Educational Series

FTC’s civil rights testimony recaps FCRA obligations and aggressive enforcement

On December 7, 2012, the Federal Trade Commission (the “FTC”), submitted its written testimony to the U.S. Civil Rights Commission on the use of criminal background checks in employment decisions. The Commission intends to apply the testimony in reviewing the EEOC’s guidance that an employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964. The EEOC suggests that minorities are disproportionately likely to have criminal records, which means that when employers use criminal background reports, minorities are possibly affected more than other groups.

Notably, in its testimony, the FTC, which shares the authority for enforcing the Fair Credit Reporting Act (“FCRA”) with other federal agencies, including the Consumer Financial Protection Bureau (“CFPB”) does not say anything substantial about civil rights.

The testimony does, however, provide a good recap of the legal rights and obligations prescribed by the FCRA when consumer reports are used for employment purposes, and highlights the FTC’s law enforcement efforts in this area. As its starting point, the testimony reminds that the FCRA imposes several requirements on consumer reporting agencies (“CRAs”) that provide consumer reports to employers, which include ensuring that the employer is in fact using the report for a permissible purpose. In the employment context, permissible purposes are limited to “employment, promotion, reassignment, or retention.” Thus, employers may only obtain a consumer report about applicants or employees, and may not simply use their status as employers to get information about competitors, opposing parties in litigation, or anyone else. Relatedly, under the permissible purpose requirement, CRAs must have reasonable procedures in place to ensure that the consumer report users are who they claim.

The CRAs also must comply with certain procedural requirements, such as giving all users of consumer reports a notice that informs them of their duties under the FCRA. The CRAs must obtain certifications from the employer that: (1) it is in compliance with the FCRA; and (2) it will not use consumer report information in violation of any federal or state equal employment opportunity laws or regulations.

Further, the FCRA mandates that CRAs follow “reasonable procedures to assure maximum possible accuracy of the information

[15 U.S.C. § 1681e(b)].” It does not establish, however, a requirement of absolute accuracy and does not require that the CRAs guarantee that the reports are error-free.

If a CRA provides a report that has negative information about an applicant or employee that is based on public records — for example, tax liens, outstanding judgments, or criminal convictions — that CRA either has to notify the applicant or employee directly that it has provided the information to the employer, or has to adopt strict procedures to ensure that the information is complete and up to date [15 U.S.C. § 1681k(a)(1)-(2)]. Regardless of whether a CRA opts to provide the notice or adopt strict procedures, FCRA § 1681e(b), as noted above, requires CRAs to have “reasonable procedures to assure maximum possible accuracy.”]

The FCRA also places specific obligations upon employers to provide certain disclosures to the applicants or employees, and obtain their written authorization before using consumer reports. If an employer intends to take an adverse action based either in whole or in part on the information in a consumer report, such as denying a job application, reassigning or terminating an employee, or denying a promotion, the employer must provide the applicant or employee with a pre-adverse action notice before taking the action. The pre-adverse action notice must include a copy of the consumer report on which the employer is relying and a summary of rights under the FCRA. The form, which recently was reissued by the CFPB, describes the consumers’ rights under the FCRA, including the right to obtain copies of their consumer reports and dispute information.

Once the employer has taken the adverse action, it must give the applicant or employee a notice that the action was based on information in the consumer report.  This adverse action notice must include the name, address, and phone number of the CRA that supplied the report, and must inform the applicant or employee of his or her right to dispute the accuracy or completeness of any information in the report, and the right to obtain a free report from the CRA upon request within 60 days. Even though a consumer has the right to dispute errors, the CRAs and furnishers of information to the CRAs typically are allowed thirty days to investigate the consumer’s dispute, and the information may not be corrected in time to affect the consumer’s consideration for a particular job.

