The First CFPB Administrative Appeal: RESPA, Kickbacks, and the Danger of De Novo Review

21 Min Read By: David N. Anthony, Julie D Hoffmeister


  • Due to its broad scope and expansive reach, the FCRA is likely regulating your client’s business.
  • Besides the ever-expanding FCRA class-action arena, federal regulatory enforcement has become just as prominent, with the CFPB and FTC prosecuting FCRA violations by furnishers of consumer information.
  • Common claims include a failure to maintain reasonable procedures against CRAs and adverse action notices against employers.


Many  companies  believe that they are beyond the reach of the Fair Credit Reporting Act (FCRA) because they do not engage in typical “credit” reporting; however, such beliefs are enormously mistaken. Rather, the FCRA regulates a sprawling spectrum of products and industries ranging from insurance to retail to energy. The FCRA further governs all those involved in the consumer report chain of custody – furnishers, consumer reporting agencies (CRAs), and users of consumer information. Indeed, it is difficult to imagine an employer or a consumer-facing business that is not subject to the FCRA’s strict, technical requirements. Given the innumerable number of products offered by the plethora of specialty CRAs in the marketplace today, users may even unknowingly purchase a regulated consumer report. The bottom line is that the FCRA is likely regulating your client’s business, even if you do not think it is, and with regulation comes risk – both monetary and reputational. Besides the ever-expanding FCRA class-action arena, federal regulatory enforcement has become just as prominent, with the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) taking the lead in prosecuting FCRA violators. Counsel must take notice of this ever-increasingly prominent statute and advise their clients accordingly.

This article explores the broad scope and expansive reach of the FCRA. Part I describes the various individuals and entities that fall within the FCRA’s reach. Part II illustrates the potentially staggering damages that may result from an FCRA violation. Part III then explores some of the common claims that typically are asserted against employers and CRAs. Part IV explains the emerging scrutiny on furnishers of consumer information.

I. The FCRA’s Expansive Reach

Although its name insinuates a limited scope, the FCRA governs more than just traditional credit reports. Rather, the FCRA focuses on any information that can be broadly defined as a “consumer report.” A “consumer report” means “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility” for credit, insurance, or employment purposes. A “consumer reporting agency,” in turn, is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Thus, the FCRA clearly reaches beyond the spectrum of credit reporting – it extends to criminal and civil records, civil lawsuits, reference checks, and other information obtained by a CRA.

The FCRA additionally imposes requirements on entities beyond typical CRAs. In addition to its clear control over the “Big Three” CRAs – Experian, Equifax, and Trans Union – and the burgeoning industry of specialty CRAs, the FCRA also regulates users and furnishers of consumer information, each of which is subject to a unique set of obligations.

First, the FCRA requires CRAs to use “reasonable procedures” to protect “the confidentiality, accuracy, relevancy, and proper utilization” of consumer credit information contained in consumer reports. Accordingly, CRAs are prohibited from furnishing consumer reports to persons who lack a permissible purpose, such as using a consumer report to determine employment or credit eligibility. These types of entities are further required to maintain reasonable procedures to ensure the maximum possible accuracy of consumer information in consumer reports and to ensure that such information is provided to only proper users.

Second, users of consumer information, such as employers, must first have a permissible purpose under the FCRA to obtain a consumer report. Users are also required to notify consumers when “adverse” actions are taken based at least in part on information contained in a consumer report.

Finally, furnishers have specific responsibilities to establish and maintain reasonable written policies and procedures designed to implement the FCRA requirements and to ensure that the information furnishers report to CRAs is accurate. Furnishers also have specific reinvestigation obligations in the context of consumer disputes that are submitted either directly or indirectly to the furnisher.

Each of these three entities clearly faces a different set of technical requirements under the FCRA and, as demonstrated below, potentially may be subject to enormous monetary damages for failure to comply.

II. Potential Damages under the FCRA

The FCRA provides for a range of potential remedies, including actual, statutory, and punitive damages as well as reasonable attorney fees. Specifically, the availability of statutory damages under the FCRA makes the statute attractive to plaintiffs who otherwise cannot prove an injury-in-fact and leads to potential enormous exposure for defendants.

