Archives for January 2024

In a change of course, the Utah court of appeals has reversed the dismissal of a plaintiffs’ suit against a debt collector based on its alleged failure to register as a collection agency prior to filing collection suits. While the Utah Collection Agency Act (UCAA) was repealed by the Utah legislature last year, discussed here, cases asserting this theory of liability remain pending before state and federal courts in the state. Late last year, in Meneses v. Salander Enterprises LLC, discussed here, the court of appeals held that a violation of the UCAA was not a deceptive or unconscionable act. The court distinguished this case from Meneses by finding that the defendant made affirmative representations in the lawsuits at issue that precluded dismissal at this stage.

In Pace v. Link Debt Recovery, LLC (Link), Link initiated two separate debt collection lawsuits in 2020. In the complaints, Link asserted it was “operating pursuant to the laws of the state of Utah.” Link prevailed on both collection suits, but the debtors later filed the instant case alleging that Link was not properly registered and bonded as a debt collector and thus its collection activity was unlawful under the Fair Debt Collection Practices Act (FDCPA) and Utah Consumer Sales Practices Act (UCSPA). Link filed a motion to dismiss asserting that it was properly registered under the UCAA in 2020 and, even if it was not, its collection activities did not violate the statutes. The district court granted the motion to dismiss and the plaintiffs appealed.

As to its first argument, Link acknowledged that it was not separately registered and bonded as a debt collector, but in 2019 it had changed its corporate status from an “LLC” to a “dba,” and that the entity under which the “dba” did business was properly registered and bonded. However, the plaintiffs pointed out that in 2020 Link changed its corporate status back to an LLC so at the time it filed both collection lawsuits, Link was an independent LLC that was not registered and bonded as a debt collector. However, Link countered that in 2021, notably just weeks after the filing of the plaintiffs’ suit, it filed a Statement of Correction with the state indicating that the 2020 document converting Link back to an LLC had been “filed in error.” Link asserted that this correction operated to retroactively void the earlier-filed conversion document, and that Link had therefore been a dba of a registered entity at all relevant times. The district court concluded, that based on the correction, Link was a dba at the time it filed the suits at issue and therefore Link was properly registered and bonded as required by the UCAA. The court of appeals reversed finding that from the timing of the filings and the fact there did not appear to be any facial inaccuracy in the “corrected” document, there was a question of fact as to whether Link filed the correction not to remedy an inaccuracy but, instead, to sidestep any potential liability in this lawsuit.

Next, the appellate court turned to whether Link’s representation that it was “a duly organized and existing business operating pursuant to the laws of the State of Utah” sufficiently stated a claim under the FDCPA and UCSPA. The court acknowledged in Meneses, it held that the plaintiffs had not sufficiently alleged a violation when the debt collector’s only asserted unlawful act was “its failure to comply with the UCAA’s registration requirement,” but in that same case the court suggested that the plaintiffs might have stated a valid cause of action if the debt collector had “represent[ed] that it was a debt collector operating in full compliance with the laws of Utah.” Based on that, the court found it was premature to dismiss the case at this stage. “Link’s statement might well have been entirely benign, intended to communicate simply that it was a Utah business entity created pursuant to the laws of that jurisdiction. But the [plaintiffs’] contrary interpretation of that statement is not unreasonable, especially given our instruction in Meneses that similar representations might be actionable … and given the reality that all reasonable inferences must be drawn in the [plaintiffs’] favor at this point.” However, the court did caution that in order to succeed on the merits the plaintiffs will bear the burden of demonstrating that, when Link alleged that it was “a duly organized and existing business operating pursuant to the laws of the State of Utah,” it was intentionally or knowingly misrepresenting that it was in compliance with the UCAA.

On January 2, New York Governor Kathy Hochul unveiled her 2024 consumer protection agenda, which includes plans to regulate the “buy now, pay later” (BNPL) industry. Specifically, Governor Hochul plans to propose legislation to require BNPL providers to be licensed in the state and to authorize the New York State Department of Financial Services to propose and issue regulations for the industry. According to Governor Hochul, “New Yorkers are increasingly turning to [BNPL] loans as a low-cost alternative to traditional credit products to pay for everyday and big-ticket purchases. This legislation and regulations will establish strong industry protections around disclosure requirements, dispute resolution and credit reporting standards, late fee limits, consumer data privacy, and guidelines to curtail dark patterns and debt accumulation and overextension.”

