On April 29, 2021, the FTC announced a $20 million settlement with Vivint Smart Home, Inc. (Vivint), a national seller of in-home security and monitoring systems, based on violations of the Fair Credit Reporting Act, the FTC Act, and the Red Flags Rule. Per the FTC, the settlement is the largest one to date for an FCRA case.

Vivint is well-known for employing a large commission-based door-to-door sales force. According to the allegations of the FTC complaint, its door-to-door sales practices exposed the company to liability. In order to complete a “new customer registration,” a Vivint sales representative must request and obtain from a credit reporting agency a consumer report to evaluate the creditworthiness of the potential customer. The FTC’s complaint details two methods employed by Vivint’s sales representatives to qualify an otherwise unqualified consumer to purchase a product.

First is a process known as “white paging,” whereby a Vivint sales representative would use the White Pages app to find another consumer with the same or a similar name and then use that consumer’s credit history to qualify the prospective unqualified customer. The second was to add co-signers by asking the unqualified customer to provide the name of someone they knew who had acceptable credit, such as a relative. The third-party’s credit history would then be used to qualify the prospective unqualified customer and the third-party would be added as a co-signer without their knowledge. According to the FTC, Vivint was aware of these practices but did not take meaningful steps to curb them. In fact, Vivint allegedly terminated many sales representatives for misconduct but rehired some of them shortly thereafter.

Based on these practices, the FTC alleged Vivint violated the FCRA’s permissible purpose requirement by obtaining individuals consumer reports without their permission and because “circumventing credit score limitations on software is not a permissible purpose under the FCRA.”

Some of the unqualified customers would default on their Vivint account. Vivint, in turn, would provide the unknowing third-party co-signer’s information to its debt buyer. The FTC noted many of the co-signers complained of being the victims of identity theft after being contacted by Vivint’s debt collectors. As such, in addition to the FCRA violations, the FTC Complaint alleged Vivint violated the Red Flags Rule by failing to establish any identity theft prevention programs.

Although Vivint did not admit or deny the allegations of the FTC Complaint, it reached a settlement with the FTC agreeing to pay a $15 million civil penalty and an additional $5 million to compensate injured consumers. In addition to the monetary settlement, Vivint agreed to, among other things, implement training programs and create an identity theft prevention program.