Thursday, October 6, 2022

August 2022 OBA Legal Briefs

  • COVID coughs up and update
  • FCRA is on the front burner

COVID coughs up an update

by Andy Zavoina

Perhaps your staff is all back in the bank, some are travelling for summer vacation, masks are seen sparsely, and COVID-19 seems to be something viewed only in the rearview mirror. But that does not mean the pandemic is over, or that your pandemic procedures can be put back on the shelf as life moves forward once again. In addition to yet another variant, some things “pandemic” are still in motion and your bank needs to be aware. Your Human Resources department may need a copy of this update if they haven’t seen the information already. You may recall our covering the U.S. Equal Employment Opportunity Commission (EEOC) rules addressing pandemic procedures in the May 2021 Legal Briefs. This is an update to that article.

On July 12, 2022, the EEOC revised the informal guidance (https://www.eeoc.gov/laws/guidance/covid-19-pandemic-and-caregiver-discrimination-under-federal-employment). The EEOC has updated employee testing protocols and any mandates imposed for vaccine requirements as well as a few other related issues. Depending on what your bank was doing, there may be less justification for it today.

The EEOC revised its position on COVID-19 screening of employees. Screening or testing is no longer considered automatically a “business necessity” in order to operate day-to-day as it was at the beginning of the pandemic. Instead, your bank should evaluate your local conditions and individual circumstances to determine if continued screening or testing is justified as a business necessity, or if it is doing so today based on a potentially outdated policy or procedure.

The EEOC guidance provides eight factors to consider in determining whether circumstances indicate continued screening or testing would be considered a business necessity in your bank and branches:

1. The level of community transmission
2. The vaccination status of employees
3. The accuracy and speed of processing for different types of COVID-19 tests deemed acceptable
4. The degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations
5. The ease of transmissibility of the current variants
6. The possible severity of illness from the current variants
7. What types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals)
8. The potential impact on operations if an employee enters the workplace with COVID-19.

Note: many of the terms used above are explained in greater detail with links on the EEOC site linked in this article. In making these assessments, the bank should check the latest CDC guidance as well as other relevant sources and determine whether screening or testing is appropriate for these employees.

If your branches are all in one area, it may be easy to handle them all the same. If, however, they are spread across many miles, it may be appropriate to tailor procedures to the outlying branches separately, based on the local conditions of each branch. In any case it is time to review the policy and procedures followed for the extreme circumstances a pandemic requires and ensure there is flexibility in screening and testing requirements as the threat level has been lowered and there are fewer protections from violations of the Americans with Disabilities Act.

FCRA is on the front burner

by Andy Zavoina

The Fair Credit Reporting Act (FCRA) is shifting to your front burner, at least until you complete a review and ensure your bank is completely compliant. Rarely is a compliance process one that you can “set and forget.” Procedures need controls that provide checks and balances and on occasion we get little reminders that at least some in our industry were slacking, or just plain doing it wrong.

The Consumer Financial Protection Bureau (CFPB) released an Advisory Opinion on July 7, 2022, on the FDCRA and Regulation V. The reality is that the CFPB is extending its authority in this case to emphasize data protection requirements and privacy. On July 26, 2022, we read an enforcement action from the CFPB against Hyundai for – yes – FCRA violations. The enforcement action included some language that alleged Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) in addition to the FCRA and Reg V violations. “Piling on” is seen more often in these enforcement actions and this one cost Hyundai over $19 million.

So, let’s discuss some of the FCRA reminders from the Advisory Opinion and the lessons learned from the enforcement action, so you can review your FCRA practices and ensure compliance is in order.

In fact, the enforcement action carries lessons far beyond the FCRA, as it says a lot about compliance management. In this case, deficiencies were found. But it took years for the fixes to be put in place and therein lies part of problem leading to the penalty. Problems were found, plans were made to address the issues, but it never really got done. “Follow through” is an important part of the compliance management and audit process and it did not work here.

This Advisory Opinion, “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports,” is an interpretation of the existing rules and is not intended to change the law or Reg V, but rather to provide guidance in your efforts to comply with the existing rules. This information should be preserved with your regulatory materials as a future reference for use in audits, training, and development of policies and procedures.