BNPL loans, also known as “point-of-sale installment loans” or “pay-in-4” loans, have seen a rapid increase in recent years. In a typical BNPL transaction, the lender pays the merchant for the good or service and takes on the responsibility of collecting payments from the borrower. To compensate for the credit risk, merchants pay a “merchant discount” to the lender. The lender then collects the full purchase price through installment payments from the borrower. If the borrower does not pay on time, the lender may, at times, charge late fees and refuse to make additional BNPL loans to the borrower until the borrower brings the account current.

While BNPL loans can provide consumers with a convenient and relatively low-cost financing alternative, Governor Hochul is not alone in suggesting that these loans can also carry potential risks for both banks and consumers. As discussed here, just last month, the Office of the Comptroller of the Currency (OCC) issued guidance advising banks engaged in BNPL lending to operate within a risk management system that is commensurate with the associated risks and designed to capture the unique characteristics of BNPL loans. Specifically, the OCC advised that banks should establish policies and procedures for BNPL lending that address loan terms, underwriting criteria, methodologies to assess repayment capacity, fees, charge-offs, and credit loss allowance considerations.

On December 5, the U.S. District Court of New Jersey dismissed an FDCPA suit brought against a debt collector. According to the opinion, plaintiff originally filed suit because they received a letter from defendant regarding an outstanding cell phone bill. The letter provided instructions on what to do if the recipient suspected identity theft. Additionally, the letter contained a summary of plaintiff’s account and a QR code that linked to defendant’s website for online payment. Plaintiff contended that the dual approach of offering assistance while simultaneously pursuing collection of a debt was false and misleading. A District Court judge, however, disagreed and dismissed the case, at which point the plaintiff filed an amended complaint.

The amended complaint alleges that the debt collector breached the FDCPA by using false, deceptive or misleading representations regarding the rights of the plaintiff and the obligations of the debt collector with respect to communications concerning identity theft. Specifically, plaintiff argued defendant was in violation of § 1681m(g) of the FDCPA, which obligates a debt collector to take certain steps upon being notified of identity theft, but the court disagreed, finding that the collector’s specific steps taken were in accordance with the Act.

The court emphasized that plaintiff did not introduce any new factual claims in the amended complaint, and merely clarified how the facts already outlined in the initial complaint breached the FDCPA. The judge ruled that the letter not only allows plaintiff to inform defendant about potential identity theft, but also may serve to bring potential identity theft to plaintiff’s attention. The ruling stated that there is no obligation to extensively explain recommended procedures in the case of an identity theft occurrence, and only an “idiosyncratic reading” of the letter would lead to the conclusion that the letter misrepresents defendant’s obligations.

On December 12, the U.S. Court of Appeals for the Third Circuit affirmed a U.S. District Court’s order denying a consumer’s motion for reconsideration of the grant of summary judgment against the consumer. After the consumer successfully defended herself in a debt collection action in municipal court, she sued the debt collection agency that had brought suit against her in federal court alleging that the agency violated the FDCPA by utilizing false or deceptive means in collecting debts that she did not owe in violation of 15 U.S.C. § 1692e and unfair or unconscionable means in the collection of any debt in violation of 15 U.S.C. § 1692f.  

The district court granted judgment to the debt collection company and denied the individual’s motion for reconsideration. The appellate court found that the consumer failed to produce evidence that proved the debt collection agency made any false or deceptive representations or acted unfairly or unconscionably in bringing the debt collection action against the consumer. Although the agency failed to meet its burden of proof in the municipal action, the court noted that “losing a debt collection lawsuit does not in itself mean a defendant violated the FDCPA.” 

NEW YORK, NY — Skit.ai, the leading provider of conversational Voice AI solutions,
announced today that one of its clients, Southwest Recovery Services, has
achieved a remarkable 10X return on its investment in Skit.ai’s Voice AI
technology for automated collections. 

