Yesterday, the FTC announced a settlement with Credit Bureau Collection Services (“CBCS”) and its two principals for alleged violations of the data furnisher provisions of the federal Fair Credit Reporting Act. See Because CBCS is a third-party debt collector subject to the Fair Debt Collection Practices Act, the FTC included follow-on FDCPA claims covering the same subject matter as the FCRA claims.

By our count, this is only the fourth case that the FTC has brought against a data furnisher since the furnisher provisions were added to the FCRA in 1997. Moreover, this is the first case in which the FTC has elucidated in detail what it believes a furnisher is required to do when investigating information that has been disputed by a consumer.


The FTC alleged that CBCS:  

  • Failed to conduct adequate investigations of consumer disputes received from a credit reporting agency, in violation of FCRA § 623(b);  
  • Reported debts to the credit reporting agencies without noting that consumers disputed them, in violation of FCRA § 623(a)(3) and FDCPA § 807(8);  
  • Continued to report debts as owing, even after consumers had provided “proof” that the debt was not theirs or had been paid, in violation of FCRA § 623(a)(1)(B).

The FTC also more generally alleged that CBCS misrepresented to consumers that the consumers owed debts, in violation of FDCPA § 807(2)(A) and FTC Act § 5. Because violations of the FCRA and FDCPA also constitute violations of FTC Act § 5, the FTC also charged CBCS with FTC Act violations.  


This is the first enforcement action in which the FTC has alleged a failure to investigate consumer disputes under FCRA § 623(b). Because this is the only FCRA furnisher obligation that also can be enforced privately, the FTC’s action has particular importance for any lender, insurer or other company that furnishes information to credit reporting agencies.

The FTC alleged that CBCS failed to comply with FCRA § 623(b) in cases where a consumer claims mistaken identity (i.e., that the debt being collected does not belong to the consumer) or claims to be a victim of fraud or identity theft. CBCS maintained specific policies and procedures to address these situations, but the FTC nonetheless held that these policies were so inadequate as to constitute a “knowing” violation of the FCRA.

Where a consumer claimed mistaken identity, CBCS would compare the name, social security number, date of birth, and address in CBCS’s computer database with the information provided by the credit reporting agency on the automated consumer dispute verification form. Where three of the four items matched, CBCS would consider the information to be verified as accurately reported to the CRA. The same procedure was apparently followed for a second, third or fourth dispute on the same basis. If a consumer disputed the information more than four times, the account would be assigned to a supervisor for additional manual investigation. By bringing this action, the FTC is indicating that this policy is so egregiously inadequate under the FCRA that it merits severe civil penalties. (Oddly, the FTC complaint implies that the CBCS policy was particularly ineffective because “CBCS collects accounts that are often old, information in its computer files may not be accurate for a variety of reasons, including incorrect updating of addresses, errors in recording names and information, and problems with the original creditor’s records.” If this were true, however, it would seem that CBSC’s practice of matching at least three of four data elements would result in many accounts being classified as cases of mistaken identity.)

If a consumer disputed a debt by claiming identity theft or fraud, it appears that CBCS would conduct the same review as for a claim of mistaken identity and, if three of the four factors matched and the CBCS file for the consumer did not contain any reference to a prior claim of fraud, CBCS would consider the information reported to the CRA to be verified as accurate. On a second dispute alleging fraud, it appears that CBCS would conduct a full investigation. As many furnishers know, however, claims of identity theft or similar fraud are particularly hard to investigate, precisely because where identity theft is successful, the identifying information in the file will match that of the fraud victim perfectly and the debt in question will appear to belong to the victim. The FTC has long recognized this quandary, and in 2003 advocated for legislation that would permit fraud victims to circumvent the dispute provisions of the FCRA and “block” fraudulent information in their credit records directly with the furnisher. See This provision was enacted into law in 2004. The FTC’s complaint against CBCS does not allege that it failed to honor consumers’ request to block fraudulent or identity theft-related information in their credit records.


The new chairman of the FTC and the new director of the Bureau of Consumer Protection have been outspoken in their desire to ratchet up civil penalties for alleged violations of those laws that permit the FTC to obtain penalties. (Under its organic statute, the FTC Act, the FTC can only obtain civil penalties for repeat violations, but a few laws, including the FCRA and FDCPA, permit the FTC to obtain money penalties for initial violations.)

The $1.1 million penalty and the FTC’s novel theory of liability indicate to us that the FTC is taking a strict enforcement position under the furnisher provisions of the FCRA and obtaining steep penalties to match.