With Facebook neutralizing most TCPA ATDS claims, understanding the DNC rules—including the dense CFR requirements— is more important than ever.

Well a court in Pennsylvania just quietly saved TCPAWorld from a massively dangerous new theory and—per usual—we’re the only ones talking about it.

Courts struggle with whether a cause of action is permitted for a violation of 47 CFR 64.1200(d)—requiring maintenance of an internal DNC list and policies and training by all marketers regardless of the technology they use to place calls—but a solid body of law is now developing that individuals who did not ask for calls to cease lack standing to sue in any event. That’s good news for well-meaning businesses but bad news for professional litigators who don’t get to sue over a ticky-tack violation unless a company actually does something wrong. (Heaven forbid.)

Well a Plaintiff in PA decided to test the limits by arguing that these courts are wrong because the CFR protects everyone one the national DNC list, not just those who actually asked a specific business for calls to stop.

Hmmmm.

Backing up, a 61.1200(d) claim—known as an “internal DNC” claim in the jargon—is a particularly dangerous claim. This is so because—according to the Plaintiff’s bar’s theory—the failure to maintain a policy converts every single call made by a marketer (even those with consent!) into an automatic violation of the TCPA. And nothing is easier to certify than a case involving every single call made by a company—just ask DirectTV. So internal DNC claims are actually the most dangerous type of TCPA case out there—where they’re permitted.

As mentioned above, these claims have been stamped out recently by courts determining that only individuals who have asked for calls to stop can sue—including unnamed class members. This converts Internal DNC claims into run-of-the-mill (uncertifiable) revocation cases that go nowhere. But what if the Plaintiff’s bar could expand the reach of the provision to protect more than just those that asked for calls to stop?

Well in Perrong v. South Bay Energy Corp., Case No. 2:20-cv-05781-JDW, 2021 U.S. Dist. LEXIS 70715 (E.D. Pa.  April 13, 2021)  a district court just saved everyone from having to find out.

Perrong is actually a really important ruling. The Plaintiff argued directly that the internal DNC rules are designed to protect all numbers on the national DNC list. Had this theory been accepted then everyone on the DNC would automatically have standing to bring an Internal DNC claim, even without having asked the caller for calls to their phones to stop.

The Court in Perrong held that the Plaintiff’s broad reading of 47 CFR 64.1200(d) was inconsistent with the regulation’s language and dismissed the claim as brought by a Plaintiff who had not actually asked for calls to cease. So TCPAWorld was saved.

We’ll keep an eye on this for you. And if you see this argument crop up in one of your cases let us know!

Rebekah Johnson, CEO, and Anis Jaffer, Chief Product Officer of Numeracle host a live Q&A podcast series covering all things related to call center communications, including call delivery, STIR/SHAKEN, caller ID technology, TRACED Act, brand identity, and more. In the episode below (transcript edited by insideARM; listen to the full episode here), Rebekah and Anis have the second part of their discussion about what it takes to authenticate and achieve the elusive “green checkmark” on the end subscriber’s device. Read the first part here.

Let’s start with a recap of the origination side as it relates to authentication.

Rebekah Johnson: First and foremost, the originating service provider must establish a local policy for how they will attest to the authenticity of the calls originating on their network. This will be achieved through policy and procedures with the help of identity management tools if needed. The indicator in SHAKEN that relays this authenticity is through the Attest Claim, which can be one of the following three values: A, B, or C, as defined in the ATIS Standard.

We also learned an originating service provider’s reputation is dependent upon how rigorous a local policy they implement when making the claim of A. Meaning, the identity of the caller, and authorization for use of the TN can be proven.

We concluded part one of What it Takes to Authenticate by exploring the challenges related to the gap between the originating service provider and the identity of the caller due to the presence of call centers, BPOs, and communication platform providers. Several options were discussed, each with their respective pros and cons. The expectation is that the industry will land with one or possibly multiple solutions.

Where should we start on the termination side? How does the terminating carrier make the final decision to display the green checkmark?

Anis Jaffer: To understand what happens at call termination, let’s first talk about the various components involved. First, we have the terminating network: this is the service provider where the call is terminated. Then you have the user device where the call lands. You can also have another component used by the terminating service provider for call validation, which is the analytic service that some providers use. So, in STIR/SHAKEN when the terminating network receives the call, they would first verify the signature received as part of the SIP header. This verification service would determine whether the call received is from a trusted source.

We talked about Attestation Flags last time, so the attestation flags sent by the originating network will be used by the terminating side to determine whether the call can be authenticated. Assuming the call is authenticated, the verification service then would update a parameter, what is called a Verstat Parameter. If the call is authenticated the Verstat Parameter would be updated as “TN validation passed.” If the call is not authenticated, then the terminating service provider would set it “TN validation failed.” In this case, they can also block the call.

Rebekah Johnson: You mentioned call validation. I’ve heard this referred to as CVT or Call Validation Treatment. Would you explain that portion just a little bit further?

