Commercial Transactions Due Diligence

The Fair Credit Reporting Act and Commercial Transactions

Does the Fair Credit Reporting Act (FCRA) apply to commercial transactions?

Although the FCRA is generally limited to consumer-purpose transactions (e.g., those primarily for personal, family, or household purposes), there is no straightforward answer regarding commercial transactions. This is because the FCRA defines a “consumer” as just an “individual.” The FCRA does not require the consumer/individual to obtain the loan specifically for a consumer purpose. Whether and how the FCRA applies depends on the facts and circumstances regarding the commercial transaction.

Commercial Loans, Personal Liability, and the Permissible Purpose Requirement

When an individual applies for a loan primarily for personal, family, or household purposes, the lender has a permissible purpose under the FCRA to obtain the individual’s consumer report.

However, a commercial transaction does not give rise to a permissible purpose except for a report on an individual – such as a sole proprietor or principal of a company – who will be personally liable for the debt. In a Federal Trade Commission (FTC) staff opinion letter dated in 2001, the FTC stated that “it is reasonable to view a business transaction in which an individual has accepted personal liability for the business debt as involving the consumer, thus providing a permissible purpose for the lender to obtain a consumer report under Section 604(a)(3)(A).”

A follow-up question is whether the commercial loan application itself is enough of a permissible purpose when the individual is only a guarantor and not otherwise related to the transaction or debtor. Another 2001 FTC opinion letter concluded that if an individual has any personal liability on a business loan, including just a guarantee, there would be a permissible purpose by means of the application for credit.

These opinion letters have been reaffirmed in subsequent FTC publications.

As a caveat, however, it is important to remember that these opinion letters are merely informal guidance and are not binding on the FTC, the courts, or other governmental regulators. That is why we think the best practice is to get written authorization from the individual (another form of permissible purpose under the FCRA) before preparing the report.

Reporting Adverse Information

When the FCRA applies to a commercial transaction, the restrictions for reporting adverse information should be followed. The restrictions generally prohibit reporting adverse information that pre-dates the report by seven years. Bankruptcies that pre-date the report by 10 years cannot be reported. Criminal convictions can be reported regardless of the date.

The FCRA also provides an important exemption to these reporting restrictions. If a credit transaction involves, or may reasonably be expected to involve, a principal amount of $150,000 or more, the restrictions on reporting adverse information do not apply.

Adverse Action Notice

When the FCRA applies to a commercial transaction, does the adverse action notice requirement apply? The general rule in the FCRA is that if the lender obtains a consumer report and takes adverse action based, in whole or in part, on any information in the report, the lender must give the consumer an adverse action notice. Therefore, in the commercial context, the lender should give the consumer an adverse action notice if the loan application is denied.

What about guarantors? Although the FCRA is silent on whether guarantors are included for purposes of an adverse action notice, the FTC clarified the issue in a 2000 advisory letter. If the consumer is only a guarantor (i.e., secondarily liable on the loan), then an adverse action notice would not be required to be provided to the guarantor. This is true even if the application is denied based on information in the guarantor’s consumer report.

Civil Judgments v. Judgment Liens: What is the Difference?

A civil judgment and a judgment lien are not the same things, although they do relate to the same debt.

A civil judgment is an official decision by the court regarding a civil lawsuit. If the judgment is in favor of the plaintiff (the party filing the lawsuit), the judgment typically awards the plaintiff a sum of money that must be paid by the defendant (the party sued by the plaintiff). A civil judgment can be located in a search of civil court records.

If the judgment debtor (the defendant who lost the lawsuit) fails to voluntarily pay or “satisfy the judgment,” it is up to the judgment creditor (the plaintiff who won the lawsuit) to enforce or collect the judgment.

There are a variety of ways to enforce a civil judgment. A common method of enforcing a judgment is for the judgment creditor to file a judgment lien, which is also often referred to as an “abstract of judgment.” This is an involuntary lien that the judgment creditor files to attach to the judgment debtor’s property in the jurisdiction where the judgment lien is filed. The judgment lien is typically filed in the county recorder’s office but may also be filed at the courthouse in some jurisdictions. In general, the lien is satisfied from the sale proceeds when the judgment debtor sells the property or when a refinance occurs.

Company Legal Name v. DBA

Every business has a “legal” or “true name.” When researching a company, it is important to identify its legal name. In the case of a corporation or limited liability company, the legal name is the one on its formation document — e.g., the articles of incorporation or articles of organization.  As an example, Scherzer International’s legal name is Scherzer International Corporation.

If the company does business under another name, it is commonly referred to as a DBA – which stands for “doing business as.” DBAs are also sometimes referred to as an “assumed name,” “fictitious business name,” or “trade name.” State and local laws generally require a company to register a DBA it is using; however, it is important to note that registering and doing business under a DBA name is not the same as forming a business or a business entity.

Consent for International Searches

A basic principle of conducting international searches on an individual is that you need a lawful basis for processing personal data. This principle applies to both employment-purpose and commercial background checks.

Although the number and type of lawful bases vary from one country to another (especially with the enactment of new data protection and privacy laws in many countries over the last several years), a lawful basis for processing personal data common to all international searches is the consent of the individual search subject. From a compliance perspective, obtaining an individual’s consent for the searches is the best practice.

Other than the requirements that the subject’s express consent be unambiguous and freely given, there is no universally prescribed format or wording for an international consent form.

If the subject’s consent cannot be obtained, you can look to a country’s data protection and privacy laws to determine if a different legal basis may be applicable for processing personal data that does not require the subject’s consent. It is always up to the controller of the data to determine the appropriate legal basis for processing personal data.