The FCRA provides for statutory damages in the amount of $100 to $1,000, but plaintiffs must first prove a willful violation. Based on an analysis of the statutory construction of the term “willfully” in the FCRA, the U.S. Supreme Court in Safeco Insurance Co. of America v. Burr, 551 U.S. 47 (2007), defined “willful” to include reckless disregard of a statutory duty. The court then defined “reckless” as an “action entailing an unjustifiably high risk of harm that is either known or so obvious that it should be known,” and further explained that, “[i]t is this risk of harm, objectively assessed that is the essence of recklessness at common law.” The court summarized its holding as follows: “[A] company subject to FCRA does not act in reckless disregard of it unless the action is not only a violation under a reasonable reading of the statute’s terms, but shows that the company ran a risk of violating the law substantially greater than the risk associated with a reading that was merely careless.” The court’s ruling thus raised the bar for a plaintiff to prove reckless disregard because evidence of a defendant’s subjective bad faith is no longer determinative; rather, courts will apply an objective lens when considering a defendant’s actions.

Although many class-action plaintiff claims hinge on this statutory damages clause, the future of such damages remains questionable after the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, 194 L. Ed. 2d 635 (2016). In Spokeo, Robins sued the “people search engine” for alleged violations of the FCRA. Specifically, Robins alleged that Spokeo published inaccurate (though not harmful per se) information about him, including that Robins had a graduate degree and was married and had children. At issue on appeal was the fact that Robins’s complaint alleged only statutory violations and no physical injury in fact. Spokeo argued that this statutory violation alone was insufficient to confer Article III standing because it did not meet the “irreducible constitutional minimum” to establish standing, which requires a plaintiff to have suffered an injury in fact by sustaining an “actual or imminent” harm that is “concrete and particularized.”

The district court originally dismissed the case, holding that Robins failed to allege any injury-in-fact and, therefore, did not have Article III standing. The Ninth Circuit reversed, holding that the alleged violation of Robins’s statutory rights alone is sufficient to satisfy Article III’s injury-in-fact requirement, regardless of whether the plaintiff can show a separate actual injury. On May 16, 2016, the U.S. Supreme Court issued its much-anticipated decision, vacating and remanding the decision of the Ninth Circuit.

Justice Alito delivered the 6–2 decision, with the majority holding that the Ninth Circuit’s injury-in-fact analysis was “incomplete” because it “focused on the second characteristic (particularity), but it overlooked the first (concreteness).” According to the court, “a ‘concrete’ injury must be ‘de facto’; that is, it must actually exist.” Through its analysis, the court indicated that a technical violation is not enough to create particularized, concrete harm. The court specifically determined that: “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Rather, “Article III standing requires a concrete injury even in the context of a statutory violation.” The court thus held that “Robins cannot satisfy the demands of Article III by alleging a bare procedural violation.” The court remanded with instructions to the Ninth Circuit to decide “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”

Although Spokeo is an FCRA decision, the ruling undoubtedly will have broad implications across all types of consumer lawsuits. The decision will continue to engender arguments as to whether a named plaintiff has alleged a sufficient “concrete” injury to give rise to constitutional standing. Given the number of individual and class-action lawsuits that were stayed pending the court’s decision, it is expected that many lower courts will soon flesh out the contours of Spokeo.

III. Common Claims Against FCRA Players

Common Claims Against Employers: Adverse Action Notices

Claims against employers have been on the rise, affecting all industries including retailers, restaurant chains, manufacturers, and financial institutions. Rejected applicants often allege violations of the FCRA’s background-screening requirements on behalf of themselves and putative class members. Although the FCRA specifically authorizes employers to obtain and use a consumer report (such as criminal background checks and credit reports) for employment decisions, including those related to hiring, retention, and promotion, the FCRA imposes a specific and a surprisingly technical three-step requirement on such use.

Disclosure forms. Before obtaining a report, the employer must provide a “clear and conspicuous” written disclosure to the consumer in a document that consists “solely” of the disclosure that a consumer report may be obtained. The employer must also obtain the consumer’s written authorization. Recent litigation has revolved around the interpretation of the term “solely.”