Southwest Recovery,
a Texas-based financial services company with over two decades of experience in
accounts receivable management, adopted Skit.ai’s Voice AI solution in late
2023 to automate a portion of its inbound debt collection calls. The company strategically
turned to Skit.ai to address its inability to handle all inbound traffic and
answer calls outside business hours. 

The decision to
leverage Skit.ai’s innovative technology proved to be a game-changer for the
company. Within a few weeks after going live with the solution, Southwest
Recovery reported a 10X ROI, a 50% right-party contact (RPC) rate, and a 10%
promise-to-pay (PTP) rate. The outcomes have enabled the company to offer 24/7
assistance to its consumers and boost the agents’ productivity.

The Voice AI
solution successfully responded to consumers’ inquiries and promptly
transferred calls to the company’s live agents whenever the consumers requested
it. 

“The results we’ve
achieved so far with Skit.ai’s Voice AI solution have been exceptional,” said Steven Dietz, CEO at Southwest Recovery
Services. “Skit.ai, perhaps one of the best Voice AI providers in the
market, enabled us to automate both inbound and outbound collection calls. So
far, we’ve automated over 400,000 outbound collection calls and achieved a 10X
ROI on the inbound calls. We are collecting faster and more cost-effectively.
We look forward to scaling our consumer interactions further with Skit.ai.” 

Designed
specifically for the collections industry, Skit.ai’s conversational Voice AI
solution accelerates and streamlines debt recovery through end-to-end
automation of both inbound and outbound consumer calls. The solution, powered
by Generative AI, features on-call payment processing and negotiation
capabilities; additionally, thanks to its 24/7 availability and its ability to
handle complex conversations, it delivers a positive consumer experience (CX). 

Sourabh Gupta, founder and CEO of Skit.ai, said: “The impressive 10X ROI we’ve witnessed with Southwest Recovery
underscores the capabilities of our technology. We anticipate even more success
as we continue to grow and expand our product offerings in the coming months.”

Dozens of companies
across the U.S., both large and small, have deployed Skit.ai’s Voice AI
solution to enhance and automate their debt recovery strategy.

Schedule a meeting
to learn more about how Skit.ai can help you accelerate revenue recovery with
higher efficiency and at an infinite scale.

About Southwest
Recovery Services: 

Southwest Recovery Services, LLC is a nationally
recognized leader in financial business process outsourcing (BPO) headquartered
in Dallas, Texas with additional locations throughout Texas as well as Georgia,
Missouri, Florida, Oklahoma, and Ohio. Southwest Recovery
Services has spent 20 years building its expertise across nearly every industry
and business sector. Southwest
Recovery Services is nationally recognized as an ethical, professional, and
diplomatic service provider in receivables management.

About Skit.ai:

Skit.ai is the
accounts and receivables industry’s leading conversational Voice AI company,
enabling collection agencies to streamline and accelerate revenue recovery.
Skit.ai’s compliant, configurable, and easy-to-deploy solution enables
enterprises to automate nearly one million weekly consumer conversations.
Skit.ai has been awarded several awards and recognitions, including Stevie Gold
Winner 2023 for Most Innovative Company by The International Business Awards,
Disruptive Technology of the Year 2022 by CCW, and Gold Globee CEO Awards 2022.
Skit.ai is headquartered in New York City, NY. Visit https://skit.ai/

This New Year is setting up to be a momentous one for the consumer financial services industry in the United States Supreme Court. In 2024, the Supreme Court is expected to decide four impactful cases that may hold that the CFPB’s funding is unconstitutional, eliminate giving deference to CFPB, FTC and federal banking agency regulations, severely narrow National Bank Act (NBA) preemption of state laws, and limit the time during which a plaintiff may sue an agency to facially challenge an agency rule. We cannot recall a prior year in which the Supreme Court considered so many cases which impacted the consumer financial services industry.

Constitutionality of CFPB Funding: 

There is hardly a soul who isn’t aware of CFSA v. CFPB, the existential challenge to the CFPB arising from the manner in which the CFPB is funded exclusively by the Federal Reserve System and not through Congressional appropriations. The case has been fully briefed and argued and a decision will be forthcoming between now and the end of June. See some of our prior blog posts here and here.

