Credit Scores and Credit Reports, by Evan Hendricks

Chapter 19

Impermissible Access

Benjamin Marchese III must have thought he had found a sure-fire way of making money — fast and easy.

As the son of the owner of Marchese Chevrolet/GEO in the Philadelphia suburbs, Marchese was in charge of credit applications and review. He quickly saw the value of credit reports and the valuable data they contained. Beginning in 2001 and continuing for more than a year, Marchese allegedly pulled the credit reports of 150 individuals and used the information to pocket $4 million. Marchese was arrested in 2003 and charged with fraud. He was awaiting trial when this book went to press.³¹³

³¹³ Michael M. Ciccarone, et al. v. B.J. Marchese, Inc., et al.: U.S. Dist. Ct. - Eastern Dist. of Penn.; C.A. No. 03-1660; class action complaint filed March 19, 2003. Plaintiffs are represented by Cary L. Flitter, Timothy T. Myers and Mark A. Kearney.

Bruce Castor, District Attorney for Montgomery County (Penn.) informed banks and lending institutions that victims like Rhonda and Michael Meksoh were not at fault, but they continued to be harassed by creditors and collectors seeking payments.³¹⁴

Rhonda Meksoh of Pottstown, said the fraud caused extreme damage to her credit. "We're going to have to tell our son, 'Mom and Dad can't help you apply for a car loan'. And (the interest rates on) our credits cards are getting raised because of someone else."³¹⁵

The Purpose Test

The Fair Credit Reporting Act (FCRA) specifies that credit reports can only be used for "permissible purposes," meaning for credit, insurance, or employment.

It is not allowed to use credit reports to snoop into the finances of an ex-spouse or prospective lover, or a critic of your organization, or an opponent in litigation. It is also not permissible to access credit reports for the purpose of committing identity theft.

But these things happen — all of them and more.

If someone wants to invade your privacy, the credit report is the first document of choice. It's a convenient roadmap to your financial standing and relationships. The FCRA imposes civil and criminal penalties for impermissibly accessing credit reports.

To detect impermissible access to your credit report, you need to examine the "inquiries section," which lists the companies who have obtained your credit report and their stated reason for doing so.

In addition to the FCRA, companies are bound by the contracts they sign with Equifax, Experian, and Trans Union to only use credit reports for permissible purposes.

Clearly for many entities, it has proved a tremendous convenience and privilege to enjoy instant access to the consumer reports of some 200 million Americans. However, with that privilege goes major responsibilities.

³¹⁴ Melissa Milewski, "Bill Would Protect Identity Theft Victims," Buck County Courier Times, Oct. 21, 2003; http://www.phillyburbs.com/pb-dyn/news/111-10212003-181732.html
³¹⁵ Id.

Accordingly, it is incumbent upon companies to ensure that their employees only use credit reports for permissible purposes. Several courts have ruled that if an employee illegally accesses someone's credit report, the company he works for can be held liable.

Companies Are Liable

The potential for abuse of consumer reports, as well as the importance of users of consumer reports being vigilant about their duty to obey the FCRA's permissible purposes restriction, was illustrated by a 1987 court case. An attorney (Ms. Ryan) used her connection with a credit union to access the credit report of her ex-husband. The U.S. Court of Appeals for the Fourth Circuit ruled that obtaining consumer reports under such false pretenses subjected both the attorney and the credit union to civil and criminal liability.³¹⁶ The credit union was on the hook because of a legal doctrine known as "respondeat superior," which imposes vicarious liability on organizations for the actions of their agents who have "apparent authority."

"Ryan was an agent of the Credit Union and had apparent authority to obtain the credit report, even if Ryan lacked actual authority to do so," the Fourth Circuit panel wrote. "Accordingly, the Credit Union is liable to Yohay (the ex-husband) for Ryan's wrongful actions as its agent pursuant to the doctrine of respondeat superior. A principal is liable for the acts of an agent who had apparent authority to act regardless of whether the principal benefited by the acts of the agent or ratified the acts of the agent, if either the plaintiff or a third-party relied upon the principal's representations which created apparent authority."

