March 2024 OBA Legal Briefs

  • OBA Feedback
  • FCRA and HR
  • Employees, Social Media, and Ownership
  • Federal Preemption in Question

OBA Feedback

By Andy Zavoina

The OBA has had numerous requests about what can be done when a credit report is accessed on a consumer and that consumer becomes inundated with calls from other lenders competing for the loan or to offer ancillary services. The consumers tend to blame the bank and it is not your fault, but what can be done?

The calls are not new or innovative – just more prevalent in today’s market. This practice known as “event-based trigger marketing,” is legal under the Fair Credit Reporting Act (FCRA) even though it is often an annoyance to the borrower and then to the bank when you have to field complaints. The relationship between the bank and its customer can be harmed because the customer associates the unwanted solicitations with the bank. Bank customers across the country have reported a sharp increase in recent years in various unwanted calls, text messages, emails and other solicitations originating this way.

Based on my personal recent experience after a credit inquiry, many competitors immediately contacted me, the applicant, in hopes they could offer better terms than I already had pending, and the offers continued even after consummation. Further, vendors offering complimentary products began contacting me with references specifically to that recent mortgage loan. In my case it was a mortgage, and the offers (even a year later) are for a home warranty and specifically reference the XYZ Bank’s mortgage. In other cases, the offer may be for an extended car warranty for a recent car loan or a refi with emphasis on skipping a payment or lowering the monthly payment. The solicitations attempt to co-brand off the lender’s good name by referencing the lender and in some cases using the lender’s logo or font style. Unless the reader looks at the fine print, they don’t see the “not affiliated with…” disclaimer to avoid Unfair or Deceptive Acts or Practices (UDAP) or other issues.

We recommend advising your customers it is through no fault of the bank that this is happening and the best way to avoid the contacts is to opt-out at the credit bureau. Banks may even want to be proactive as the advice does little once the horse has left the barn.

There is a website consumers can visit, or they can call 1-888-5-OPT-OUT (1-888-567-8688) that allows individuals to opt out from receiving these calls. The major credit bureaus operate the phone number and website and the standard opt-out is for five years. Using the same contact methods, they can opt out permanently but to do so must sign and return the Permanent Opt-Out Election form (which they get online). Your consumer may be advised to consider that as an option. Calling the opt-out line or visiting the site will only stop prescreened offers that are based on lists supplied by the major credit bureaus. Consumers could continue to receive offers for things like credit and insurance based on lists from other sources. Opting out also won’t end mail from local merchants, religious groups, charities, professional and alumni associations, and companies that the consumer already does business with. To stop mail from groups they must contact each sender directly.

On a related note, in August 2023, the White House announced a crackdown to protect consumers from third party data brokers. CFPB Director Chopra announced plans for new rules that would strictly limit the types of consumer data that may be sold by businesses and ensure that data brokers comply with the FCRA. Note that the recent complaints our bankers have been receiving will not directly benefit from this as the activity is not out of compliance with the FCRA, but it is a start.

There were actually two proposals being discussed. The first of the new rules would make a data broker that sells certain types of consumer data as a “consumer reporting agency.” The CFPB is considering a proposal that would generally treat a data broker’s sale of data regarding, for example, a consumer’s payment history, income, and criminal records as a consumer report, because that type of data is typically used for credit, employment, and certain other determinations. This would trigger requirements under the FCRA for ensuring accuracy and handling disputes of inaccurate information. It would also prohibit misuse of the information.

The second proposal addresses confusion about what is referred to as “credit header data” on a consumer report. The use of personally identifiable information is a necessity to data brokers and this credit header data is on reports sold by the big three bureaus, Equifax, Experian, and TransUnion. This header information includes key identifiers of the consumer, such as their name, date of birth, and Social Security number. The CFPB wants to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit bureaus to impermissibly disclose this sensitive contact information that can be used to identify people who don’t want to be contacted. This is viewed as especially important to survivors of abuse.

