to dismissal because the plaintiff had discovered the alleged violations more than two-years before she filed suit in May 2008. Equifax cited record evidence that plaintiff had called in 2004 and 2005 to dispute information in her credit file that she believed was inaccurate. Equifax contended further that it sent plaintiff the results of its investigation into her disputes on three occasions, the last of which was in late November 2005. According to Equifax, because these results contained the inaccurate information forming the basis of her FCRA allegations, plaintiff had discovered the violation more than two years before filing suit.

The Western District of Washington denied the motion, rejecting the argument that plaintiff’s knowledge of inaccurate information in her credit report put her on notice of Equifax’s alleged FCRA violation. “FCRA is not a strict liability statute,” said the court. Indeed, a credit reporting agency can escape liability under FCRA for an inaccurate credit report as long as it shows it followed reasonable procedures in generating it. Therefore, inaccurate information in a credit report, standing alone, cannot violate FCRA. According to the court, to obtain dismissal, Equifax had to show something more. Specifically, it had to produce sufficient evidence tying the investigation reports it provided to the plaintiff with plaintiff’s discovery of the precise violations alleged in the lawsuit. This, according to the court, it failed to do.

Continue Reading FCRA Claims Against Major Credit Reporting Agency Survive Statute of Limitations Challenge

Businesses have until July 1, 2010 to comply with the new rules and guidelines under the Fair and Accurate Credit Transactions Act (“FACTA”), which amended the Fair Credit Reporting Act (“FCRA”), adopted by the Federal Trade Commission nearly a year ago relating to information provided to credit reporting agencies. Many know FACTA as the statute that allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies (Equifax, Experian, and TransUnion), or the Act that contains provisions to help reduce identity theft. These new guidelines are designed to increase the accuracy and integrity of the information that furnishers provide to credit reporting agencies. The rules, in turn, require furnishers to establish reasonable written policies and procedures that implement the guidelines. The policies and procedures that furnishers are required to establish will vary depending on the “nature, size, complexity, and scope of each furnisher’s activities.” 16 C.F.R. § 660.3(a).

The rules also provide consumers an additional avenue to challenge the accuracy of information used to generate their credit rating. Historically, consumers were encouraged to deal with the credit reporting agency about the accuracy of such information. Under the new FACTA rules, furnishers are now required, in most cases, to investigate disputes that are submitted directly to them by consumers regarding the accuracy of information that furnishers provided to a credit reporting agency.

Click here to review the final inter-agency rules and guidelines.