³¹⁶ Yohay v. City of Alexandria Employees Credit Union, Inc. (827 F.2d 967).

The court reasoned that the employer was in the best position to protect consumers with internal safeguards. "Seemingly anyone who used the Credit Union's computer to access [the CRA's] files appeared — from [the CRA's] perspective — to have authority to gain such access. In that regard it is to be noted that the Credit Union had not posted any guidelines to users of the computer informing them of the circumstances under which such credit information could be obtained," the Fourth Circuit wrote.

Sixth Circuit

In a 1998 case, the U.S. Court of Appeals for the Sixth Circuit came to the same conclusion, finding that whenever a creditor has expressly allowed an employee to access consumer reports on its behalf, that person will invariably have apparent authority in the eyes of the CRA to request and receive a consumer report. Thus, the credit grantor can be liable for that employee's actions.

"Protecting consumers from the improper use of credit reports is an underlying policy of the FCRA. An apparent authority theory is in keeping with FCRA's underlying deterrent purpose because employers are in a better position to protect consumers by use of internal safeguards," the Sixth Circuit wrote, citing the Fourth Circuit's opinion in Yohay.³¹⁷

"Because application of the apparent authority doctrine advances the FCRA's goals and produces no inconsistencies with other FCRA provisions, we conclude that such a theory of liability is an appropriately operative theory of liability under the statute," it continued.

³¹⁷ Jones v. Federal Fin. Reserve Corp. (144 3d 961)

"Failure to impose vicarious liability on a corporation like Federated would allow it to escape liability for 'willful' and 'negligent' violations of the statute. Because a company like Federated can act only through its agents, it is difficult to imagine a situation in which a company would ever be found to have willfully violated the statute directly by obtaining a credit report for an impermissible purpose. The FCRA's deterrence goal would be subverted if a corporation could escape liability for a violation that could only occur because the corporation cloaked its agent with the apparent authority to request credit reports," the Sixth Circuit wrote.

Another court commented that sloppy practices, like posting computer access codes where anyone could see them, "would almost invite violations" of the FCRA.³¹⁸

Car Dealers

Unfortunately, it seems many companies that regularly use credit reports never got around to installing safeguards and conducting the employee training necessary to discourage misuse of credit reports.

Car dealers have emerged as one problematic sector — and for understandable reasons. When someone walks into a showroom, a salesman naturally would like to know if that person is a serious candidate for a car purchase, or just a "window shopper" on whom it would be better not to waste time. Pulling a credit report can help the salesman "size up" a consumer and see what they can afford and for what kind of financing they would qualify. It's easy to do while the consumer's out for a test drive and the auto dealer is holding his drivers license.

But it's illegal. On more than one occasion, auto dealers have been told that it's illegal.

Window Shoppers?

In fact, the Texas Automobile Dealers Association (TADA) in 1997 wrote a letter asking the Federal Trade Commission if it was permissible for salesmen to pull credit reports on window shoppers.

³¹⁸ Kodrick v Ferguson 54 F. Supp.2d 788 (N.D. Ill. 1999)

The FTC responded with an emphatic "no," stating that dealers only have a permissible purpose when the prospective customer applies for financing or otherwise consents to use of his credit report to see if he qualifies.

David Medine, then associate director of the FTC's Division of Credit Practices, wrote that a dealer is not justified in pulling a credit report when a consumers asks about prices, takes part in comparison shopping, or goes for a test drive. Dealers also can't pull credit reports when the consumer pays cash.

If the dealer would like to see a consumer's credit report before answering general questions about the availability of financing, this must be explained to the consumer and written permission must be obtained.

Only in those circumstances where it is clear both to the consumer and to the dealer that the consumer is actually initiating the purchase or lease of a specific vehicle and, in addition, the dealer has a legitimate business need for consumer report information, may the dealer obtain a report without written permission.³¹⁹

A "legitimate need" would be to arrange financing or to confirm the creditworthiness of a consumer who wanted to pay by check, Medine wrote.