And going full circle back to the original issue of event-based trigger marketing, in February 2024 the ABA Banking Journal reported that the ABA urged Congress to pass legislation to ban the sale of the consumer contact information to lenders who then inundate the consumers with unwanted solicitations. The ABA expressed support for S. 3502 (which was introduced and referred to the Senate Banking Committee) and H.R. 7297 (which has only been introduced so far), both of which would eliminate abusive event-based trigger marketing and limit prescreened credit offers to consumers who actually consent or who have a preexisting relationship with a bank.

So, what can you do today as we await proposals and bills to become effective? In addition to the or call 1-888-5-OPT-OUT (1-888-567-8688) referral which the Federal Trade Commission recommends, the bank can take a proactive posture. If the customer is not looking for new credit or insurance from other than your bank, they may want to opt out for the five-year period or permanently. Again, these apply to prescreening solicitations only.

Additional resources the consumer may consider include the Do Not Call (DNC) list and the Direct Marketing Association (DMA). The National Do Not Call Registry was created to stop unwanted sales calls. It’s free. Consumers can register their home or cell phone number. They need to go to or call 1-888-382-1222 from the phone they want to register.

Consumers may also register at the DMA website, to reduce promotional mail from marketers. It won’t stop all promotional mail, however, and they will have to pay a $4 processing fee, but the registration will last for 10 years. also has an Email Preference Service that lets people get fewer marketing emails. Registration is free and will last for six years. Bear in mind none of these actually stop scammers and marketers who ignore the laws and the opt-outs, DNC list or DMA exclusions.

Banks with these complaints may want to produce a brochure, or web page they make available and can refer customers to, explaining what is happening. If I were creating such a consumer resource, I would hit these thoughts as I have highlighted them here. Certainly, you would want to elaborate on the points below based in whole or in part on the information above to meet your taste.

  1. Why am I getting these calls after applying for a mortgage?
    When a consumer applies for a mortgage, the lender accesses the credit report for the applicants. Because the lender has to have a valid reason to get that credit report, the credit bureau now knows this consumer is looking for a new loan. Credit bureaus have to make money. One way to do this is to sell your contact information to other lenders who make loans similar to what you are applying for. Those lenders approach the credit bureaus and agree to buy a list of prospects on a very regular basis. This allows those other lenders to strike while the iron is hot. This may also facilitate the consumer getting the best deal available if they want to compare terms and pricing. Unfortunately, the lenders buying the lists often do not have a better deal, but go into a hard sale posture. To make matters worse, there may be multiple lenders with the same agreement, which reduces the ability to comparison shop and frustrates you with all the calls, emails and text messages followed by snail mail offers.
  2. I like the terms I’m getting. How do I stop these multiple offers from pestering me?
    Unfortunately the credit bureaus want to make money and legally selling personal data is one way they accomplish that. By getting on the Do Not Call list, the Opt-Out Prescreen list and the Direct Marketing Association opt-out list, you can reduce future contacts. But what is done now, is done. Using voicemail and other filters on the media you use may help reduce the bother, but it will not eliminate it. In some cases, several types of solicitations may be forthcoming for a year or more, so actually getting on the opt-outs now can still help.

FCRA and HR      

By Andy Zavoina

It isn’t common that we in compliance get involved with Human Resources (HR) to check on the controls they use for compliance, but it is time to ensure the checks and balances are all in place. Both of these departments are highly regulated, and, in this case, Compliance should have a stronger grasp of the Fair Credit Reporting Act (FCRA), which is a key crossover regulation between Compliance and HR. I will provide the basic requirements here in the event Compliance has not yet but needs to incorporate HR into its risk assessment and audit calendar. I will say that a part of my FCRA annual audit included a review of the credit bureau bill. It was separated by terminal, so I knew which departments accessed the files. Then it was a case of finding the approved, denied, or withdrawn loan or employment file. One year, I discovered that HR was routinely accessing credit reports for employees being considered for promotion, and this was done without any notice to the employee before or after the decision was made. I considered it adverse if an employee was taken out of the promotable list due to information from the credit report or worse, if action was taken to demote or terminate employment. That had not happened, but the procedure adopted was simply wrong.