Anis Jaffer: CVT is the (optional) analytics service that service providers can use. After the carrier verifies the result from the SIP Header, the CVT uses analytics and reputation data sources to determine if a number is fraudulent or spam. This information is then used as an overlay on the user device to show if a call is labeled as ‘Spam,’ ‘Scam,’ ‘Nuisance Likely,’ etc. This could either be a carrier application service that’s drawn as part of the verification we talked about earlier or, it can be implemented as a third-party solution. For instance, all the major U.S. carriers use third-party analytics for call labeling.

Okay, so as for the consumer display, where does the green checkmark fit in?

Anis Jaffer: We talked about carrier verification and analytics. The green checkmark is on the user equipment or the end device. Let’s say the call terminates at the network level, verification is done by the verification service, TN validation is passed, and the verstat parameter is set as “validation passed.” At this point, CVT does its check, and let’s say the number is determined as ‘Not Scam’ or ‘Not Spam. At this point, the CVT can pass this information to the user device or an app running on the user device, which can then display a checkmark, typically a green check, or it could be a character “V”.

This depends on the user equipment. In the case of smartphones, you can display the checkmark but in the case of devices with limited capabilities that display text-only, a simple indicator, like a letter V, can be used. For instance, Comcast recently announced a rollout of STIR/SHAKEN across the Xfinity Voice Over IP-network. They leverage both for displays that are capable of displaying the green check. For character or display-limited devices, they display the letter V.

Rebekah Johnson: Speaking of Xfinity, we led a proof-of-concept to test delegated certificates with Comcast, which was serving as the terminating provider, and Twilio as the originating provider. Through our Identity Management Platform™ we were able to verify the identity, authorization for use of TN, and elevate this information to Twilio via a delegate certificate provided by NetNumber.

The reason Comcast seems to be progressing very quickly on the display side of termination is their control of the display on the TV and their mobile service. Does this mean the display is dependent upon the user and the equipment?

Anis Jaffer: Yes, that’s a very important layer that influences how the calls are displayed on the device. Assuming verification process CVT checks and calls actually land, the app running on the device can layer its data on top. It could be a green checkmark, it could be a CNAM look-up where it can pull up the caller’s name, or it could look up its own data source for logo and call reason for that number and display that. There are several apps that do this today and typically they use pre-loaded data either from an internal database or by connecting to a third-party data source. They match the number to the corresponding name, logo, and call reason, and they overlay that information on the device. Today it’s usually caller name, but more and more we are seeing rich call data and logos being displayed.

Does the rich call data provide information, such as logo and call reason, as part of the STIR/SHAKEN certificate?

Anis Jaffer: There is a way to pass RCD over SIP as part of the SIP header. An originating service provider can add an RCD claim and when that information is received by the terminating service provider, they can choose to display this information on the device. However, this is not part of the BASE STIR/SHAKEN specification and the originating service provider does not have to do this. The delegated cert specification allows RCD to be added to the header, however, adoption is still early. We have to get through the STIR/SHAKEN implementation first before we can take full advantage of RCD claims on the SIP header.

With that said, while STIR/SHAKEN implementation is ongoing, some other solutions have sprung up. These are essentially using the data network to transmit rich call data to the user device by bypassing the communication network; these are called out-of-band solutions. For example, Google introduced Google Verified Calls, which works this way.

Out-of-band means out-of-telecom-band. What exactly is this and how does it work?

Anis Jaffer: In an out-of-band model the originating enterprise and its information, such as business name, logo, the numbers they are using, and the reason for those calls, are registered ahead of time with the service. When the business originates the call, they can attach the From: Number and the To: Number to the service right before the call is made. They have to do this right before the call because this information is short-lived and it is only alive for a few minutes.

In the case of Google, for instance, they can push this information to a specific Google device. As soon as the call lands on the device, Google can overlay the logo and call reason when the call rings. So as the data is sent, not using the communication network but essentially using the data network, it’s called out-of-band.

Rebekah Johnson: This raises interesting concerns. If it’s outside of the communication network, then is it outside of the Standard?

Anis Jaffer: That’s a tricky question to answer. It’s outside the Attest or STIR/SHAKEN Standard, but they are part of an IETF STIR Standard called STIR Out-of-Band. So it’s not something that’s completely out of standard specification. In fact, even in the case of STIR/SHAKEN, there are networks that are not fully SIP enabled and this method can be used to pass data. Surprisingly, there are a lot of networks that are still TDM-based, and since they cannot handle SIP headers, one proposal that has been presented is to send this STIR/SHAKEN information using the data network, or basically, an out-of-band solution.

What should we expect from the FCC’s June 30th deadline?

Rebekah: While I’m hopeful for a June 30th, 2021 deadline, I don’t believe that we’re going to see an environment where authentication from origination to termination exists throughout the network; it’s going to be a mix. I think we’re going to have to continue to watch the progression of where this goes and how the industry responds. Especially, it seems the terminating carrier side has a lot of control over what eventually gets displayed no matter what you do on the origination side.

Anis Jaffer: At the end of the day the call gets terminated and the user device has to display the information. You can add information at origination, but then it needs to get transported first to the terminating service provider, and then they have to figure out how to send this data to the end device. Then we have this added complexity of multiple service providers that are not SIP-enabled, there are several TDM-based networks, so how do you pass the information through their network? Calls don’t go on a single hop, there are multiple hops that happen before the call actually goes from origination all the way down to termination, so there is also this added layer where you should be able to send data.

