January 7, 2016

Debt Collection and Credit Reporting Violations Spur Series of Enforcement Actions by the Consumer Financial Protection Bureau

Arnold & Porter Advisory

Throughout the month of December, the Consumer Financial Protection Bureau (CFPB) announced a series of enforcement actions against financial institutions for a variety of alleged violations of consumer financial protection laws and regulations, most notably in the areas of debt collection and credit reporting.

As discussed more fully below, the CFPB’s recent enforcement activity is instructive for multiple reasons. For one, the enforcement actions against debt collection firms and collection-related activities continue a trend of heightened regulatory focus on the debt collection industry, even before the CFPB proposes and finalizes its rule implementing the Fair Debt Collection Practices Act (FDCPA).1 In addition, in two instances, the CFPB held individual persons liable under its “related person” authority under the Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), or the Consumer Financial Protection Act (CFPA).

Summary of Recent CFPB Enforcement Actions

Frederick J. Hanna & Associates. On December 28, 2015, the CFPB announced a consent order against Frederick J. Hanna & Associates, a law firm that collects debts on behalf of debt purchasers, banks, and credit card issuers, as well as three of its principal partners (collectively, the Hanna Law Firm) for alleged illegal debt collection operations. The consent order resolves more than a year of proceedings between the Hanna Law Firm and the CFPB, including a public complaint in July 2014.

The complaint alleged that the Hanna Law Firm used tactics that were intended to intimidate borrowers, such as filing automated or “robo-signed” and other deceptive court documents and introducing faulty or unsubstantiated affidavits in connection with such court filings. In response to the complaint, the Hanna Law Firm filed a motion to dismiss the case, but the motion was dismissed by a federal district court in July 2015.

The proposed consent order, if approved by the court, would prohibit the Hanna Law Firm from illegal debt-collection practices, including filing lawsuits without being able to verify the consumers’ debt and intimidating consumers with deceptive court filings. Specifically, the consent order would prohibit the Hanna Law Firm from initiating or threatening a collection suit against a borrower without possessing certain original account-level documentation, certified or properly authenticated bills of sale, and other specific documentation evidencing the consumer’s use of the account. In addition, the consent order would require the Hanna Law Firm to meet ongoing reporting requirements and pay US$3.1 million in civil money penalties.

T3 Leads and Lead Publisher. On December 17, the CFPB announced enforcement actions against D and D Marketing, Inc., d/b/a/ T3 Leads and Lead Publisher (naming the proprietor of the business individually) for alleged violations of the Dodd-Frank Act. T3 Leads2 is a lead aggregator that purchases consumer information (or leads) from lead generators (which operate websites advertising credit products to consumers) and sells that information to various consumer lenders, data brokers, and other lead purchasers. According to the CFPB, T3 Leads failed to adequately vet and monitor both its lead generators and lead purchasers, which exposed consumer information to misuse.

Specifically, the CFPB alleged T3 Leads knew or should have known that the lead generators from which it purchased leads had made false or misleading statements to consumers in the course of marketing their products and that T3 Leads should have had systems in place to vet and monitor lead purchasers for potential illegal activity. For example, the CFPB’s complaint notes that T3 Leads’ lead generators represented themselves as lenders and asserted that they would help consumers find the best rates and lowest fees possible, but that the lead generators did not follow through on those representations and T3 Leads did not monitor the loan application process or take any steps to pair consumers with the best loan available to them. According to the CFPB, this conduct was “unfair” and “abusive” and in violation of the CFPA.

In addition, the CFPB alleged that Lead Publisher sold millions of leads to various purchasers, principally to debt collection firms, who in turn used that information to threaten, harass, and defraud consumers. According to the CFPB, Lead Publisher had no written policies or procedures or compliance training programs in place and conducted no review of the consumer information it purchased prior to selling the information to lead purchasers. Moreover, the CFPB asserts that Lead Publisher never sought to verify whether the entities to which it sold leads were engaged in legitimate consumer lending practices or had adopted any form of a compliance program. The CFPB found Lead Publisher’s conduct to be unfair and deceptive under the CFPA.

