In this episode of Moving the Metal: The Auto Finance Podcast, hosts Brooke Conkle and Chris Capurso dive into the latest Experian auto finance quarterly report to explore the latest trends in auto finance for the second quarter of 2025. They discuss key findings, including the rise in new and used vehicle financing, shifts in market share among banks, captives, and credit unions, and the surprising increase in loan amounts and monthly payments. The conversation also covers the growing trend of refinancing and its implications for the auto finance industry. Tune in to understand how these trends impact dealers and finance companies, and what they mean for the future of auto finance.

Continue Reading Quarterly Insights: Driving Through Q2 Auto Finance Data

In this episode, hosts Brooke Conkle and Chris Capurso delve into the latest TransUnion report on credit industry insights for the fourth quarter of 2024. With auto finance trends revealing rising loan-to-value ratios, increasing monthly payments, and growing account delinquencies, the industry potentially faces expected – and unexpected – challenges in the coming months. Join us as we explore the implications for dealers and auto finance companies, discuss strategies for managing consumer relationships, and prepare for the challenges ahead.

Transcript: Driven by Data: Auto Finance Trends Uncovered (PDF)

In this pivotal episode of The Consumer Finance Podcast, host Chris Willis, alongside colleagues Brooke Conkle and Chris Capurso, explores the Consumer Financial Protection Bureau’s (CFPB) groundbreaking proposal for regular and extensive data collection within the auto finance industry. This episode is part of our special series on auto finance, where we unpack the implications of this initiative, rooted in the authority of Section 1022 of the Dodd-Frank Act, for both the industry and consumers. As the auto finance sector experiences significant growth amid rising prices and rates, we shed light on the CFPB’s strategy to enhance market monitoring and ensure transparency. Join us as we explore the potential impacts of this development, the reactions from major auto finance companies, and what this means for the future of consumer financial services. Don’t miss this insightful discussion that navigates the complexities of regulatory changes and their effects on the auto finance landscape.

Continue Reading Navigating the CFPB’s Auto Finance Data Collection Initiative

Comments on the Consumer Financial Protection Bureau’s (CFPB or Bureau) proposal to collect data from auto finance businesses that acquire or originate as few as 500 financing transactions a year are due by March 25, 2024.

Continue Reading Comment Period on CFPB’s Auto Finance Data Project Closing Soon

On February 23, the Consumer Financial Protection Bureau (CFPB or Bureau) announced that it has issued orders to nine of the largest auto lenders requesting information about their auto lending portfolios. According to the CFPB, the nine targeted lenders represent a cross-section of the auto finance market and the data collected in response to these orders will help the CFPB build a data set that provides them with insight into lending channels and loan performance. Notably, the CFPB stated that these collection efforts will inform potential future data collection orders.

These requests are not unexpected, as the CFPB first announced its intention to collect such data in November 2022 and has proceeded to collect public comments regarding the same over the past few months.

The CFPB issued these requests under its authority to monitor the auto finance market under 12 U.S.C. § 5511(c)(3) and not as a supervisory order or civil investigative demand. However, the CFPB expressly reserved the right to use the information gathered for any purpose permitted by law. The data requests are extensive and request information about originations, servicing, and repossessions over the past five years. The stated purpose for the requests is to help the CFPB better understand trends, changes in the marketplace, and how the components of auto loan transactions have changed over time.

The CFPB identified three areas where it believes the requested data will increase visibility into the market:

  • Lending Channels
    • The data requests require lenders to identify whether each loan is direct or indirect.
  • Data
    • According to the CFPB, thorough auto lending analyses are “nearly impossible” due to variations in existing data and the difficulty in creating a comprehensive data set from existing sources.
  • Repossessions
    • Specifically, the CFPB requests information on the circumstances leading up to a repossession, and the impact of a repossession on the borrower and lender. The Bureau indicated it is interested in the potential correlation between delinquency and geography, credit score, and income.
    • The data requests also seek information about the kinds of technology used during repossession, such as GPS tracking and starter-interrupt devices.

We see a significant focus not only on repossessions in these requests, but also on “ability to repay” issues and the sale of ancillary products, both of which were featured issues in a recent enforcement action filed by the CFPB. These requests seem to indicate that auto finance will remain a front and center area of interest for the CFPB. Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

On November 17, the Consumer Financial Protection Bureau (CFPB) announced it is seeking public comment on its proposal to develop a new data set to better monitor the auto loan market. According to the CFPB, greater visibility into market trends would allow lenders and investors to spot emerging opportunities, improve risk management practices, and ultimately expand access to credit and refinancing. The CFPB will be accepting comments on its proposal until December 19.