The FTC points out that it has pursued an aggressive law enforcement program to ensure that CRAs, furnishers, and consumer report users (including employers) comply with their responsibilities under the FCRA, providing details of recent lawsuits for FCRA violations that resulted in civil penalties against CRAs ranging from $800,000 to $2.6 million. Its recent actions against employers included charges against railroad contractors for failing to provide pre-adverse action and adverse action notices to employees who were fired and job applicants who were rejected based on information in their consumer reports. Under negotiated settlement orders, the companies were required to pay penalties in the amount of $1,000 per violation, and are subject to specific injunctive, record-keeping, and reporting requirements to ensure compliance with the FCRA.

The FTC’s enforcement actions and the latest wave of class action lawsuits enforce that FCRA compliance must be a priority for employers, CRAs and furnishers of information alike.

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349 that establishes similar requirements for postsecondary education institutions in regard to their students also goes into effect on January 1, 2013.

Identity theft again tops FTC’s top complaints list for 2011

Identity theft again tops FTC’s top complaints list for 2011

The Federal Trade Commission (FTC) on February 27, 2012 released its list of top consumer complaints received by the agency in 2011. For the twelfth year in a row, identity theft topped the list at 279,156 complaints or 15%. The breakdown for the next nine complaint categories (from a list of 30) is as follows:

Category Number Percentage
Debt collection 180,928 10
Prizes, sweepstakes, and lotteries 100,208 6
Shop-at-home and catalog sales 98,306 5
Banks and lenders 89,341 5
Internet services 81,805 5
Automobile-related 77,435 4
Imposter scams 73,281 4
Telephone and mobile services 70,024 4
Advance-fee loans and credit protection/repair 47,414 3

 
The FTC records the complaints in its Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. Other federal and state law enforcement including the U.S. Postal Inspection Service, the Department of Justice’s Internet Crime Complaint Center, and the attorneys general offices of Idaho, Michigan, Mississippi, North Carolina, Ohio, Oregon, Tennessee, and Washington also contribute to the database content, along with private-sector organizations such as U.S. and Canadian members of the Better Business Bureau, Western Union and Moneygram, and the Lawyers Committee for Civil Rights Under Law.

Federal Sentencing Guidelines: a lure to organizational compliance

About 20 years ago, the United States Sentencing Commission (USSC) enacted the Federal Sentencing Guidelines (FSGs) for organizations with the intent to govern the sentencing of companies convicted of federal crimes. The FSGs, which have been amended several times, hold that organizations can act only through agents and, under federal criminal law, generally are vicariously liable for offenses committed by their agents.

A proactive approach to prevent, detect and report illegal and unethical activities can substantially reduce fines and punishment, in some cases up to 95% according to a commentary by the USSC. The USSC specifies that the two factors that mitigate an organization’s ultimate punishment are “the existence of an effective compliance and ethics program, and self-reporting, cooperation, or acceptance of responsibility.” In contrast, the absence of solid compliance mechanisms can increase fines and punishment, as verdict determination is based on “the organization’s involvement in or tolerance of criminal activity, its prior history, violation of an order, and obstruction of justice.”

The compliance incentives provided by the FSGs and the proliferation of new regulations mandate a cultural imperative for ethical and law-abiding conduct by all companies, large and small. High-level attention, leadership and sufficient resources must be dedicated to meet the strict requirements of a compliance program defined by the USSC as “effective.” In its manual, the USSC emphasizes the necessity of strong due diligence to prevent and detect criminal conduct. Among its guidelines, a provision in Chapter 8 notes that:

“The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

Comprehensive background investigations, whether for employment purposes, evaluation of prospective clients, existing relationships and third-parties, or for other business transactions, are essential for compelling due diligence which actualizes a masterful compliance strategy. Although various committees and officials are calling for a complete review of the FSGs which the 2005 landmark case U.S. vs. Booker held as discretionary rather than mandatory, well-developed compliance programs are here to stay.

