CFPB Cracks Down on FCRA Violations
Last month, the CFPB fined JPMorgan Chase (JPMorgan) $4.6 million for various alleged violations of the FCRA. According to the consent order, the CFPB found that JPMorgan failed to have reasonable policies and procedures in place to ensure it provided accurate information to consumer reporting agencies, failed to inform consumers of the results of dispute investigations and failed to identify the consumer reporting agency on adverse action notices.
Policies and Procedures. The FCRA does not require financial institutions to provide information to consumer reporting agencies. However, if a financial institution elects to do so, the FCRA requires it to provide accurate information. Regulation V requires these financial institutions to have reasonable policies and procedures in place to ensure that information provided to consumer reporting agencies is accurate. The procedures should be designed based on the institution's complexity and scope of activities and updated periodically. The rule also requires institutions to consider the interagency guidelines in developing their policies.
While JP Morgan had policies in place, the CFPB found that these policies were insufficient to ensure it provided accurate information to consumer reporting agencies. The policies did not contain procedures for providing information to consumer reporting agencies and did not address quality assurance, systems testing or training. The policies were also not materially altered or revised anytime between 2005 and 2014. In addition to these specific deficiencies, the CFPB determined that the policies were not appropriate given the size and complexity of JPMorgan's operations. The consent order requires JPMorgan to implement and maintain reasonable policies and procedures that fully comply with the FCRA's requirements and adequately incorporate Regulation V's guidance.
The policies at issue related to the information JPMorgan provided to consumer reporting agencies about its deposit accounts. While the consent order does not attempt to determine whether JPMorgan was providing information to a party it believed was not a consumer reporting agency under the FCRA, it may be helpful to pause for a moment and review exactly who is a consumer reporting agency. The FCRA defines "consumer reporting agency" rather broadly:
"(f) The term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports."
While this certainly covers the big three credit reporting agencies – Transunion, Equifax and Experian – it is important to keep in mind that this also covers a variety of other agencies that may be collecting information other than credit information. Consumer reporting agencies also include "specialty" agencies that collection information regarding medical records or payments, residential history, check writing history, employment history and insurance claims. When reviewing or drafting your policies and procedures on providing information to consumer reporting agencies, remember they may need to cover more than just credit information.
Dispute Investigations. Both the FCRA and Regulation V have specific procedures financial institutions must follow when they receive a direct dispute from consumers regarding the accuracy of information contained in a consumer report. The rules require institutions to conduct a reasonable investigation within 30 days of receiving the dispute, inform the consumer of the results of the investigation and provide each consumer reporting agency with corrected information, if necessary. The CFPB determined that JPMorgan had received thousands of direct disputes between 2010 and 2014 and that JPMorgan failed to provide any notice to these consumers regarding the results of the investigation. Going forward, the consent order requires JPMorgan to inform consumers about the results of all dispute investigations.
Adverse Action Notices. If a financial institution bases any adverse action on information obtained in a credit report, the FCRA requires the institution to provide an adverse action notice. The notice must include the adverse action taken; the credit score disclosure; the name, address and telephone number of the consumer reporting agency that provided the consumer report; a statement that the consumer reporting agency did not make the adverse action decision and inform the consumer of his or her right to obtain a copy of the consumer report. The CFPB found that JPMorgan failed to include the name, address and telephone number of the consumer reporting agency on approximately 17,500 adverse action notices. The notices were later corrected, however, the consent order requires JPMorgan to provide this information on all future adverse action notices.