I think the space is going to be evolving; the first step is to implement STIR/SHAKEN and get as many carriers as possible and networks as possible to handle that. Then over a period of time, we’ll be able to add rich call data. In the meantime, devices also need to have the capability to display the information; that is also evolving. We saw Google doing something. Apple could do similar things, but we don’t know at this point.

Last week the California Department of Financial Protection and Innovation (DFPI) issued a reminder to future debt collector licensees and existing mortgage lenders and servicers about protections for California renters and homeowners experiencing economic hardship under the COVID-19 pandemic.

The DFPI will take all necessary actions to ensure debt collectors comply with the FDCPA, CFPA, and the COVID-19 Tenant Relief Act.

Here is the text of the reminder:

Under California law, COVID-19 rental debt includes any “unpaid rent or other unpaid financial obligation of a tenant” that came due between March 1, 2020 and June 30, 2021. (Code Civ. Proc. § 1179.02.) The COVID-19 Tenant Relief Act (SB 91) includes the following renter protections for COVID-19 rental debt:

• COVID-19 rental debt cannot be sold or assigned before July 1, 2021. (Civ. Code §1788.65.)
• Starting July 1, 2021, COVID-19 rental debt cannot be sold or assigned if the debt pertains to a person “who would have qualified for rental assistance funding” under California’s emergency rental assistance program if “the person’s household income is at or below 80 percent of the area median income for the 2020 calendar year.” (Civ. Code § 1788.66.)
• Creditors cannot charge or attempt to collect late fees for COVID-19 rental debt if the renter has submitted a “declaration of COVID-19-related financial distress.” (Civ. Code § 1942.9, subd. (a)(1).)
• With limited exceptions, those collecting COVID-19 rental debt in court must submit documentation showing that they have made “a good faith effort to investigate whether governmental rental assistance is available to the tenant, seek governmental rental assistance for the tenant, or cooperate with the tenant’s efforts to obtain rental assistance from any governmental entity, or other third party.” (Code Civ. Proc. § 871.10.)
• Actions to recover COVID-19 rental debt may not be commenced before August 1, 2021, and any action to recover COVID-19 rental debt that was pending as of January 29, 2021 is stayed until August 1, 2021 (Code Civ. Proc. § 871.10, subds.(d), (f).)

Under California’s COVID-19 rental assistance program, a landlord can receive 80 percent of unpaid rent owed from April 1, 2020 through March 31, 2021 from government funds for a qualifying tenant if they agree to forgive any remaining unpaid rent for that period. To comply with applicable laws, debt collectors should ensure that they are not collecting rental debt that was paid or forgiven under California’s rental assistance program.

[article_ad]

The DFPI also reminds debt collectors that the federal Fair Debt Collection Practices Act (FDCPA) and the Consumer Financial Protection Act (CFPA) (part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) protect California consumers from unfair, false, deceptive, or misleading representations, and harassment or abusive conduct in
rental debt collection. (15 U.S.C. § 1692 et seq.; 12 U.S.C. § 5536.) For example, courts have held that falsely suggesting one may initiate a lawsuit to collect a debt when one has no intention or ability to do so can be deceptive or misleading under the FDCPA.

Under the DCLA, the Commissioner must investigate all applicants for a debt collector’s license to determine whether any facts exist that constitute reasons for denial. The DFPI will begin accepting applications for debt collector licenses later this year. Grounds justifying license denial include “any act involving dishonesty, fraud, or deceit, if the crime or act is substantially related” to the debt collection business and violations of any similar regulatory schemes. (Fin. Code §100012, subd. (b)(2).) Furthermore, the Commissioner may revoke a license if the Commissioner determines that “[a]ny fact or condition exists that, if it had existed at the time that the licensee applied for the license, would have been grounds for denying the application.” (Fin. Code § 100003.3, subd. (b)(6).)

The DCLA was enacted in 2020 to protect California consumers and provide the DFPI with licensing and examination authority over debt collectors, which includes debt buyers, operating in California. (Fin. Code § 100002, subd. (j).) The DFPI will take all necessary actions to ensure debt collectors comply the FDCPA, CFPA, and the COVID-19 Tenant Relief Act.

 

 

Clint Lotz, President and Founder of TrackStar stops by Clark Hill’s Credit Eco to Go to talk not only about data, but he weighs into the debate of data regulation. More and more states are enacting laws that give consumers more control over their own data. Industry opposes a fragmented regime and instead favors a national standard.

Clint disagrees and sees states being in a better position to align their privacy laws with the needs of their constituents. At the federal level, Clint sees agencies like the CFPB weighing into the regulation of data, especially when the economy starts to recover and lending increases. Ultimately the consumer needs to know whether their own data will be their friend or foe. 

DISCLAIMER – No information contained in this Podcast or on this Website shall constitute financial, investment, legal and/or other professional advice and that no professional relationship of any kind is created between you and podcast host, the guests or Clark Hill PLC. You are urged to speak with your financial, investment, or legal advisors before making any investment or legal decisions.

