Fair Credit Reporting Act (FCRA) lawsuits continue to rise with the number of complaints filed in federal courts showing a +5.3% increase in 2020 over 2019. This continues a trend for FCRA litigation as it has consistently shown year-over-year growth since 2010. An issue that garners much attention in FCRA litigation is whether an employer’s disclosure and authorization forms violate the FCRA. Two federal appellate decisions address this issue and provide important guidance for employers on how to draft FCRA disclosure and authorization forms.
FCRA Disclosure and Authorization Forms
Employers that want to obtain a background check report about a job applicant or current employee must comply with the FCRA and provide to the individual a standalone document with a clear and conspicuous disclosure of the employer’s intention to do so, and obtain the individual’s authorization. By way of background, the principal appellate opinion on disclosure and authorization forms is the Ninth Circuit’s Gilberg v. California Check Cashing Stores, LLC, No. No. 17-16263 (January 2019). The Gilberg opinion made clear that any extraneous information in an FCRA disclosure form violates the FCRA’s requirement that the disclosure must be “in a document that consists solely of the disclosure” (the standalone requirement). The employer in Gilberg was found to have violated the standalone requirement by:
- Combining the authorization and disclosure into one document; and
- Including several state-related disclosures in the form.
Two important cases from 2020 that further addressed the requirements and limitations for the content of an FCRA disclosure form were issued by the Ninth Circuit in Walker v. Fred Meyer, Inc., No. 18-35592 (March 20, 2020) and Luna v. Hansen & Adkins Transport, Inc., No. 18-55804, (April 24, 2020).
In Walker v. Fred Meyer, the court indicated that background check disclosures may contain some concise explanatory language, but there is a limit to what is explanatory and what is unlawfully extraneous. Among other allegations, the plaintiff in Walker claimed that the FCRA disclosure violated the standalone requirement because, in addition to mentioning consumer reports, it also mentioned investigative consumer reports (a type of consumer report). The Ninth Circuit rejected this claim and ruled that mentioning investigative background checks in the disclosure does not violate the FCRA’s standalone requirement because investigative consumer reports are a subcategory or specific type of consumer report and as long as the investigative background check disclosures are limited to (1) disclosing that such reports may be obtained for employment purposes and (2) providing a very brief description of what that means.
The Ninth Circuit reviewed the employer’s disclosure in Walker in detail, which consisted of five paragraphs, and held that the first three paragraphs did not violate the standalone requirement, but that the last two paragraphs did because they may pull the individual’s attention away from their privacy rights protected by the FCRA. Here are the offending paragraphs in their entirety:
“You may inspect GIS’s files about you (in person, by mail, or by phone) by providing identification to GIS. If you do, GIS will provide you help to understand the files, including communication with trained personnel and an explanation of any codes. Another person may accompany you by providing identification.”
“If GIS obtains any information by interview, you have the right to obtain a complete and accurate disclosure of the scope and nature of the investigation performed.”
The plaintiff in Walker also claimed that the language of the employer’s authorization form, which was in a separate document was confusing and underscored the confusing and distracting nature of disclosure form, thus violating the FCRA’s standalone requirement. The Ninth Circuit rejected this argument because it found that the authorization form is not relevant to the FCRA disclosure form’s standalone requirement where the authorization is not included in the disclosure and is in a separate authorization form.
In Luna v. Hansen, the plaintiff claimed that the FCRA’s physical standalone requirement for hard-copy forms was a temporal one, i.e., the disclosure form should be presented to the individual separate from all other employment-related forms. The plaintiff in Luna had received one packet containing all forms. The Ninth Circuit rejected this argument and held that as long as the background check disclosure itself is in a standalone form, it can be presented with and at the same time as other employment documents.
Given the steady uptick in FCRA litigation, it is advisable for employers to review their FCRA disclosure and authorization forms on at least a yearly basis, or whenever important appellate opinions are issued, to ensure compliance with the FCRA. The attached forms from the Gilberg and Walker opinions provide clear examples of what to avoid in FCRA disclosure forms. In general, the guidance provided in the above-referenced opinions indicate that:
- background check disclosure forms may contain some concise explanatory language, but there is a limit to what is explanatory and what is unlawfully extraneous;
- background check disclosure forms may be presented at the same time as other materials, including application materials, as long as the background check disclosures are on a separate form; and
- language in a separate authorization form has no impact on the disclosure form’s compliance with the FCRA standalone requirement.
Disclaimer: This communication is for general informational purposes only and does not constitute legal advice. No recipient should act, or refrain from acting, based on any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.
