Florida Credit Union Consumer Complaints List by ner17598


More Info
									Privacy Academy 2008
     Orlando, Florida
                                           Broad Scope of FCRA
Regardless of how you describe your        The Non-Traditional CRA
business, it’s likely you use and access
consumer reports.
The FCRA and FACT Act cover a wide         Background Screening Reports
range of activities related to
accessing, collecting and using
consumer information.                      Red-Flag Rules
We will discuss what business
practices are regulated by these
                                           Identity Theft Prevention
statutes and recent FTC rules
concerning identity theft.
The overall goal of this presentation is
                                           Litigation Trends
heightened appreciation for the
effects of noncompliance.
We will end with a question and            Question and Answer Session
answer session.

 The remarks in this presentation do not
  necessarily reflect the views of the Federal
  Trade Commission or of any Commissioner,
  nor are they intended to be legal advice.
 Anyone with specific questions about a
  matter should consult legal counsel.
An adventure in definitions
Federal Trade Commission

 Nation’s only general jurisdiction consumer
  protection agency
 Enforcement through federal district court
  and administrative litigation

 Passed in 1970; significant amendments in
  1996 and 2003
 “[T]o insure that consumer reporting
  agencies exercise their grave responsibilities
  with fairness, impartiality, and a respect for
  the consumer's right to privacy”
FCRA Guiding Principles

 Privacy
   Limited access to consumer reports
   Same limits on government access, with
    certain exceptions
 Accuracy
   Responsibilities of consumer reporting agencies
    and information furnishers
   Consumer dispute process
 Fairness
   Adverse action notices
   Obsolete information deleted
Who Is Covered by FCRA

 Consumer Reporting Agencies
 Furnishers – information sources
 Users of consumer reports
 And more (merchants using debit/credit
  cards; “financial institutions” and “creditors”)
FCRA Enforcement

 Civil enforcement by many agencies:
     FTC and federal banking agencies
     State attorneys general
     Consumers: private right of action in some cases
 Criminal enforcement: federal or state
  prosecutors (e.g., information obtained under
  false pretenses, unauthorized disclosure by
  credit bureau employees)
Consumer Report Defined

 “any written, oral, or other communication of any
  information by a consumer reporting agency bearing on a
  consumer's credit worthiness, credit standing, credit
  capacity, character, general reputation, personal
  characteristics, or mode of living which is used or expected
  to be used or collected in whole or in part for the purpose of
  serving as a factor in establishing the consumer's eligibility
  for -- (A) credit or insurance to be used primarily for
  personal, family, or household purposes; (B) employment
  purposes; or (C) any other purpose authorized under
  section 604.”
Definition Dissected

 Two basic elements:
   Information in report has a “bearing on” one or
    more specified consumer characteristics (e.g.,
    credit standing)
   Report is “used or expected to be used (by the
    user) ... for the purpose of ... establishing the
    consumer’s eligibility (for purposes allowed by
    the FCRA)...”
Some Important Points

 Has to be about a consumer – if doesn’t
  identify specific consumer, not a consumer
   Ex. Flagging a specific internet transaction as
    potentially fraudulent based on comparison to
    aggregate data about internet transactions (e.g.,
    time-of-day activity, geographic location, amount
    of the transaction, etc.), without reference to an
    individual consumer, is not a consumer report
Includes Summaries and Evaluations of Reports

 Includes numerical or other evaluation of file
  data by a CRA, such as a credit score that
  bears on a consumer’s creditworthiness
 Includes a list of the names of people meeting
  certain characteristics – such as a list of
  creditworthy individuals, or individuals on
  whom CRAs have derogatory information
Examples of Consumer Reports

 Credit report
 Rental history
 Check writing history/“bad check” lists
 Employment history
 Medical history
 Insurance claims history
Consumer Reporting Agency Defined

 “any person which, for monetary fees, dues, or
  on a cooperative nonprofit basis, regularly
  engages in whole or in part in the practice of
  assembling or evaluating consumer credit
  information or other information on consumers
  for the purpose of furnishing consumer reports
  to third parties, and which uses any means or
  facility of interstate commerce for the purpose
  of preparing or furnishing consumer reports”
Mutually Dependent Definitions

 Consumer report = report provided by
  consumer reporting agency
 Consumer reporting agency = an entity that
  provides consumer reports
Some Important Points

