I am astounded at the attention credit reporting has received lately. And I don’t just mean from regulators. I’m referring to banks, finance companies, buy-here, pay-here dealers, software vendors and, well, the list goes on.

How did we end up here? It has a lot to do with the Consumer Financial Protection Bureau. Considering that the CFPB is less than five years old — and much of the regulatory guidance even younger than that — the breadth of power this institution wields over our industry is sobering.

In August 2014, the CFPB issued its first major ruling against First Investors Financial Services Group. They were fined $2.75 million for inaccuracies in their reporting. Then, just a few months later, the CFPB slapped DriveTime with an $8 million fine.

But federal oversight is not our only concern. In some circumstances, state courts have allowed consumers to bring defamation suits against “data furnishers,” which includes any entity that feeds a consumer reporting agency. If you already furnish data or you are even thinking about it, listen up: You absolutely must know what you’re getting into before committing to credit reporting, because the ramifications cannot be ignored.

1. Know Your Legal Responsibilities

Surprise! If you use a third-party vendor,  you are responsible for your own actions as well as the actions of your vendors. You can outsource the task, but not the liability.

When furnishing data, we see two situations arise that make selecting and managing third-party vendors a critical area of concern:

Scenario One: Company A sends their data to Company B. Company B creates the “Metro2” file (the current standard format for reporting credit) and sends it to the consumer reporting agencies on behalf of Company A.

Scenario Two: Company A uses a software made by Company B to generate the Metro2 file themselves. Company A then sends the file to the consumer reporting agencies.

In both cases, you fully rely on that third-party provider to get it right. Unfortunately, as the First Investors and DriveTime rulings have indicated, you — the data furnisher — are ultimately responsible for what is sent.

Here are a few questions to ask your provider to ensure they won’t put you at risk:

  • What are your policies and procedures for maintaining accurate credit reporting?
  • What kind of credit reporting training do your employees and developers receive?
  • Do your employees participate in annual training with the Consumer Data Industry Association (CDIA), the international trade association that educates companies on the responsible use of consumer data?
  • Do you perform periodic internal audits and document those processes?

You should also develop your own internal controls. This means periodically auditing the work of your vendor to ensure data submitted to the consumer reporting agencies is correct. Finally, don’t forget to review your contract to understand your liabilities if the vendor makes a mistake — and whether you have any recourse when it happens.

2. Implement Policies and Procedures to Audit the Accuracy of Your Information

Are your policies and procedures “stored in your head”? That’s not good enough for regulators. On the other hand, it’s futile to write a perfectly worded document that no one follows. You must have both.

Your policies and procedures also must meet the regulators’ definition of “reasonable.” Arguably, the single most important statement in the DriveTime ruling was that the company did not have policies and procedures that were “appropriate to the nature, size, complexity and scope” of its activities.

Based on CFPB guidance on furnisher requirements in the Fair Credit Reporting Act, these procedures should address deleting, updating and correcting information in your records, as appropriate, to avoid furnishing inaccurate information. Beyond that, how you should determine what constitutes “reasonable procedures” is not clearly defined.

Competent legal counsel can guide you here. Just keep this in mind: If you receive 22,000 disputes per year, you probably need more than a two-page written document and a staff of two people to handle the disputes.

Another contributing factor is whether you conduct monthly, quarterly and annual internal audits. Remember, self-policing is the first column of the CFPB’s definition of “responsible conduct.” Try to identify areas in your existing practices that may compromise the accuracy and integrity of your furnished data and fix them.

A dispute tracking system should also be implemented to clearly track every dispute’s lifecycle. Depending on the complexity of your operation, this could be as simple as a spreadsheet or could require standalone, third-party software. Whichever method you choose, make sure the tracking and resolution of each dispute is centralized in your operations.

Finally, assess your (or your vendor’s) data-retention policies. Could you access the information to respond to a dispute five years from now? Data-retention timelines can vary depending on the specifics of the account. Bankruptcies can remain on an account for 10 years, but other reports can stay for up to seven years from the date of first delinquency. All these activities must be documented, and the documentation should be reviewed periodically to ensure it’s up to date and continues to match your organization’s needs.

3. Frequent Employee Training Is an Absolute Must

Training is a too often overlooked tool to ensure credit-reporting compliance. While I’ve seen improvement over the last several years, I would argue that untrained staff is still one of the weakest links in the credit-reporting chain.

The best source of training is the CDIA.They offer simple training courses I would recommend to anyone involved in credit reporting. The classes are taken online, allow students to work at their own pace and can be completed in just a few hours.

But beware: You can’t take a class once and consider it done. Laws and regulations evolve, so training must be ongoing. Even the interpretations of some requirements are modified year-to-year.

The certification of employees involved in credit reporting can help your organization mitigate future liability. No matter what you do, though, there will always be an inherent risk in reporting credit on your customers. People and software make mistakes. You are going to have disputes. It is what you do to prevent them, how you respond to them and how you document those activities that really matter. That is how you truly mitigate risk.

Besides, our customers are our most valued assets. I believe we have an obligation to protect them.

Richard Hudson is director of iDMS support at DealerSocket. No part of this article is intended to be legal advice and should not be taken as such. [email protected]