The CFPB explained its main reasoning behind the proposed new data collection as follows: “Financial markets and policymakers have long had access to granular mortgage data that has provided insight into patterns in lending and risk. Because student loans are largely administered by the federal government, we know more about them too. But, despite its size, we know much less about the auto lending market. As a result, the CFPB is announcing an effort to work with industry and other agencies to develop a new data set to better monitor the auto loan market.”

Another reason the CFPB gives for the proposed data collection is the purportedly rapid change in the industry. According to the CFPB, auto lending represents approximately one-third of nonmortgage consumer debt, and the amount of outstanding loans has doubled over the last 10 years. Over the past two years, car prices have risen significantly, leading to larger loan amounts and higher monthly payments. The CFPB states these loan size increases are beginning to negatively impact consumers and households, including an increase in auto loan delinquencies and some consumers being priced out of the market.

According to the CFPB, the available data allows market participants to identify and measure certain trends but is insufficiently granular to fully explore the cause of those trends. For example, publicly available repossession data is based on proprietary estimates and does not provide a level of specificity that allows for deeper analysis. Likewise, while the CFPB’s consumer credit panel (a 1-in-48 sample of consumer credit report data from one of the three nationwide consumer reporting agencies) can fill in some of the gaps, many auto loans are made to consumers with subprime or deep subprime credit scores from lenders that do not furnish data on those loans to credit reporting agencies. The CFPB claims this lack of data could lead to negative consequences for consumers, lenders, and investors, pointing to the lack of visibility into the mortgage market that was a key issue leading up to the Great Recession in 2008.

The proposed data set may include, for example, collecting retrospective data from a sample of lenders that represent a cross section of the auto lending market. Before doing that, the CFPB is gathering input from stakeholders and the public on the current data landscape.

Auto finance continues to be at the top of the CFPB’s radar. As we discussed here, in September 2022 the agency released a blog post exploring the potential relationship between rising car prices and changes in auto loan performance. Earlier, in February 2022 (discussed here), it posted about its regulatory priorities in the auto finance market, including steps that the CFPB planned to take to make the market, in its view, more fair, transparent, and competitive.

Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

The Federal Trade Commission has announced a settlement with LightYear Dealer Technologies, LLC, doing business as DealerBuilt, a company that sells software and data services to auto dealers. The FTC alleged that DealerBuilt’s poor data security practices resulted in a breach that exposed the personal information of millions of consumers. A hacker gained unauthorized access to the data of millions of consumers during at least a 10-day period and downloaded the data of 69,283 individuals. DealerBuilt’s customer base is comprised of nearly 320 dealership locations across the country.

The FTC’s complaint against DealerBuilt alleged that its failures led to a breach of the company’s backup systems, allowing a hacker to gain access to the unencrypted personal information of about 12.5 million consumers, including their Social Security numbers, driver’s license numbers, and birth dates, as well as wage and financial information. DealerBuilt, however, did not detect the breach until it was notified by one of its auto dealer customers. The FTC’s complaint states that the company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the problem. The FTC further alleges that DealerBuilt failed to implement reasonable data security practices to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls. The FTC alleges that DealerBuilt’s failures resulted in violations of both the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule.

DealerBuilt’s settlement with the FTC requires the company to put into place an information security program with certain required elements, and provides insight into the type of program that the FTC expects every company to have in place. FTC Chairman Joe Simons was quoted in the announcement of the settlement and explained that the settlement reflects a new benchmark in the agency’s data security orders: “Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.” While the FTC’s order is detailed, its provisions are not ground-breaking and are recitations of what a company’s information security program ideally should already have in place.