 Entities that work together for a common
  purpose without monetary compensation
  may form a CRA
   Exchange or data pool

 Entities that repackage and/or resell
  consumer report information may be CRAs
Evolution of the information industry: A case study
Case Study

 In the Matter of Ingenix, Inc.
 In the Matter of Milliman, Inc.
 Consent Decisions and Orders issued
  February 12, 2008
Where Industry Was

 Life insurance companies used service
  providers to get medical records
 Service providers requested records from
  health care providers, put in envelope, and
  mailed to insurer
Record Retrieval Companies Are Not CRAs

 An entity that performs only mechanical
  tasks in connection with transmitting
  consumer information is not a CRA because it
  does not assemble or evaluate information. A
  business that delivers records, without
  knowing their content or retaining any
  information from them, is not acting as a CRA
  even if the recipient uses the records to
  evaluate the consumer’s eligibility for
  insurance or another permissible purpose.
Ingenix and Milliman

 Provide reports on prescription drug
  purchase histories of insurance policy
  applicants, to insurance companies for
  underwriting decisions
 Obtain prescription drug histories from
  Pharmacy Benefit Managers and create
  prescription medical profiles
Why CRA – “Assemble” or “Evaluate”

 “Assembled” -- Compiled information
  into single report
 “Evaluated” -- Analyzed information to
  report potential medical conditions that
  may be present
Administrative Enforcement Action

 Complaints charged Ingenix and Milliman
  with violating FCRA by failing to provide
  Notice to Users
 Notice to Users describes FCRA
  responsibilities and obligations of recipients
  of reports, including notifying consumers if
  adverse action is taken, based in whole or in
  part, on information contained in the
  consumer report
Consent Order

 5 year record keeping obligation
 20 year injunction to comply with CRA duties:
   Notice to Users
   Only furnish reports to those with permissible purpose
   Reasonable procedures to assure maximum possible
    accuracy of information
   Reasonable procedures to handle consumer disputes
   Conduct reasonable reinvestigations
   Comply with the Disposal Rule
Special Reports: Special Rules
Background Reports Are Consumer Reports

 The definition of a “consumer report”
  includes more than just consumer credit
 Criminal background checks, educational
  background checks, and license checks are
  consumer reports because involve the
  individual consumer's “character, general
  reputation, personal characteristics, or mode
  of living”
Background Screening Companies Are CRAs

 Company that provides oral/written reports
  to employers about the prior work experience
  of applicants
 Company that regularly researches criminal
  records of job applicants and reports them to
  its clients
Special Rules in Employment

 Written notice and authorization before
  getting report
 Pre-adverse action disclosure – copy of
  report and Summary of Rights
 Adverse Action Notice
 Using Consumer Reports: What Employers
  Need to Know
What they are and what they’re not.
What They Are

 “Red Flag” means:
   a pattern, practice, or specific activity that
    indicates the possible existence of identity theft
“Red Flag Guidelines and Rules”

 Where do they come from?
   Fair and Accurate Credit Transactions (“FACT”)
    Act of 2003
   Amended FCRA
   Passed in response to concerns about misuse of
    personal information of consumers, including
    identity theft
   Instructed FTC and agencies to establish
    guidelines and rules
Red Flag Guidelines

 15 U.S.C. § 1681m(e)(1)(A): “The federal
  banking agencies, the National Credit Union
  Administration, and the [Federal Trade]
  Commission shall jointly . . .
   establish and maintain guidelines . . . regarding
    identity theft with respect to account holders at,
    or customers of, such entities, and update such
    guidelines as often as necessary . . . .”
Joint Rulemaking

 Final rules published November 9, 2007.
  (Press Release)
 Effective on January 1, 2008
 Full compliance required by November 1, 2008
Identity Theft Prevention Programs

 The rules require “financial institutions” and
  “creditors” with “covered accounts” to
  implement a written Identity Theft Prevention
  Program to detect, prevent, and mitigate
  identity theft in connection with:
   The opening of a covered account or
   The existence of a covered account
“Creditors” with “Covered Accounts”

 “Anyone who arranges for the extension,
  renewal or continuation of credit or any
  assignee of an original creditor who
  participates in the decision to extend, renew
  or continue credit.”
“Creditors” with “Covered Accounts”