Preadverse action notices. Before making a final employment decision based in whole or even in part on the results of a report, the employer must provide a preadverse action notice to the individual, which includes a copy of the applicant’s consumer report and the CFPB’s Summary of Rights. The concept of “adverse action” is broad and generally includes any employment-related decision that negatively affects the employee. The purpose of a preadverse action notice is to allow the applicant or employee the opportunity to discuss the report with the employer before becoming subject to any adverse action. Although the timeframe is not specifically defined, the employer is required to wait a minimum amount of time (typically interpreted as at least five business days) before taking the adverse action.

Post-adverse action notices. In the final step, the employer is required to provide a post-adverse action notice to the individual, which includes:

  • the name and contact information of the CRA that provided the background check on which the adverse employment decision was based;
  • a statement advising the individual that the CRA did not make the adverse employment decision and therefore cannot provide any reasons why the adverse action was taken; and
  • notification that the applicant or employee is entitled to receive a free copy of the background check or consumer report on which the adverse action was based within a 60-day period.

On their face, these three requirements are relatively clear and specific; however, they quickly become convoluted because:

  • different kinds of background checks require different kinds of initial disclosures;
  • several states have additional requirements affecting the disclosure, consent, and adverse action procedures;
  • the trucking industry has its own special procedures under the FCRA;
  • recent court decisions have suggested additional, unwritten requirements on the process, particularly with respect to electronic employment application processes; and
  • compliance with “ban the box” statutes, which require the removal of questions related to criminal conviction history on a job application, and ordinances may require deferral of employment background checks in the employment process, leading to delays in the hiring process, additional paperwork, and a more unfriendly application process.

Indeed, the staggering number of recent class actions against employers, which have resulted in many multimillion-dollar settlements across the country, illustrate how intricate these requirements actually are. For example, the interpretation of the word “solely” has resulted in numerous, nationwide class actions. In March 2015, a class of job applicants requested that the U.S. District Court for the Middle District of North Carolina approve a nearly $3 million settlement they had reached with Delhaize America LLC, Food Lion’s parent company, for the company’s failure to include a stand-alone disclosure. The named plaintiff was joined by 59,000 others who had applied to Delhaize-owned stores in the preceding two years.

Food Lion was not the only company hit with such a class action, however. Three putative, nationwide class actions against Michaels stores were also filed, alleging that the company buried its disclosure among blank spaces on its employment application form. Whole Foods Market Group, Inc. agreed to pay $803,000 in October 2015 to settle claims that it improperly disclosed to job applications that they would undergo background checks. That putative class action included approximately 20,000 class members. Publix Super Markets likewise settled a class action for $6.8 million in October 2014 for the supermarket’s alleged failure to provide a stand-alone disclosure informing job applicants that a background check would be performed.

Common Claims Against CRAs: Failure to Maintain Reasonable Procedures

The FCRA requires CRAs to “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the [consumer] report relates.” Importantly, the FCRA is not a strict-liability statute. The mere existence of an error in a consumer report does not, in and of itself, constitute a violation. Rather, a CRA’s liability hinges on the failure to follow reasonable procedures. According to the FTC, “[a] CRA must accurately transcribe, store and communicate consumer information received from a source that it reasonably believes to be reputable, in a manner that is logical on its face.”  FTC, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations  67, § 2 (2011). The reasonableness of a CRA’s procedures typically is a question of fact for the jury.

This reasonable-procedure requirement similarly applies to resellers under the FCRA. A reseller is a type of CRA that assembles and merges information contained in another CRA’s database into a “tri-merge report.” A reseller does not maintain its own database of the assembled or merged information from which new consumer reports are produced. In other words, a reseller acts as a middleman between the CRA and the user of the consumer information. Although a reseller’s role is limited, given that the FCRA imposes liability on “[a]ny person” who fails to comply with the statute’s requirements regarding credit information, plaintiffs have named resellers as codefendants alongside CRAs. In turn, courts have held that a reseller is subject to the same reasonable-procedure requirements as imposed on CRAs, even though resellers typically have no ability to investigate, judge, or evaluate the decisions made by CRAs.

Besides the numerous individual and class-action lawsuits that have been filed pursuant to this reasonable-procedure requirement, the CFPB has also exercised its enforcement power under this provision. In October 2015, for example, the CFPB announced a $13 million settlement of an enforcement action against General Information Services, Inc. (GIS) and, Inc., two of the largest background-screening companies, for their alleged failure to assure maximum possible accuracy of the data provided to employers.

