Scherzer Blog

U.S. Supreme Court case offers window into CFPB’s position on the FCRA

The U.S. Supreme Court has agreed to hear a closely followed case involving the Fair Credit Reporting Act (the “FCRA”) that will have great significance on privacy law. In connection with this case, the Consumer Financial Protection Bureau (CFPB) offered a glimpse of its stance on the FCRA in an amicus brief recently filed with the U.S. Supreme Court.

In 2012, the Bureau took over the enforcement reins of the FCRA from the Federal Trade Commission (FTC). Since then, the industry has watched for signs on how the Bureau would tackle its new job, with few clues. But in an amicus brief filed jointly with the Solicitor General in Spokeo v. Robins, the CFPB weighed in, taking a consumer-friendly position on the statute.

The dispute began when Robins claimed that Spokeo ran afoul of the FCRA. The spokeo.com site allows users to obtain information about other individuals like address, phone number, employment information, and economic data such as mortgage value and investments. Robins sued after finding incorrect information about himself on the site, alleging that Spokeo was a consumer reporting agency (CRA) under the FCRA and sold “consumer reports” but failed to comply with the various statutory requirements by neglecting to assure the maximum possible accuracy of the information reported on its site and failing to provide notice of statutory responsibilities to purchasers of its reports.

Relying on Section 1681n of the FCRA, which grants consumers a cause of action against an entity that negligently or willfully violates “any requirement imposed [under the FCRA] with respect to [that] consumer,” Robins filed a putative class action. A federal district court dismissed the suit for a lack of standing but the Ninth Circuit Court of Appeals reversed. The federal appellate panel held that Robins sufficiently alleged an injury in fact because Congress created a right of action to enforce a statutory provision, demonstrating intent to create a statutory right.

Spokeo petitioned the U.S. Supreme Court to take the case. The CFPB filed the amicus brief, siding with the plaintiff and arguing that the justices should deny the writ of certiorari. The Bureau argued to the Court that the statutorily created cause of action found in the FCRA satisfied the injury required for Article III standing. While recognizing that Congress does not have unlimited power to define the class of plaintiffs who may sue in federal court, the CFPB said the legislature “may grant individuals statutory rights that, when violated, confer standing, and the clear language of the FCRA did just that.”

“FCRA thus grants an individual consumer a statutory entitlement to be free from a CRA’s actual dissemination of inaccurate information about him when the CRA fails to employ ‘reasonable procedures’ to assure the information’s accuracy,” according to the CFPB’s brief. “A CRA’s willful failure to follow reasonable procedures to ensure that an accurate report about a consumer is disseminated violates a ‘requirement imposed under [FCRA] with respect to [that] consumer.’ It is also a concrete and particularized injury to the consumer because it involves the actual, specific, and non-abstract act of disseminating information about the particular consumer.” This reading – recognizing a legally protected interest in consumer privacy – “is particularly salient in modern-day society given the proliferation of large databases and the ease and rapidity with which information about individuals can be transmitted and retransmitted across the Internet,” the CFPB added, as “public dissemination of inaccurate personal information about the plaintiff is a form of ‘concrete harm’ that courts have traditionally acted to redress, whether or not the plaintiff can prove some further consequential injury.”

Read the CFPB’s amicus brief in Spokeo v. Robins here.

Read the opinion of the U.S. Court of Appeals for the Ninth Circuit here.


June 12th, 2015|FCRA, Judgment|

New law limits credit checks for New York City employers

New York City has joined the growing list of jurisdictions placing limits on employer credit checks. On April 16, the City Council overwhelmingly voted in favor of a bill prohibiting the use of credit checks in most employment situations. Mayor Bill de Blasio signed the legislation on May 6, amending the city’s Human Rights Law to make the use of credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice. Set to take effect on September 3, 2015, the law will have a sizable impact on employers in New York City. A review of current policies and procedures to determine whether any exceptions apply is key, while employers with a statewide presence should consider whether to continue credit checks in other locations where they remain legal.

As defined by the law, “consumer credit history” means an individual’s credit worthiness, credit standing, credit capacity, or payment history, as indicated by: (a) a consumer credit report; (b) credit score; or (c) information an employer obtains directly from the individual regarding (1) details about credit accounts, including the individual’s number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries, or (2) bankruptcies, judgments or liens. The law further provides that “a consumer credit report shall include any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.”

Importantly, employers are prohibited not just from the request or use of credit history for applicants, but also from using credit history as a factor in employment decisions for current employees in “compensation, or the terms, conditions or privileges of employment.”

When initially introduced, the proposal featured no exceptions to the ban on credit checks. But over the course of the past year, limited exceptions were added to the bill. As enacted, the legislation permits the use of credit checks for prospective employees of broker-dealers who must register with the Financial Industry Regulatory Authority (FINRA) as well as for police officers and other public officials in a position involving a “high degree of public trust.” Additional exceptions allow a review of credit history when required by state or federal law or regulations; for positions when an employee must possess a security clearance or has “regular access” to intelligence or national security information; for non-clerical positions with access to “trade secrets;” for computer security positions when the employee’s duties include the ability to modify digital security systems; and for employees with signing authority over third-party funds or assets greater than $10,000 or fiduciary responsibility to an employer with the authority to enter into financial agreements of $10,000 or more.