Scherzer International is on the forefront of the quick-changing regulations regime with a portfolio of background investigation products designed to facilitate purposeful risk management and compliance protocols. Visit us often at www.scherzer.com as we continuously analyze and test new elements and incorporate them into our products if they have proven value. And stay tuned for a Dodd-Frank regulations product which we will introduce within the next few months.

Epidemic of fake websites is real

Cyber crime experts report that fake websites are proliferating at the rate of 60,000+ per week or over 3,100,000 per year. And the fraudsters’ malicious exploitations are getting bold and more sophisticated, creating sites that are difficult to discern from those of legitimate businesses or organizations. From banks (which make up about 68% of fraudulent sites) to regulators and news reporting agencies, no entity is immune.

Recently, several local and national newspapers reported on a publicity campaign by a public relations company that purportedly set up a fake news site to promote one of its clients, a public entity, with positive articles and press releases “written in the image of real news” by “journalists” who allegedly do not exist. Although Web experts note that it is fairly common for celebrities and private-sector businesses to generate buzz or improve sales through news coverage, open government advocates called this stunt an egregious breach of trust and ethical standards.

The Federal Trade Commission (FTC) issued warnings a few months ago about scam artists exploiting well-known news organizations by setting up fake news sites to peddle their wares. The sites, which usually display logos of legitimate news organizations, promote everything from bogus weight loss products to work-at-home jobs, anti-aging products and debt reduction plans. The FTC cited several investigations that resulted in charges against the fraudsters, saying that many of the websites are owned by marketers and used to entice consumers to click on links to the sellers’ sites. In its case against acai berry supplement peddlers, the FTC disclosed that the sellers paid the marketers a commission based on the number of consumers they lured to their sites. There was no reporter, no studies, no dramatic weight loss, no satisfied consumers who left comments, and no affiliation with a reputable news source. As a rule, the FTC noted, legitimate news organizations do not endorse products.

The FTC itself, and other regulators have not escaped the fraudsters’ blitz. In April 2011, the FTC brought charges against an individual for multiple violations of the Federal Trade Commission Act for misrepresenting his affiliations with federal agencies, including the FTC, misrepresenting that the services advertised on his websites were government-approved, and making deceptive debt relief claims. The FTC alleged that the individual, a Texas-based “lead generator,” set up several websites through which he associated his business with a fictitious government agency – the “Department of Consumer Services Protection Commission” – that appeared to combine two real government entities, the Federal Trade Commission and the Consumer Financial Protection Bureau. Among other charges, the FTC stated that to further these scams, the websites depicted the FTC’s official seal, copied language about the fictitious agency’s consumer protection mission from the FTC’s site, and claimed that the fake agency “monitors and researches” member companies that provide financial assistance to American consumers.

The scammers and their fake websites are also busy abroad. Earlier this month, international news sources reported that Russian fraudsters set up a counterfeit site of a popular five-star hotel, complete with the real hotel’s photographs, room descriptions and services. According to published reports, they also paid a fee to Google to ensure that their bogus site was listed before the hotel’s genuine site. The fraudulent website purportedly came to an abrupt end after, among other disparities, it was discovered that the room rates were advertised in dollars.

Another story about a flagrant website invasion came in October 2011 from Belgrade, where Serbian media reported that a mock-up of the official Nobel Prize website was set up purportedly by political activists to promote their causes and views.

Fraudulent websites appear daily and no industry or organization is beyond these fraudsters’ reach. Scherzer International, a provider of specialized background investigations for business transactions and employment decisions, includes comprehensive website reviews in its reports. We know how to spot scams, exaggerated claims and other red flags.

Department of Justice filed a record number of criminal cases in 2011

Acting Assistant Attorney General Sharis A. Pozen in a November 17, 2011 published speech reported that in the fiscal year 2011, the DOJ filed 90 criminal cases — the highest number in the past 20 years. The DOJ agreed to more than $520 million in criminal fines, which is close to the amount in 2010 (which totaled 60 cases.) In this year’s 90 cases, 27 corporations in the real estate, optical disk drives, auto parts, air cargo, and financial services industries were charged along with 82 individuals.