The companies provided public-record background information – such as criminal records and civil judgment data – to employers who were conducting screenings on job applicants and current employees. The CFPB’s order focused on the following four alleged deficiencies:

  1. failure to have written procedures for researching public records for consumers with common names or who use nicknames;
  2. failure to require employers to provide middle names for applicants for purposes of matching criminal records to consumers, resulting in the reporting of mismatched criminal record information about consumers;
  3. failure to track consumer disputes in a manner that would allow for identification and remedy of reporting error trends, and failure of the internal departments to meet on a regular basis to discuss errors; and
  4. failure to conduct sufficient testing of nondisputed records.

With regard to the first alleged deficiency, the CFPB’s order appeared to conclude that matching should be done by requiring an exact match based on first, middle, and last name in addition to one additional identifier, such as date of birth or Social Security number. By this order, therefore, the CFPB in effect attempted to create a detailed standard of conduct in matching data, but one that likely does not recognize the realities of the market. For example, few, if any, courts provide a Social Security number of the defendant, making a match on this element impossible for some criminal records. Similarly, with respect to the order’s focus on the companies’ internal compliance procedures, the CFPB sought to establish a detailed standard for internal compliance procedures down to the level of detail of how often internal meetings should occur to discuss consumer complaints.

In addition to the stiff monetary penalty, which requires $10.5 million in relief to harmed customers and a $2.5 million civil penalty, the CFPB’s order also required the background-screening companies to revise their procedures to assure reporting accuracy.

IV. Emerging Trends: Increased Scrutiny on Furnishers

Anyone who provides consumer information to a CRA, even those who only occasionally report information, is a furnisher under the FCRA. Creditors, insurers, employers, landlords, and debt collectors are all potentially subject to the FCRA’s furnisher requirements. Furnishers were once an unregulated group, but today furnisher compliance has become a top federal regulatory priority, as evidenced by the increased number of supervisory and enforcement actions brought by the CFPB and FTC.

The Furnisher Rule (Regulation V promulgated by the CFPB under the FCRA) requires furnishers to: (1) furnish information that is accurate and complete; and (2) investigate consumer disputes about the accuracy of the information they provide. With regard to this latter requirement, the Furnisher Rule requires furnishers to respond to consumer disputes that a consumer directly reports to the furnisher. The FCRA also requires furnishers to respond to “indirect” disputes, or disputes that consumers first lodge with a CRA but then are passed along to the furnisher by the CRA.

Whether submitted directly or indirectly, the furnisher must then undertake a reasonable reinvestigation of the dispute, which some courts have interpreted as some degree of a careful inquiry. During the reinvestigation process, the furnisher has an obligation to:

  • investigate the dispute and review all relevant information provided by the CRA about the dispute;
  • report the results of the investigation to the CRA;
  • provide corrected information to every CRA that received information if the investigation shows the information is incomplete or inaccurate; and
  • modify the information, delete it, or permanently block its reporting if the information turns out to be inaccurate or incomplete or cannot be verified.

Furnishers have four response options: (1) verify the account as accurate; (2) modify the account tradeline information as indicated; (3) delete the tradeline because the information cannot be verified; or (4) delete the tradeline due to fraud. Each of these steps must be completed within 30 days after the CRA receives the dispute.

The Furnisher Rule additionally requires furnishers to establish and maintain reasonable written policies and procedures designed to implement the FCRA requirements, to ensure that the information furnishers report to CRAs is accurate, and to allow consumers to dispute, directly with the furnisher, information they believe is inaccurate. More than one furnisher has been surprised by Regulation V’s written-policy requirement.

Through their advisory bulletins and hard-hitting enforcement actions, the FTC and CFPB have signaled their priority in holding all players in the credit reporting market accountable for ensuring the accuracy of data in credit reports, with a particular focus on furnisher compliance obligations. For example, in December 2014, the CFPB announced that it will require CRAs to provide regular reports to the CFPB identifying by name potentially problematic furnishers of information, including furnishers with the most overall disputes and those with particularly high disputes relative to their industry peers. This active monitoring for compliance has the potential to result in more enforcement actions against furnishers.