This Advisory Opinion applies to Credit Reporting Agencies (CRA) as providers of credit reports as well as users of those reports. Our emphasis here is on the latter but we must also appreciate the former and be aware that changes could result from this. As it relates to the Advisory Opinion, 604(a)(3) of the FCRA is consumer-specific and requires a CRA to ensure that only a specific consumer’s data is released when a credit report is requested. This data protection rule provides that John A Smith’s credit information should not be released when John A Smith Jr.’s file is accessed. It seems some CRAs have been lax in matching up just a name instead of several data points such as a Social Security number, date of birth or addresses to better narrow down the file actually requested.

As to name only matching, one CRA stated when providing a consumer report: “This record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject.” That disclaimer sends up several red flags. This is a problem for the CRA as the provider of the report and for the bank as a user of the report. The Advisory Opinion makes it clear that any disclaimer from the CRA that the file “could” have someone else’s information is not sufficient to protect them from penalties resulting from the release of this information. It also does the bank no good to have information on John A Smith when it is Junior who is applying for a loan. Similarly, if the bank requested the file on John A Smith instead of Junior, it would have violated the FCRA because it had no permissible purpose to request that file. And because the bank’s contract with the CRA will require it only requests files when it has a permissible purpose, that contract would be violated.

Congress enacted the FCRA with particular goals, including, “to ensure f air and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” There were concerns that the contents of a credit file were not kept confidential. The FCRA is intended to protect the individual’s privacy by controlling both the collection and dissemination of credit information. The CFPB is respecting the privacy goals of the FCRA with its Advisory Opinion.

Section 604 of the FCRA is, “Permissible purposes of consumer reports,” and it identifies an exclusive list of “permissible purposes” under which a CRA can release the credit report including in accordance with the written instructions from the consumer to whom the report relates and for purposes relating to credit, employment, and insurance. Let’s place emphasis here on the fact that the consumer has to authorize the bank to request this report from the CRA and the fact that this is an exclusive list, meaning these are the only reasons allowed. Obviously if there is another person’s information in the file, which contributes to a violation. Among the key reasons a bank would access this includes, 604(a)(3)(A),” in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer,” and, “(F) otherwise has a legitimate business need for the information (i) in connection with a business transaction that is initiated by the consumer; or (ii) to review an account to determine whether the consumer continues to meet the terms of the account.” These are the direct banking issues. This section includes other reasons such as employment and insurance as well. Paragraph (F) seems broad with its use of having a legitimate business need and to review an account. In fact, these are not as broad as some lenders or collectors may think as the purposes can be narrow.

There is A LOT of content in the FCRA that cannot be covered here today. Suffice it to say that when the CFPB took the FCRA regulation from the Federal Reserve it inherited the consumer protection provisions. When you research the FCRA, be sure to look at what the FRB retained https://www.bankersonline.com/regulations/12-222-000 as well as what the CFPB has ownership of (https://www.bankersonline.com/regulations/12-1022-000), and the FCRA itself (https://www.bankersonline.com/regulations/fcra-000). The last link includes a link to a document, “FTC Staff Report – July 2011”. The FCRA and Reg V do not have an Official Staff Commentary with explanations and interpretations. But there were guidance opinions issued by the Federal Trade Commission (FTC) as it had a key role in FCRA oversight and enforcement.

One of the major changes to the FCRA was the FACT Act which provided the FTC with specific rulemaking authority. The FTC issued more than 430 opinion letters to act as compliance guidance. This 117-page document assembles many of these opinions to act as a proxy for a Commentary. This is a must read for FCRA compliance as it defines the difference between using a credit report for a loan request, and then also using it to prequalify the consumer for another loan product. Such a use violates the permissible use requirements as access was not granted for that cross-sale. These are the nuggets you will find in this booklet. It may be 11 years old as of this writing, but the information there is still pertinent.

