CFPB reminds consumer reporting agencies that their “name-only” matching procedures violate the FCRA

James-Francis

We’d all like to think that we’re unique. But if we were to judge our uniqueness simply by our first and last names, we’d be disappointed.

Some of us might share the same first and last names with hundreds or thousands of other people. According to research from Southern Illinois University, there were 34,269 people in the U.S. named “Robert Smith” at the time the research was conducted, 30,507 people named “Maria Rodriguez,” and 25,255 people named “John Smith.”

While we might share the same names with hundreds or thousands of other people, if we consider other identifying information, we can regain our feelings of uniqueness. Our date of birth is likely to separate us from most of the other people who share our names. Add in our home address and our Social Security number and we should be back to feeling like we are one of a kind.

Although it seems self-evident that the uniqueness of a particular person can be more readily confirmed when many pieces of identifying information about them are considered, consumer reporting agencies (“CRAs”) like Equifax, Experian, TransUnion, and background screening companies have been slow to come to this conclusion. This has caused headaches for many U.S. consumers who receive credit reports or background checks about them that have other peoples’ information on them.

But those consumers have an avenue of redress. Under the U.S. Fair Credit Reporting Act (“FCRA”), CRAs that mix multiple consumers’ information on a single consumer report resulting in that report containing false information can be sued by the affected consumer.

That’s why the U.S. Bureau of Consumer Financial Protection (“CFPB”) recently issued an advisory opinion regarding CRAs’ inadequate “name-only” matching procedures when preparing consumer reports that reminds CRAs how those procedures can lead to liability under the FCRA. The million-dollar question, however, is whether CRAs will heed the CFPB’s threat in its advisory opinion of increased enforcement against them for continuing to use these procedures.

What is “name-only” matching?

When a CRA prepares a consumer report, it must “match” information it obtains from public data sources or it receives from furnishers of consumer information to the specific consumer who is the subject of the report.

There is no shortage of personal identifying information about us consumers available to CRAs. In addition to our first and last names, CRAs can identify us by, among other things, our addresses, our dates of birth, and our Social Security numbers. Obviously, the more pieces of data a CRA has about a consumer, the more accurate its matching procedures will be. It is much easier to verify which Robert Smith out of more than 34,000 Robert Smiths is the one with a particular defaulted loan or outstanding credit card balance when that particular Robert Smith’s date of birth and Social Security number is used to confirm his identity.

However, CRAs frequently use name-only matching when constructing consumer reports. Name-only matching occurs when a CRA uses only a first name and a last name to determine whether a particular piece of information relates to a particular consumer. In a country with almost 2.5 million people with the last name of Smith, almost two million people with the last name of Johnson, and more than one million people with the last names of Brown, Davis, Garcia, Hernandez, Jones, Martinez, Miller, and Rodriguez, it is practically a foregone conclusion that matching consumer data using only first and last names will result in false matches.

As the CFPB points out in its advisory opinion, name-only matching is particularly problematic for Hispanic, Asian, and Black individuals because there is less last-name diversity in those populations than among the white population. For example, according to the CFPB, 26 Hispanic last names cover more than a quarter of the Hispanic population, compared to 319 white last names covering a quarter of the white population.

Name-only matching causes inaccuracies on consumer reports that negatively impact consumers’ abilities to make purchases, rent apartments, obtain credit, or even land new jobs. The CFPB noted that “incorrect information on your [consumer] report” has been the largest category of consumer complaints it has received for at least the past five years. According to the CFPB, in 2020, companies regulated by the CFPB responded to more than 191,000 such complaints—which is roughly 68 percent of the consumer complaints those companies responded to that year. While it isn’t clear how many of these complaints can be attributed to name-only matching, I’m willing to bet a significant percentage, if not a majority, can be.

Name-only matching violates the FCRA

Section 607(b) of the FCRA (15 U.S.C. § 1681e(b)) states that “[w]henever a [CRA] prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” The CFPB, the U.S. Federal Trade Commission, state Attorneys General, and federal courts have made clear that name-only matching is not a “reasonable procedure[] to assure maximum possible accuracy” of consumer information, and thus violates section 607(b).

In 2015, the CFPB took action against a background screening company, General Information Services, for violating FCRA section 607(b) when it did not require employers to provide middle names for job applicants whom the employers wanted criminal background checks for. As a result, mismatched criminal record information was reported about some of those applicants. In 2019, the CFPB settled allegations that a background screening company, Sterling Infosystems, violated section 607(b) by matching public criminal records to job applicants based on limited identifying information, including first and last names and either dates of birth or addresses. The practice led to “a heightened risk of false positives.”

In 2014, the FTC settled allegations that a background screening company, InfoTrack Information Services, violated section 607(b) when it used name-only matching to provide employer background screening reports that contained information about whether the applicants were registered in a national sex offender registry.

In 2015, as a result of a settlement with more than thirty state Attorneys General, Equifax, Experian, and TransUnion—the “Big 3” U.S. CRAs—launched the National Consumer Assistance Plan with the goal of improving the accuracy of consumer reports and making it easier for consumers to correct errors on their consumer reports. Under the NCAP, as of July 1, 2017, public record data obtained by the three companies for inclusion on consumer reports must contain a consumer’s name, address, and Social Security number and/or date of birth and must be refreshed at least every 90 days.