The CFPB’s consent order requires Lead Publisher to disgorge any proceeds obtained through fraud and bans its sole proprietor from the financial products and consumer leads industries. The CFPB seeks monetary and injunctive relief from T3 Leads in addition to requiring corrective measures to its business practices.3

CarHop and UAC. On December 17, the CFPB announced a consent order with Interstate Auto Group, Inc., d/b/a/ CarHop for violations of the Fair Credit Reporting Act (FCRA) and the CFPA. CarHop markets and sells used vehicles to consumers, which are financed through its affiliated finance company, Universal Acceptance Corporation (UAC).4 CarHop enters into retail installment sales contracts with consumers and subsequently assigns such contracts to UAC, who services the agreements.

The CFPB alleged that CarHop misrepresented the nature of its credit reporting practices to consumers and that UAC, on behalf of CarHop, furnished inaccurate credit information to consumer reporting agencies (CRAs) for 84,000 customers. Specifically, the CFPB asserted that UAC furnished consumer information that it knew or had reasonable cause to believe was inaccurate based on customer performance, internal data, or other external information. In total, the CFPB alleged that CarHop and UAC furnished 28 categories of inaccurate information to CRAs. Moreover, neither entity maintained written policies and procedures to ensure the accuracy of consumers’ credit information.5 The CFPB found CarHop’s and UAC’s conduct to be in violation of several aspects of the FCRA and Regulation V, as well as being unfair and deceptive under the CFPA. Under the consent order, CarHop and UAC must correct any inaccurate information reported to CRAs, provide credit reports to harmed consumers, implement a compliance and internal audit program for its credit reporting activities, and pay US$6.465 million in civil money penalties.

EZCORP. On December 16, the CFPB announced a consent order with EZCORP, Inc. for violations of the CFPA, the FDCPA, and the Electronic Fund Transfer Act (EFTA). The CFPB alleged that EZCORP, a consumer lender specializing in short-term, small-dollar loans,6 engaged in a number of unlawful practices, including: making in-person collection visits to consumers’ homes and workplaces; contacting third parties about consumer debts and disclosing (or risking disclosure of) consumer debts to those parties; threatening consumers with legal action; failing to conduct credit checks of loan applicants; conditioning loans on consumers’ pre-authorizing repayment through electronic fund transfers; and making misrepresentations to consumers about their ability to repay their loans or stop collection calls and electronic fund withdrawals.

The CFPB’s consent order requires EZCORP to cease its collection activities on approximately 130,000 delinquent consumer loans, pay US$7.5 million in restitution payments to approximately 93,000 harmed customers, and pay US$3 million in civil money penalties.

In connection with the EZCORP consent order, the CFPB published Compliance Bulletin 2015-07, which provides guidance on in-person collection of consumer debt. The Bulletin notes that both first-party and third-party debt collectors face heightened UDAAP risk and FDCPA liability when engaging in in-person collection activity.

EOS. On December 7, the CFPB announced a consent order with EOS CCA (EOS), a debt collections firm that also maintains a debt purchasing operation, for violations of the FCRA, the FDCPA, and the CFPA. The CFPB alleged that EOS purchased loan portfolios comprised of fraudulent, already paid, or already settled consumer debts and engaged in collection activity on those accounts despite learning of these significant problems regarding the accuracy and integrity of account information. According to the CFPB, EOS failed to verify the accuracy of customer account information and the validity of certain debts by obtaining and reviewing the necessary account-level documentation, yet still reported consumers’ credit information to CRAs. The CFPB contends, in certain instances, that EOS was unable to properly validate debts because it had difficulty obtaining required documentation from the loan portfolio seller, even though the seller had represented to EOS that the loan portfolio it had purchased did not contain fraudulent debt, already paid, or already settled debts.

Under the consent order, EOS must refrain from collecting disputed or unverified debts, take steps to ensure the accuracy of the information reported to CRAs, pay US$743,000 in restitution payments to harmed customers, and US$1.85 million in civil money penalties.

