Author: Mike Edwards
“Do you know where we can obtain a sample authorization form to use when we get requests from some of our commercial insureds to provide them with copies of the MVRs on their drivers? We often provide these to our commercial insureds as a value-added service, but want to be sure we comply with any legal requirements, if any.”
I do not know if there is any “official” or “authorized” sample letter that grants permission for an insurance agency to provide MVRs on drivers to an employer. And I don’t want to rain on your parade, but I would recommend that the agency not engage in the practice of furnishing MVRs to employers at all.
In my comments that follow, keep in mind that I am responding only as an Insurance Nerd, and not as an attorney. The use of MVRs falls under the federal Fair Credit Reporting Act (FCRA), which is regulated by the Federal Trade Commission (FTC). In order to protect the privacy of consumers, the FCRA restricts access to a wide assortment of “consumer reports,” which include MVRs and CLUE Reports. Here is how the FCRA defines “consumer reports.”
603. Definitions [15 U.S.C. § 1681a]
(d) Consumer Report
(1) In general. The term “consumer report” means any written, oral, or other
communication of any information by a consumer reporting agency bearing on a
consumer's credit worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in
establishing the consumer's eligibility for:
(A) credit or insurance to be used primarily for personal, family, or household
purposes;
(B) employment purposes; or
(C) any other purpose authorized under section 604 [§ 1681b]
In today’s legal climate, an employer is well within their rights to require a wide variety of personal information from a current or prospective employee, such as an MVR, credit report, criminal background report, drug test, etc. At the same time, the employee is granted significant safeguards regarding the access and use of such information for employment.
Under the FCRA, when any consumer report will be used for employment, the employee or prospective employee must first give written permission for such information to be obtained by the employer. When the employer requests this information from a "consumer reporting agency" (CRA) such as Equifax, Experian, TransUnion, etc., there are certain federally-mandated documents and procedures which must accompany the transaction between the CRA, the employer, and the employee. For details, see the brochure from the FTC titled “Using Consumer Reports: What Employers Need to Know.”
An insurance agency may pull an MVR in conjunction with "the underwriting of insurance," as prescribed in the FCRA, Section 604, as follows:
604. Permissible purposes of consumer reports [15 U.S.C. § 1681b]
(a) In general. Subject to subsection (c), any consumer reporting agency may furnish a consumer report under the following circumstances and no other:
(3) To a person which it has reason to believe
(C) intends to use the information in connection with the underwriting of
insurance involving the consumer;
Under the FCRA, there is no requirement to obtain a consumer’s written permission to access his/her MVR, where the agency is only underwriting drivers for a commercial risk, for example.
Therefore, when the commercial insured/employer sends a request to the agency to pull the MVR on a new employee in conjunction with adding the employee as a driver under the Business Auto Policy, the agency can do so without the written permission of the new employee.
In addition, to inform a commercial insured that a new driver does or does not qualify as a driver for underwriting purposes would seem to be a part of "the underwriting of insurance." For additional information on the use of consumer reports in insurance, see the FTC brochure “Consumer Reports – What Insurers Need to Know.”
However, many experts believe that if the agency shares the specific contents of an MVR with the employer, in whole or in part, via email, fax, or phone, the agency is no longer "underwriting insurance," but is now acting as a "consumer reporting agency” (CRA),and must follow all the steps and procedures required under the FCRA.
Here is how the FCRA defines a “"consumer reporting agency.”
603. Definitions [15 U.S.C. § 1681a]
f) The term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
On the FTC web site are posted many Staff Opinion Letters about the FCRA. These letters are in response to specific question from various business entities which conduct activities that fall under the FCRA. There are no Staff Opinion Letters posted from any insurance agency, regarding the question of whether or not the furnishing of MVRs to commercial insureds would cause the agency to fulfill all the requirements of a consumer reporting agency (CRA). However, there is a question from a law firm that is almost identical to the issue for insurance agents. Here is the question and the FTC response:
Question: Is a law firm that researches the criminal records of job applicants for its clients a "consumer reporting agency" for FCRA purposes?
