On September 17, the Consumer Financial Protection Bureau (CFPB or Bureau) published Circular 2024-05 (Circular) addressing whether a financial institution violates the Electronic Fund Transfer Act (EFTA) and Regulation E by charging overdraft fees for ATM and one-time debit card transactions without proof of the consumer’s affirmative consent to enrollment in covered overdraft services. (According to the CFPB’s press release, the Bureau considers this to be a “phantom opt-in.”) The Bureau’s response is clear: Yes, charging fees in these circumstances can indeed constitute a violation of EFTA and Regulation E.
According to the CFPB, Regulation E mandates an opt-in regime for overdraft services, not an opt-out regime: the default condition is that consumers are not enrolled in covered overdraft services. Thus, consumers must affirmatively consent to enroll in such services before any fees can be charged. Financial institutions are required to provide consumers with a written or electronic notice describing the institution’s overdraft services prior to opt-in, and to provide consumers with confirmation of their consent in writing or electronically with a notice informing them of their right to revoke such consent. These rules apply specifically to overdraft fees for ATM and one-time debit transactions, not to fees for written checks, recurring debit transactions, or ACH transactions.
In the Circular, the CFPB states that its examinations have revealed instances where institutions have charged overdraft fees but failed to provide evidence of consumer opt-in to covered overdraft services. While some of these institutions had policies in place regarding opt-in requirements, the Bureau found that they did not follow them consistently, leading to violations of Regulation E. The Circular also notes that the Bureau has identified other violations of law relating to overdraft opt-in requirements, such as using deceptive and abusive practices to obtain consumers’ consent.
The Circular emphasizes the importance of maintaining proper records to prove compliance with Regulation E. According to the CFPB, the records required to demonstrate consumer consent vary depending on the channel through which the consumer opted into the covered overdraft services: for in-person or postal mail opt-ins, signed or initialed forms are sufficient; for phone opt-ins, recorded phone calls are sufficient; and for online or mobile app opt-ins, secure, unalterable electronic signatures are sufficient.
Our Thoughts:
The Circular demonstrates that the CFPB’s scrutiny of fees charged to consumers is still a top priority, and that the Bureau will use various methods to attack financial institutions’ fee practices. This guidance aligns with prior enforcement actions regarding overdraft fees, wherein the Bureau has alleged that financial institutions failed to obtain consent to overdraft services as required by the EFTA and Regulation E. In those enforcement actions, the Bureau also alleged that institutions’ fee practices violated the prohibition on unfair, abusive, and deceptive acts and practices. The Circular suggests that, in addition to examining institutions’ fee practices for possible violations of the EFTA and Regulation E, the CFPB will examine such practices for possible UDAAP violations, as the Circular mentions in a footnote that the Bureau could find that overdraft practices constitute an unfair, deceptive, or abusive act or practice.
This focus on overdraft fees is part of the CFPB’s continued war on alleged “junk fees” since January 2022. Indeed, the Bureau has highlighted this agenda in two special editions of its Supervisory Highlights in the winter and fall of 2023, discussed here and here, and in another special edition of its Supervisory Highlights in the spring of 2024, discussed here. As it appears that the Bureau does not plan to shift its focus away from consumer fees, and that its focus may place more emphasis on consumer consent, institutions should ensure that they have robust EFTA and Regulation E policies and procedures in place, that those policies and procedures are followed, and that records demonstrating consumer consent are adequately maintained.