On October 12, 2023, the Consumer Financial Protection Bureau (CFPB) issued a consent order and a stipulation against a parent credit reporting agency and two of its subsidiaries for for alleged violations of the Fair Credit Report Act (FCRA) and the Consumer Financial Protection Act (CFPA). The CFPB alleged that as early as 2003, the credit report agency failed to implement security freezes and locks on consumer credit reports upon request, and falsely informed customers that the request had been addressed, despite knowing that this was not the case.
As of 2018, federal law requires credit reporting agencies to provide security freezes, which blocks certain third parties from accessing consumer’s credit reports to prevent potential identity theft, as a free service. As a result of systems issues and other problems, the credit reporting agency allegedly failed to place security freezes and locks on tens of thousands of consumer reports for months or even years after the initial request. The CFPB alleged that the credit reporting agency knew of these issues but failed to address them and also falsely informed consumers that their requests to place security freezes and locks had been successful, in violation of FCRA and the CFPA. The CFPB alleged that the credit reporting agency further violated FCRA when it failed to exclude certain vulnerable consumers from pre-screened solicitation lists.
Under the consent order, the credit reporting agency agreed to pay $3 million in consumer redress and $5 million in civil penalties and take affirmative steps to prevent future violations, including creating a committee to identify and address similar issues.