Recent Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) activity reflects an increase in scrutiny of companies that supply or "furnish" information to consumer reporting agencies (CRAs) as required by the Fair Credit Reporting Act (FCRA). Data furnishers, including merchants, debt collectors, and lenders, can reduce supervision and enforcement risk by avoiding the common mistakes the FTC and CFPB have identified in their recent enforcement announcements.
Overview of Data Furnisher Obligations under the FCRA
The FCRA and its Furnisher Rule (Regulation V) generally require companies that furnish consumer information to CRAs to maintain policies and procedures designed to (1) ensure that the information they report to CRAs is accurate, and (2) allow consumers to dispute, directly with the furnisher, information they believe is inaccurate. The law also requires furnishers to investigate consumer disputes forwarded by the consumer reporting companies. As part of that investigation, furnishers are responsible for reviewing all relevant information provided with the disputes, including documents submitted by consumers.
Failure to comply with the FCRA may result in enforcement by the FTC, CFPB, federal banking agencies, and state governments. The FCRA provides for maximum penalties of $3,500 per violation in the case of lawsuits brought by the FTC, while the CFPB may seek up to $1,000,000 for each "knowing" violation. Consumers may also bring class actions under the FCRA, and claim statutory damages of $100 to $1,000 for each "willful" violation of a clearly established statutory obligation.
Highlights of Supervisory and Enforcement Developments
- FTC Enforcement Actions. The FTC has a long history of enforcement under the FCRA. Most recently, in FTC v. Tricolor Auto Acceptance Corporations, LLC (Sept. 17, 2015), the FTC brought a case against Tricolor Auto Acceptance, a loan servicer for an affiliated auto dealer that regularly furnished information to credit bureaus. According to the FTC, Tricolor provided CRAs with details about 11,635 separate consumer accounts but did not have required policies and procedures in place to ensure the accuracy and integrity of the information provided to the CRAs. In addition, the FTC alleged that when consumers disputed the accuracy of the information with Tricolor, the company didn't honor its obligations under the Furnisher Rule. Rather, according to the FTC, the company simply passed the disputes on to a CRA without investigating and reporting back to consumers. The FTC settlement included a civil penalty of $82,777, and required the company to implement written policies and procedures and to investigate consumer disputes.
- CFPB Bulletins and Supervisory Highlights. The CFPB has issued a number of bulletins and reports summarizing Supervisory Highlights that provide a roadmap of the FCRA issues that are most likely to trigger an investigation or enforcement action.
- On September 4, 2013, the CFPB issued Bulletin 2013-09, warning data furnishers that they face potential disciplinary action if they do not properly review information submitted to the credit bureaus in conjunction with consumer disputes of credit report information. The Bulletin was released around the same time that the CRAs made changes to the e-OSCAR dispute handling system, which allowed information submitted by consumers with disputes to be imaged and forwarded to furnishers for their review. This Bulletin specifically addresses furnishers' obligations to "review all relevant information provided with the disputes, including documents submitted by consumers." A July 2013 Bulletin (2013-08) warns companies that they need to be careful whenever making statements concerning the impact of paying a debt on a consumer's credit score, credit report, or creditworthiness. The CFPB is concerned that these statements, such as telling consumers that paying a debt would improve their credit score, may be deceptive.
- In the Spring 2014 Supervisory Highlights, the CFPB commented on a data furnisher, who instead of investigating a consumer dispute, directed the CRA to delete the account from the consumer's credit report. The CFPB directed the data furnisher to investigate all future disputes it receives regarding information it has furnished to CRAs and not simply delete the trade lines.
- CFPB Enforcement Activity. In addition to providing regulatory guidance, the CFPB has brought several enforcement actions against furnishers. In an enforcement action against a large credit card bank, the CFPB alleged that the bank violated the FCRA when it created a system for handling disputes received directly from consumers that failed to report to the CRAs that previously reported information was being disputed. Once it concluded its investigation of the dispute, the bank either asked the CRAs to delete the information, or reported the information to the CRAs without indicating the dispute. The CFPB also took action against an auto finance company that allegedly failed to fix known flaws in a computer system that was providing inaccurate information to CRAs. Here, it appears actual consumer harm was not relevant to the CFPB's analysis for assessing the civil money penalty. The CFPB ordered the company to pay a $2.75 million fine, fix its errors, and change its business practices. In another action against a debt collector, the CFPB alleged that the collector violated the FCRA when it failed to investigate disputes unless and until consumers produced specific documents or other proof to support their dispute.
The increase in scrutiny of data furnishers is a reminder to companies subject to the FCRA to review their policies and procedures for compliance with the statute, its implementing regulation, and recent FTC and Bureau enforcement actions and guidance. A starting point for review would include the following:
- establishing, implementing, and updating (when necessary) written policies and procedures regarding the accuracy and integrity of information furnished to a CRA;
- monitoring and testing compliance with the law, policies, and procedures as part of a robust compliance management system;
- training staff on the investigation process and tailoring consumer disclosures accordingly;
- monitoring and overseeing vendors involved in providing financial products and services, including credit reporting systems; and
- remediating compliance deficiencies promptly.
Recent enforcement and regulatory activities signal the FTC's and CFPB's expectations regarding data furnishing. All furnishers of data to CRAs should consider evaluating their own controls in light of these purported expectations and the law.