Pozen also disclosed that the DOJ has been conducting an international cartel investigation into price fixing and bid rigging in the auto parts industry, which already resulted in the guilty pleas of one corporation and three individuals, $200 million in fines, and three jail terms for the executives involved in the conspiracy.

In the real estate industry, Pozen said that the DOJ continues its investigations into bid rigging conspiracies at public real estate foreclosure auctions and tax lien auctions. With the help of the FBI, the DOJ agents ferreted out the ways in which the participants coordinated their bids. To date, 32 defendants have pleaded guilty to conspiracy charges, according to Pozen.

The DOJ remains focused on criminal activity in the financial services sector. Pozen noted that together with several federal and state agencies, the DOJ has been investigating a criminal conspiracy involving bid rigging in the municipal bond investments market, resulting in nine pleas of individuals this year. These investigations, which are ongoing, impelled JPMorgan Chase to enter into an agreement to resolve its role in the conspiracy, and agree to pay $228 million in restitution, penalties, and disgorgement to federal and state agencies. Earlier in the year, UBS AG also agreed to pay a total of $160 million and Bank of America previously consented to $137.3 million.

Paying for ambiguity: the myths of instant background checks and national databases

The cottage industry of data-collection agencies that provide inexpensive background information is flourishing even in this tough economy. Many prospective employers with tight budgets believe they can save money by relying on the “national” records that are spewed out within minutes of entering a credit card number. So just what do you get for $19.99? Not much. Or a lot…a lot of worthless data, that is. Unverified name-match only records come up by the hundreds if the name is fairly common. And it is nearly impossible to determine case details or duplicate filings, as the cryptic printouts often require specialized knowledge that is specific to each state, municipality or records venue.

Many subjects who are flagged as criminals in these databases have never been convicted of a crime. In fact, according to the U.S. Bureau of Justice statistics for felony defendants in large urban counties, one-third of felony arrests never lead to a conviction. And there is no standardized process for reporting arrests and dispositions or updating the records at the various court levels. Some reported offenses are not actually violations of the criminal code in the particular state, but may still show up in these databases.

There are few regulations governing the use of background information beyond the provisions of the Fair Credit Reporting Act (FCRA). The Federal Trade Commission (FTC) does not mandate that data aggregators provide guidance on how to properly interpret their records. The only possible value of these so-called national databases is to serve as an indicator that a record may exist, and use the search results to supplement a full investigation. Since the FCRA requires that all “reasonable procedures to assure maximum possible accuracy of the information are followed” and that “the information is complete and up-to-date,” searches for employment purposes must be conducted either manually or through direct access in the particular court where the record is filed.

Employment experts at a July 2011 Equal Employment Opportunity Commission (EEOC) hearing urged the Commission to consider the comprehensive recommendations put forth by the National Employment Law Project (NELP) in its report on the effect of criminal background checks in employment decisions. Among its recommendations, the NELP suggested that the EEOC revise its now 20-year-old guide on conviction records in view of the “intervening proliferation of instant computerized background information…” The EEOC should also address the “use of arrest records and third-party databases that are considered a part of the hiring process.”

Risk-based approach to employment screening rates high on value chain

In today’s world just about every company knows that an effective employment screening program is invaluable for hiring qualified individuals, reducing turnover, deterring fraud and other criminal actions, and avoiding or mitigating litigation.

Recognizing that a “bad” hire is a threat to the bottom line, many companies, from investment bankers to law firms, are taking a risk-focused approach to background investigations and deciding what is appropriate or how much should be done to ensure organizational success. For example, obtaining a credit report or checking civil records for an entry-level applicant with low risk responsibilities may be of limited use, while reviewing such record histories for someone who will handle money or have access to sensitive information may be imperative in assessing his/her suitability for a position of trust.

Best practices in both the government and in the private sector indicate that a risk designation should be determined for every position, based on its description of duties and responsibilities. The risk grade should be commensurate with the employee’s assigned trust level, financial accountability, access to sensitive and confidential information and critical data systems, autonomy, discretionary authority, and potential opportunity for misconduct.

To be effective and non-discriminatory, employment screening policies need to specify a uniform set of background investigation elements for all position/assignment levels, including new hires, temporary workers, interns, transferred and promoted employees, contractors and volunteers.

SI has a full suite of employment background investigation products. Please visit our website at https://scherzer.co/ to learn more or order an investigation.

Rudiments of a Ponzi scheme

The scheme is named after Charles Ponzi, who duped thousands of New England residents into investing in postage stamp speculation in the 1920s. But Ponzi is not the original mastermind behind the scheme; various reports show that there were several similar scams before he was born. (Charles Dickens’ 1857 novel “Little Dorrit,” for example, described such a scheme whereby the fraudulent dealings of Mr. Merdle led to the collapse of his bank.) Ponzi’s operation, however, took in so much money that it was the first to become widely known in the United States. Ponzi promised investors that he could provide a 50% return in just 90 days, at a time when the annual interest rate for bank accounts was 5%. Based on the arbitrage of international reply coupons for postage stamps, Ponzi quickly diverted investors’ money to support payments to earlier investors and to himself.

As originally designed, a Ponzi scheme remains a fraudulent operation that pays returns to separate investors, not from an actual profit earned but from the investors’ own money or money paid by subsequent investors. The scheme typically entices new investors by offering returns that other investments cannot guarantee, in the form of short-term yields that are either extraordinarily high or unusually consistent.
The main reason why the scheme initially works is that the early investors, those who actually got paid the large returns (from the investments of new entrants) reinvest their money in the scheme. Meanwhile, the fraudsters gain the investors’ confidence, maintaining the deception of high profits. Claims of a “proprietary” investment strategy, which must be kept secret to ensure a competitive edge, frequently is touted to hide the fraudulent operation.

The fraudsters also try to minimize withdrawals by offering new plans to investors, often freezing their money for a long time in exchange for higher returns. If a few investors do wish to withdraw their money in accordance with the strict terms, the requests are usually promptly processed, giving the illusion to other investors that the fund is solvent.

But once the required continuous stream of investors slows down, the scheme begins to collapse as the fraudsters start to have problems paying the promised returns (the higher the returns, the greater the risk of collapsing). Such liquidity crises often trigger panics, as more people start asking for their money, similar to a bank run. (A bank run, also known as a “run on the bank” occurs when a large number of customers withdraw deposits because they believe the bank is, or might become, insolvent.)

External market forces, such as the global economy decline in 2008, also cause many investors to withdraw part or all of their funds, not necessarily because of fraud suspicions, but simply due to underlying market conditions. (In Madoff’s case, the fund could no longer appear legitimate after investors attempted to withdraw $7 billion in late 2008.)

And of course, there is rarely a happy ending to this story as fraudsters attempt to vanish, taking the remaining investment money with them.

Subcommittee approves legislation to protect consumers against data theft

On July 20, 2011, the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved legislation to protect consumers from cyber attacks and identity theft. The Secure and Fortify Electronic Data Act (H.R. 2577), or SAFE Data Act now moves to the full Energy and Commerce Committee for consideration.

The Act would require all businesses that maintain personal information to implement security programs, which, among other mandates, would include a protocol to notify affected individuals of an information security breach. Preempting over 45 existing state information security and breach notification laws, the Act would task the Federal Trade Commission with developing the security rules.

According to its author, Chairman Bono Mack, the Act will enhance protection of personal information by establishing uniform national standards for data security and data breach notification. The preemption provision also would provide certainty for businesses in addressing information security breaches that now are subject to the multitude of state requirements.

Some legislators and advocates have criticized the proposed law as too narrow, as it would require breach notifications only when an individual’s name, telephone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, or biometric data alone (without the individuals name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act.

Go to Top