Clarity Services. On December 3, the CFPB announced a consent order with Clarity Services, Inc., a credit reporting firm, for violations of the FCRA, including obtaining consumer reports from CRAs and other sources without a permissible purpose and failing to investigate consumer disputes and inquiries.7 The CFPB alleged that Clarity Services and its president8 obtained tens of thousands of credit reports and consumer application data for use in the company’s own marketing materials. Moreover, the CFPB accused Clarity Services of failing to investigate consumer disputes or suspected inaccuracies in information contained in credit reports.

Under the CFPB’s consent order, Clarity Services must cease-and-desist from further violations of the FCRA, improve its compliance program, specifically with respect to the investigation and resolution of consumer disputes and inquiries, and pay civil money penalties of US$8 million.


Although there are substantive differences between the enforcement actions described in this bulletin, their consistent elements provide important indicators of CFPB enforcement trends.

First, in two of the above-described enforcement actions, the CFPB again demonstrated its willingness to hold individual persons liable as covered persons under the agencies’ theories of its authority with respect to “related persons” and liability for providing substantial assistance to a covered person or service provider. This approach and the actions by other federal financial regulators underscores for financial institutions and their service providers the importance of carefully evaluating the entities and individuals with whom they conduct business and the potential enforcement risks arising out of such relationships. Indeed, it is becoming a more common practice for companies operating in industries subject to CFPB enforcement to require representations, warranties, and indemnification clauses targeted at protecting against failures to meet the requirements of the CFPA or Dodd-Frank Act.

Second, several of the recent enforcement actions involved the acquisition of consumer account information and the collection of consumer debts. In recent months, the debt collection industry has been scrutinized not only by the CFPB, but by the Federal Trade Commission (FTC) and State Attorneys General. In September, the CFPB entered into substantial consent orders with the two largest debt purchasing firms in the industry, Portfolio Recovery Associates and Encore Capital Group, for violations of the FDCPA, the FCRA, and the CFPA. Those orders were followed by the November announcement by the FTC and dozens of State Attorneys General and local law enforcement agencies of 30 new enforcement actions against debt collection firms under the jointly coordinated “Operation Collection Protection” initiative, which has produced 115 public actions against debt collection firms in 2015 alone. Concurrently, the CFPB continues to analyze responses from its 2013 ANPR in an effort to propose rules to further regulate the debt collection industry as early as next year.

These enforcement actions by the CFPB and other regulators are the latest reminder of the movement to promulgate guidelines and standards for the debt collection industry prior to any formal rulemaking that has been subject to notice and comment. Given this movement, debt sellers, purchasers, and other industry participants should carefully evaluate each enforcement action, draw out any perceived guidance, and implement practices and procedures to avoid committing any of the violations cited.
  1. On November 6, 2013, the CFPB issued an Advanced Notice of Proposed Rulemaking on the FDCPA and Regulation F (2013 ANPR). A proposed rule is expected in 2016.

  2. The CFPB asserts that T3 Leads is a “service provider” under the CFPA because it sells leads to consumer lenders and other statutorily “covered persons.” 12 U.S.C. § 5481.

  3. In part, the CFPA authorizes the CFPB to use its enforcement powers to prevent any covered person or service provider from engaging in conduct that is unfair, deceptive, or abusive (its UDAAP authority). Id. §§ 5531, 5536(a).

  4. The CFPB asserts that CarHop is a covered person under the CFPA by virtue of the fact that it extends credit for automobile purchases. Id. § 5481. UAC is a “furnisher” of consumer credit information under the FCRA and Regulation V. See 12 C.F.R. § 1022.41.

  5. The CFPB highlighted the fact that for a period of nearly four years, CarHop and UAC had no procedure or practice for providing consumers with an address to which they can send notice that the information furnished to a CRA is believed to be inaccurate. Failure to do so amounted to a violation of Section 623(a)(1) of the FCRA. 15 U.S.C. § 1681s-2(a)(1).

  6. The consent order notes that EZCORP acted both on its own and through various wholly-owned subsidiaries. Thus, in certain instances, EZCORP was liable under the CFPA as a covered person, but in other instances, it was liable as a “related person” under the CFPA. See 12 U.S.C. § 5481.

  7. See 15 U.S.C. §§ 1681b(f), 1681i.

  8. The CFPB asserts that Clarity Services’ president is liable as a “related person” under the CFPA.

Subscribe Link

Email Disclaimer