WASHINGTON, D.C. — The Consumer Financial Protection Bureau (CFPB) today took action against Xerox Business Services, LLC, now called Conduent Business Services, for software errors that led to incorrect consumer information about more than one million borrowers being sent to credit reporting agencies. The company also failed to notify all of its auto lender clients about known flaws in its software that led to the errors. Today’s consent order requires Xerox to pay a $1.1 million civil penalty, explain its mistakes to its lender clients, and fix its faulty software.
"Xerox provided flawed software that resulted in incorrect or incomplete credit reporting information on more than a million borrowers," said CFPB Director Richard Cordray. "The company compounded the problem by keeping lenders in the dark about the defects. Mistakes on credit reports can greatly harm consumers, so we are ordering Xerox to fix its flawed systems."
Xerox Business Services, based in Dallas, Texas, operated and customized a third-party software application for five auto lenders. The software automatically generated and transmitted information about borrowers’ auto loans to consumer reporting agencies. Lenders use information furnished to the consumer reporting agencies when considering whether to issue a loan and on what terms, so it is essential the information is accurate. Mistakes on credit reports like those caused by Xerox can lead to consumers being denied credit, or not qualifying for lower interest rates or other favorable credit terms. Errors on credit reports can also impact a consumer’s ability to qualify for employment, insurance, and rental opportunities.
Widespread defects in the loan-servicing software that Xerox used led lenders to report inaccurate information about consumers’ performance on their loans. In 2016, its reports for more than one million of the auto lenders’ 6.4 million customer accounts had one or more errors. Xerox had acquired the rights to this software from its creator, an independent software developer. When lenders asked for certain features, Xerox would modify the software’s source code. Between 2004 and 2010, one modification was supposed to enable three of Xerox’s clients to provide consumer data in the Metro 2 Format. Metro 2 is the standard industry format used for furnishing this information in a uniform way to credit reporting agencies. However, Xerox’s modifications were based on a flawed, unreleased version of Metro 2 source code that led to the reporting of incorrect consumer information. This violated the Dodd-Frank Wall Street Reform and Consumer Protection Act. According to the consent order, Xerox:
- Provided flawed software that led to incorrect information being sent to credit reporting companies: Xerox’s use of flawed, unreleased loan-servicing software resulted in the transmission of inaccurate and incomplete information to credit reporting agencies. Missing or incorrect information included the date of borrowers’ first delinquent payment; actual payment amounts; scheduled monthly payment amount; amount past due; amount charged to loss when a loan is charged-off; account status, and other payment and account information.
- Failed to inform lenders about defects in its software: Xerox did not notify all of its client lenders about the errors even after learning that the software it used resulted in the transmission of inaccurate information. Xerox’s clients told the company about faulty data being sent to credit reporting agencies, and ordered it to fix specific errors. But Xerox did not notify its other lender clients about the problems. Xerox also failed to pass along information it learned from the software’s developer about upgrades needed to prevent mistakes. As a result, for years Xerox’s clients persisted in transmitting inaccurate and incomplete information about borrowers and their accounts to the credit reporting agencies.
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws. Under today’s consent order, Xerox must:
- Explain the errors to its clients, and act to prevent future mistakes: Xerox has to describe the errors caused by its flawed software to its client auto lenders, inform lenders of any future potential or actual errors within 30 days of its discovery, and explain the correct use of the software to its clients each time the coding is revised.
- Give the CFPB a compliance plan: Xerox must give the CFPB a plan showing that it will identify and fix all defects in its software, and ensure that the software will report accurate information to credit reporting agencies.
- Pay a $1.1 million penalty: Xerox must pay a penalty of $1.1 million to the CFPB Civil Penalty Fund.
The Consumer Financial Protection Bureau (CFPB) is a 21st century agency that helps consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives. For more information, visit www.consumerfinance.gov.