Back to the Advisory Opinion itself. The CFPB places emphasis on the use of consumer reports and the circumstances under which they may be accessed – “and no other.” It drives this home by reminding the reader that Section 620 carries with criminal liability for any employee or officer of a CRA who knowingly and willfully provides an unauthorized report. This triggers two points which need to be mentioned. First, this could cause some CRAs to tighten up controls and requirements that users must follow so that the CRA can comply. Second, if the bank were to release this information to another party, it could be deemed to be acting as a CRA and now it would be subject to these penalties as well. That is why the bank must ensure staff be aware of when credit reports may be accessed and for what purposes.

FCRA section 604(f) provides that “a person shall not use or obtain a consumer report for any purpose unless” the consumer report “is obtained for a purpose for which the consumer report is authorized to be furnished under [FCRA section 604]” and “the purpose is certified in accordance with FCRA section 607 by a prospective user of the report through a general or specific certification.” FCRA section 619 imposes criminal liability on any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses. I remember early in my banking days when there was an incident of single person in the loan area looking at credit reports of customers who had asked her out. Certainly, that would not be an authorized use and if the credit report was pulled for that purpose, well in today’s FCRA environment that would have to be a terminable offense.

Having a permissible purpose is at the core of the FCRA’s protections. When a credit report is provided to unauthorized persons and for unauthorized purposes the consumer can suffer harm in a number of ways. It is an invasion of one’s financial privacy and as the Advisory Opinion puts it, this is a “reputational, emotional, physical and economic harm.” That’s from the CFPB, I will not try to interpret each. Suffice it to say, these harms are on the record and violations may include these points in the justification of a penalty. Take each seriously. There are some examples cited which explains some of the reasoning. “For example, in a case that resulted in a 2006 settlement with a consumer reporting agency, the FTC alleged that the agency violated the FCRA’s permissible purpose provisions by providing consumer reports to persons without a permissible purpose, resulting in at least 800 cases of identity theft. More recently, in 2020, a group of companies and individuals settled Bureau allegations that they obtained consumer reports without a permissible purpose when they obtained consumer reports for use in marketing debt relief services. Also in 2020, a mortgage broker settled FTC allegations that it used consumer reports for other than a permissible purpose when, in response to negative reviews on a website, it publicly posted information it had obtained from a consumer report about the reviewer.”

Recognizing the importance of permissible purposes, when was the last time staff with access to credit reports, being accessed or in credit files, were reminded of the requirements and the potential penalties for unauthorized access? A resource for teaching includes a booklet published by the CFPB in 2020, “List of Consumer Reporting Companies “ as it includes not just who is considered a CRA and therefore a major part of this topics discussion, but information for a consumer on who can see their credit reports, how to review them for free, how to dispute information and more on uses such as for credit, employment, check screening and more. (https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-companies-list.pdf). This is good information for staff to be aware of as a banker and a consumer. Staff should be trained on this topic before they are granted access to credit reports just as tellers get Bank Secrecy Act training before operating a teller drawer on their own. It could be a requirement in the vendor contract with your CRAs and based on the Advisory Opinion, it may be something these vendors emphasize in the future as well.

Under 604(a)(3)(A) of the FCRA, a CRA may provide a consumer report “to a person which it has reason to believe . . .  intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or 18 15 U.S.C. 1681b(a).review or collection of an account of, the consumer.” Similarly, FCRA section 604(a)(3)(F) permits a CRA to provide a consumer report “to a person which it has reason to believe . . . has a legitimate business need for the information . . . in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.” These are a few of the teachable points which deserve emphasis.

Note one particular phrase, “reason to believe.” The CFPB is directing this to users of consumer reports who lack a permissible purpose and want to rely on this as justification. The Advisory Opinion specifically rejects some judicial decisions that have applied a “reason to believe” standard to FCRA Section 604(f)’s permissible purpose requirement for users. Instead, the CFPB used a plain language approach to impose a prohibition on using a consumer report without a justifiable permissible purpose. The “reason to believe” standard will not provide an excuse for innocent mistakes. The CFPB appears to be taking a strict liability approach to permissible purpose requirements. With a high risk of enforcement by all federal agencies and state attorneys’ general who have been reminded, and almost invited by the CFPB to join in enforcement actions, plus the ability for private plaintiffs to obtain significant monetary relief, banks are advised to practice risk management and mitigate this with training.

