Compliance Blog

BCFP Puts a Stop to Egregious Collections and FCRA Violations by a Payday Lender

Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel, NAFCU

Earlier this week, the BCFP (formerly the CFPB) filed a consent order detailing a pattern of conduct by Security Group Inc. and its subsidiaries (Security Group) that is nothing short of a spectacular disgrace.

The force is not with you.

Security Group is a payday lender and, by the looks of it, the exact kind of payday lender that makes the PAL program and other responsible short-term, small-dollar lending programs offered by credit unions such a critical alternative for members. Here is a summary of Security Group's conduct outlined by the Bureau in the Consent Order, and the consequences from the Bureau.

UDAAP Violations

Security Group conducted 12 million in-person visits to borrowers' homes, their neighbors and their places of employment in efforts to collect on these loans. As examples, its collectors confronted customers at fast food drive-thru windows and in line at a big-box retailer. Phone calls were also made to borrowers' places of employment, landlords, family members and strangers believed to be related to the borrowers, despite repeated requests that the calls stop. These visits and phone calls risked and sometimes involved disclosure of loan delinquency to third parties, including leaving field cards with neighbors and small children and directly informing co-workers that the consumer was in debt. The visits and calls disrupted borrowers' workplaces and jeopardized their employment. Reportedly, collectors also made threats of jail, shoved borrowers and blocked them from leaving private property. Understandably, this conduct left many borrowers humiliated, harassed and fearing for their jobs. The Bureau found this activity to be unfair acts or practices in violation of 12 U.S.C. §§ 5531 and 5536(a)(1)(B).

FCRA Internal Control, Reporting and Dispute Failures

Security Group built their own credit furnishing system using the Metro2 Guide to convert their loan-sales database to Metro2 format for reporting, but had no written policies or procedures regarding the standardized coding of loan information, proper reporting and transmission of information, record retention requirements, internal controls or investigating or correcting disputed information. The failure to establish and implement reasonable policies and procedures to ensure the accuracy and integrity of reported information is a violation of the FCRA and Regulation V. See, 15 U.S.C. § 1681s-2(a)(1); 12 C.F.R. § 1022.42(a).

Not surprisingly, as a result of the lack of procedures, internal controls and failure to properly investigate disputes, Security Group furnished inaccurate information regarding tens of thousands of consumers. The Bureau found these errors to be systemic and pervasive. Corrections were made slowly, sometimes taking over a year. Even once corrected through e-OSCAR, systemic errors resulted in inaccurate information sometimes being reported again, overwriting the corrected information. After about five years, Security Group suspended reporting due to multiple systemic errors, but did not actually correct the information until it resumed reporting seventeen months later. The failure to correct inaccurate information is also a violation of the FCRA. See, 15 U.S.C. § 1681s-2(a)(2),(a)(5)(A).

Corrective Actions

Security Group has to pay a $5 million civil money penalty. Further, the Bureau is requiring Security Group to prevent its collectors from making in-person visits to consumers' homes, their neighbors, their workplaces, or any public place. They also cannot call any third party regarding the debt once the borrower has indicated a desire to cease communications, or that the calls to their work are inconvenient or prohibited by employers. Security Group cannot disclose information about the debt except as permitted by state law or with the consent of the borrower.

Some of these requirements basically mirror the requirements of the Fair Debt Collection Practices Act, though Security Group would not normally be subject to the FDCPA because it appears it was collecting its own debts. In the past, NCUA has recommended that credit unions avoid the practices prohibited under the FDCPA, including engaging in harassment or abuse, making false or misleading representations or engaging in unfair practices, even where the law does not apply to the credit union. See, Consumer Compliance Manual, p. 98.

Within 90 days, Security Group is required to engage with an independent consultant regarding information furnishing to establish, implement and maintain reasonable written policies and procedures to ensure the accuracy and integrity of the information it reports. Within 30 days, it must establish an audit program for identifying inaccurate reporting, and it must fully implement that program within 90 days. Also within 90 days, Security Group must complete a review of its reporting since July 21, 2011, and correct any inaccurate or incomplete information, provide consumers with access to a credit report to review, and provide notifications to consumers regarding the inaccurate reporting and the Consent Order.

About the Author

Elizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US, Senior Regulatory Counsel, NAFCU

Elizabeth M. Young LaBerge, NCCO, NCRM, CIPP/US, joined NAFCU as regulatory compliance counsel in July 2015 and was named Senior Regulatory Compliance Counsel in July 2016.