Our Consumer Finance Monitor Podcast has devoted three episodes to this case. In May 2023, we released a podcast episode, “CFSA v. CFPB moves to U.S. Supreme Court: a closer look at the constitutional challenge to the Consumer Financial Protection Bureau’s funding,” in which our special guest was GianCarlo Canaparo, Senior Legal Fellow in the Heritage Foundation’s Edwin Meese III Center for Legal and Judicial Studies. In January 2023, we released a two-part episode, “How the U.S. Supreme Court will decide the threat to the CFPB’s funding and structure,” in which our special guest was Adam J. White, a renowned expert on separation of powers and the Appropriations Clause. To listen to the episode, click here for Part I and click here for Part II.

After the oral argument, we also presented a webinar roundtable in which we featured six lawyers who filed amicus briefs supporting a variety of positions. To listen to the podcast episode (which was repurposed from the webinar): “The U.S. Supreme Court’s Decision in Community Financial Services Association of America Ltd. v. Consumer Financial Protection Bureau: Who Will Win and What Does It Mean?,” click here for Part I and click here for Part II.

Chevron Judicial Deference: 

The next two cases (Loper Bright Enterprises, et al. v. Raimondo and Relentless, Inc. v U.S. Department of Commerce) will likely determine whether the Supreme Court will overturn its 1984 opinion in Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc., which created a framework for courts to use when deciding whether to uphold the validity of federal agency regulations (“Chevron Deference”). 

Under Chevron Deference, a court will typically use a two-step analysis to determine if the court must defer to an agency’s interpretation. In step one, the court looks at whether the statute directly addresses the precise question before the court. If the statute is silent or ambiguous, the court will proceed to step two and determine whether the agency’s interpretation is reasonable. If it determines the interpretation is reasonable, the court must defer to the agency’s interpretation. 

If Chevron Deference is rejected by the Supreme Court, regulated entities may no longer be able to rely on regulations to ensure compliance with federal law. Even worse, regulated entities may no longer be able to rely on regulations that have been previously validated by courts exclusively based on Chevron Deference. Will the Supreme Court 1996 opinion in Smiley v. Citibank, N.A. still be binding precedent? In that opinion, the Supreme Court relied exclusively on an OCC regulation defining “interest” under Section 85 of the NBA to include late fees on credit cards. That decision held that a national bank could charge late fees allowed by the bank’s home state to cardholders throughout the country and ignore limitations on late fees in the laws of the states where the cardholders reside. These two Chevron Deference cases will be argued on January 17, 2023. As we previously stated, we expect the Supreme Court to overrule the Chevron decision.

National Bank Act Preemption: 

The next extremely important case is one which will determine whether the OCC’s regulations promulgated in 2011 after the enactment of Dodd-Frank too broadly purport to preempt state consumer protection laws. In Cantero v Bank of America, the Supreme Court will decide whether the NBA preempts New York state law requiring the payment of interest on mortgage escrow accounts. 

The Department of Justice just filed an amicus brief arguing that the OCC’s 2011 regulations contradict the amendments to the NBA made by Dodd-Frank. If the Supreme Court agrees with DOJ’s opinion, many national banks, particularly those engaged in interstate lending or deposit-taking, will need to take a fresh look at whether they need to comply with a whole array of state consumer protection laws. In December, we released a podcast episode, “What recent developments in federal preemption for national and state banks mean for bank and nonbank consumer financial services providers,” discussing the implications of the Supreme Court’s review of NBA preemption (other than Section 85 of the NBA which deals with interest which national banks may charge). The case is in the process of being briefed.

Timing for Facial Challenge to Regulations: 

Lastly, in Corner Post, Inc. v Board of Governors of the Federal Reserve System, the Supreme Court agreed to decide when a right of action first accrues for an Administrative Procedure Act (APA) Section 702 challenge to a final rule issued by a federal agency—when the final rule is issued or when the rule first causes injury. This case involves a merchant who sued the Federal Reserve Board seeking to invalidate its Regulation II dealing with capping debit card interchange fees. The district court and Eighth Circuit ruled that the six-year statute of limitations for bringing facial APA claims (28 U.S.C. § 2401(a)) begins to run when a final rule is issued, which meant that the limitations period had run before the merchant had opened his doors for business. 

