On November 22, 2019, the federal Consumer Financial Protection Bureau (CFPB) filed a complaint in the U.S. District Court for the Southern District of New York against Sterling Infosystems, Inc. (“Sterling”) regarding allegations that it violated the Fair Credit Reporting Act (FCRA) in providing criminal background checks to employers. Sterling is a “consumer reporting agency” as defined by the FCRA, which provides background check results to employers when requested. The CFPB is an independent federal agency tasked with regulating and enforcing a host of consumer protection and financial protection statutes, including the FCRA.
Specifically, the CFPB’s Complaint alleges that Sterling’s internal procedures violated the FCRA by:
- Creating a heightened risk that its consumer reports would include criminal records belonging to another individual with the same name as the applicant because Sterling used only two personal identifiers to match criminal records to an applicant;
- Failing to ensure that public record information that was included in the consumer reports was complete and up to date;
- Not notifying consumers that public record information was being reported;
- Reporting adverse information about consumers outside of the allowable reporting period of seven years; and
- Incorporating “high risk” indicators from a third party source without verifying the accuracy of such designations.
As is routine with the CFPB’s enforcement actions, the agency entered a stipulated judgement and order along with the complaint, which has now been entered by the Court. The Order requires Sterling to pay $6 million in monetary relief to affected consumers (the subjects of the background checks) whose employment opportunities may have been adversely affected by its practices and a $2.5 million civil monetary penalty to the CFPB. The Order also includes injunctive relief to prevent the claimed illegal conduct from recurring. Among other requirements set forth in the Order, Sterling must remain registered on the CFPB’s Company Portal for at least five years and establish a Compliance Committee that will be responsible for overseeing compliance with the Order.
The CFPB’s complaint against Sterling is a blunt reminder that the CFPB’s enforcement jurisdiction extends to all entities subject to the FCRA’s requirements, including employers and background check vendors. It is also a reminder that both the creation of employment background check reports by vendors and the use of such reports by employers when making personnel decisions triggers FCRA compliance obligations, which can be litigated by private plaintiffs on a class-wide basis or the CFPB.
To reduce exposure under the FCRA, whether through a private action or by the CFPB, background check vendors should stay abreast of the evolving federal and state trends in FCRA enforcement about report accuracy, handling protocols and consumer protections. They should also be certain to clarify their roles in the holistic background processes of their employer clients, as many of the trends in FCRA litigation stem from simple miscommunication about division of responsibility between those entities.