The law permits individuals to file a complaint of discrimination with the New York City Commission on Human Rights within a one-year period or a complaint in court, with a three-year statute of limitations. Remedies include back pay, reinstatement, compensatory and punitive damages, and attorney’s fees and costs.

New York City joins 12 other jurisdictions that have prohibited credit checks in employment-related decisions, including the city of Chicago as well as California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington.

Read the New York City legislation here.

June 12th, 2015|Legislation|

Do you know about specialty consumer reports?

Credit reports are a part of life, whether applying for a credit card or purchasing a home. But what about specialty consumer reports?

Many people are unaware that dozens of other types of consumer reports exist, filled with information about medical and prescription history, for example, or insurance claims. Specialty consumer reports gather data from a wide variety of sources including information provided by consumers on applications (such as an apartment lease or a wireless phone contract) as well as public documents like criminal records and marriage licenses.

The reports provide information geared for a specific industry. A truck driving company might purchase reports that detail a job applicant’s driving record and motor vehicle insurance claims while an insurer will review a report with claims filed by a homeowner to check an individual’s historic use of insurance policies. Other niche reports provide data on loan balances, information about any bounced checks, and bank account history for lenders; another company tracks consumers’ product returns and will alert large retailers for fraud prevention purposes.

The Fair Credit Reporting Act (the “FCRA”) entitles consumers to one free report per year from any nationwide credit or specialty reporting agency (plus another free report if an adverse action has been taken, or the consumer disputes an item in the report that was corrected).

Recently, consumer rights group Consumer Action focused on the issue of specialty consumer reports in an “Insider’s Guide to Specialty Consumer Reports: A Guide to Obtaining, Understanding and Managing Your Information,” complete with a directory of furnishers. Staffers went through the process of requesting their own reports to help provide information for consumers about the types of reports available and their rights to request reports or correct errors.

Access the Consumer Action guide.

Read the directory of specialty consumer report furnishers.

May 8th, 2015|FCRA, Fraud|

Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements: Compliance Bulletin 2015-01, which, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up to speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the thornier agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act”.

May 8th, 2015|Legislation|

Securities class actions remain popular

For regulated entities, an enforcement action by a government agency is practically guaranteed to result in a parallel consumer class action.

Nowhere is that more clear than for publicly traded companies regulated by the Securities and Exchange Commission (SEC). Securities class actions were considered to be so rampant that in 1995, Congress enacted the Private Securities Litigation Reform Act (PSLRA) to curb what the industry believed were abusive practices.

While the statute raised the bar for private enforcement actions, it certainly did not close the courtroom doors to plaintiffs. Although there are fewer suits brought today, complaints are still filed lockstep with an agency enforcement action and in significant enough numbers to keep companies on their toes.

Industry watchers predicted that a seminal case decided by the U.S. Supreme Court last term, Halliburton Co. v. Erica P. John Fund (Halliburton II), would result in a decrease in class actions filed. That case involved a popular theory known as “fraud on the market,” where plaintiffs were not required to demonstrate that each individual class member relied on any allegedly misleading statements if the security at issue could be shown to be “efficient,” or with a market price reflecting all of its publicly available information.

While the Court did not toss the theory, the justices held that defendants can rebut the presumption prior to class certification. The June decision appeared to have little impact on the figures for 2014 filings. For example, NERA Economic Consulting reported that 221 securities class actions were filed last year, compared to 222 in 2013 and 212 in 2012.

Interestingly, although the number of complaints in securities class actions has not fluctuated much over the last few years, the aggregate amount of investor losses has declined, NERA found. 2014 saw a drop to $154 million from $159 million in 2013, down significantly from $243 million in 2012 and $248 million in 2011. Are certain industries facing more lawsuits than others? NERA reported that one quarter of all securities class actions were filed against companies in the health technology and services area. Other major players: the finance industry, in second place with 19 percent of the suits, followed by the electronic technology and service sector with 13 percent.

Securities class action plaintiffs are also continuing a trend of settling prior to trial. Of all the pending and newly filed cases in 2014, just one lawsuit was actually tried to verdict (resulting in a plaintiff victory). Almost half of the cases ended on the defendant’s motion to dismiss (48 percent last year with an additional 21 percent dismissed in part), NERA found; 75 percent of the cases that survived settled prior to the class certification stage of litigation.

Read the U.S. Supreme Court’s opinion in Halliburton II.

February 23rd, 2015|Lawsuit|

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about the Personal Data Notification & Protection Act.

February 23rd, 2015|Legislation|

Beware of loopholes in reporting on securities brokers

When considering the track record of a securities broker or dealer, investors should be cognizant of loopholes in background reporting.

