Compliance Blog

On April 29, 2021, Vivint Smart Homes, Inc. (Vivint), a home security and monitoring company, entered into an agreement with the Federal Trade Commission (FTC) regarding alleged violations of the Fair Credit Reporting Act (FCRA), including the Red Flags Rule. Under this agreement, Vivint will pay a $15 million civil penalty and $5 million in compensation to consumers. According to the FTC press release, this is the largest monetary judgement to date for an FTC FCRA case. So, what did Vivint allegedly do that ran afoul of the FCRA?

According to the complaint filed by the Department of Justice on behalf of the FTC, Vivint’s smart home security systems cost over $1,000, so many consumers will finance the cost. Some of this financing is through a third-party bank, but a significant portion are also financed by Vivint using retail installment contracts where the seller of goods also finances the purchase. Consumers had to meet a minimum credit score to qualify for the financing, and Vivint often used seasonal sales representatives paid solely on commission to sell the systems. The sales representatives would use a tablet to conduct the transactions including checking credit histories of potential buyers.

If a consumer did not meet minimal requirements, some sales representatives used a method described as “white paging” to get applications approved. Section 604 of the FCRA requires a “permissible purpose” to access a consumer report – such as a transaction initiated by a consumer. If a consumer did not independently satisfy the credit requirement, the sales representative would use the white pages to identify someone who had the same or similar name to the consumer but was not related to them. The Vivint representative would then enter this unrelated person’s address as a “previous address” in their application and re-run the credit check. This would pull the credit score of the similarly named person. This essentially duped the software into approving someone by accessing credit history of the unrelated individual without a permissible purpose, and Vivint would extend credit to this unqualified customer.

Vivint representatives had other methods to work around a consumer not qualifying based on their individual credit history. Representatives also allegedly would ask consumers if they knew someone who could help them qualify, like a relative. These individuals would also be added to an application either through a process like the “white paging” to get the person’s credit history included, or by adding that person as a cosigner.

Regardless of the process used, when some of these consumers defaulted on loans, these innocent third parties’ information was given to Vivint’s debt buyers who attempted to collect the amount due from the people added to these applications. Some of those whose consumer reports were used without their knowledge complained to the FTC or the Better Business Bureau that a debt collector was seeking money owed to Vivint when the consumers had never done business with Vivint.  The FTC alleged was an unfair practice under Section 5 of the FTC Act.

Vivint was allegedly aware of these kinds of practices going back as far as 2016, and some of the sales representatives who committed these violations were fired in 2017. But some, particularly from a successful sales team with millions in sales, were then rehired later, first to work for an affiliate of Vivint then later once again directly employed by Vivint. During this time, according to the FTC sales representatives continued to evade mechanisms in place to prevent misuse of credit reports.

In addition to these alleged violations, according to the complaint there were also violations of the FCRA’s Red Flags Rule. This provision, in part, requires many businesses to have a written identity theft prevention program and take steps to detect signs of identity theft, take preventative steps and mitigate damage from identity theft.  More basics of this rule’s requirements can be found in this FTC summary and NCUA’s AIRES questionnaire on the rule. Vivint also did not implement an identity theft protection program until January 2020, and the FTC asserted its efforts to address identity theft were “inadequate.”

In addition to paying monetary penalties, Vivint also agreed to take several remedial actions:

• Implement an employee monitoring and training program;
• Implement an identity theft prevention program;
• Establish a customer service task force to verify that accounts belong to the correct customer before referring an account to a debt collector;
• Assist consumers who were improperly referred to debt collectors; and
• Obtain an assessment twice a year by an independent third party to ensure compliance with the FCRA.

The alleged facts here can show how incentives can impact employee behavior and what can occur if sales priorities are placed above regulatory obligations. The FCRA covers a lot of ground, with some implementing regulations but other provisions in statute only. Consumer reporting was the subject of many consumer complaints filed with the CFPB during the pandemic, and the bureau plans to issue a report later this year focusing on issues with the national consumer reporting agencies (CRAs). More NAFCU resources on the FCRA can be found here including member-only articles on issues like furnishing information to CRAs.