There’s a certain irony in the FTC’s record-setting $20 million settlement with Vivint Smart Home, a national seller of smart home technology platforms, including security devices and monitoring services. One purpose of the company’s products is to help residents ensure that people at their front door are who they say they are. But according to the FTC, Vivint engaged in some identity deception of its own. For example, when a prospective customer couldn’t qualify for financing, the FTC says Vivint’s sales representatives found another person with a similar name and then qualified the customer using that person’s credit report. The complaint charges that Vivint violated the Fair Credit Reporting Act, the FTC Act, and the Red Flags Rule.
With more than 1.5 million customers in the U.S. and Canada, Vivint is a big name in the business. One channel the company uses to get new customers is its door-to-door sales force, many of whom work just in the summer and on a commission-only basis. Vivint equipped its sales reps with tablets loaded with a proprietary system called Street Genie that managed the onboarding process for new customers, including credit verification.
The typical Vivint security set-up costs $1,000 or more, so most customers were interested in financing. As part of the process, the Vivint sales rep used Street Genie to check the person’s credit report. What happened if the potential customer didn’t qualify for the loan? According to the lawsuit, some of Vivint’s commission-only reps used two illegal practices to make the sale.
One method was called “white paging.” As explained in the complaint, the Vivint employee would use the white pages to find an unrelated person with a name that was the same as or similar to that of the customer who had just failed the credit check. The sales rep would enter that unrelated person’s address as a “previous address” in the Street Genie app and re-run the credit check. In effect, the Vivint rep tricked the system into approving a new account for an unqualified customer by illegally using the credit history of a random person who just happened to have the same name – and a better credit score.
Illegal Method #2: According to the FTC, the Vivint rep would ask the prospective customer who failed the credit check for the name of someone else – say, a relative. The rep would then pull the credit report of that person (obviously without their permission) and add their address in the “previous address” field, thereby qualifying the primary account holder. In a variation on the scheme, the rep would add to the account a co-signer whom the primary account holder didn’t know, but who the rep thought could pass the credit check. Vivint would then open an account for the unqualified customer based on the innocent third party’s credit record.
But it didn’t stop there. If a customer who qualified for an account only because a sales rep hijacked someone else’s credit later defaulted on the loan, the FTC says Vivint referred the innocent third party to its debt buyer. In other words, people who had nothing at all to do with the transaction – and had never even heard of Vivint – found themselves with blemishes on their credit and debt collectors on their backs.
An isolated incident involving a bad apple or two? No, says the FTC. You’ll want to read the complaint for details about what was going on, but the lawsuit alleges that Vivint was well aware of the problem. Although the company initially terminated sales reps for misconduct, Vivint rehired some of them a short time later. After that, some Vivint employees warned managers that sales reps continued to evade the meager prevention measures the company had implemented. But according to the FTC, Vivint allowed the practices to continue.
The complaint charges that Vivint violated the Fair Credit Reporting Act by permitting its sales reps to get unrelated people’s credit reports without their permission in an effort to qualify a potential customer for an account. The FTC says that practice runs afoul of the FCRA’s requirement that a company must have a “permissible purpose” for receiving a credit report. In addition, the complaint alleges that Vivint’s conduct in turning over bogus debt to debt buyers or collectors was an unfair practice under the FTC Act. The FTC also says Vivint violated the Red Flags Rule by failing to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with covered accounts.
To settle the case, the defendant will pay a $15 million civil penalty – the largest ever in an FTC Fair Credit Reporting Act case – and an additional $5 million to compensate injured consumers. The proposed order also includes provisions to change how the company does business going forward. For example, Vivint must implement an employee monitoring and training program, establish an identity theft prevention program, set up a Customer Service Task Force to verify accounts before turning them over to a debt collector, and get every-other-year assessments by an independent third party to ensure FCRA compliance.
The settlement suggests three takeaway tips for other businesses.
Give the green light to a Red Flags Rule reassessment. If your company is covered by the Red Flags Rule and your Identity Theft Prevention Program is languishing in a file folder, it’s time for the periodic update required by the Rule.
Limit your use of credit reports to the “permissible purposes” mandated by the law. Section 604(f) of the FCRA makes it illegal to get a credit report – or use one – for any reason other than the specific purposes authorized by the law. Given the highly confidential information in credit reports, is someone at your company checking to make sure your practices line up with the FCRA?
Educate and moderate. Whether it relates to the FCRA or any other consumer protection provision, train your staff to comply with the law and monitor what they’re doing to make sure they got the message. Without appropriate supervision, an untrained staff and a commission-only compensation system can be a dangerous combination. Furthermore, don’t look the other way when consumers or employees come to you with credible concerns that your policies aren’t being followed.