The bank is a user of consumer reports and must ensure that it does not violate consumer privacy by obtaining consumer reports when it lacks a permissible purpose. From the CFPB, “For example, in 2018 a company settled Bureau allegations that it violated FCRA section 604(f) when its agents obtained consumer reports for consumers who were not seeking an extension of credit from the company and the company had no other permissible purpose for the consumer reports it obtained. In some instances, for example, the company’s agents initiated credit applications for the wrong consumer by incorrectly inputting consumer information into the company’s application system or by selecting the wrong consumer from a list of possible consumers identified in the system. When these applications were initiated in error, the company obtained a consumer report for a consumer with respect to which it had no permissible purpose, violating the FCRA’s permissible purpose provisions and the privacy of the consumers that were the subject of those reports, and also generating an inquiry on the consumers’ credit reports.” Making a choice from a list of possible customers and ensuring that the correct identifying information is input will help prevent violations and inadequate controls.

Hyundai Capital America

What are the ramifications of non-compliance? Let’s look at a Consent Order between Hyundai Capital America and the CFPB. This may seem like an extreme case, but there are lessons here that extend beyond the FCRA, and this is a good case to discuss with management and potentially your board.

On July 27, 2022, prompted initially by numerous consumer complaints over credit reporting problems, the CFPB investigated Hyundai for FCRA and Reg V. It expanded into UDAAP as well.

Violations cited indicated Hyundai:

1. Failed to promptly update and correct information it furnished to CRAs that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information, in violation of the FCRA, 623(a)(2).
2. Furnished information about severely delinquent and charged-off accounts but failed to provide the “date of first delinquency” (623(a)(5)) which is a key date because it triggers several FCRA requirements.
3. After determining its reporting was inaccurate as to consumer accounts, failed to correct or delete it.
4. Lacked reasonable procedures to respond to notifications from CRAs indicating information Hyundai provided was the result of identity theft and therefore must be blocked from a victim’s credit report. It violated 623(a)(6) by reporting this information after notices from consumers without any validation process.
5. Failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs, or to consider and incorporate the guidelines in Appendix E (in the CFPB’s Reg V link, App. E is “Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies”)

Note, while cited as a violation, the FCRA and Reg V do not explicitly require a policy and procedure for the FCRA. It could be argued however, that there was a genuine need by Hyundai based on the array of violations and lack of direction provided by management and the board.

Some of the above were cited a second time as violations of the Consumer Financial Protection Act (CFPA) which incorporates UDAAP. It was noted Hyundai used ineffective manual processes and systems containing known logic errors to furnish information to CRAs and therefore willfully violated the FCRA.

The “relevant period” for this action is cited as January 2016 through March 2, 2020. That’s going back nearly 7 years ago, however, evidence of problems as you will read date back to 2013. The “affected consumers” refers to those with inaccurate information that they were 30 or more days past due.

To establish a foundation here are some figures used in the consent order.

• Hyundai services approximately 2 million customers and has assets in excess of $45 billion as of 2021.

• The credit reporting format was Metro 2, which is very common in the finance industry.

• Inaccurate payment histories were reported 8.7 million times across 2.2 million accounts.

• In approximately 570,000 instances, Hyundai inaccurately inserted codes showing delinquent or no payments in the payment history.

• Due to coding errors related to lease accounts, in 1.4 million instances, payment history codes indicating that the consumer’s payment history was disputed by the consumer or that no data were available when neither of these things was true. This error affected the entire lease portfolio.

• When credit reporting disputes were made, a manual tradeline correction could be made, but then the auto-reporting systems overrode the corrections and reinserted the errors.

• In over 537,000 instances across more than 168,000 accounts, Hyundai furnished date of first delinquency (DOFD) information regarding consumer accounts that Hyundai itself had determined was inaccurate.

• Compounding the problem, Hyundai delayed fixes for errors affecting the DOFD reporting for nearly a year due to prioritization of allotted resources for the new credit furnishing system planned for release over the then-existing systems that were being replaced.