The FTC’s settlement requires DealerBuilt’s information security program to satisfy certain minimum requirements, including:

  • Documenting in writing the content, implementation, and maintenance of the information security program (a basic requirement already required in other contexts);
  • Providing the written program and any evaluations thereof or updates thereto to the board of directors or other governing body at least once every twelve months and promptly after an incident;
  • Designating a qualified employee or employees to coordinate and be responsible for the information security program;
  • Assessing and documenting, at least once every twelve months and promptly following an incident, internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;
  • Designing, implementing, maintaining, and documenting safeguards that control for the internal and external risks to the security, confidentiality, or integrity of personal information identified in response to annual assessments. Safeguards must also include annual employee training, encryption of Social Security numbers and financial account information, and maintaining policies and procedures to ensure the security of the company’s network devices;
  • Assessing, at least once every twelve months and promptly following an incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of personal information, and modify the information security program based on the results;
  • Testing and monitoring the effectiveness of the safeguards at least once every twelve months and promptly following an incident, and modifying the information security program based on the results;
  • Selecting and retaining service providers capable of safeguarding personal information they access through or receive from the company, and contractually requiring service providers to implement and maintain safeguards for personal information; and
  • Evaluating and adjusting the information security program in light of any changes to the company’s operations or business arrangements, an incident, or any other circumstances that the company knows or has reason to know may have an impact on the effectiveness of the information security program. DealerBuilt is required to evaluate the information security program at least once every twelve months.

The settlement, too, can be viewed as a warning to companies engaging in the business-to-business processing of consumer information, given that it represents an expansion of the scope of the FTC’s Gramm-Leach-Bliley Act enforcement activities. The FTC appears to be renewing its focus on supply chain security risks by defining broadly what a “financial institution” subject to the GLBA Safeguards and Privacy Rules is.

The proposed settlement also requires DealerBuilt to obtain third-party assessments of its information security program every two years for a twenty-year period. The third-party assessor must conduct independent sampling, employee interviews, and document review, and use these in developing conclusions related to its assessments. A senior corporate manager responsible for overseeing DealerBuilt’s information security program must also certify compliance with the order annually. Finally, the FTC is given authority to approve the assessor selected.

DealerBuilt’s settlement with the FTC should be viewed as a useful guide to what the agency’s data security orders require and, more importantly, to what the agency expects from all companies—including financial services companies that themselves do not directly interact with consumers—even outside a settlement context, to protect data privacy. In light of this, information security officers should consider reviewing their companies’ information security programs against the backdrop of the DealerBuilt settlement.

In this second installment of Moving the Metal: The Auto Finance Podcast’s 2025 auto finance year in review, hosts Brooke Conkle and Chris Capurso unpack three emerging risk hotspots: service member auto lending, changes to Consumer Financial Protection Bureau (CFPB) larger-participant supervision, and state vehicle data privacy laws. They break down the CFPB’s 2025 Servicemember Auto Lending Report, proposed shifts to the auto larger-participant threshold, and New Jersey’s first-of-its-kind vehicle data deletion law — along with what each development means for compliance programs, dealer oversight, and litigation risk. Tune in to hear how federal and state trends are reshaping auto finance risk and what companies should be doing now to stay ahead in 2026.

Continue Reading Auto Finance Year in Review, Part 2: Security Clearances, Supervisory Lines, and Connected Cars

In this episode of Moving the Metal: The Auto Finance Podcast, hosts Brooke Conkle and Chris Capurso break down two major developments turning up regulatory pressure on the auto finance industry. They unpack the FTC’s “WARNING LETTER” campaign targeting nearly 100 dealers, focused on UDAAP risks in pricing and advertising, including hidden fees, conditional pricing, mandatory add-ons, and unavailable vehicles. They also examine Senator Elizabeth Warren’s sweeping, short-fuse request for granular data comparing servicemember and civilian auto finance outcomes, signaling heightened bipartisan scrutiny of military borrowers. Tune in to hear what these letters really mean, what regulators are looking for, and how auto finance companies and dealers should be preparing now.

Continue Reading Warning Letters and Warren Letters: What the Auto Finance Industry Needs to Know

In this episode of Moving the Metal: The Auto Finance Podcast, hosts Brooke Conkle and Chris Capurso unpack Senator Elizabeth Warren’s February 5 data request to major auto finance companies, buy-here-pay-here dealers, and key industry trade groups about auto repossessions. They walk through the main categories of information sought — repossession activity and errors, consumer complaints and disputes, policies and training, vendor contracts, and handling of personal property — and discuss the tight 11-day response deadline and lack of a clear statutory hook for the request. Brooke and Chris also consider what this move may signal about future regulatory and enforcement activity in the auto finance space.

Continue Reading Soaring Repos and Senate Requests: Warren Targets Auto Finance