CFPB Proposes Settlement with Debt Collector for Failing to Investigate Identity Theft Reports

With the ongoing COVID-19 pandemic, credit card companies may face increased scrutiny, as Consumer Financial Protection Bureau (CFPB) Acting Director Dave Uejio recently stated that "credit reports play a huge role in consumers' financial lives" and "we will not tolerate companies that put inaccurate data on credit reports or fail to investigate consumers' disputes."

On Aug. 16, 2021, the CFPB filed a proposed settlement in an attempt to resolve a lawsuit against a debt collection enterprise, Fair Collections & Outsourcing (FCO), and its owner. The full impact of the case and the resulting settlement terms proposed by the CFPB remain to be seen, but the proposed settlement requires the attention of many players in the consumer debt selling and buying industries. Creditors, including credit card companies and other institutions selling debts, should be knowledgeable of the procedures that debt purchasers have in place for ensuring accuracy in reporting. The CFPB may seek to hold responsible not only the debt buyers with insufficient policies and procedures or insufficient compliance with such, but also those selling debt to them.

Background and OCC Guidance

The notion of a federal regulator scrutinizing the sellers of debt for the misdeeds of the buyers of such debt is not a new phenomenon. In 2014, the Office of the Comptroller of the Currency (OCC) issued a supervisory bulletin entitled "Consumer Debt Sales: Risk Management Guidance," OCC Bulletin 2014-37 (Aug. 4, 2014), wherein the OCC issued what was precedent-setting guidance on national banks' sale of charged-off debt to third-party debt buyers.

What made this guidance so revolutionary is that it marked what seemed to be the first time that the OCC (or any federal bank regulator) has required banks to perform some measure of compliance-related due diligence on a counterparty to an asset sale. According to the OCC: "Banks should know what resources debt buyers use to manage and pursue collections and consider the debt buyers' past performance with consumer protection laws and regulations." The OCC was concerned that national banks "gave debt buyers access to customer files so they could assess credit quality before the debt sale, without the banks first making proper customer disclosures, which was inconsistent with the banks' internal privacy policies and applicable laws and regulations." The OCC also identified instances in which banks, debt buyers or both had inadequate controls in place to protect the transfer of customer information, and further identified debt-sale arrangements between banks and debt buyers that lacked confidentiality and information security provisions.

In order to address the OCC's perceived risks in the sale of consumer debt to third-party debt buyers, the OCC offered several recommendations for compliance remediation. These recommendations include, but are not limited to the following.

• Ensure appropriate internal policies and procedures are developed and implemented to govern debt-sale arrangements consistently across the bank.
• Perform appropriate due diligence when selecting a debt buyer.
• Ensure that debt-sale arrangements with debt buyers cover all important considerations.
• Provide accurate and comprehensive information regarding each debt sold at the time of sale.
• Certain types of debt are not appropriate for sale.
• Comply with applicable laws and regulations. The consumer protection statutes that are specifically referenced by the OCC are: the Fair Debt Collection Practices Act (FDCPA), the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Equal Credit Opportunity Act (ECOA) and the Federal Trade Commission Act (FTC Act).

Although the OCC, like the other "prudential" bank regulators (e.g., the Federal Reserve Board and Federal Deposit Insurance Corporation), has long required its supervised banks to screen vendors, joint venture partners and other "third parties," the 2014 guidance marked the first time that the OCC required banks to protect their existing customers by vetting a counterparty. Of note, the OCC's concerns did not stop at national banks. Rather, the OCC made clear that when it "becomes aware of concerns with nonbank debt buyers, the agency refers those issues to the CFPB, which has jurisdiction over these entities." Thus, there is clear regulatory coordination between the prudential and consumer protection agencies to ensure that alleged unfair, deceptive or abusive debt collection practices do not go unnoticed.

CFPB Complaint and Proposed Settlement

The CFPB's complaint filed in the District of Maryland in 2019 alleged that FCO violated the Consumer Financial Protection Act of 2010, the FCRA and Regulation V by failing to have reasonable policies and procedures regarding the accuracy and integrity of information furnished to credit reporting agencies (CRAs) and especially to identity theft disputes that consumers submitted to CRAs. The CFPB alleged that FCO failed to establish or implement reasonable written policies and procedures regarding the accuracy of information furnished and failed to conduct reasonable investigations of indirect consumer disputes, resulting in inaccurate information remaining on credit reports. Specifically, the CFPB alleged that FCO:

• represented that consumers owed debts, when there was no reasonable basis to assert that those consumers owed debts
• failed to establish reasonable policies and procedures to investigate consumer disputes
• failed to conduct reasonable investigations of disputes when consumers submitted identity theft reports

The CFPB also alleged that FCO violated the FDCPA by telling consumers they owed debts when they did not have a reasonable basis for that assertion. The terms of the proposed settlement require FCO to:

• establish reasonable policies and procedures concerning the accuracy and integrity of information furnished
• continue to evaluate the effectiveness of its policies and procedures by creating internal controls to identify practices or activities that compromise the accuracy or integrity of information furnished
• establish an identity theft review program to safeguard against FCRA violations
• create written intake policies and procedures to evaluate account information before commencing collections
• create policies to evaluate trends in consumer disputes and other signs of potential unreliability on accounts
• retain an independent consultant for conducting reviews of information furnished and debt collection activities to make further recommendations on its policies and procedures for compliance with federal law
• pay a penalty of $850,000 toward the Civil Penalty Fund

What Should Be Done Now?

The proposed settlement highlights to creditors and debt buyers that increased scrutiny is likely to extend into the future. Debt buyers must have procedures in place that seek to accurately report consumer data, as well as comply with such procedures and seek to improve where improvements can be made. Some key considerations when reviewing policies for furnishing consumer information should include ensuring that internal controls exist to review policies relating to consumer data and also to continue to analyze and implement new methods to improve accuracy in reporting. Creditors must do all of these same things and also take steps to confirm that when they sell debt, the buyers of that debt are doing the same.

Given the CFPB's focus on identity theft issues and in particular alleged disregard of FTC identity theft reports submitted with indirect disputes received through CRAs, all creditors and debt buyers should consider reviewing their policies concerning these issues. It has long been the case that ensuring that identity theft disputes are appropriately investigated is critical to limit civil liability exposure. Some of the most significant FCRA awards are in identity theft cases that were not sufficiently investigated. The focus of the CFPB on identity theft review programs reinforces the need to further analyze compliance in this area.

Lastly, expect continued information sharing between the prudential regulators and the CFPB so as to generate increased CFPB supervisory scrutiny and enforcement as to companies that acquire debt from banks. Moreover, the CFPB retains the authority to apply the principles of counterparty due diligence to any sale of debt from a non-bank regulated lender to a debt buyer. The same principles of ensuring that customers who are being transferred to a debt buyer do not suffer abusive debt collection practices that informed the OCC's guidance also inform the CFPB's review of debt sales by non-bank originators.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.