 A consumer account that “involves or is designed to
  permit multiple payments or transactions, such as a
  credit card account, mortgage loan, automobile loan,
  margin account, cell phone account, utility account,
  checking account, or savings account and
 “Any other account that the financial institution
  or creditor offers or maintains for which there is
  a reasonably foreseeable risk to customers or to
  the safety and soundness of the financial
  institution or creditor from identity theft,
  including financial, operational, compliance,
  reputation, or litigation risks.”
The Guidelines

 Intended to assist financial institutions and creditors in the
  formulation and maintenance of a Program that satisfies
  the requirements of the Red Flag Rules
 Topics include
    The Identity Theft Program
    Identifying Relevant Red Flags
    Detecting Red Flags
    Preventing and Mitigating Identity Theft
    Updating the Program
    Methods for Administering the Program
    Other Applicable Legal Requirements
Guideline Highlights

 Identifying Red Flags
   Categories of Red Flags
      Alerts, notifications, or other warnings from consumer
       reporting agencies or service providers, such as fraud detection
      The presentation of suspicious documents
      The presentation of suspicious personal identifying
       information, such as a suspicious address change
      The unusual use of, or other suspicious activity related to, a
       covered account
      Notice from customers, victims of identity theft, law
       enforcement or others regarding possible identity theft
   Appendix to Rule has 26 examples for the foregoing
Guideline Highlights (cont’d)

 Procedures to detect Red Flags
   Verify identity
   Authenticate customers
   Monitor transactions
   Verify validity of address changes
Guideline Highlights (cont’d)

 Appropriate Responses to Red Flags
   Monitor accounts
   Contact customer
   Change passwords
   Close and reopen account
   Refuse to open account
   Do not collect on or sell account
   Notify law enforcement
   No response
Guideline Highlights (cont’d)

 Administering the Program
   Oversight involves
   Assigning specific responsibility
   Reviewing reports
   Approving material changes to Program
What They’re Not

 Red Flags compliance v. data security
 Definition of “financial institution” is not
  same under Red Flags and Gramm Leach
  Bliley Act
 Compliance with HIPAA does not equal
  compliance with Red Flags
FTC Activity

 June 2008 “FTC Business Alert”
 FTC set-up email for questions:
Are you a financial institution or creditor?
Mandatory Compliance

 By November 1, 2008 for:
   “Financial Institutions”
   “Creditors” that hold any consumer account or
    other account for which there is a reasonably
    foreseeable risk of identity theft
Are you a “Financial Institution”?

 A “financial institution” is:
   A State or National bank
   A State or Federal savings and loan association
   A mutual savings bank
   A State or Federal credit union
   “Any other person that, directly or indirectly, holds
    a transaction account belonging to a consumer”
15 U.S.C. § 1681a(t) (emphasis added)
Transaction Account

 “The term ‘transaction account’ means a deposit
  or account on which the depositor or account
  holder is permitted to make withdrawals by
  negotiable or transferable instrument, payment
  orders of withdrawal, telephone transfers, or
  other similar items for the purpose of making
  payments or transfers to third persons or others.
  Such term includes demand deposits, negotiable
  order of withdrawal accounts, savings deposits
  subject to automatic transfers, and share draft
12 USCS § 461(b)(1)(C) (also known as section 19(b)
of the Federal Reserve Act)

 FCRA says,
    “[t]he term[]…’creditor’ ha[s] the same meaning[]
     as in section 702 of the Equal Credit Opportunity
See 15 U.S.C. § 1681a(r)(5)
Are you a “Creditor”?

A “creditor” is:
   Any person who regularly extends, renews or
    continues credit
   Any person who regularly arranges for the
    extension, renewal, or continuation of credit
   Any assignee of an original creditor who
    participates in the decision to extend, renew, or
    continue credit
15 U.S.C. §1691a(e) (also known as the Equal
Credit Opportunity Act, Definitions)
Step 1: Risk Assessment

 Do you offer or maintain “covered accounts”?
 How do you open “covered accounts”?
 How do you provide access to your accounts?
 What experiences do you have with
  identity theft?
Step 2: Develop Program to

 Identify red flags and incorporate
  into Program
 Detect red flags included in Program
 Respond to red flags when detected
 Periodically update program to address
  changing risks
Step 3: Administer Program by

 Obtaining approval of initial Program from
  Board or appropriate Board committee
 Ensuring adequate oversight
 Training appropriate staff
 Overseeing service provider agreements
Message from the Federal Trade Commission

 “By now, the message should be clear: companies that
   collect sensitive consumer information have a responsibility
   to keep it secure.”
  (FTC Chairman, Deborah Platt Majoras, March 27, 2008)
 Using its authority under Section 5 of the FTC Act (which
  prohibits unfair or deceptive practices), the Commission has
  brought a number of cases to enforce promises in privacy
  statements, including promises about the security of
  consumers’ personal information. The Commission has also
  used its unfairness authority to challenge information
  practices that cause substantial consumer injury.
Privacy Initiatives
Traps for the Unwary
Private Right of Action?