The FCRA imposes several restrictions and disclosure requirements on HR, just as it does loan staff, as to accessing, use and the impact of decisions made based on credit report data. Before HR obtains a credit report, it must give notice to an applicant or employee that it plans to pull a consumer report on them, and that it might use the consumer report information in its employment decisions. HR must also get the applicant or employee’s written approval to obtain the consumer report. The notice and authorization can be on the same page and must be in stand-alone format and not part of an employment application or other document, and it may not include any other authorizations or waivers.

If the bank uses information from the consumer report in its decision to take adverse action against an applicant or employee such as deciding not to hire, or to terminate or demote them, the bank must provide the applicant or employee with a disclosure before the adverse action occurs. This disclosure must contain:

  1. A) A notice that the bank is contemplating adverse action;
  2. B) A copy of the consumer report; and
  3. C) A copy of the publication, “A Summary of your Rights Under the Fair Credit Reporting Act.”

    In addition, the bank must give the applicant or employee a reasonable period of time to respond to the notice of contemplated adverse action. Typically, five business days is the minimum period that is recommended. During this time, the bank should not fill the open job position or take other action that would constitute an adverse employment action against the applicant or employee. If the applicant or employee provides additional information, the bank must consider it, but is not required to reverse the decision. Much like a Reg B Adverse Action is intended to inform an applicant of the reasons for denial so they can correct the deficiencies over time and reapply, this is intended to provide time to correct a deficiency and secure that position which obviously cannot be held open indefinitely. It provides a short window for the applicant to explain or correct obvious errors.

After HR takes adverse action based on a Consumer Report, it must give the applicant or employee notice of the actual adverse employment action. This notice should be in writing and must include:

1) The name, address, and telephone number of the Consumer Reporting Agency that provided the Consumer Report;

2) A statement that the Consumer Reporting Agency did not make the adverse employment decision and cannot give specific reasons for it; and

3) Notice of the applicant or employee’s right to dispute the accuracy or completeness of the information the Consumer Reporting Agency provided, and the applicant or employee’s right to get a free copy of the report from the Consumer Reporting Agency if the applicant or employee asks for it within 60 days.

HR may contend that the necessary forms and disclosures above are all provided by a vendor or the Credit Reporting Agency itself. But these forms could still contain errors or be outdated and therefore should be reviewed for compliance just as loan forms are all reviewed for compliance and accuracy. The bank is still the one liable for deficiencies.

In this particular case the form in question, “A Summary of Your Rights Under the Fair Credit Reporting Act,” which is often referred to as a “Summary of Your Rights” disclosure is in Reg V, 12 CFR Part 1022 from the CFPB under Appendix K. The bank must provide the employee or applicant with a Summary of Your Rights in the form prescribed by the CFPB. We all know forms change from time to time.

In March 2023, the CFPB published an updated “A Summary of Your Rights Under the Fair Credit Reporting Act” form and the required usage begins March 20, 2024. The updated form added verbiage designed to alert the applicant or employee to his or her rights to place a “security freeze” on their credit report from a consumer reporting agency and the contact addresses for certain agencies such as the OCC were updated. This security freeze will prohibit the consumer reporting agency from releasing information in the job applicant’s or employee’s frozen credit report without their express authorization, and the OCC address was changed to include P.O. Box 53570, Houston, TX 77052 instead of the street address at 1301 McKinney. That is one way to know you have the current form; just look for the section using the term “Security Freeze.”

In researching the form for this article, I found many instances of the old form first. Because the new form (linked below) was optional for the last year but is soon to be mandatory (again as of March 20, 2024) it is a last opportunity to ensure your HR department is using the correct version.

New Summary Form linked from the BOL Regulations pages:

Employees, Social Media, and Ownership

By Andy Zavoina

Does your bank outsource its social media work or have one or two enthusiastic employees who just “get it” and love posting on social media on behalf of the bank? If so, this brief article is for you because the bank needs to worry about work product and copyright and ownership of these accounts. If there isn’t a clear path on who owns these social media accounts, there needs to be.

JLM Couture is a company dealing in bridal gowns, bridesmaid dresses and the like. Like a bank or any other business, JLM sees value in a social media following. In this case JLM had a contract employee who managed, among other things, social media for the company. In JLM Couture, Inc. v. Gutman, the company and the designer had an employment contract. This contract was detailed and addressed most of their relationship, but not social media accounts. As you will imagine, there was a parting of the ways and a lawsuit that has gone on for over two years.

The case has gone from federal district court to the 2nd Circuit and back again. One issue was for work product and who owned the social media the employee was doing for JLM.

When the relationship ended, JLM claimed ownership of the designer’s Instagram, TikTok and Pinterest accounts. They argued that she created them in her capacity as an employee and it was a work product. Gutman argued that she created them in her personal capacity, they were registered in her name, and she did not pass ownership to JLM by agreeing to use her accounts to market JLM’s products. Part of JLM’s argument was that ownership passed because a provision in their contract with Gutman which provided that all “designs, drawings, notes, patterns, sketches, prototypes, samples, improvements to existing works, and any other works conceived of or developed by [the designer] in connection with her employment with the Company involving bridal clothing, bridal accessories and related bridal or wedding items,” are works for hire and the exclusive property of JLM.

Originally, the federal district court gave JLM control and created a six-factor test that it developed specifically for social media ownership disputes. On appeal, the 2nd Circuit disagreed with this methodology and ruled that traditional property law principles would apply. The 2nd Circuit noted that if Gutman created the accounts using her personal information and for her personal use, then she is the owner of the accounts. Gutman could have transferred ownership to JLM by contract but noted that transferring rights to content posted on the account is different from transferring ownership.

Some lawyers would potentially read this differently, as the 2nd Circuit did when it said the social media did not qualify as “other works” because under the general principle of contract interpretation “the ordinary meaning of general terms at the end of a list must be interpreted to embrace only objects similar in nature to those objects enumerated by the preceding specific words.” In this case, the items listed are closely related to fashion design and are things that might be sold to the public, but social media accounts are far separate from those.

My read on the case is that one party felt it could broadly interpret the agreement it had with an employee and say the company owned these accounts. But legally that was not as clearly stated as JLM believed. More than two years of lawyer costs and court fees have been billed and the case goes on. Social media accounts your bank feels it owns have value and should be in the bank’s name and tied to bank-owned email accounts and paid for (as necessary) by the bank. They should not be in an employee’s name just because that employee opened the account. Postings should not be mixed between personal and business purposes unless they are the same.

In my area, a successful high school athletic director and head football coach enjoyed many years of success with his team. Early on in these successful seasons he convinced the school board that they needed a new identity, and they became known as the “Bulldawgs” or the “Dawgs” for short, they play at Bulldawg Stadium, and he tweaked the logo that is virtually everywhere. But winning seasons don’t last forever, and the coach and school have parted ways. As he collected his severance, he reminded them that he would be generous and allow them to use the name and logo he copyrighted but only for a brief time. After that they could change it or license the rights from him. We will have to see how that goes, but years of litigation are not really an option and should not be for your bank either.

Federal Preemption in Question

By Andy Zavoina

The dual banking system we enjoy provides that banks can, in general, choose to be chartered as a national or a state bank. This choice leads to determining who a bank’s primary regulator will be and what laws and regulations will apply to it. National banks still have to follow some state laws and state banks still have to follow some federal laws, so it is never “all or nothing” but there are advantages to and disadvantages to each.

National banks are still subject to many applicable state laws such as those affecting contracts, property rights, and debt collection, when those state laws do not conflict with the purpose of a federal law. Nonetheless, federal law preempts state laws that interfere with the powers of national banks. The doctrine of federal preemption is grounded in the Supremacy Clause of Article VI of the Constitution and the Supreme Court has held that, “under the Supremacy Clause . . . any state law, however clearly within a State’s acknowledged power, which interferes with or is contrary to federal law, must yield.” The Supreme Court held that the National Bank Act of 1864 (NBA) preempts state laws that “significantly interfere” with a “national bank’s exercise of its powers.” In some cases, a federal law explicitly says it will preempt others and in some cases this is implied. The Office of the Comptroller of the Currency (OCC) is the primary regulatory agency to oversee national banks and it has taken a broad view of the preemptive effects of the NBA.