For individuals located in the EU or UK, there are several legal bases that will satisfy the compliance requirements under the EU GDPR, the UK GDPR and the Data Protection Act of 2018 (UK) if consent cannot be obtained. The controller can still request these searches if it has a legitimate interest in obtaining the individual’s personal data or needs the data to perform a contract.

If the request for the searches is based on a legitimate interest or performance of a contract, the individual must receive a notice of the controller’s intention to process the data. Notice can be given in several different ways, including directly to the individual, in an engagement letter or similar document, or by publication on the client’s website. The way the controller gives notice is their decision.

Civil Cases and Garnishees

A common occurrence when searching civil case records for a company is to locate a record that identifies the company’s role in the case as a “garnishee.” What’s a garnishee and should these cases be included in background reports?

A garnishee can be any company (or person) who holds property (including money) owed to a debtor – that is, someone who has an unpaid judgment against them.

Employers often become garnishees because they hold wages to be paid to an employee who is a debtor. A creditor can use a procedure called wage garnishment, a court order that requires the debtor’s employer to hold the debtor’s wages to pay the creditor. The employer as garnishee simply pays the employee-debtor’s wages to the court.

Because a garnishee’s involvement in a civil case is neither negative nor noteworthy, it typically should not be included in the report.

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – businesses and organizations of any type, size or legal structure, including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations, are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.


Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up-to-speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the more thorny agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act.”

Securities class actions remain popular

For regulated entities, an enforcement action by a government agency is practically guaranteed to result in a parallel consumer class action.

Nowhere is that more clear than for publicly traded companies regulated by the Securities and Exchange Commission (SEC). Securities class actions were considered to be so rampant that in 1995, Congress enacted the Private Securities Litigation Reform Act (PSLRA) to curb what the industry believed were abusive practices.

While the statute raised the bar for private enforcement actions, it certainly did not close the courtroom doors to plaintiffs. Although there are fewer suits brought today, complaints are still filed in lockstep with an agency enforcement action and in significant enough numbers to keep companies on their toes.

Industry watchers predicted that a seminal case decided by the U.S. Supreme Court last term, Halliburton Co. v. Erica P. John Fund (Halliburton II), would result in a decrease in class actions filed. That case involved a popular theory known as “fraud on the market,” where plaintiffs were not required to demonstrate that each individual class member relied on any allegedly misleading statements if the security at issue could be shown to be “efficient,” or with a market price reflecting all of its publicly available information.

While the Court did not toss the theory, the justices held that defendants can rebut the presumption prior to class certification. The June decision appeared to have little impact on the figures for 2014 filings. For example, NERA Economic Consulting reported that 221 securities class actions were filed last year, compared to 222 in 2013 and 212 in 2012.

Interestingly, although the number of complaints in securities class actions has not fluctuated much over the last few years, the aggregate amount of investor losses has declined, NERA found. 2014 saw a drop to $154 million from $159 million in 2013, down significantly from $243 million in 2012 and $248 million in 2011. Are certain industries facing more lawsuits than others? NERA reported that one quarter of all of the securities class actions were filed against companies in the health technology and services area. Other major players: the finance industry, in second place with 19 percent of the suits, followed by the electronic technology and service sector with 13 percent.

Securities class action plaintiffs are also continuing a trend of settling prior to trial. Of all the pending and newly filed cases in 2014, just one lawsuit was actually tried to verdict (resulting in a plaintiff victory). Almost half of the cases ended on the defendant’s motion to dismiss (48 percent last year with an additional 21 percent dismissed in part), NERA found; 75 percent of the cases that survived settled prior to the class certification stage of litigation.

Read the U.S. Supreme Court’s opinion in Halliburton II.

Asset searches: who can get bank information and why

Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.

Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.

Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.

International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).

What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or accept service at any branch without such a designated office.

Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.

For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.

Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.

Beware of loopholes in reporting on securities brokers

When considering the track record of a securities broker or dealer, investors should be cognizant of loopholes in background reporting.

The Financial Industry Regulatory Authority (FINRA) oversees the regulation of brokers and operates BrokerCheck, an online database that contains disciplinary records of registered brokers. But a review by the Wall Street Journal found that BrokerCheck is sorely lacking a wealth of information about registered brokers, some of which can be found in the records of state regulators. At least 38,400 brokers have regulatory or financial red flags that appear only on state records, according to the WSJ’s investigation; of those brokers, at least 19,000 had clean BrokerCheck records. One significant area omitted by FINRA: internal reviews.

The WSJ identified 4,346 brokers with one or more internal reviews reported on their state records but not on BrokerCheck. Other regulatory red flags not spotted on FINRA’s database: personal bankruptcies filed more than 10 years ago, judgments and liens that have been satisfied, and certain employment terminations.

FINRA’s records do include complaints against brokers, regulatory actions, terminations for cause, and personal bankruptcies filed within the last decade, which the agency says is consistent with the Fair Credit Reporting Act. But in light of the gaps – and a proposal from FINRA to the Securities and Exchange Commission to expand the obligations of financial institutions with regard to the background screening of applicants (https://www.scherzer.com/sec-considers-background-check-rule-proposed-by-finra/) – investors should consider checking state regulatory records to form a more complete picture of a broker’s history.

In response to the WSJ’s inquiry, FINRA launched a review of its database and said the agency is studying the current rules about the information disclosed on BrokerCheck. The agency is also attempting to patch a separate loophole by coordinating its efforts with state insurance regulators. Following reports that insurance and securities regulators struggle to share data – and that individuals take advantage of the gap by continuing to sell insurance products despite losing a securities license, for example – FINRA vowed to take action. Beginning this month, the agency said it will provide a monthly report of its disciplinary actions against securities brokers not only to state securities regulators but state insurance regulators as well.