On April 1, 2020, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a non-binding general policy statement (“Policy Statement”) regarding the Fair Credit Reporting Act (FCRA) and Regulation V in light of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act).
The CFPB’s Policy Statement highlights furnishers’ responsibilities and informs consumer reporting agencies (“CRAs”) of the Bureau’s flexible supervisory and enforcement approach during this pandemic. The Bureau intends to consider the circumstances that entities face as a result of the COVID-19 pandemic and their good faith efforts to comply with statutory and regulatory obligations as soon as possible.
The Bureau believes that this flexibility will help furnishers and CRAs to manage the challenges of the current crisis. Below are examples of the flexibility the Bureau intends to provide in the consumer reporting system.
Furnishing consumer information impacted by COVID-19: The Bureau reiterates its prior guidance encouraging financial institutions to work constructively with borrowers and other customers affected by COVID-19 to meet their financial needs. While companies generally are not legally obligated to furnish information to CRAs, the Bureau encourages them to continue doing so despite the current crisis. Furnishers’ providing accurate information to CRAs produces substantial benefits for consumers, users of consumer reports, and the economy as a whole. The CARES Act, a section of which amends the FCRA, generally requires furnishers to report as current certain credit obligations for which furnishers make payment accommodations to consumers affected by COVID-19 who have sought such accommodations from their lenders. Many furnishers are or will be offering consumers affected by COVID-19 various forms of payment flexibility, including allowing consumers to defer or skip payments, as required by the CARES Act or voluntarily. Such payment accommodations will avoid the reporting of delinquencies resulting from the effects of COVID-19. The Bureau supports furnishers’ voluntary efforts to provide payment relief, and it does not intend to cite in examinations or take enforcement actions against those who furnish information to CRAs that accurately reflects the payment relief measures they are employing.
Disputes: The FCRA generally requires that CRAs and furnishers investigate disputes within 30 days of receipt of the consumer’s dispute. The 30-day period may be extended to 45 days if the consumer provides additional information that is relevant to the investigation during the 30-day period. The Bureau is aware that some CRAs and furnishers may face significant operational disruptions that pose challenges in the investigations. For example, some CRAs and furnishers may experience reductions in staff, difficulty in taking disputes, or lack of access to necessary information, rendering them unable to investigate the disputes within the timeframes the FCRA requires. Furnishers include a wide variety of businesses that vary in size and sophistication and can range from small retailers to very large financial services firms, each of which will face unique challenges due to the COVID-19 pandemic. In evaluating compliance with the FCRA as a result of the pandemic, the Bureau will consider a CRA’s or furnisher’s individual circumstances and does not intend to cite in an examination or bring an enforcement action against a CRA or furnisher making good faith efforts to investigate disputes as quickly as possible, even if dispute investigations take longer than the statutory timeframe. The Bureau reminds furnishers and CRAs that they may take advantage of statutory and regulatory provisions that eliminate the obligation to investigate disputes submitted by credit repair organizations and disputes they reasonably determine to be frivolous or irrelevant. The Bureau will consider the current constraints on furnishers’ and CRAs’ time, information, and other resources in assessing if such a determination is reasonable.
Regulatory requirements: The Policy Statement is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authorities. It is therefore exempt from the notice and comment rulemaking requirements under the Administrative Procedure Act pursuant to 5 USC 553(b).
Resources for consumers and small businesses facing the impacts of the COVID-19 pandemic are available on the Bureau’s website at https://www.consumerfinance.gov/coronavirus/.
Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.
The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.
The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield–the Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms, such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group) to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.
Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.
- Read Scherzer International’s first bulletin about the invalidation of the Safe Harbor privacy framework
- Read the European Commission’s guidance about data transfers issued in November 2015
- Read the European Commission’s press release about the Privacy Shield
- Read the Working Party’s statement issued on February 3, 2016 about the Privacy Shield
- Read the U.S. Department of Commerce fact-sheet about the Privacy Shield
Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.
Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.
Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.
International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).
What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or accept service at any branch without such a designated office.
Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.
For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.
Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.
On June 12, 2013, the Federal Trade Commission (the “FTC”) issued revised guidance designed to help businesses comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or “red flags” of identity theft. The guidance outlines which businesses – financial institutions and some creditors – are covered by the Rule and what is required to protect consumers from identity theft.
The FTC enforces the Red Flags Rule with several other agencies. Its guide has tips for organizations under FTC jurisdiction to determine whether they need to design an identity theft prevention program, and can help businesses spot suspicious patterns and prevent the costly consequences of identity theft.