FTC Response: In the situation that you describe -- an attorney checks criminal records of consumers who apply for jobs with a client -- the attorney's activities appear to meet the definition of a CRA so long as records checks are a "regular" course of action on the part of the attorney and the attorney directly or indirectly charges for this service. The information relates, at the very least, to the "character" and "general reputation" of applicants for employment, and thus qualifies as consumer report information since it is provided for one of the purposes specified in the definition of "consumer report" in Section 603(d) of the FCRA. The fact that the information is "public record" information makes no difference. By collecting this information from public record sources the attorney is, at the very least, "assembling" the information and therefore meets the definitional requirements of a consumer reporting agency in Section 603(f) of the FCRA. In effect, the attorney is functioning as an employment screening agency. Accordingly, the attorney should ensure that his or her activities comply with the FCRA
As discussed above, the FCRA places a number of very specific requirements on consumer reporting agencies, such as
Equifax, Experian, TransUnion, etc., and the employer. But if an insurance agency inadvertently fell into the CRA category, it seems that the agency could also be required under the FCRA to comply with those procedures.
Even in the event the agency was not deemed to be acting as a CRA, or if it believed it was, and followed all the procedures required of a CRA, there remain some additional issues for the agency to deal with. While the practice of an insurance agency furnishing MVRs to commercial insureds on their current or new employees can be "legal" under the FCRA, virtually all sources from whom the agency obtains the MVRs expressly prohibit the practice in their contract with the agency. Following are excerpts from the contracts of two MVR providers that many insurance agencies use.
MVR Company A:
"The Consumer Reports provided by Company A are for the sole and internal use of the Insurance Agency, and may not be resold, sub-licensed, delivered or displayed in any way or used by any third party. Insurance Agency certifies that it shall order, receive, disseminate and otherwise use the Consumer Reports in compliance with all applicable federal, state and local statutes, rules, codes and regulations. Insurance Agency agrees to indemnify and hold harmless Company A from any and all damages, costs, judgments and expenses."
MVR Company B:
"All reports, whether oral or written, will be kept strictly confidential; except as provided by law, no information from reports will be revealed to any person except the subject of the report. No information will be requested for the use of any other person, agency or organization except with the written permission of Company B. Reports may not be resold or transferred to any other person. The unlawful ordering or use of consumer reports can subject you to criminal and civil penalties in accordance with both federal and state laws."
Recently, one of the largest MVR Companies in the nation sent this memo to all insurance agency customers:
"It has recently come to our attention that some insurance agencies may be furnishing MVRS obtained for commercial underwriting purposes to the commercial insurance buying customer." Please be aware that the consumer reports you obtain from us may not be used beyond the purpose for which they were ordered and cannot be sold or given to parties outside the ordering insurance company or insurance agency. Allowing an employer to receive an MVR that was provided to you for commercial underwriting purposes would be a violation of law as well as a violation of your agreement with us."
Thus, the practice of an insurance agency furnishing MVRs to commercial insureds on their current or prospective employees is not permitted by most MVR providers, although the practice can be "legal" under the FCRA.
Legal experts caution insurance agencies about getting involved in employee screening on behalf of their commercial insureds, even if intended as only a value added service. As employers, commercial insureds not only have a right to conduct background checks on employees; in today's legal climate, they almost certainly also have a duty to do so.
However, there are countless employee screening services that can conduct proper, legal and permissible background checks on employees. Agencies should refer their commercial insureds to these screening services. Since every employer needs to conduct robust background checks on employees, they must look beyond just the MVR anyway.
It is imperative that agencies distinguish between "insurance underwriting" functions and those which cross the line into "employee screening" activities. While agencies obtain MVRs and other consumer reports as a part of underwriting, there must be clear guidelines limiting their disclosure for any other purpose.
One additional issue which faces any business that has legal access to consumer reports is the potential for misuse of such reports by its own employees. There are numerous cases where employees of businesses, including insurance agencies, pulled credit reports, MRVs, CLUE Reports, and other consumer reports on their ex-spouses, people they were dating, and so forth. In most cases, the businesses have been held vicariously liable for the violations of the FCRA by their employees.
Therefore, one loss control procedure that legal experts recommend is that agencies include specific guidelines in their employee manual on the handling of all protected consumer information. This includes information protected by the FCRA, Gramm-Leach-Bliley Act (GLBA) for personal financial information, and HIPAA (health information). In far too many of the lawsuits brought against these businesses, their defense was weakened by the absence of any written procedures or guidelines in their employee handbooks.
Back to your original question, about sample forms being available which are intended to authorize an agency to run an MVR on a driver for a commercial insured, and then relay the information to the employer, who will use the MVR as a tool in a hiring decision. The main reason I think such forms are not readily available is due to the concern that when an agency furnishes MVRs to third parties, it might be deemed to be acting as a “consumer reporting agency” (CRA), and not as an insurance agency, by undertaking that action.
