What CRAs Must Know: Important FAQs Regarding CFPB’s Recent Action for Employment Background Check Report Violations
Summary of Case
Based on the public filing, the Bureau asserted that Sterling was engaged in the business of providing background screening reports as to job applicants to assist employers in hiring decisions. The outcome was an order of $6 million in consumer redress and a $2.5 million civil money penalty. The Bureau specifically alleged that Sterling violated the Fair Credit Reporting Act in three distinct ways:
- Failing to employ reasonable procedures to ensure the “maximum possible accuracy” of the information about consumers (i.e., the job applicants) whom it included in the consumer reports it prepared;
- Failing to maintain strict procedures to ensure that public record information about consumers that it included in consumer reports it prepared was complete and up-to-date or notify consumers, at the time that such information was reported, of the fact that public record information was being reported; and
- Reporting criminal history and other adverse information about such consumers outside of the reporting period allowed by the Fair Credit Reporting Act.
1. What is the FCRA and why does it matter to employers or for employment lawyers?
The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is one of the enumerated federal consumer financial laws which can be enforced publicly (by federal agencies) or privately (by private plaintiffs). (State analogs to the FCRA also exist.) In recent years, we have seen an uptick in FCRA litigation.
The architecture embedded in the FCRA is thorough and consumer-focused and is designed to restrict types of activity that may exist from every vantage point of every actor in the “ecosystem” of consumer data. In my view, the FCRA’s original writing is intended to protect the privacy of consumer data (i.e., specifically “consumer reports”), while also keeping the system workable for businesses who provide services in consumer-facing industries (whether financial or not).
Actually, to that point, while the FCRA is a financial regulation, this adjective leads to a misnomer, because the FCRA applies to non-financial businesses as well, provided that the business’s activity triggers one of the three covered entity types. Namely, whether the FCRA applies depends fundamentally on whether the subject business falls into one of three primary categories that are relevant for FCRA purposes: (1) consumer reporting agencies (CRAs), (2) users of consumer reports, or (3) furnishers of consumer data.
In the Sterling action, the Bureau asserted that Sterling constituted a CRA and this assertion meant that all attendant obligations of CRAs set forth in the FCRA would apply to Sterling. This fact was not disputed based on a review of the parties’ stipulated judgment. (While the defendant neither admitted nor denied the allegations for settlement purposes, the defendant did admit facts necessary to establish jurisdiction, including presumably, jurisdiction under the FCRA.) The primary problem garnering Bureau attention in this matter was the fact that consumer-job applicants would have consumer reports about them supplied to prospective employers, but those consumer reports contained inaccurate records reflecting criminal histories. The consumer harm in this and related scenarios would include loss of a job or economic opportunity, an employment offer containing less favorable terms, or reputational harm—all potential (and conceivable) consequences of reporting inaccurate information.
Because CRAs have the ability to control, or at least influence, the future outcomes of consumers based on the quality of data that is listed in the consumer reports that a CRA compiles, the FCRA sets forth requirements for “maximum possible accuracy” that CRAs are bound to adhere to when compiling such consumer reports, for the protection of the consumer.
2. What satisfies “maximum possible accuracy” with respect to criminal-record information in consumer reports?
While the case filings in this matter do not establish a prophylactic standard for maximum possible accuracy, they do illuminate the types of omissions and policies that the Bureau would deem deficient under that standard. At a high level, in numerous instances between December 16, 2012, and July 31, 2016, Sterling allegedly had failed to follow “reasonable procedures” to ensure “maximum possible accuracy” of the criminal-record information in its consumer reports, including in the following ways:
- Until October 2014, Sterling matched criminal records with applicants based only on two personal identifiers, which could include first and last name and date of birth. Three or more identifies were not used to enhance the quality of the match. This policy and practice created a heightened risk of false positives because many commonly named individuals (e.g., John Smith) share the same first and last name and date of birth.
- In October 2014, Sterling adopted its first company-wide record matching policy specifically for applicants with common names, which required that a public criminal record match an applicant on the basis of at least three personal identifiers before that record was attributed to an applicant. Nonetheless, after October 2014 and continuing through July 31, 2016, Sterling continued in instances to erroneously match criminal records with common-name applicants.
- These continuing errors resulted, in part, from insufficient training on the implementation of Sterling’s new common-name policy. The common-name policy itself underwent several clarification revisions after October 2014.
- Aside from the items listed in bullets above, another act of omission was deemed problematic. Sterling had relied on a third-party to provide specific address type data rising to the level of a “high-risk indicator,” i.e., does the consumer’s address exist at a psychiatric hospital, correctional institution, nursing/personal care facility, or social services facility? If so, then the consumer report would contain a notation of ** HIGH-RISK INDICATOR** next to that consumer’s address. The Bureau alleged that Sterling failed to implement procedures that would ensure the accuracy of such “high risk” designations based on the information gleaned by the third-party, thereby violating the FCRA.
Separate from the above issues constituting a failure to maintain “reasonable” procedures, the Bureau also invoked a separate section of the FCRA dealing with “strict” procedures. The Complaint explains: the “FCRA contains special requirements for consumer reporting agencies like Defendant that furnish consumer reports containing public record information for employment purposes if that information is likely to have an adverse effect upon a consumer’s ability to obtain employment. The FCRA requires that a consumer reporting agency must either (1) notify the consumer, at the time such information is reported, of the fact that public record information is being reported, or (2) maintain ‘strict procedures’ designed to ensure the reported public record information is ‘complete and up to date.’” The Bureau alleged that Sterling had failed to so notify, and that—for the reasons stated above in (a) through (d)—Sterling had also failed to maintain the requisite “strict procedures.”