As for federal courts, both the Third Circuit and the Ninth Circuit in cases handled by our firm have held that name-only matching procedures were not “reasonable procedures to assure maximum possible accuracy” of consumer information under section 607(b).

In Cortez v. TransUnion, LLC, 617 F.3d 688 (3d Cir. 2010), a case handled by our firm, the Third Circuit affirmed the district court’s ruling that TransUnion’s name-only matching protocols for matching consumers’ names with names on a list maintained by the Office of Foreign Assets Control (“OFAC”) violated section 607(b) where TransUnion had information within its own files showing that the OFAC alert in question was incorrect.

In Ramirez v. TransUnion, LLC, 951 F.3d 1008 (9th Cir. 2020), rev’d on standing grounds,141 S.Ct. 2190 (Jun. 25, 2021), the Ninth Circuit ruled that TransUnion continued using problematic name-only matching technology despite the ruling against it in Cortez, and upheld an eight-figure jury verdict that found TransUnion liable for violating section 607(b) because the company used “rudimentary name-only matching software without any additional checks to avoid false positives.” Noting that the correct reading of the FCRA should have been clear to TransUnion after Cortez, the Ninth Circuit held that this particular violation was willful.

The CFPB’s advisory opinion

The CFPB issued its advisory opinion “to remind [CRAs] that their matching practices must comply with their FCRA obligation to ‘follow reasonable procedures to assure maximum possible accuracy’ under section 607(b), and that the practice of name-only matching in particular is far from sufficient to meet that standard.”

In the opinion, the CFPB analyzed section 607(b) and interpreted its “reasonable procedures” requirement “to include as an integral component that the information in fact pertains to the consumer who is the subject of the report.” The CFPB further explained that the steps a CRA “takes in matching information it obtains or receives to the correct consumer in preparing consumer reports are critical in assessing whether the [CRA] is” complying with section 607(b).

The CFPB noted that it has consistently viewed name-only matching to not be “a procedure that assures maximum possible accuracy, and thus, [CRAs] that use name-only matching violate FCRA section 607(b).” The CFPB said that it “continues to conclude that it is not a reasonable procedure to use name-only matching to match information to the consumer who is the subject of the report in preparing a consumer report.” It concluded by noting that, additionally, it is not a reasonable procedure for a CRA to include information from a source that does not use identifying information other than consumers’ names in a consumer’s report “without taking additional steps to match the information to the consumer who is the subject of the report, such as consulting other databases or sources of information that contain additional identifying information.”

Where to go from here?

The CFPB’s advisory opinion does not cover any new ground. Instead, it simply reminds CRAs what they’ve known for at least a decade going back to the Third Circuit’s Cortez decision: CRAs violate section 607(b) of the FCRA when they use name-only matching procedures. For that reason, I’m skeptical that the CFPB’s advisory opinion will, on its own, bring CRAs in line.

Large CRAs like TransUnion have unlimited resources to build matching protocols that take into account identifying information other than first and last names. Yet, TransUnion was sued at least twice over its failure to build such protocols, and one of those times was after a federal appellate court had already held that TransUnion’s failure violated the FCRA. Perhaps TransUnion assumes it is in its shareholders’ best interests to litigate these cases instead of fixing the underlying problem.

Given my experience and my time litigating these cases for many years, my hunch is that large and small CRAs will be unlikely to proactively invest in better matching procedures for consumer information. I doubt that the threat of private litigation will provide a sufficient impetus for widespread reform.

Instead, I believe only increased enforcement by the CFPB will get the attention of CRAs. More frequent enforcement actions by the CFPB will show CRAs that the CFPB is serious about cracking down on name-only matching. The negative publicity created by these enforcement actions, and perhaps the hits the stock prices of publicly traded CRAs take as a result, might actually get their attention.

In a statement regarding the CFPB’s recent advisory opinion, CFPB Director Rohit Chopra seems to agree. He said the CFPB will be “closely collaborating” on enforcement actions with the FTC regarding name-only matching procedures. Also, in addition to civil penalties, Chopra expects the CFPB to seek to redress the “full range of harms” to victims of name-only matching procedures, and to “make appropriate referrals, including to the Department of Justice’s Civil Rights Division, when the [use of name-only matching procedures] might implicate violations of anti-discrimination laws.”

The CFPB’s advisory opinion, its first during the Biden Administration, is certainly a step in the right direction and hints at an increased focus at the agency on name-only matching. But actions speak louder than words. If the CFPB actually walks the walk when it comes to prosecuting CRAs for their name-only matching procedures, consumers might finally see less unlawful behavior from CRAs on that front.

James A. Francis is a founding partner of Center City-based Francis Mailman Soumilas, P.C., a leading consumer rights law firm. He can be reached at jfrancis@consumerlawfirm.com.


Reprinted with permission from the February 22, 2022 edition of The Legal Intelligencer © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or reprints@alm.com.