In its brief, the Petitioner argues that if the statute of limitations for bringing a facial challenge under the APA can expire before a plaintiff is injured by final agency action, a plaintiff seeking to challenge a regulation beyond the six-year period would be forced to intentionally violate a regulation to induce an enforcement proceeding to manufacture an “as applied” challenge. The Federal Reserve argues in its brief that the tolling provision in 28 U.S.C. § 2401(a) would be unnecessary if the statute of limitations did not begin to run until a final rule first caused injury. Twelve amicus briefs have been filed in the case, including a brief supporting the Petitioner filed by the West Virginia Attorney General and 17 other states. Oral argument has not yet been scheduled.

The upward trend in data privacy legislation continued in 2023. According to the National Conference of State Legislatures, “[a]t least 40 states and Puerto Rico introduced or considered at least 350 consumer privacy bills in 2023,” a significant increase from the 200 bills in 2022.  Many of these bills were limited in scope, relating to, for example, biometric, genetic and geolocation data, data brokers, and internet service providers.

State Comprehensive Consumer Data Privacy Laws 

Narrowing the focus to legislation that conveys certain rights to consumers and restricts the use of personal information, more than 60 bills were considered in almost 30 states. A comparison chart of those bills can be accessed here.

In 2023, seven states joined California, Virginia, Colorado, Utah, and Connecticut in passing comprehensive data privacy legislation.

• Iowa SF 262 was enacted March 28 and goes into effect Jan. 1, 2025.
• Indiana SB 5 was enacted May 1 and goes into effect Jan. 1, 2026.
• Tennessee HB 1181 was enacted May 11 and goes into effect July 1, 2024.
• Montana SB 384 was enacted May 19 and goes into effect Oct. 1, 2024.
• Texas HB 4 was enacted June 18 and goes into effect July 1, 2024.
• Oregon SB 619 was enacted July 18 and goes into effect July 1, 2024.
• Delaware HB 154 was enacted Sept. 11 and goes into effect Jan. 1, 2025.

Although there are differences worth attention, these laws are very similar to those enacted after the California Consumer Protection Act, and most include:

• Right to access
• Right to correct (except Iowa)
• Right to delete
• Right to obtain
• Right to opt-out of certain processing
• Data and entity-level Gramm-Leach-Bliley Act exemptions (Oregon is data-level only but includes an entity-level exemption for financial institutions as defined in Rev. Stat. Ann. § 706.008)
• Requirements for contracts between controllers and processors
• Risk assessments for processing certain data (except Iowa)
• No private right of action

A chart comparing the comprehensive data privacy laws can be accessed here. 

State Data Breach Notification Laws 

Utah SB 127 was enacted March 23 and went into effect May 3. Amendments include:

• Creation of the Utah Cyber Center tasked with, among other things, developing a cybersecurity plan for government agencies, identifying, assessing, and mitigating cyber threats, and promoting cybersecurity best practices;

• Requiring notification to the attorney general and the Utah Cyber Center.

Texas SB 768 was enacted May 27 and went into effect Sept. 1. Amendments include:

Shortening the time to notify the attorney general from 60 days to 30;

Requiring notification be submitted electronically using a form provided on the attorney general’s website.

Nevada SB 355 was enacted June 15 and went into effect Oct. 1. The law amends Nevada’s data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) by exempting installment loan companies and making them subject to different data breach notification provisions, including:

• Determination whether notice is required is based in part on an analysis of the risk of harm to affected residents;
• The notice deadline is 30 days, as opposed to “in the most expedient time possible and without unreasonable delay”;
• Breach notification by email is prohibited if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
• The law specifies information that must be included in a breach notification;
• Notice must be made to the attorney general if there are more than 500 affected residents;
• There is no safe harbor for data controllers subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act;
• Notice must be provided to consumer reporting agencies if the breach affects more than 1,000 persons.