Moreover, with certain exceptions, the FCRA prohibits a CRA from including in a consumer report (1) records of arrest that from the date of entry antedate the report by more than seven years or until the governing statute of limitations has expired, whichever is longer, and (2) any other adverse item of information (other than records of convictions of crimes) that antedates the report by more than seven years. In this case, Sterling was alleged to have committed the following acts:
- Sterling allegedly provided consumer reports containing adverse information that was more than seven years older than the report.
- Beginning in May 2012 and continuing through February 2013, Sterling’s policies required use of the “disposition” date as the start date for the seven-year reporting period for records of arrest and other non-conviction criminal-record information, rather than the “date of entry” for records of arrest or the date of the criminal charge for other non-conviction criminal-record information, as required under § 605(a) of the FCRA. (Practically speaking, this use of the wrong input data in the “start” identifier was problematic because, in reality, the “disposition” date can be many years after the “date of entry,” and is almost always later than the “date of entry.” This almost assuredly elongates the period that adverse information is listed on the report.)
Although — consistent with the FCRA — Sterling maintained a dispute-handling procedure, the Bureau specifically found that some corrections came too late. The Complaint alleged that some applicants may have had to take lower-paying jobs as a result of delays associated with receiving from Sterling the corrected consumer report (i.e., including amendments following the dispute resolution process), and applicants also may suffer lost wages while waiting for the error to be resolved.
3. What amounts of compensation are provided to an aggrieved consumer receive for an erroneous criminal-record listed on her consumer report?
From an attorney’s perspective, what seems notable is the damages analysis. Interestingly, the Complaint used conjectural language to describe the “potential” for lost economic opportunity, loss wages, or reputational harm. It did not allege specifically (as is typically needed to satisfy Article III standing and “injury-in-fact” requirement) that a job applicant actually did suffer that harm in any one instance.
In such a scenario, then, how do you decide how much money to return to consumers? The Bureau’s filing established that there were 7,100 consumers who fell in the category of those who had erroneous criminal background information reported in the applicable period. It also established $6 million in redress to that subset of consumers; this results in an average of $845.07 per person, assuming it is reasonable to divide the whole pot by the total number of consumers. It is, however, not reasonable to do so based on the structure of the consent order’s redress provision.
As is customary for the Bureau, the parties’ stipulated judgment actually set out a “redress plan” that the defendant was responsible for proposing within 45 days, which would include a procedure for outreach to consumers and a resolution for what must occur if fewer than $6 million is paid out through the plan (the rest is to be paid to the Bureau). The redress check amount is decided on a pro-rata basis, with each affected consumer to receive a share of the redress fund that is proportionate to the number of qualifying disputes involving each affected consumer. Meaning, the parties’ stipulated judgment did not specify when or if a consumer is eligible for special, incidental, or consequential damages, nor did it identify per-person dollar amounts for the same.
4. If an entity that compiles consumer report disclaims to the end-user that it must not use the report for employment decision-making, does that insulate the entity from liability?
The court accepted the parties’ proposed stipulated judgment on November 26, 2019. Because this case resolved through settlement, it is not a litigated case and is not technically binding on future cases. However, the rationale used by the Bureau, in this case, is illustrative of the regulator’s position on disclaimers. In this matter, Sterling had sometimes required its clients to certify that they “shall not use Social Security Number trace results in any way, directly or indirectly, for the purpose of making employment decisions” or to “confirm that information obtained through a Social Security Number trace will not be used to disqualify applicants from employment or employees from continued employment.” This was done in connection with the provision of the “high risk” indicators (mentioned above).
The Bureau expressly highlighted this disclaimer, and then nevertheless deemed Sterling to have failed to maintain reasonable procedures to assure maximum possible accuracy. The inference here is that merely drafting contractual language, or online or other disclaimers, that seek to allow CRAs to direct end-users on how they should use the data—when in actuality the end user relies upon the data in a manner that is adverse to consumers and the CRA knows or has reason to know that has occurred, is likely insufficient to insulate from CRA liability.
5. Last Monday, it was publicly reported that the Bureau plans to provide businesses with shorter compliance terms, i.e., terminate their compliance burdens ahead of schedule. In this case, did the Bureau provide a relatively more lenient term of compliance obligation?
A Bureau consent order typically imposes compliance burdens that last for five years, as noted in public reporting. Notwithstanding the announced policy of last week, in the Sterling matter (filed just three weeks before the announcement), the Bureau had imposed the following periods for the obligations to:
- Notify the Bureau of any development that may affect compliance obligations arising under this Order – imposed for 10 years
- Submit an annual compliance progress report – imposed for 5 years
- Maintain compliance business records – imposed for 5 years
- Maintain registration on the Bureau’s portal – imposed for 5 years
- Notify Bureau of changes to compliance committee – imposed for 5 years
- Undertake monitoring and coordinating adherence to the Order, including compliance committee meetings every 2 months – imposed for 5 years
- Notify Bureau of any judgment, settlement order in a related consumer action – imposed for 10 years
Arent Fox’s Consumer Financial Services group will continue to monitor developments in this area. If you have any questions, please contact Jenny Lee, Elyssa Evans, or the Arent Fox professional who usually handles your matters.
- Related Practices