The Financial Industry Regulatory Authority (FINRA) oversees the regulation of brokers and operates BrokerCheck, an online database that contains disciplinary records of registered brokers. But a review by the Wall Street Journal found that BrokerCheck is sorely lacking a wealth of information about registered brokers, some of which can be found in the records of state regulators. At least 38,400 brokers have regulatory or financial red flags that appear only on state records, according to the WSJ’s investigation; of those brokers, at least 19,000 had clean BrokerCheck records. One significant area omitted by FINRA: internal reviews.

The WSJ identified 4,346 brokers with one or more internal reviews reported on their state records but not on BrokerCheck. Other regulatory red flags not spotted on FINRA’s database: personal bankruptcies filed more than 10 years ago, judgments and liens that have been satisfied, and certain employment terminations.

FINRA’s records do include complaints against brokers, regulatory actions, terminations for cause, and personal bankruptcies filed within the last decade, which the agency says is consistent with the Fair Credit Reporting Act. But in light of the gaps – and a proposal from FINRA to the Securities and Exchange Commission to expand the obligations of financial institutions with regard to the background screening of applicants (https://scherzer.co/sec-considers-background-check-rule-proposed-by-finra/) – investors should consider checking state regulatory records to form a more complete picture of a broker’s history.

In response to the WSJ’s inquiry, FINRA launched a review of its database and said the agency is studying the current rules about the information disclosed on BrokerCheck. The agency is also attempting to patch a separate loophole by coordinating its efforts with state insurance regulators. Following reports that insurance and securities regulators struggle to share data – and that individuals take advantage of the gap by continuing to sell insurance products despite losing a securities license, for example – FINRA vowed to take action. Beginning this month, the agency said it will provide a monthly report of its disciplinary actions against securities brokers not only to state securities regulators but state insurance regulators as well.

January 29th, 2015|Educational Series|

OFAC getting more common in contract terms and background checks

Do you know what OFAC is about? OFAC is the acronym for the U.S. Department of the Treasury’s Office of Foreign Assets Control, and its function is to administer and enforce sanctions against countries or individuals (like terrorists or narcotics traffickers) with actions ranging from trade restrictions to the blocking of assets.

For U.S. companies, the agency’s enforcement applies to banks, insurers, and others in the financial industry that may be involved in covered dealings, which include engaging in transactions prohibited by Congress such as trade with an embargoed country or with a specially designated national (SDN).

Violations of OFAC regulations, which extend to all U.S. citizens, can result in substantial fines and penalties. Criminal penalties can reach up to $20 million and imprisonment of up to 30 years; civil penalties range from $65,000 up to $1,075,000 per violation, depending on the activity at issue.

OFAC has significantly stepped up its enforcement efforts that have resulted in sizable settlement agreements with U.S. entities, and thus companies increasingly are incorporating sanctions compliance language based on OFAC regulations into contracts and agreements, as well as including OFAC checks in their employment-purpose background screening or in connection with business transaction due diligence.

Contract terms requiring a party to affirm that it is not subject to any OFAC sanctions, that no OFAC investigations are in process, or that it does not engage in transactions with countries like Iran or North Korea, are becoming standard. Some deals also include a provision attesting that a company is not owned by an individual on the list of SDNs, that the company is not based or located in an embargoed country, or that the monies used to make an investment or purchase were not provided by a sanctioned country or individual. Of course, it is also important to conduct background checks to confirm these representations at the start of the contract and at reasonable intervals thereafter.

The use of compliance language does not insulate a company from OFAC liability. While such a provision may create a contract-based remedy to recover monetary damages based on a fine or settlement with the agency, the clause cannot eliminate liability. Like any other governmental regulator, OFAC is not bound by private contract and can take action even with such terms in place.

Learn more about OFAC.

January 29th, 2015|Educational Series|

SEC considers background check rule proposed by FINRA

Financial institutions could face expanded obligations to conduct background screening of applicants for registration pursuant to a rule proposed by the Financial Industry Regulatory Authority (FINRA) to the Securities and Exchange Commission (SEC).

As currently written, National Association of Securities Dealers (NASD) Rule 3010(e), the Responsibility of Member to Investigate Applicants for Registration, provides that a firm “must ascertain by investigation the good character, business reputation, qualifications and experience of an applicant before the firm applies to register that applicant with FINRA,” the regulator explained.

Seeking to “streamline and clarify members’ obligations relating to background investigation, which will, in turn, improve members’ compliance efforts,” FINRA proposed the addition of background checks to the Rule for the SEC’s consideration.

The change would mandate that firms verify the accuracy and completeness of the information in an applicant’s Form U4 (Uniform Application for Securities Industry Registration or Transfer) for first-time applicants as well as transfers. Written procedures for conducting the background check – including a public records search – must also be established.

While the rule is prospective, FINRA announced that it would take a look at currently registered representatives. The financial regulator intends to begin its efforts with a search of all publicly available criminal records for the roughly 630,000 registered individuals who have not been fingerprinted within the last five years; going forward, FINRA will periodically review public records “to ascertain the accuracy and completeness of the information available to investors, regulators and firms,” the agency said.

To read the Federal Register notice: click here.

December 3rd, 2014|Fraud, Risk Management|