At least one trade association has warned its members not to abuse their access to credit reports, particularly in light of the FTC opinion letter and the 1996 Amendments to FCRA. The Independent Automobile Dealers Association (IADA) posted a column — written by Keith E. Whann — on its Web site entitled, "Permissible Purposes To Run A Credit Report:"

³¹⁹ Staff Opinion Letter, David Medine to Karen Coffey, Chief Counsel, Texas Automobile Dealers Assoc., Feb. 11, 1998 (www.ftc.gov/os/statutes/fcra/coffey.htm)

While it is naturally important to have some sense of the consumer's ability to qualify for financing prior to spending a great deal of time with that customer throughout the sales process, the dealership must understand what constitutes a legitimate business need and, more importantly, the consumer's initiation of the transaction.

A consumer merely asking questions about prices and financing is not necessarily indicating intent to purchase a vehicle from that particular dealership. Accordingly, the dealership does not then have a legitimate business need for a credit report in this situation. If the consumer is simply comparison-shopping, as they would be in a situation such as this, the dealer would have to obtain written permission from the consumer prior to obtaining a credit report. Similarly, a request by a consumer to test drive a vehicle does not indicate an intent to initiate the purchase of a vehicle.³²⁰

Not An Isolated Incident

Over the years, there have been a string of cases involving auto dealers' unauthorized access to credit reports. On December 8, 1993, The New York Times reported that the Secret Service had arrested 15 salesmen in the Autoland car dealership in Springfield, N.J. for fraudulent purchases that stemmed from salesmen's access to credit bureau databases. The arrests were part of a crackdown on a fraud ring.

Daniel Greenstone, an Assistant U.S. Attorney who prosecuted the case, said, "Merchants and credit reporting agencies have to be more vigilant in insuring that those who access credit reports are authorized to do so. This case shows it's too easy."

³²⁰ Whann, Keith, "The Fair Credit Reporting Act Made Simple" http://www.independentdealer.com/finance/finance18.asp

In the same article, Janis Lamar, a TRW spokeswoman, said the credit reporting agency, beginning January 1, 1994, would stop giving auto dealers the account number for individuals' credit card and charge accounts. In the Autoland cases, the frauds generally involved ordering credit cards or loans in other peoples' names and then collecting large cash advances. Usually, the most credit-worthy people, with few charge accounts or bad debts, were picked out, and applications were made by the fraud ring.

Autoland changed its procedures. Previously it allowed its 170 salespeople to search the credit histories from any of the company's 21 terminals. After the fraud case, Autoland designated two employees as authorized to access credit bureau databases, according to the New York Times.

In October 2001, a federal jury in Miami returned a 34-count indictment against a car salesman for pulling credit reports without authorization and allegedly selling consumers' data to identity thieves. According to the Oct. 26, 2001 Consumer Financial Services Law Report (CFSLR), the indictment charged that from April to September 2001, the salesman gained access to the Equifax and Experian credit files on 130 consumers.

Potential losses were estimated at $1 million, according to the CFSLR.

At Wayzata Nissan in Minnesota, salesman Chris Ochtera apparently felt he was not performing up to expectations, so he began accessing the reports of past customers with good credit histories to help less-qualified individuals qualify for financing. Before getting caught, he pulled the credit reports of 34 unsuspecting consumers, many of whose credit histories were damaged and whose current and previous addresses were changed. Ochtera was sentenced for identity theft and mail fraud and sentenced to federal prison.³²¹

³²¹ Andrea M. Johnson, et al. v. Wayzata Nissan LLC, et al.: U.S. Dist. Ct. - Minnesota; C.A. No. 03-4553; plaintiffs were represented by Tom J. Lyons and Associates of Little Canada, MN. The case was settled.

Continue to Next Chapter

Credit Repair Specialists are Ready to Help!

Call Veracity and Begin Improving Your Credit Score Today!