Connecticut SB 1058 was enacted June 26 and went into effect Oct. 1. Amendments include:

• Adding “precise geolocation data” to the definition of “personal information”;
• Depositing civil penalties into a “privacy protection guaranty and enforcement account”;
• Designating a violation as an unfair trade practice under Conn. Gen. Stat. § 42-110b.

Rhode Island SB 5684 was enacted June 27 and went into effect upon passage. Amendments include:

• Adding definitions for “classified data” and “cybersecurity incident”;
• Shortening the notification period to individuals from 45 days to 15;
• Requiring notification to the state police within 24 hours;
• Specifying what must be included in a notification.

State Regulation

California

In March, the California Privacy Protection Agency received approval of its first substantive rulemaking implementing the California Consumer Protection Act as amended by the California Privacy Rights Act.  The regulations became effective March 29, but enforcement of some provisions has been delayed until March 29, 2024.  The regulations include:

• Methods for allowing consumers to exercise the right to correct personal information;
• Required terms that must be included in contracts between businesses and the service providers and third parties with whom personal information is shared or disclosed;
• Modified notice requirements;
• Additional guidance on what constitutes a “dark pattern”;
• Expectations regarding opt-out preference signals.

New York

In November, amendments to New York’s cybersecurity regulations were adopted by the Department of Financial Services with staggered implementation dates for covered entities, small businesses, and Class A companies.  The amendments include:

• Creation of a category for “Class A companies” based on revenue in New York, and number of employees or global revenue;
• Heightened security measures for Class A companies;
• Annual penetration testing by a qualified internal or external party;
• Automated or manual scans of information systems;
• Risk assessments reviewed and updated annually, or as necessary;
• Multi-factor authentication for any individual accessing any information system;
• Notification to the Superintendent of any cybersecurity incident within 72 hours;
• Annual certification of compliance, or acknowledgment of noncompliance;
• Notice and explanation of extortion payments made in connection with a cybersecurity incident.

Federal Regulation 

Safeguards Rule

In September, the Federal Trade Commission announced its approval of an amendment to the Gramm-Leach-Bliley Act Safeguards Rule requiring nonbank financial institutions to report to the FTC the unauthorized acquisition of unencrypted customer information involving at least 500 consumers (a “notification event”). The amendment, which becomes effective May 13, 2024, also provides:

Notification must be made as soon as possible, and no later than 30 days after discovery of the event;

Notice must be provided through an online form that will be available on the FTC’s website;

The notice must include:

• the name and contact information of the reporting financial institution;
• a description of the types of information that were involved in the notification event;
• if the information is possible to determine, the date or date range of the notification event;
• the number of consumers affected or potentially affected by the notification event;
• a general description of the notification event; and
• whether any law enforcement official provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.

Conclusion 

2024 will undoubtedly be a remarkable year with respect to data privacy and security legislation and regulation and we expect an increased focus on issues related to the use of artificial intelligence. For more information and insight from Maurice Wutscher on data privacy and security laws and how to stay compliant click here.

CHESAPEAKE, Va. — Spring Oaks Capital, LLC is excited to announce the hiring of Michael Meyer as Chief Technology Officer. Michael will lead the firm’s efforts in data science, data engineering, product development, and information security and infrastructure, reporting directly to President & CEO Tim Stapleford.

Michael has spent the past 24 years at MRS BPO, LLC, most recently as Chief Technology Officer and Chief Security Officer. Other roles at MRS have included Chief Risk Officer and Chief Innovation Officer. Michael has dedicated his career to innovating and implementing technology-driven change in the ARM industry, with an unwavering commitment to enhancing the customer experience. At Spring Oaks Capital, the CTO role is critical to execute the Company’s strategic plans to build enterprise value for all stakeholders.

Spring Oaks Capital’s President and CEO, Tim Stapleford, stated, “We are thrilled to bring a person of Michael’s talent and reputation onto our world-class team. He is precisely the experienced leader the company needs as CTO going forward. Spring Oaks Capital was founded to be the first true fintech debt recovery company, and Michael will be a critical partner as we continue to grow the Company and tech platform.”