• An inaccurate DOFD may be particularly problematic for consumers because use of the DOFD field in the Metro 2 format reflects the existence of an ongoing delinquency and the date itself shows how recently the delinquency occurred, both of which could negatively affect a consumer’s credit profile if the DOFD field is inaccurate.

• In tens of thousands of instances, Hyundai reported an inaccurate DOFD, which changed from month to month due to system issues, making some delinquencies appear more recent than was accurate.

• For thousands of delinquent accounts, they failed to furnish any DOFD at all.

• In over 2.2 million instances for over 1.2 million accounts, they furnished inaccurate amounts as to the highest credit or original loan amount.

• After furnishing the correct original loan amount (a field that should not change), they furnished increased amounts for the “original loan amount,” making it appear that a consumer had taken out a larger loan than they had actually taken out.

• In over 2.9 million instances on more than 189,000 accounts, they reported consumers’ accounts as delinquent, but also reported there was no amount past due

• For paid accounts, more than 17,000 reported a negative payment rating that was inaccurate.

• In at least 29,000 instances for approximately 3,900 accounts, they failed to report a DOFD where it reported other information instead, such as the accounts were placed for collection, charged-off, or at least 120 days delinquent.

The issue in this case is that Hyundai repeatedly furnished information to CRAs knowing it to be inaccurate. The company was making little attempt to correct the errors. A basic tenant of the FCRA is that a creditor is not required to report accounts but must report accurately when they do. In an audit report in March 2013, it was determined that required data in the Metro 2 fields was not always fully complete, accurate, or consistently reported. These appeared to be systemic logic issues and Hyundai lacked subject matter experts or a process to ensure accuracy and integrity of data reported. The audit also identified issues relating to the processing, monitoring, and tracking of direct disputes between processing units, and those policies and procedures reviewed as current did not accurately reflect actual practices.

When deficiencies are found compliance management systems call for a response that should be agreed upon as suitable, and a timeline under which corrective actions should occur. This is how repeat violations are avoided. In this case the corrective actions were going to be coordinated with an outside consulting firm. Hyundai initiated a “Credit Bureau Project” in July 2015, more than two years after the audit noted problems.
Completion of the Credit Bureau Project occurred in June 2016 for its vehicle retail installment portfolio and in February 2017 for its vehicle lease portfolio. However, the logic changes failed to address or resolve some of the issues identified in the 2013 audit, and created new, additional problems for both portfolios.

In October 2017, Hyundai began working on a different project to address credit report furnishing logic issues. It started work on a “next generation system” to support credit report furnishing across both lease and retail portfolios as one system. The rollout for this new system was not planned to occur until 2020.

In January 2018, the internal audit team concluded that its furnishing and dispute management controls remained unsatisfactory. It cited the same 2013 errors that remained unresolved. Additionally, there were other issues across its legacy credit report furnishing systems.

The 2018 audit also found that one upgrade to the company’s furnishing systems caused almost 18,000 consumers who were paid-in-full on their retail installment contracts to be erroneously reported as delinquent because Hyundai still lacked an adequate test environment for accuracy and logical consistency before the data was released to CRAs. In internal emails they acknowledged that this error may have caused significant drops in consumers’ credit scores.

As work continued on the “next generation system,” from 2017 until its rollout in March 2020, upgrades to the legacy credit report furnishing systems were deprioritized, and, as a result, many issues identified in the 2013 and 2018 audits, were not resolved until 2020.

So, for a period of years inaccurate information was reported and consumers were harmed as a result. Lower credit scores may have prevented a consumer from borrowing, borrowing at a preferred rate, obtaining a home loan or receiving promotional offers for which they may have qualified. Hyundai lacked policies and procedures that would have provided much needed guidance. Correcting errors and reducing harm to consumers was moved to a lower priority and the problems only grew.

In addition to many added compliance and reporting requirements, Hyundai was ordered to pay a $6 million civil penalty and at least $13.2 million in restitution to current and former customers as well as to take steps to correct all inaccurate account information.