 Dissention over whether FACT Act eliminated private rights
  of action for all violations of § 1681m. See Perry v. First Nat.
  Bank, 459 F.3d 816, 820 (7th Cir. 2006).
 No question Congress declined to provide private right of
  action for violations of the red flag requirements and
  guidelines set forth in § 1681m(e). See id. at 821; White v. E-
  Loan, Inc., 409 F. Supp. 2d 1183, 1185-86 (N.D. Cal. 2006).
 15 U.S.C. § 1681s-2(c)(3) provides that 15 U.S.C. §§ 1681n
  and 1681o – which establish rights of action for willful and
  negligent violations of the FCRA respectively – “do not
  apply to any violation of…subsection (e) of section 1681m
  of this title.”
The Beverly Litigation

   Named Plaintiff applied to Wal-Mart
   Application denied due to criminal record:
     He was shown as a felon when he had been
      convicted of a misdemeanor
     Others in the class were shown as felons based on
      records of other people with the same name but
      different birth dates, SSNs
   Inaccuracies blamed on ChoicePoint’s internal
Beverly v. ChoicePoint, Inc.

   Two option for CRA that reports public record
    information for employment purposes:
     Notify the consumer “at the time such public report
      information is reported”
     Maintain “strict procedures designed to insure that [the]
      information . . . is complete and up to date”
   ChoicePoint gave notice, but not until after it had
    sent the reports to Wal-Mart
   No court decision yet
Beverly v. Wal-Mart Stores, Inc.

   Wal-Mart did not give sufficient time to dispute
    the erroneous information
     9/1/05: ChoicePoint, on Wal-Mart’s behalf, sent
      notice to Beverly of contemplated adverse action
       This included a copy of Beverly’s criminal history
        report, as required by the FCRA
     9/6/05: ChoicePoint, on Wal-Mart’s behalf, sent
      notice to Beverly of adverse action
     Due to Labor Day, both letters arrived on 9/7
The Beverly Litigation

   Beverly called ChoicePoint on 9/7 to dispute
   ChoicePoint sent Wal-Mart a corrected report
   Wal-Mart hired Beverly
Beverly v. Wal-Mart Stores, Inc.

 COURT DECISION: Court Opinion
   Under the FCRA, an employer must give the
   consumer “a reasonable period to respond” to the
   initial notice and consumer report
     Wal-Mart delegated this duty to ChoicePoint
     ChoicePoint did not take into account postal delays that
      would be caused by the holiday weekend
     Ultimately, Wal-Mart is responsible for that mistake
   Motion for summary judgment denied
Beverly v. Wal-Mart Stores, Inc.

   FCRA imposes technical obligations on CRAs and
     Employer can delegate its duties but remains
   Courts interpret FCRA in light of its purpose
     Consumers must be able to dispute inaccuracies
      before the report is used against them
   FCRA can be a trap for well-meaning and
    sophisticated employers
Did we cover all of your questions, and/or generate new ones?
For More Information
Rebecca E. Kuehn                                      Jennifer R. Rossi
Assistant Director                                    Business Litigator
Division of Privacy and Identity Protection           Consumer Financial Services Team Leader
Federal Trade Commission                              Robinson & Cole LLP
600 Pennsylvania Ave., N.W., NJ-3158                  280 Trumbull Street
Washington, D.C. 20580                                Hartford, CT 06103-3597
202.326.2017                                          860.275.8355
rkuehn@ftc.gov                                        jrossi@rc.com
www.ftc.gov                                           www.rc.com

                                        Fair Credit Reporting Act

                                 FTC Fair Credit Reporting Act Page

               FTC Business Alert: New ‘Red Flag’ Requirements for Financial
                  Institutions and Creditors Will Help Fight Identity Theft
Any additional questions please ask.

To top