In this pivotal episode of The Consumer Finance Podcast, host Chris Willis, alongside colleagues Brooke Conkle and Chris Capurso, explores the Consumer Financial Protection Bureau’s (CFPB) groundbreaking proposal for regular and extensive data collection within the auto finance industry. This episode is part of our special series on auto finance, where we unpack the implications of this initiative, rooted in the authority of Section 1022 of the Dodd-Frank Act, for both the industry and consumers. As the auto finance sector experiences significant growth amid rising prices and rates, we shed light on the CFPB’s strategy to enhance market monitoring and ensure transparency. Join us as we explore the potential impacts of this development, the reactions from major auto finance companies, and what this means for the future of consumer financial services. Don’t miss this insightful discussion that navigates the complexities of regulatory changes and their effects on the auto finance landscape.


Comments on the Consumer Financial Protection Bureau’s (CFPB or Bureau) proposal to collect data from auto finance businesses that acquire or originate as few as 500 financing transactions a year are due by March 25, 2024.


On February 23, the Consumer Financial Protection Bureau (CFPB or Bureau) announced that it has issued orders to nine of the largest auto lenders requesting information about their auto lending portfolios. According to the CFPB, the nine targeted lenders represent a cross-section of the auto finance market and the data collected in response to these orders will help the CFPB build a data set that provides it with insight into lending channels and loan performance. Notably, the CFPB stated that these collection efforts will inform potential future data collection orders.

These requests are not unexpected, as the CFPB first announced its intention to collect such data in November 2022 and has proceeded to collect public comments regarding the same over the past few months.

The CFPB issued these requests under its authority to monitor the auto finance market under 12 U.S.C. § 5511(c)(3) and not as a supervisory order or civil investigative demand. However, the CFPB expressly reserved the right to use the information gathered for any purpose permitted by law. The data requests are extensive and request information about originations, servicing, and repossessions over the past five years. The stated purpose for the requests is to help the CFPB better understand trends, changes in the marketplace, and how the components of auto loan transactions have changed over time.

The CFPB identified three areas where it believes the requested data will increase visibility into the market:

  • Lending Channels
    • The data requests require lenders to identify whether each loan is direct or indirect.
  • Data
    • According to the CFPB, thorough auto lending analyses are “nearly impossible” due to variations in existing data and the difficulty in creating a comprehensive data set from existing sources.
  • Repossessions
    • Specifically, the CFPB requests information on the circumstances leading up to a repossession, and the impact of a repossession on the borrower and lender. The Bureau indicated it is interested in the potential correlation between delinquency and geography, credit score, and income.
    • The data requests also seek information about the kinds of technology used during repossession, such as GPS tracking and starter-interrupt devices.

We see a significant focus not only on repossessions in these requests, but also on “ability to repay” issues and the sale of ancillary products, both of which were featured issues in a recent enforcement action filed by the CFPB. These requests seem to indicate that auto finance will remain a front and center area of interest for the CFPB. Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

On November 17, the Consumer Financial Protection Bureau (CFPB) announced it is seeking public comment on its proposal to develop a new data set to better monitor the auto loan market. According to the CFPB, greater visibility into market trends would allow lenders and investors to spot emerging opportunities, improve risk management practices, and ultimately expand access to credit and refinancing. The CFPB will be accepting comments on its proposal until December 19.

The CFPB explained its main reasoning behind the proposed new data collection as follows: “Financial markets and policymakers have long had access to granular mortgage data that has provided insight into patterns in lending and risk. Because student loans are largely administered by the federal government, we know more about them too. But, despite its size, we know much less about the auto lending market. As a result, the CFPB is announcing an effort to work with industry and other agencies to develop a new data set to better monitor the auto loan market.”

Another reason the CFPB gives for the proposed data collection is the purportedly rapid change in the industry. According to the CFPB, auto lending represents approximately one-third of nonmortgage consumer debt, and the amount of outstanding loans has doubled over the last 10 years. Over the past two years, car prices have risen significantly, leading to larger loan amounts and higher monthly payments. The CFPB states these loan size increases are beginning to negatively impact consumers and households, including an increase in auto loan delinquencies and some consumers being priced out of the market.

According to the CFPB, the available data allows market participants to identify and measure certain trends but is insufficiently granular to fully explore the cause of those trends. For example, publicly available repossession data is based on proprietary estimates and does not provide a level of specificity that allows for deeper analysis. Likewise, while the CFPB’s consumer credit panel (a 1-in-48 sample of consumer credit report data from one of the three nationwide consumer reporting agencies) can fill in some of the gaps, many auto loans are made to consumers with subprime or deep subprime credit scores from lenders that do not furnish data on those loans to credit reporting agencies. The CFPB claims this lack of data could lead to negative consequences for consumers, lenders, and investors, pointing to the lack of visibility into the mortgage market that was a key issue leading up to the Great Recession in 2008.

The proposed data set may include, for example, collecting retrospective data from a sample of lenders that represent a cross section of the auto lending market. Before doing that, the CFPB is gathering input from stakeholders and the public on the current data landscape.

Auto finance continues to be at the top of the CFPB’s radar. As we discussed here, in September 2022, the agency released a blog post exploring the potential relationship between rising car prices and changes in auto loan performance. Earlier, in February 2022, as discussed here, it posted about its regulatory priorities in the auto finance market, including steps that the CFPB planned to take to make the market, in its view, more fair, transparent, and competitive.

Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

The Federal Trade Commission has announced a settlement with LightYear Dealer Technologies, LLC, doing business as DealerBuilt, a company that sells software and data services to auto dealers. The FTC alleged that DealerBuilt’s poor data security practices resulted in a breach that exposed the personal information of millions of consumers. A hacker gained unauthorized access to the data of millions of consumers during at least a 10-day period and downloaded the data of 69,283 individuals. DealerBuilt’s customer base is comprised of nearly 320 dealership locations across the country.