Enforcement actions brought by the FTC and CFPB have set a clear precedent for noncomplying furnishers, given that these actions often impose stiff penalties on companies that do not live up to its duties under the Furnisher Rule. Recent examples of FTC enforcement actions against furnishers include:

  • FTC v. Tricolor Auto Acceptance Corp., LLC, which was fined $82,777 for failing to maintain written policies and procedures regarding the accuracy of reported credit information, and for failing to properly investigate disputed consumer credit information.  The FTC action can be found here.

Similarly, the CFPB has recently entered into consent orders with the following furnishers after investigations of FCRA violations:

  • EOS CCA, a Massachusetts debt-collection firm that was required to refund at least $743,000 to consumers and pay a $1.85 million civil penalty for providing inaccurate information to credit-reporting agencies and failing to correct reported information that it had determined was inaccurate;
  • First Investors Financial Services Group, Inc., an auto finance company that was required to pay a $2.75 million fine for failure to establish reasonable written policies and procedures regarding the accuracy and integrity of information furnished;
  • DriveTime Automotive Group, Inc., the nation’s largest “buy-here, pay-here” auto dealer, which was required to pay an $8 million penalty for having inadequate written policies governing the furnishing of information to CRAs.

Attorney generals nationwide have also stepped up enforcement in the furnisher arena. The 2015 multistate attorneys general settlement with the three national CRAs enlists the CRAs as part of the enforcement mechanism. Although the settlement only directly applies to changes to CRA business practices, many of the required changes will also impact furnishers. For example, CRAs are now required to:

  • review and update the terms of use agreed to by furnishers using e-Oscar;
  • establish a working group to share best practices for monitoring furnishers;
  • take corrective action when necessary with respect to furnishers that fail to comply with furnisher obligations and reinvestigation requirements; and
  • maintain information about problem furnishers and provide a list of those furnishers to the states upon request.

This regulatory focus on furnishers shows no signs of slowing down, as illustrated by the CFPB’s first bulletin of 2016, which warns furnishers yet again of the need to have adequate policies and procedures. The CFPB notes that a furnisher’s “policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher’s activities.” In other words, “if an institution furnishes both credit information to nationwide CRAs and deposit account information to nationwide specialty CRAs, that institution must consider the appropriate approach to each type of furnishing in its policies and procedures in order to comply with Regulation V.” The bulletin concludes with a warning to furnishers to have such policies and procedures in place with respect to all types of consumer information furnished to each of the CRAs: “If the CFPB determines that a furnisher has engaged in any acts or practices that violate Regulation V or other federal consumer financial laws and regulations, it will take appropriate supervisory and enforcement actions to address violations and seek all appropriate remedial measures, including redress to consumers.”

In addition to the harsh consequences of regulatory enforcement, furnishers have also now found themselves subject to a new world of civil liability pursuant to the U.S. Bankruptcy Code. Plaintiffs’ lawyers have begun experimenting with bankruptcy laws in an attempt to certify previously uncertifiable classes against furnishers. Section 524 of the Bankruptcy Code, known as the “discharge injunction” provision, prohibits any attempt to collect a discharged debt. The injunction is intended to give complete effect to the discharge and to eliminate any doubt concerning the effect of the discharge. Class actions have now been filed based on a furnisher’s systematic violation of the discharge injunction for refusal to correct a plaintiff’s credit report by showing that the plaintiff’s debts had been discharged. Courts have denied motions to dismiss when plaintiffs allege that the failure to update a credit report is a veiled attempt to collect the debt.

Furnishers should take note that they have become a central focus for regulatory supervision as well as a key target of the plaintiffs’ bar. Complying with the Furnisher Rule (Regulation V) has never been more important than it is today.


FCRA litigation is here to stay, at least for the foreseeable future. If your client’s business is involved in FCRA-regulated activities, compliance with the highly technical FCRA requirements is a necessity. Otherwise, failure to comply exposes the company to civil liability, including class actions and regulatory attention by the CFPB and FTC.


Connect with a global network of over 30,000 business law professionals


Login or Registration Required

You need to be logged in to complete that action.