SACRAMENTO, Calif. — Against all odds, the Receivables Management Association International held its 2021 Annual Conference in Las Vegas, April 12-15, 2021. With more than 500 in-person attendees and more than 150 virtual attendees, leaders from RMAI capitalized on the event by honoring an outstanding member and RMAI’s executive director.

President’s Award

RMAI awarded the President’s Award to Kino Financial Co., LLC, President, Amber Russo.

In 2017, RMAI created the President’s Award which recognizes an individual for outstanding contributions and services to the association and membership. The award goes to someone serving on an RMAI Committee who is selected because of their contribution to committee goals and their innovative ideas helping further the success of RMAI.

This year, RMAI presented the President’s Award to Amber Russo. When faced with the need to change course and innovate, she champions the effort enthusiastically with tireless dedication ensuring success. Her efforts paid dividends as she co-chaired two successful virtual silent auctions that raised record donations for the RMAI Legislative Fund. In addition to being a member of the Fundraising Committee, Amber also served on the Editorial & Social Media Committee.

Kino Financial joined RMAI in 2019 and has been actively involved in RMAI since day one. Amber is a Certified Receivables Compliance Professional and Kino Financial Co., LLC is a Certified Debt Buying Company.

Bud Reitzel Award

In a closely guarded secret, the RMAI Board of Directors awarded the Bud Reitzel Lifetime Commitment Award, the industry’s highest recognition, to RMAI’s Executive Director, Jan Stieger.

RMAI created the Reitzel Award to recognize an individual for outstanding leadership and dedication in the receivables management industry who has demonstrated, over many years of service, the ideals that Bud so firmly believed in. Jan joined RMAI in 2011. Through her leadership, she has overseen the complete transformation of RMAI from an organization operated by an association management company to one of the most dynamic and respected organizations within the receivables management industry. Among Jan’s many accomplishments over the past decade:

• The development of a robust state and federal government advocacy program, which has not only protected the industry but has driven significant policy changes at the same time. Since 2011, RMAI has been successful in over 95 percent of its advocacy efforts.
• Launching and the continued enhancement of the Receivables Management Certification Program from a program originally focused on debt buying companies to a highly valued program that benefits the entire receivables industry, by providing significant operational controls and consumer protections contained in rigorous and uniform industry standards of best practice. Originators looking for a single compliance footprint only need to look at RMAI certified debt buyers, collection agencies, collection law firms, brokers, and process servicers.
• Expanding RMAI’s education and networking experiences from RMAI’s Annual Conference and Executive Summit to regional events such as this September’s Advocacy Training and Baseball Ball Night in Atlanta, GA.
• Rebranding the association in 2017 from DBA International to RMAI with an expanded focus on secondary market opportunities and RMAI certification, both of which continue to grow RMAI’s footprint today.
• Successfully led RMAI through the many challenges associated with the COVID-19 pandemic. Despite the issues faced by the industry as well as our membership in 2020, RMAI is now in its fourth straight year of membership growth.

[article_ad]

About Receivables Management Association International
Receivables Management Association International (RMAI) is a nonprofit trade association representing more than 570 companies that purchase or support the purchase of performing and nonperforming receivables on the secondary market. The RMAI Receivables Management Certification Program and Code of Ethics set the global standard within the receivables industry due to the rigorous uniform standards of best practice that focus on protecting consumers. More information about RMAI is available at www.rmaintl.org.

A debt collector must verify the identity of a communication recipient to ensure a right-party contact while also avoiding a disclosure about the existence of the debt to a third-party.  Thus, a debt collector must, when asked, provide meaningful information about the purpose of a telephone call to a third-party – even when the third-party refuses to identify herself – without disclosing that the call is an attempt to collect a debt. 

In the latest episode of the Debt Collection Drill podcast, Moss & Barnett attorneys John Rossman and Mike Poncin are joined by attorney Aylix Jensen who elaborates on her recent, complete victory in Federal Court establishing that a debt collector did not violate the FDCPA by stating it was a “financial services company” calling regarding a “personal business matter” to an unidentified individual – the Plaintiff – who the Court identified as the correct “customer for the account.” 

The case, filed in the Maryland District Court,  is Mayhall v. MRS BPO, et al., Case # GJH-19-2384; the Order can be found here. 

Listen here.

—

insideARM Perspective

insideARM started talking about this issue a few years ago. See this for a concise video explanation of the “authentication dance” challenge faced by collectors and consumers.

Fair Credit Reporting Act (FCRA) lawsuits have been on the rise. In 2020, FCRA lawsuits increased by 5.3% over 2019, outpacing lawsuits filed under the Fair Debt Collection Practices and the Telephone Consumer Protection Act, which were down -17.6% and -3.3%, respectively.1 This trend will likely continue, and with the Consumer Financial Protection Bureau stepping up enforcement actions it is more important than ever for background screeners to review and improve their FCRA compliance procedures. This should start with a FCRA Compliance Manual.

 [article_ad]

Why Are FCRA Compliance Manuals Important?