Of the “homemade” forms I’ve seen over the years, which were developed in-house at the agency, and often include the agency’s logo, many use a format which is actually found in a suggested form letter developed by the Independent Insurance Agents & Brokers of America (IIABA). In the Legal Advocacy section of the IIABA’s home page, there is a very informative report on the FCRA. Here is a link to the FCRA report:
Near the end of the report (page 16), there is a document titled “Appendix A – Sample Letter Authorizing Consumer Reports and/or Driving Records to be Obtained – Signed by Insurance/Employment Applicant.”
Here is the pertinent language from that sample letter:
“I, (Name of Insurance/Employment Applicant), authorize (Name of Insurance Agency/Employer) (“Company”) to obtain consumer reports covered by the federal Fair Credit Reporting Act and any comparable state laws that are applicable, as well as my driving record, covered by the federal Drivers Privacy Protection Act and any comparable state laws that are applicable, to assess my insurability and/or employability and for any other legally permissible purposes. By signing this authorization, I hereby provide my consent to the Company to procure such consumer reports and driving records about me from time to time, as it deems appropriate, to evaluate my insurability and/or employability and for any other legally permissible purposes.”
As the title suggests, this letter can be used for certain insurance, as well as employment, situations.
This letter could be used for employment situations as follows. Where a consumer report (such as an MVR) is being used by an employer to evaluate a current or prospective employee, the FCRA requires that the individual provide written permission, and this sample letter would seem to be ideal for that purpose. For example, if Smithco Systems was looking to hire a new employee whose duties would include driving a company vehicle, the FCRA requires that Smithco have the job candidate complete this form in order authorize Smithco to obtain his/her MVR, or other consumer report. Then, when Smithco contacts a job-screening service (acting as CRA) to obtain the desired consumer reports, the CRA would require Smithco to first verify that it had in its possession a signed letter of authorization, before the CRA would release any consumer reports to Smithco on its job candidate.
That’s a textbook case of how the process works. However, if Smithco sends this letter of authorization to its insurance agency, so they will run the MVR and send it to Smithco, this appears to many experts that the insurance agency is acting as a consumer reporting agency (CRA). (Refer to the FCRA’s definition of “consumer reporting agency” above, and the subsequent comments from the FTC Staff Opinion Letter.)
On the other hand, this letter would be needed in an insurance transaction only under very limited circumstances. In general, the FCRA does not require the written permission of a consumer for his/her consumer report to be obtained for any transaction initiated by the consumer (such as applying for insurance). However, where an insurance agency has utilized pre-screened lists for marketing, which rely heavily on selecting candidates based on certain criteria in consumer reports, at some point the consumer must give written permission for this practice.
The scope of this sample letter above is only to give permission to procure a consumer report, and does not provide permission for the agency to share the information in such consumer report with the employer.
If I’m raining on your parade, this might add a torrential downpour. The FCRA has two categories of violations: “negligent noncompliance” (Section 617) and “willful noncompliance” (Section 616). The first one is more of an “oops!” event, whereas the second is more a case of, “I don’t care what the law says, I’m doing it anyway.” For “willful noncompliance,” there can be fines per violation, plus a lawsuit for actual damages by the consumer and the consumer reporting agency, plus punitive damages, and even imprisonment for up to 2 years.
Also, I have talked to E&O attorneys over the years about various issues in the FCRA. In particular, in a case of “willful noncompliance,” some have concerns that this might be considered an intentional act, and possibly excluded from the E&O policy.
Processing MVRs has been such a routine function in the insurance agency for so long that it is easy to lose sight of how much care must be exercised in handling them. By comparison, everyone is aware of the need to be careful in the use of health and medical information. But in actual fact, MVRs, CLUE Reports, personal financial information, and all other forms of protected consumer information must be handled in the same careful, cautious manner as health and medical information.
This leads to a closing comment about the role of the agency in providing certain “value added” services. Without question, service is the cornerstone of what independent agents provide policyholders. However, some well-meaning services can be a double-edged sword, such as the case of providing MVRS to commercial insureds. A friend who is an E&O attorney recently presented a program on agents E&O at an insurance convention. One of his main topics was titled, “E&O That Comes From Being Too Helpful.” Therefore, value added services must be carefully evaluated by the agency.
Additional VU articles: