Internal FCRA Compliance Audits

Internal FCRA Compliance Audits

By : Joseph S. Messer, Esq.

A summary of my presentation at the 2022 PBSA Annual Conference, in Aurora, Colorado. For more information, see the presentation slides.

Originally prepared for and published by PBSA in the Sept-Oct 2022 edition of the Journal. Read the full issue here:  https://thepbsa.org/resources/publications/  

Internal Fair Credit Reporting Act (FCRA) Compliance Audits can be an effective way to guard against lawsuits. A properly conducted Audit will expose operational deficiencies which can subject your firm to potential liabilities so you can address them before liability arises. This article describes what an Audit can cover, how to motivate your employees to meaningfully participate in the Audit, what to do with the information gleaned from the Audit and how to protect negative information from the Audit from disclosure if litigation arises.

What Should You Audit For?

The scope of the Audit is up to you. A good way to identify compliance deficiencies is to review past FCRA lawsuits. If you settled a lawsuit due to a compliance error it should be addressed. You can also review past consumer disputes. Have you had to correct reports? If the same patterns are repeating themselves audit your report preparation procedures for compliance.

Audits Need Not Be Comprehensive

Top-down Audits are not always necessary. It often makes more sense to focus on problem areas based on particular compliance concerns. If problems are identified from past FCRA lawsuits and consumer disputes you can design mini Audits to root out compliance deficiencies and change procedures to avoid repetitive errors. The following are examples of auditable areas.

Audit for Permissible Purposes

Clients must have permissible purpose for the reports they order (e.g., employment or rental decisions).  How are they conveying their permissible purpose to you?  In paperwork each time they request a report?  If electronic, by clicking a box when they order a report?

Conduct an “audit trial” of the forms through which your clients provide permissible purpose. Match them to the reports you generate. Do you have permissible purpose for each report? Are reports being issues without document permissible purpose?

Audit for Accuracy of Information

Background screeners must have “reasonable procedures to assure the maximum possible accuracy” of information in reports. Pull multiple reports prepared by different researchers and double check them for accuracy.   Reports prepared by new researchers can be “peer reviewed” for accuracy by experienced researchers. To avoid animosity peer review can be anonymous. At a minimum communications between reviewer and reviewees should be limited.

Have a series of “seed reports” prepared from scratch on consumers whose reports contained errors previously corrected in response to consumer disputes. Are the same errors occurring?  If so, why? Obviously make sure “seed reports” are not erroneously issued to end users.

Audit for Stale Adverse Information

The FCRA prohibits the inclusion of stale adverse information in reports:

• Bankruptcies that predate the report by 10 years or more from the date of entry of the order for relief or date of adjudication.
• Civil suits, civil judgements, and records of arrest that predate the report by more than 7 years, or until the governing statute of limitations has expired, whichever is longer.
• Accounts placed for collection and/or “Charged Off” Accounts which predated the report by more than 7 years.
• Any other adverse information other than records of convictions of crimes which predate the issuance of the report by more than 7 years.

Does your software automatically remove stale adverse information? Prepare several test reports on consumers with stale records to confirm the software weeds them out.  Do you rely on researchers to exclude stale adverse information? Test researchers to confirm they are excluding stale information.

Audit for “Mixed Files”

FCRA liability can occur when court records belonging to another person are included in a consumer’s report. “Mixed files” can be avoided if care is taken when preparing reports. Audit by testing to determine:

• The types of personal identifiers used in verifying a consumer’s identity.
• The minimum number of personal identifiers that are acceptable to confirm an identity match, especially for common names.
• The degree of deviation that is acceptable before a criminal record is included in a report.
• The quality and quantity of personal identifying information obtained on consumers by your client.

Pull sample reports on consumers with common names to double check for accuracy. Audit for mixed file risk by Interviewing researchers to determine how they use personal identifiers in preparing reports.  Test researchers by having them prepare reports on consumers with common names to determine if they result in mixed files. Determine if particular researchers are prone to producing mixed files by reviewing consumer disputes.

Review application materials received from clients to confirm they provide sufficient personal identifiers. Determine what researchers do when clients fail to provide sufficient personal identifiers. Do they know to contact client for more information?

Audit for Accuracy in Describing Criminal Records in Reports

The level of offense when a consumer is initially charged with an offense often differs from the ultimate outcome.  Offenses are frequently reduced due to plea agreements and charged offenses are often dismissed.  Occasionally researchers will miss these changes when they don’t study the entire court file each offence. Test researcher by having them review lengthy court files to determine the ultimate outcome of an offenses.

Researchers sometimes use inaccurate abbreviations or the wrong terminology to describe an offense. Review files containing criminal records which were corrected as a result of consumer disputes. What mistakes were corrected?  Do they show patterns of repeated mistakes? Do they show that certain researchers regularly make mistakes?

Audit for Proper Consumer Disclosures

Consumer “files” and “reports” are separate things.  As discussed further below, a “file” on a consumer contains all of the information the CRA has in its database regarding that consumer.  A “report” on a consumer is the report the CRA issued to its client on the consumer.   Employees who field requests must know the difference between files and reports to properly respond to  consumer requests.

Interview employees who field consumer calls to determine if they understand the difference between files and reports. Review call recordings or notes from calls; what did consumers request and what was sent?

Audit for Proper Consumer File Documentation

The FCRA gives consumers the right to request that the CRA send them everything in their “file”. When the CRA receives a request from a consumer for their file the CRA must send the consumer “all of the information on that consumer recorded and retained by [the CRA] regardless of how the information is stored.” [1]

Review several files on consumers to confirm they contain the required documentation.

• Are there missing documents?
• Are documents located elsewhere?

Review several file requests.

• What was sent to the consumers?

Audit for Proper Responses to Consumer Disputes

The FCRA gives consumers the right to dispute the completeness or accuracy of any item of information contained in their report. Generally CRAs are required to conduct a reinvestigation within 30 days of receiving the dispute and to notify the consumer of the result of the reinvestigation within 5 business days after completing the reinvestigation.[2]

The notice must include:

• A statement that the reinvestigation is complete;
• A copy of a revised consumer report based upon the result of the reinvestigation;
• A notice that, if requested by the consumer the CRA will send the consumer a description of the procedure used to determine the accuracy and completeness of the information disputed by the consumer in their file including the business name and address of any furnisher of information contacted in connection with such information and the telephone number of such furnisher, if reasonably available;
• A notice that the consumer has the right to add a statement to his/her file disputing the accuracy or completeness of the information; and
• A notice that the consumer has the right to request that a revised report be sent to those that received a report in the last two years for employment purpose or in the last six months for any other purpose.

Review the records from several consumer disputes to determine if reinvestigations were conducted timely and that the proper notices were issued to the consumers.

Review recordings of consumer dispute calls. Did the employee fielding the dispute understand the dispute and properly respond? Was the reinvestigation conducted properly (i.e., were mistakes caught and corrected or ruled out)? Were proper notices sent to the consumer?

FCRA Compliance Manuals & Examinations

It is advisable that background screeners have FCRA Compliance Manuals.  Manuals should be tailored to the background screener’s operations. Employees whose work responsibilities involve areas governed by the FCRA should be required to review the Manual and to pass a FCRA Compliance Examination tailored to their work responsibilities as covered by the Manual. Employees should be tested on an annual basis.

Obtaining Meaningful Employee Participation

To get employees to meaningfully participate in the Audit they need to know it is not a gauge of their performance but an audit of the organization in general.  You may want to inform them that results won’t be maintained in their employment files and won’t be used in making decisions about their advancement (or lack thereof) in your organization.  Or consider using this as an opportunity for employees to advance within the organization by helping to improve organizational legal compliance.

Importance of Keeping Audit Results Confidential

The disclosure of negative Audit results in litigation could be harmful to your defense. Negative information could be used by a plaintiff to demonstrate a “willful” noncompliance with the FCRA.  This could result in punitive damages and/or class action liability.

Three Methods of Keeping Audit Results Confidential

There are three main methods of keeping Audit results confidential: (1) Self-Critical Analysis; (2) Work Product Privilege; and (3) Attorney-Client Privilege. Self-Critical Analysis is not always available. Work Product Privilege is available only in connection with litigation and is not ironclad. Attorney-Client Privilege is the strongest and best method of protection.