[article_ad]

Michael added, “I am thrilled to be joining Spring Oaks Capital and am inspired by the company’s focus on developing a technology-focused and data-driven approach to debt recovery that enhances the experience for both customers and employees. I look forward to working with the highly experienced management team at Spring Oaks Capital and contributing to its increasing success.”

About Spring Oaks Capital, LLC

Spring Oaks Capital is a national financial technology company, focused on the acquisition of credit portfolios. The Company subscribes to an employee and consumer-centric operating philosophy that creates high-value jobs, a significant performance lift, and the highest standards of compliance. Spring Oaks’ business strategy is rooted in innovative data-driven technology to maximize collection results and a contact platform that offers multi-channel options to meet each consumer’s communication preference. Spring Oaks has the management vision and experience to nurture a culture and DNA that is unique in the space. To learn more about Spring Oaks, please visit www.springoakscapital.com.

On December 15, 2023, the Consumer Financial Protection Bureau (CFPB) entered into a consent order alleging that a furnisher/debt collector failed to properly investigate disputes, failed to complete investigations within the requisite 30 days and that the furnisher deleted too many credit bureau tradelines in response to indirect disputes. The industry should collectively take note of the details in the consent order as it provides valuable insight into the policies and procedures the CFPB expects to see.

In this December 2023 Consent Order, the CFPB wrote:

1. “Respondent failed to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information it furnished to Consumer Reporting Agencies (CRAs) and failed to consider and incorporate the guidelines of Appendix E of Regulation V in developing such written policies and procedures, in violation of Sections 1022.42(a) and (b) of Regulation V, 12 C.F.R. § 1022.42(a) and (b) (Emphasis added).”

2. “Respondent has also not established and implemented written policies and procedures containing internal controls regarding the accuracy and integrity of information about consumers furnished to CRAs. Respondent does not, for example, verify random samples of information provided to CRAs.” (Emphasis added).

3. “Respondent has not established and implemented any written policies and procedures requiring it to review its records to identify dispute handling practices that could compromise the accuracy or integrity of information furnished to CRAs, such as a requirement to audit its dispute handling processes and practices.” (Emphasis added).  

4. Respondent has also failed to establish and implement any written policies and procedures requiring it to review records reflecting historic dispute trends, which would have been critical to its ability to identify, for instance, recurring disputes with the same root cause or clients with particularly high dispute rates. (Emphasis added).

Please note the very first item that the CFPB addresses in this Consent Order (on page 1) is the failure of the debt collector furnisher to consider and implement the CFPB’s guidance promulgated in Appendix E to 12 CFR Part 1022 (“Appendix E”).  Further, this entire consent order is built around the requirements of Appendix E similar to the June 8, 2023 CFPB Consent Order involving a different furnisher/debt collector:

The December 2023 consent order makes clear that a furnisher will be potentially subject to bans and fines from the CFPB if the furnisher does not maintain policies and procedures that:

1. Consider the requirements of Appendix E (discussed in detail below).

2. Verify random samples of data furnished to the credit reporting agencies.

3. Audit dispute processes and practices.

4. Review historic dispute trends.  

The Proven Strategy to Avoid CFPB Fines/FCRA Liability: Appendix E Must be the Cornerstone of Every Credit Reporting Policy.

Appendix E, issued by the CFPB, identifies the nature and scope of a furnisher’s credit reporting policies and provides specific objectives for the policy. It identifies three considerations for the implementation of the credit reporting policy and itemizes 13 specific components that should be included in the policies and procedures.

For instance, Appendix E recommends the following specific items listed below must be addressed in any furnisher credit reporting policy:

II. Specific Components of Policies and Procedures

In developing its policies and procedures, a furnisher should address the following, as appropriate:

1. Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that is appropriate to the nature, size, complexity, and scope of the furnisher’s business operations.

2. Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about consumers to consumer reporting agencies.

3. Maintaining records for a reasonable period of time, not less than any applicable recordkeeping requirement, in order to substantiate the accuracy of any information about consumers it furnishes that is subject to a direct dispute.

4. Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting agencies, such as by implementing standard procedures and verifying random samples of information provided to consumer reporting agencies.

5. Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the policies and procedures.

6. Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.

7. Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or sales, or other acquisitions or transfers of accounts or other obligations in a manner that prevents re-aging of information, duplicative reporting, or other problems that may similarly affect the accuracy or integrity of the information furnished.

8. Deleting, updating, and correcting information in the furnisher’s records, as appropriate, to avoid furnishing inaccurate information.

9. Conducting reasonable investigations of disputes.

10. Designing technological and other means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of information with the wrong consumer(s), and other occurrences that may compromise the accuracy or integrity of information provided to consumer reporting agencies.

11. Providing consumer reporting agencies with sufficient identifying information in the furnisher’s possession about each consumer about whom information is furnished to enable the consumer reporting agency properly to identify the consumer.

12. Conducting a periodic evaluation of its own practices, consumer reporting agency practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of information furnished to consumer reporting agencies.

13. Complying with applicable requirements under the FCRA and its implementing regulations.

Use Appendix E to Create Your Company’s Credit Reporting Policy

The CFPB has published its specific requirements for furnishers to include in their credit reporting policies and procedures in Appendix E. Further, the CFPB cites to the failure of two furnishers to even consider Appendix E in their credit reporting policies in two recent consent Orders. Thus, to avoid liability with the CFPB, every credit reporting policy and procedure should include all of the requirements set forth in Appendix E.  Every furnisher should review its credit reporting policies and procedures with qualified counsel to ensure compliance with the law.  

Appendix E can be found here

————

* This article is provided only as a general discussion of legal principles and ideas. Every situation is unique and must be reviewed by a licensed attorney to determine the appropriate application of the law to any particular fact scenario. If you have a legal question, consult with an attorney. The reader of this publication will not rely upon anything herein as legal advice and will not substitute anything contained herein for obtaining legal advice from an attorney. No attorney-client relationship is formed by the publication or reading of this document. Rossman Attorney Group, PLLC assumes no liability for typographical or other errors contained herein or for changes in the law affecting anything discussed herein.

**This article was inspired by a spirited
exchange I had with my colleague John Bedard of the Bedard Law Group.  John has wisely urged furnishers to comply
with Appendix E since its issuance.  

ROCHESTER, N.Y. — Continental Service Group, LLC d/b/a ConServe, takes great pride in supporting its community, especially during the holiday season. We aim to bring joy to children and families who may be facing difficult challenges during this time. Through our ongoing philanthropy program, we provide support and funding to various agencies that strive to make a positive impact on people’s lives. 

In the month of December, the ConServe team along with the organization’s corporate “Matching Gift Program,” donated to Hillside’s Special Santa program. George Huyler, ConServe’s Vice President of Human Resources said, “The company is pleased to be a part of the Hillside Special Santa program which makes a meaningful difference in our local community. ConServe’s mission statement proclaims an unwavering commitment to improving the human condition. The company’s team of skilled professionals takes great pride in giving back to the community, exemplifying the true meaning of this pledge.”

Maria Cristalli, Hillside President & CEO said, “Hillside is very grateful to be chosen as the December recipient of the ConServe Cares program. Community support for Hillside’s annual Special Santa program helps to provide children and families in our care with gifts to help brighten their holiday season. Thank you to ConServe for their thoughtful donation.”

About ConServe

ConServe is a top-performing accounts receivable management service provider specializing in customized recovery solutions for their Clients. Anchored in ethics and compliance, and steadfast in their pursuit of excellence, they are a consumer-centric organization that operates as an extension of their Clients’ valued brands. For over 38 years, they have partnered with their Clients to provide unmatched customer service while simultaneously helping them achieve their accounts receivable management goals. Visit them online: www.conserve-arm.com 

About Hilliside’s Secret Santa Program

Hillside’s annual Special Santa program goes above and beyond Hillside’s innovative year-round services to bring holiday smiles to the faces of thousands of youth in our care. Community support helps to provide more than 7,000 toys and gifts that match the wishes of over 3,000 children and siblings served by Hillside.  Visit them online:  https://hillside.com/