One question that is currently being posed is to what degree does a state’s law have to “significantly interfere” to  be overridden by a federal law?

In a case with the decision still pending, Bank of America N.A v. Riffard is one of two we will discuss arguing preemption. In this case, Bank of America believed the Wisconsin Consumer Act (WCA) did not apply to it. Jean-Pierre Riffard had two separate credit cards from Bank of America and defaulted on the monthly payments on each account. Bank of America sued Riffard for breach of contract due to his nonpayment. Riffard argued the case should be dismissed because Bank of America never provided him with notice of his right to cure before accelerating his debt and suing him, as required by the WCA. Bank of America argued the NBA preempts the WCA.

The WCA is a state law that regulates consumer credit transactions and debt collection. Under section 425 of the WCA, a creditor must give a consumer notice of any default on a credit account and an opportunity to cure the default.

The Wisconsin circuit court hearing the case agreed with Bank of America but noted there are differing results from the court on this matter. The Eastern District of Wisconsin held the WCA provision is not preempted in Boerner v. LVNV Funding LLC (2019). Contrary to this the Western District of Wisconsin held the WCA is preempted in Lako v. Portfolio Recovery Associates (2021). In Lako, the district court concluded “the WCA goes beyond debt collection and sets conditions on the lending relationship between the creditor and the borrower.” The court also noted in Lako the WCA not only prohibits the debt collection, but also acceleration of the debt until state required notices are made.

Last November the case was heard by the Wisconsin Court of Appeals. Riffard characterized the WCA’s notice-to-cure provisions as debt collection rules that are not preempted while briefs in support of Bank of America argued that applying cure notice requirements to national banks would subject them to each state’s regulatory requirements and defeat the NBA’s purpose of having a uniform regulation for national banks.

On February 27, 2024, the Supreme Court of the United States (SCOTUS) heard oral argument in Cantero v. Bank of America, N.A. In this case the question is whether the NBA preempts a New York statute requiring banks to pay interest on mortgage escrow accounts. The 2nd Circuit ruled that the application of the New York statute to national banks is preempted by the NBA, and this reversed a lower district court ruling.

The OCC has provided preemption regulations for the benefit of national banks so that each can rely on these rules and choose not to comply with many of a state’s consumer protection regulations. As SCOTUS contemplates this Cantero case, if it does not believe the NBA preemption applies to the New York law, it will directly call into question the validity of the OCC’s preemption regulations. This would mean that all national banks should then reconsider any preemption laws it is taking advantage of which could also be questioned and determine whether the bank must now comply with those state consumer protection laws and regulations. If SCOTUS provides an adverse ruling to Bank of America, it could be adverse to all national banks and trigger a wave of actions by state Attorneys General as well as private litigation against national banks based on violations of state consumer protection laws and regulations, as in the Riffard case. Would these actions be limited to a SCOTUS decision date forward, or be retroactive and open to many class action cases? There is no crystal ball that could force the probable causes and effects of such an action, but in researching this article I did come upon an October 12, 2000, article in The Oklahoman addressing one charter switch by the then new Peoples Bank of Oklahoma. The article stated, “Within 30 days, the bank… had virtually doubled its monthly income. Its lending limit had climbed from 15 percent to 30 percent of its capital. In addition, the bank’s annual regulatory fees had dropped significantly.

“We’ll save six or seven thousand dollars a year just on the fees we pay,” board member Randy Wright said. “That’s almost a month’s income. With a small bank like ours, every dime counts.” The article went on to point out, “For Peoples Bank, the decision to convert was purely financial.”

For other banks, like Arvest – which converted four banks this summer – the change had less to do with economics. “We eliminated two regulators. We did it to simplify things,” said Neil Schemmer, chief executive officer of the recently converted Arvest Bank in Norman. “Until this summer, all but five of the 16 banks in Arvest’s holding company were state-chartered banks,” Schemmer said. “Now, all but one are.” There may be many reasons for banks to make charter choices. If there are fewer NBA protections, that may affect banks’ consideration of a national bank charter choice.