The FTC’s complaint against DealerBuilt alleged that its failures led to a breach of the company’s backup systems, allowing a hacker to gain access to the unencrypted personal information of about 12.5 million consumers, including their Social Security numbers, driver’s license numbers, and birth dates, as well as wage and financial information. DealerBuilt, however, did not detect the breach until it was notified by one of its auto dealer customers. The FTC’s complaint states that the company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the problem. The FTC further alleges that DealerBuilt failed to implement reasonable data security practices to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls. The FTC alleges that DealerBuilt’s failures resulted in violations of both the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule.

DealerBuilt’s settlement with the FTC requires the company to put into place an information security program with certain required elements, and provides insight into the type of program that the FTC expects every company to have in place. FTC Chairman Joe Simon was quoted in the announcement of the settlement and explained that the settlement reflects a new benchmark in the agency’s data security orders: “Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.” While the FTC’s order is detailed, its provisions are not ground-breaking and are recitations of what a company’s information security program ideally should already have in place.

The FTC’s settlement requires DealerBuilt’s information security program to satisfy certain minimum requirements, including:

  • Documenting in writing the content, implementation, and maintenance of the information security program (a basic requirement already required in other contexts);
  • Providing the written program and any evaluations thereof or updates thereto to the board of directors or other governing body at least once every twelve months and promptly after an incident;
  • Designating a qualified employee or employees to coordinate and be responsible for the information security program;
  • Assessing and documenting, at least once every twelve months and promptly following an incident, internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;
  • Designing, implementing, maintaining, and documenting safeguards that control for the internal and external risks to the security, confidentiality, or integrity of personal information identified in response to annual assessments. Safeguards must also include annual employee training, encryption of Social Security numbers and financial account information, and maintaining policies and procedures to ensure the security of the company’s network devices;
  • Assessing, at least once every twelve months and promptly following an incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of personal information, and modify the information security program based on the results;
  • Testing and monitoring the effectiveness of the safeguards at least once every twelve months and promptly following an incident, and modifying the information security program based on the results;
  • Selecting and retaining service providers capable of safeguarding personal information they access through or receive from the company, and contractually requiring service providers to implement and maintain safeguards for personal information; and
  • Evaluating and adjusting the information security program in light of any changes to the company’s operations or business arrangements, an incident, or any other circumstances that the company knows or has reason to know may have an impact on the effectiveness of the information security program. DealerBuilt is required to evaluate the information security program at least once every twelve months.

The settlement, too, can be viewed as a warning to companies engaging in the business-to-business processing of consumer information, given that it represents an expansion of the scope of the FTC’s Gramm-Leach-Bliley Act enforcement activities. The FTC appears to be renewing its focus on supply chain security risks by defining broadly what a “financial institution” subject to the GLBA Safeguards and Privacy Rules is.

The proposed settlement also requires DealerBuilt to obtain third-party assessments of its information security program every two years for a twenty-year period. The third-party assessor must conduct independent sampling, employee interviews, and document review, and use these in developing conclusions related to its assessments. A senior corporate manager responsible for overseeing DealerBuilt’s information security program must also certify compliance with the order annually. Finally, the FTC is given authority to approve the assessor selected.

DealerBuilt’s settlement with the FTC should be viewed as a useful guide to what the agency’s data security orders require and, more importantly, to what the agency expects from all companies—including financial services companies that themselves do not directly interact with consumers—even outside a settlement context, to protect data privacy. In light of this, information security officers should consider reviewing their companies’ information security programs against the backdrop of the DealerBuilt settlement.

On June 20, six federal financial services regulators issued the final automated valuation model (AVM) rule. The AVM rule, initially proposed in June 2023 and discussed here, aims to implement the quality control standards mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act). The final AVM rule is largely identical to the proposed rule and is set to take effect on the first day of the calendar quarter following 12 months after its publication in the Federal Register.


In this special episode, Brooke Conkle and Chris Capurso discuss a recently released circular from the Consumer Financial Protection Bureau (CFPB). They are joined by special guest Caleb Rosenberg, who provides insights into the potential impacts this “quietly released” circular may have on the auto finance industry. Caleb brings a wealth of experience, including assisting businesses with secured and unsecured loan agreements, retail installment sales contracts, credit card agreements, and alternative finance agreements. He also helps clients navigate regulatory inquiries, particularly those concerning the application of state law to alternative financing products. While this marks the final episode of our five-part series on auto finance issues, stay tuned for more content. Be sure to listen until the end for a BIG announcement!


Today, the Consumer Financial Protection Bureau (CFPB or Bureau) released a report on the state of negative equity in auto lending. The CFPB says it found that financing negative equity creates increased risks for consumers, and states that the CFPB will be putting negative equity under scrutiny.


Join Troutman Pepper Partner Brooke Conkle and Associate Chris Capurso as they delve into the complexities of ancillary products in the auto finance industry. From GAP waivers to extended warranties, discover the latest regulatory developments and compliance challenges that are shaping the landscape for consumers, dealers, and auto finance companies.


Troutman Pepper attorneys Brooke Conkle and Chris Capurso discuss the Federal Trade Commission’s “Holder Rule” in the third of five special episodes devoted to auto finance issues. Although the Holder Rule has been around since the 1970s and is a staple of consumer finance contracts, there have been several recent, important developments. Brooke and Chris hop behind the wheel of this installment to review these developments, the position taken by the FTC and courts, and the potential impacts to dealers and finance companies.