For CRAs, liability under the FCRA often turns on whether they have “reasonable procedures” for compliance. In fact, that term appears in the FCRA fifteen times, starting with:

“It is the purpose of this title to require that [CRAs] adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.” (15 U.S.C. § 1681(b))

Good FCRA Compliance Manuals allow CRAs to document their reasonable compliance procedures and if properly implemented can insulate them from liability for unintended FCRA violations.

How Can a FCRA Compliance Manual Insulate a Background Screener From FCRA Liability?

The FCRA is not a “strict liability” statute like many other consumer protection laws. However, several burden shifting provisions in the FCRA can have the effect of making CRAs who lack reasonable compliance procedures strictly liable for violations.

For example, §1681(a) prohibits a CRA from issuing an investigative consumer report unless consumer disclosures are made, and §1681(b) requires the CRA to give the consumer written disclosure of the “nature and scope of the investigation” within a specified period of time. However, §1681d(c) provides a CRA who has violated §1681d(a) or (b) with a defense to liability if they have a “reasonable procedure” for compliance:

“No person may be held liable for any violation of subsection (a) or (b)… if he shows by a preponderance of the evidence that at the time of the violation he maintained reasonable procedures to assure compliance with subsection (a) or (b)…”

So how does a CRA who violated §1681(a) or (b) show “by a preponderance of the evidence” that it maintained “reasonable procedures” to assure compliance with those subsections? Theoretically a CRA who lacks a FCRA Compliance Manual could have an employee testify regarding its procedures at trial. But a CRA with a properly drafted FCRA Manual might be able to avoid trial altogether by using the Manual in support of a motion for summary judgment.

Another section of the FCRA which applies to CRAs who issue investigative consumer reports is §1681d(d)(4):

“A [CRA] shall not prepare or furnish an investigative consumer report on a consumer that contains information that is adverse to the interest of the consumer and that is obtained through a personal interview with a neighbor, friend, or associate of the consumer or with another person with whom the consumer is acquainted or who has knowledge of such item of information, unless

(A) the [CRA] has followed reasonable procedures to obtain confirmation of the information from an additional source that has independent and direct knowledge of the information; or

(B) the person interviewed is the best possible source of the information.”

In a lawsuit brought under §1681d(d)(4) a CRA who did not interview the person who was the best possible source of information would need to establish that it followed reasonable procedures for obtaining confirmation of the information from an additional source that has independent and direct knowledge of the information. Unless those procedures are in writing the CRA could have difficulty making this showing.

Reasonable Procedures for Proper Content of Reports and Ensuring Permissible Purpose

§1681e(a) requires CRAs to have “reasonable procedures” for ensuring that reports (i) do not contain information prohibited from being reported; and (ii) are furnished only to those with “permissible purpose”:

“Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of section…§1681c…and to limit the furnishing of consumer reports to the purposes listed under section… §1681b…”

Accordingly, §1681e(a) provides a CRA who has mistakenly reported a record of an arrest which predated the report by more than 7 years with a defense to liability if it can show it maintained reasonable procedures for avoiding this type of error. Similarly §1681e(a) provides a CRA who has mistakenly issued a consumer report to a person who lacks permissible purpose with a defense to liability if it can show it maintained reasonable procedures for avoiding the error. A CRA who maintains a FCRA Compliance Manual containing these procedures should be able to make this showing if the CRA can demonstrate that its employees were adequately trained to follow them.

Thankfully §1681e(a) provides CRAs with a roadmap for their reasonable procedures for ensuring permissible purpose:

“These procedures shall require that prospective users…identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every [CRA] shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report.”

Reasonable Procedures for Resellers of Consumer Reports

§1681e(e)(2)(A) and (B) govern persons (including CRAs) who resell reports or information from reports issued by other CRAs (e.g., TransUnion, Equifax or Experian). Those CRAs must:

“(A) establish and comply with reasonable procedures designed to ensure that the report (or information) is resold … only for a purpose for which the report may be furnished under … §1681b…, including by requiring that each person to which the report (or information) is resold and that resells or provides the report (or information) to any other person

(i) identifies each end user of the resold report (or information);

(ii) certifies each purpose for which the report (or information) will be used; and

(iii) certifies that the report (or information) will be used for no other purpose; and

(B) Before reselling the report, make reasonable efforts to verify the identifications and certifications made under subparagraph (A).”

Thus, §1681e(e)(2)(A) provides a CRA who has mistakenly resold information from another CRAs report to a person who lacks permissible purpose with a defense to liability if they can show they employed these reasonable procedures.

§1681e(b) – The Most Important Reasonable Procedure

The most important reasonable procedure a CRA can have for avoiding FCRA liability is imposed by §1681e(b):

“Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.”

Compliance with §1681e(b) is important because it is the basis for most lawsuits against CRAs. Unfortunately, however, §1681e(b) does not tell CRAs what “reasonable procedures” they must follow to ensure the “maximum possible accuracy” of their reports. So, what “reasonable procedures” does a CRA need to avoid §1681e(b) liability? In a class action lawsuit this can be the “Million Dollar Question”. This is discussed further below.

Reasonable Procedures for Reinvestigations of Consumer Disputes

Even when the FCRA does not use the term “reasonable procedure” the concept can apply. For example, §1681i(a), which requires CRAs to conduct reinvestigations after receiving consumer disputes, states in part:

“…if the completeness or accuracy of any item of information contained in a consumer’s file…is disputed by the consumer…the CRA shall…conduct a reasonable reinvestigation to determine whether the disputed information is inaccurate and record the current status of the disputed information, or delete the item…”

Similarly, §1681i(a)(5)(C) states:

“A [CRA] shall maintain reasonable procedures designed to prevent the reappearance in a consumer’s file, and in consumer reports on the consumer, of information that is deleted [due to a reinvestigation].”

A CRA whose FCRA Compliance Manual describes its reinvestigation procedures and procedures for preventing the reappearance of deleted information can successfully defend a lawsuit brought under §1681i(a) or §1681i(a)(5)(C) provided it properly implements those procedures.

“Strict Procedures” for CRAs Who Issue Reports for Employment

Under §1681k(a) CRAs who issue reports for employment purposes can be subject to a “strict procedures” requirement:

“A [CRA] which furnishes a consumer report for employment purposes and which for that purpose complies and reports items of information on consumers which are matters of public record and are likely to have an adverse effect upon a consumer’s ability to obtain employment shall

(1) at the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the [CRA], together with the name and address of the person to whom such information is being reported; or

(2) maintain strict procedures designed to ensure that whenever public record information which is likely to have an adverse effect on a consumer’s ability to obtain employment is reported it is complete and up to date.”

This means that unless the CRA choses to notify the subject of its report that it is reporting public record information it must maintain “strict procedures” designed to ensure the public record information which could adversely affect the subject’s employment prospects is complete and up to date when reported. Unless those “strict procedures” are spelled out in the CRA’s FCRA Compliance Manual they could be difficult to prove.

Why FCRA Compliance Procedures Should Be In Writing

The FCRA does not require CRAs to have written FCRA Compliance Manuals and CRAs who lack them can prevail when sued. But a CRA’s likelihood of success in litigation is greatly increased if it has a well drafted and properly implemented Compliance Manual.

A typical document request in a lawsuit alleging a CRA violated §1681e(b) reads:

“REQUEST NO. 5: Produce all documents that set forth the policies and procedures that You rely upon to prepare consumer reports while assuring maximum possible accuracy of consumers’ criminal history information.”

A CRA who lacks written procedures for complying with §1681e(b) would have nothing to produce in response to this request, providing the plaintiff an argument that the CRA has no procedures for assuring maximum possible accuracy of its reports. The CRA would be left arguing that despite the lack of written guidance its employees know how to ensure the maximum possible accuracy of information in its reports. Defense of the lawsuit will depend on the vagaries of employees’ understandings of how things are supposed to be done. Conversely, the CRA whose FCRA Compliance Manual includes its reasonable procedures for §1681e(b) compliance will produce the Manual and should be well-suited to defend the lawsuit. This could make the difference between winning or losing, or a large or small settlement.

How FCRA Compliance Procedures Alone Can Overcome Liability

FCRA liability often hinges not on the error, but on the CRA’s failure to maintain reasonable procedures to avoid the error. A CRA who follows reasonable procedures can prevail despite an error.

In Nelski v. TransUnion, 86 Fed. App’x 840 (6th Cir. 2004) there was no dispute that the report contained an erroneous past due account and that the plaintiff was injured due to the error. Regardless, the case turned on the reasonableness of TransUnion’s procedures for assuring the maximum possible accuracy of the report. The Court held that the reasonableness of procedures under §1681e(b) is “determined by reference to what a reasonably prudent person would do under the circumstances.” TransUnion prevailed because plaintiff could not show its procedures were unreasonable.

In Oses v. CoreLogic SafeRent, LLC, 171 F. Supp. 3d 775 (N.D. Ill. 2016) CoreLogic issued a report which erroneously characterized plaintiff’s drug charge as a robbery. Plaintiff sued CoreLogic under §1681k(a) arguing that CoreLogic lacked strict procedures designed to ensure that public record information likely to have an adverse effect on his ability to obtain employment was complete and up to date. At summary judgment CoreLogic demonstrated that it did maintain strict procedures. Specifically, CoreLogic showed that its procedure was to obtain criminal records directly from the courthouse but that in plaintiff’s case the court records mistakenly described plaintiff’s drug charge as a robbery.

The Court ruled for CoreLogic, finding that it was “undisputed that a SafeRent employee traveled to the Cook County courthouse and collected the record at issue using its standard procedures

for transcribing and auditing information from the courts.” The Court held that the “…error is of no significance for purposes of §1681k(a)(2), which concerns only the strictness of the procedures the defendant maintains, not any errors it may have committed in spite of those procedures.”

These cases demonstrate that a CRA who issues a report containing errors can prevail in FCRA litigation if demonstrates it had reasonable procedures for avoiding the error. If these procedures are spelled out in a FCRA Compliance Manual and the CRA has trained its employees to follow them, its likelihood of success will be significantly improved.

What Should Be Included in an FCRA Compliance Manual?

At a minimum, a CRA’s FCRA Compliance Manual should cover the following topics.

Investigative Consumer Report Procedures

A CRA who issues investigative consumer reports should have procedures for complying with §1681d(a) and (b) regarding consumer disclosure and disclosure upon the consumer’s request of the “nature and scope of the investigation”. The CRA should also have procedures for complying with §1681d(4) so if the person interviewed is not the best possible source of information the CRA can demonstrate it has reasonable procedures for obtaining confirmation of the information from an additional source that has independent and direct knowledge of the information.

Permissible Purposes & Report Content Procedures

CRAs should have procedures for complying with §1681e(a) to ensure reports (i) do not contain information prohibited from being reported (e.g., arrest records which predate reports by more than 7 years); and (ii) are furnished to only those with permissible purpose.

Reseller Procedures

A CRA who is a reseller should have procedures for complying with §1681e(e)(2)(A)&(B) documenting how it ensures (a) reports are resold to only those with permissible purpose; (b) those to whom reports are resold (i) identify end user, (ii) certify purpose, and (iii) certify reports will be used for no other purpose; and (c) the CRA’s reasonable efforts to verify these identifications and certifications.

Procedures for Assuring Maximum Possible Accuracy

CRAs should have procedures for complying with §1681e(b) to assure the maximum possible accuracy of the information in their reports such as standards for matching records to the consumers, properly classifying crimes in reports, and procedures for situations where records are unclear or conflicting.

Consumer Dispute and Reinvestigation Procedures

CRAs should have procedures for fielding consumer disputes and conducting investigations of disputed items in reports under §1681i(a) as well as procedures to prevent the reappearance of

deleted information under §1681i(a)(5)(C). Reinvestigation procedures should include procedures for responding to third party disputes, including rules for ensuring the third party is authorized to act for the consumer. Reinvestigation procedures should specify standards for conducting reinvestigations, standards for responding to frivolous or irrelevant disputes, procedures for timely notifying consumers of the results of reinvestigations, procedures for continued disputes, and procedures for reinsertion of previously deleted records.

“Strict Procedures” for Employment Reports

CRAs who issue reports for employment purposes should include §1681k(a)(2) “strict procedures” to ensure that public record information likely to have an adverse effect on a consumer’s employment is complete and up to date unless they opt to notify consumers that they are reporting public record information pursuant to §1681k(a)(1).

Other Recommended FCRA Compliance Manual Provisions

Other recommended FCRA Compliance Manual provisions include:

Procedures for responding to requests for reports and/or files;

rules and procedures for complying with state-specific credit and criminal reporting laws;

rules and procedures for complying with municipal credit and criminal reporting laws;

employee training procedures; and

compliance audit procedures.

Conclusion

A properly drafted and implemented FCRA Compliance Manual can help a CRA efficiently comply with the FCRA while insulating them from liability when things go wrong. Preparation of the Manual requires a deep dive into the CRA’s operational procedures by qualified management and legal counsel. It also requires the education and training of the employees who must comply with the Manual. This investment will pay off greatly if litigation arises or the CFPB comes calling.

About the Author

Mr. Messer provides comprehensive legal representation to CRAs and related companies throughout the nation in litigation, compliance and transactional matters. A former Illinois Special Assistant Attorney General, Mr. Messer has extensive trial and appellate experience and is admitted to practice before many federal district courts. He has earned a national reputation for defending lawsuits brought under the FCRA and other consumer protection laws. He has conducted many trials and has substantial class action experience. Mr. Messer is a nationally recognized author and speaker and an active member of the Professional Background Screeners Association. Feel free to contact Mr. Messer at (312) 334-3440 or jmesser@messerstrickler.com to discuss legal matters or a FCRA Compliance Manual for your company.

ARLINGTON, Va. — Convoke, a leader in SaaS solutions for the debt collection market, is pleased to announce significant updates it has made to its collections intelligence platform. Each year, Convoke develops and releases multiple new and expanded features to its platform to support its clients’ evolving needs.

Audio Recording Fulfillment

To support increased vendor oversight, Convoke has integrated two of its primary features – Data Groups and audio file loading. As third-party collection partners load dialer logs onto the platform, Convoke can now automatically request audio recordings of specific phone calls based upon criteria established by the credit issuer. The third-party collection partners in turn load these recordings to the Convoke platform for credit issuer review. New reporting and service level agreement tracking have been added as well in support of this new feature. These enhancements represent another exciting milestone in Convoke’s mission to help credit issuers achieve the utmost level of oversight possible over their third-party networks.

New Corporate Website

Convoke is also proud to introduce its newly redesigned corporate website, which describes how we help banks and other credit issuers to grow recovery, reduce costs, improve compliance, and protect their brand. One of the most exciting additions is a collection of our case studies, which describe real-life examples of the ways in which Convoke has helped our customers overcome their various challenges. Further content will be added in the coming months. Please visit us at https://www.convokesystems.com/ and watch our short introductory video by clicking “WATCH HOW CONVOKE WORKS” (or alternatively by visiting YouTube here).

About Convoke

Convoke is a collections intelligence platform that is transforming the way credit issuers manage third-party debt collection, leveraging a decade of experience for the issuers it serves. It provides unprecedented transparency and accountability, facilitating issuer debt validation and third-party oversight. With its powerful reporting, tracking, and auditing capabilities, issuers are able to have confidence that they are in compliance with internal and regulatory requirements. Convoke enables credit issuers to grow recovery, reduce costs, improve compliance, and protect their brand.  Convoke is headquartered in Arlington, VA. For more information on Convoke, please visit www.convokesystems.com.

It seems at least one judge in the Eastern District of Wisconsin appears to be tired of reviewing repeated meritless claims. On March 29^th, in two strongly worded Orders, Judge Brett H. Ludwig dismissed two cases filed on behalf of consumers by the Law Office of Paul Strouse against Enhanced Recovery Company, LLC (ERC) and other defendants. Further, the consumer’s Counsel has been ordered to show the court in each case why he should not be sanctioned. The cases are Herron v. Credit One Bank, et al., case #20-cv-0844 (E.D. WI) which can be found here, and Butler vs. 1^st Franklin Financial Corporation, et al., Case #20-cv-0842 (E.D. WI) which can be found here. 

[article_ad]

Each case alleged that ERC and other defendants violated the FCRA by failing in their respective duties to correct and report accurate credit information to the Credit Bureaus. However, according to Judge Ludwig, both the initial and amended complaints were “sparse on details” and mere “threadbare recitals.”  

In each case, the Court allowed the plaintiff a second opportunity to amend their complaints but ultimately found the “rather cryptic” amendments were insufficient as they did not describe any particularized or concrete harm. In dismissing the cases, the Court stated, “bare procedural violations, divorced from any concrete harm, [] do not satisfy the injury in fact requirement of Article III.”

Before dismissing the cases, however, Judge Ludwig probed the plaintiff’s Counsel in detail about the methodology he used to pursue his clients’ claims, which is where it gets fascinating. Judge Ludwig did not just dismiss the cases and call it a day. Instead, he took the time to issue a scathing rebuke to the plaintiff’s Counsel stating,

“Counsel’s description of his pre-lawsuit conduct also raises questions about whether this litigation was filed for a proper purpose. The record suggests Counsel was not trying to remedy a legitimate client problem but was instead interested in setting up defendants for “technical” violations of a consumer protection statute in order to obtain attorney’s fees. Counsel chose to send opaque, nonspecific complaint letters to the credit reporting agencies and declined to forward even those vague letters to defendants. If Counsel was concerned about remedying the accuracy of his client’s credit reports, providing prompt and proper notice to both the credit agencies and the defendants would have made sense. Of course, if Counsel was concerned about ginning up an FCRA lawsuit to coerce settlements or secure fees, on the other hand, it made perfect sense to use a nonspecific complaint letter and to delay the forwarding of that letter to defendants, who would have less time to address any potential issues and would be more likely to exceed the FCRA’s tight 30-day time limit for response.”

Now that the Court has made clear that it does not appreciate meritless filings, and certainly not those predicated on the pursuit of attorney’s fees, it remains to be seen whether Judge Ludwig will issue sanctions against the plaintiff’s Counsel.

Regarding the outcome of the Herron and Butler matters, Shelly Gensmer, VP of Legal and Compliance, EJD Candidate, CCCO, stated, “Article III standing is starting to get the spotlight it deserves, finally. ERC is very pleased with the Court’s orders, and we expect the trend of pushing plaintiffs to actually show harm will grow and continue.”

insideARM Perspective:

In light of the avalanche of dismissals the 7^th circuit issued for lack of standing in 2020, the dismissal of these cases isn’t all that surprising.  However, what is surprising is the Court’s willingness to probe the plaintiff’s Counsel’s pre-filing practices and the strongly-worded rebuke of these practices. If the Court ultimately enters an order sanctioning the plaintiff’s Counsel, it would send a clear message that at least some courts are tired of cookie-cutter complaints which lack substance. Whether decisions like this will impact the number of complaints filed remains to be seen. 

In case you missed it, on March 3, 2021, the New York Department of Financial Services (NY DFS) issued a press release stating that Residential Mortgage Services, Inc. (“RMS”) will pay a $1.5 million penalty to New York State for failing to report a 2019 security breach. The breach at issue consisted of unauthorized access to an RMS employee’s email account who had access to a significant amount of mortgage loan applicants’ personal data.

Per NY DFS, Failing to report this unauthorized access to the RMS employee’s email account violated New York’s Cybersecurity Regulation. NY DFS learned of the breach during a 2020 examination of RMS. Until prompted to do so by NY DFS, RMS had not investigated the breach and had not identified the data exposed.

As part of the settlement, RMS agrees to the penalty and has commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the  Cybersecurity Regulation.

insideARM Perspective

This penalty serves as a good reminder that security breaches don’t just involve unauthorized access to servers. As in the case with RMS, unauthorized access to emails that have sensitive consumer information is a security breach and must be reported.