Self-Critical Analysis

In jurisdictions where it is recognized, the Self-Critical Analysis privilege is a qualified privilege to protect self-critical, evaluative analyses from discovery.  The privilege seeks to protect the opinions and recommendations of corporate employees engaged in the process of critical self-evaluation of the company’s policies. Jurisdictions that recognize the privilege do so because it encourages thorough and candid self-evaluation and compliance with the law.

Generally Self-Critical Analysis involves a 4 part test:  (1) the information must be the result of self-critical analysis undertaken by the party seeking protection;  (2) the public must have a strong interest in preserving the free flow of the type of information sought; (3) the information must be of the type whose flow would be curtailed if discovery were allowed; and (4) the document sought to be protected must have been prepared with the expectation that it would be kept confidential, and it must have remained so.

Self-Critical Analysis privilege is not absolute and can be waived or overcome through a showing of exceptional need by the party seeking discovery.  Courts apply a balance test and consider: (1) the extent to which the information may be available from other sources; (2) the degree of harm that the litigant will suffer from its unavailability; and (3) the possible prejudice to the party’s investigation.

In 1979 TRW (now Experian) was unsuccessful in invoking the privilege in withholding documents subpoenaed by the Federal Trade Commission  as part of an investigation to determine whether TRW’s practices violated the FCRA. FTC v. TRW, 479 F. Supp. 160, 162 (D.D.C. 1979).  The court found the privilege to be not generally recognized and inapplicable when a law enforcement agency was seeking documents pursuant to its statutory subpoena power.

Conversely, a federal court in Georgia allowed the privilege in the context of an employment discrimination case. Banks v. Lockheed-Georgia 53 F.R.D. 283 (N.D. Ga. 1971). The court held plaintiffs were not entitled to a report prepared by team appointed to study the employer’s equal employment opportunity practices – because the report included a candid self-analysis and evaluations of the employer’s actions. It would be contrary to public policy to discourage frank self-criticism and evaluation in the development of affirmative action programs.

Work Product Privilege

The Work Product Privilege is available only if the Audit was carried out in anticipation of litigation.  To be protected, the Audit should be conducted at the direction of counsel to assist counsel to plan or strategize for litigation, such as possible legal defenses or affirmative claims.  Work product privilege has limits.  Even if documents are prepared in anticipation of litigation, the adverse party may obtain them by showing “substantial need” for disclosure and an inability to obtain their equivalent by other means.

Attorney-Client Privilege

Attorney-Client Privilege is the best way to protect Audit results from disclosure. If legal counsel conducts or directs the Compliance Audit the results may be protected by the attorney-client privilege under the US Supreme Court case Upjohn Co. v. United States, 449 U.S. 383 (1981). To be privileged, the Audit must be carried out for the purpose of obtaining and providing legal advice.  The privilege will not protect the Audit from discovery if no legal advice is sought or provided, or if the attorney is consulted merely for business advice.  The privilege can be lost if the confidential nature of the Audit is not conveyed to participants; if the attorney is merely kept informed of the Audit rather than tasked with directing it or to provide legal advice as part of the Audit. The predominant purpose of the Audit must be to obtain legal advice. Otherwise, the privilege is waived. Overly broad disclosure within the company can trigger a waiver if the individual to whom disclosure was made did not have a “need to know” the contents of otherwise privileged information

Conclusion

If properly conducted and protected an internal FCRA Compliance Audit can expose compliance procedures which could lead to lawsuits so you can correct them before liability arises. However, improperly conducted Audits can backfire and increase a background screener’s exposure to liability. For these reasons background screeners should engage qualified legal counsel to assist them in conducting and implementing Compliance Audits.

About the Author

Joseph Messer is a partner with Messer Strickler Burnette Ltd., a law firm which defends background screeners in Fair Credit Reporting Act lawsuits throughout the country. Relying on his unique insight on how background screeners can avoid FCRA liability Mr. Messer regularly counsels background screeners on legal compliance. Mr. Messer can be reached at (312) 334-3440 or jmesser@messerstrickler.com.

[1] Source information used solely for investigative consumer reports need not be disclosed.

[2] Most CRAs complete reinvestigations right away. The FCRA allows CRAs to obtain an extension of the 30-day deadline, and to terminate a reinvestigation if the dispute is “frivolous” or “irrelevant”.