WASHINGTON, D.C. — The Consumer Financial Protection Bureau (CFPB) today took action against Xerox Business Services, LLC, now called Conduent Business Services, for software errors that led to incorrect consumer information about more than one million borrowers being sent to credit reporting agencies. The company also failed to notify all of its auto lender clients about known flaws in its software that led to the errors. Today’s consent order requires Xerox to pay a $1.1 million civil penalty, explain its mistakes to its lender clients, and fix its faulty software.
"Xerox provided flawed software that resulted in incorrect or incomplete credit reporting information on more than a million borrowers," said CFPB Director Richard Cordray. "The company compounded the problem by keeping lenders in the dark about the defects. Mistakes on credit reports can greatly harm consumers, so we are ordering Xerox to fix its flawed systems."
Xerox Business Services, based in Dallas, Texas, operated and customized a third-party software application for five auto lenders. The software automatically generated and transmitted information about borrowers’ auto loans to consumer reporting agencies. Lenders use information furnished to the consumer reporting agencies when considering whether to issue a loan and on what terms, so it is essential the information is accurate. Mistakes on credit reports like those caused by Xerox can lead to consumers being denied credit, or not qualifying for lower interest rates or other favorable credit terms. Errors on credit reports can also impact a consumer’s ability to qualify for employment, insurance, and rental opportunities.
Widespread defects in the loan-servicing software that Xerox used led lenders to report inaccurate information about consumers’ performance on their loans. In 2016, its reports for more than one million of the auto lenders’ 6.4 million customer accounts had one or more errors. Xerox had acquired the rights to this software from its creator, an independent software developer. When lenders asked for certain features, Xerox would modify the software’s source code. Between 2004 and 2010, one modification was supposed to enable three of Xerox’s clients to provide consumer data in the Metro 2 Format. Metro 2 is the standard industry format used for furnishing this information in a uniform way to credit reporting agencies. However, Xerox’s modifications were based on a flawed, unreleased version of Metro 2 source code that led to the reporting of incorrect consumer information. This violated the Dodd-Frank Wall Street Reform and Consumer Protection Act. According to the consent order, Xerox:
- Provided flawed
software that led to incorrect information being sent to credit reporting
companies: Xerox’s use of flawed,
unreleased loan-servicing software resulted in the transmission of inaccurate
and incomplete information to credit reporting agencies. Missing or incorrect
information included the date of borrowers’ first delinquent payment; actual
payment amounts; scheduled monthly payment amount; amount past due; amount
charged to loss when a loan is charged-off; account status, and other payment
and account information.
- Failed to inform
lenders about defects in its software: Xerox
did not notify all of its client lenders about the errors even after learning
that the software it used resulted in the transmission of inaccurate
information. Xerox’s clients told the company about faulty data being sent to
credit reporting agencies, and ordered it to fix specific errors. But Xerox did
not notify its other lender clients about the problems. Xerox also failed to
pass along information it learned from the software’s developer about upgrades
needed to prevent mistakes. As a result, for years Xerox’s clients persisted in
transmitting inaccurate and incomplete information about borrowers and their
accounts to the credit reporting agencies.
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws. Under today’s consent order, Xerox must:
- Explain the errors to its clients, and act to
prevent future mistakes: Xerox has to describe the errors caused by its
flawed software to its client auto lenders, inform lenders of any future
potential or actual errors within 30 days of its discovery, and explain the
correct use of the software to its clients each time the coding is revised.
- Give the CFPB a compliance plan: Xerox
must give the CFPB a plan showing that it will identify and fix all defects in
its software, and ensure that the software will report accurate information to
credit reporting agencies.
- Pay a $1.1 million penalty: Xerox must pay a penalty of $1.1 million to the CFPB Civil Penalty Fund.
The Consumer Financial Protection Bureau is a 21st century agency that helps consumer finance markets work by making rules more effective, by consistently and fairly enforcing those rules, and by empowering consumers to take more control over their economic lives. For more information, visit consumerfinance.gov.