In this pivotal episode of The Consumer Finance Podcast, host Chris Willis, alongside colleagues Brooke Conkle and Chris Capurso, explores the Consumer Financial Protection Bureau’s (CFPB) groundbreaking proposal for regular and extensive data collection within the auto finance industry. This episode is part of our special series on auto finance, where we unpack the implications of this initiative, rooted in the authority of Section 1022 of the Dodd-Frank Act, for both the industry and consumers. As the auto finance sector experiences significant growth amid rising prices and rates, we shed light on the CFPB’s strategy to enhance market monitoring and ensure transparency. Join us as we explore the potential impacts of this development, the reactions from major auto finance companies, and what this means for the future of consumer financial services. Don’t miss this insightful discussion that navigates the complexities of regulatory changes and their effects on the auto finance landscape.


Comments on the Consumer Financial Protection Bureau’s (CFPB or Bureau) proposal to collect data from auto finance businesses that acquire or originate as few as 500 financing transactions a year are due by March 25, 2024.


On February 23, the Consumer Financial Protection Bureau (CFPB or Bureau) announced that it has issued orders to nine of the largest auto lenders requesting information about their auto lending portfolios. According to the CFPB, the nine targeted lenders represent a cross-section of the auto finance market and the data collected in response to these orders will help the CFPB build a data set that provides it with insight into lending channels and loan performance. Notably, the CFPB stated that these collection efforts will inform potential future data collection orders.

These requests are not unexpected, as the CFPB first announced its intention to collect such data in November 2022 and has proceeded to collect public comments regarding the same over the past few months.

The CFPB issued these requests under its authority to monitor the auto finance market under 12 U.S.C. § 5511(c)(3) and not as a supervisory order or civil investigative demand. However, the CFPB expressly reserved the right to use the information gathered for any purpose permitted by law. The data requests are extensive and request information about originations, servicing, and repossessions over the past five years. The stated purpose for the requests is to help the CFPB better understand trends, changes in the marketplace, and how the components of auto loan transactions have changed over time.

The CFPB identified three areas where it believes the requested data will increase visibility into the market:

  • Lending Channels
    • The data requests require lenders to identify whether each loan is direct or indirect.
  • Data
    • According to the CFPB, thorough auto lending analyses are “nearly impossible” due to variations in existing data and the difficulty in creating a comprehensive data set from existing sources.
  • Repossessions
    • Specifically, the CFPB requests information on the circumstances leading up to a repossession, and the impact of a repossession on the borrower and lender. The Bureau indicated it is interested in the potential correlation between delinquency and geography, credit score, and income.
    • The data requests also seek information about the kinds of technology used during repossession, such as GPS tracking and starter-interrupt devices.

We see a significant focus not only on repossessions in these requests, but also on “ability to repay” issues and the sale of ancillary products, both of which were featured issues in a recent enforcement action filed by the CFPB. These requests seem to indicate that auto finance will remain a front and center area of interest for the CFPB. Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

On November 17, the Consumer Financial Protection Bureau (CFPB) announced it is seeking public comment on its proposal to develop a new data set to better monitor the auto loan market. According to the CFPB, greater visibility into market trends would allow lenders and investors to spot emerging opportunities, improve risk management practices, and ultimately expand access to credit and refinancing. The CFPB will be accepting comments on its proposal until December 19.

The CFPB explained its main reasoning behind the proposed new data collection as follows: “Financial markets and policymakers have long had access to granular mortgage data that has provided insight into patterns in lending and risk. Because student loans are largely administered by the federal government, we know more about them too. But, despite its size, we know much less about the auto lending market. As a result, the CFPB is announcing an effort to work with industry and other agencies to develop a new data set to better monitor the auto loan market.”

Another reason the CFPB gives for the proposed data collection is the purportedly rapid change in the industry. According to the CFPB, auto lending represents approximately one-third of nonmortgage consumer debt, and the amount of outstanding loans has doubled over the last 10 years. Over the past two years, car prices have risen significantly, leading to larger loan amounts and higher monthly payments. The CFPB states these loan size increases are beginning to negatively impact consumers and households, including an increase in auto loan delinquencies and some consumers being priced out of the market.

According to the CFPB, the available data allows market participants to identify and measure certain trends but is insufficiently granular to fully explore the cause of those trends. For example, publicly available repossession data is based on proprietary estimates and does not provide a level of specificity that allows for deeper analysis. Likewise, while the CFPB’s consumer credit panel (a 1-in-48 sample of consumer credit report data from one of the three nationwide consumer reporting agencies) can fill in some of the gaps, many auto loans are made to consumers with subprime or deep subprime credit scores from lenders that do not furnish data on those loans to credit reporting agencies. The CFPB claims this lack of data could lead to negative consequences for consumers, lenders, and investors, pointing to the lack of visibility into the mortgage market that was a key issue leading up to the Great Recession in 2008.

The proposed data set may include, for example, collecting retrospective data from a sample of lenders that represent a cross section of the auto lending market. Before doing that, the CFPB is gathering input from stakeholders and the public on the current data landscape.

Auto finance continues to be at the top of the CFPB’s radar. As we discussed here, in September 2022, the agency released a blog post exploring the potential relationship between rising car prices and changes in auto loan performance. Earlier, in February 2022 (discussed here), it posted about its regulatory priorities in the auto finance market, including steps that the CFPB planned to take to make the market, in its view, more fair, transparent, and competitive.

Troutman Pepper will continue to monitor important developments involving the CFPB and the proposed data collection and will provide further updates as they become available.

The Federal Trade Commission has announced a settlement with LightYear Dealer Technologies, LLC, doing business as DealerBuilt, a company that sells software and data services to auto dealers. The FTC alleged that DealerBuilt’s poor data security practices resulted in a breach that exposed the personal information of millions of consumers. A hacker gained unauthorized access to the data of millions of consumers during at least a 10-day period and downloaded the data of 69,283 individuals. DealerBuilt’s customer base is comprised of nearly 320 dealership locations across the country.

The FTC’s complaint against DealerBuilt alleged that its failures led to a breach of the company’s backup systems, allowing a hacker to gain access to the unencrypted personal information of about 12.5 million consumers, including their Social Security numbers, driver’s license numbers, and birth dates, as well as wage and financial information. DealerBuilt, however, did not detect the breach until it was notified by one of its auto dealer customers. The FTC’s complaint states that the company never performed any vulnerability scanning, penetration testing, or other measures that would have detected the problem. The FTC further alleges that DealerBuilt failed to implement reasonable data security practices to protect personal data stored on its network such as developing, implementing, or maintaining a written information security policy and training for employees; using security measures to monitor its systems and assets; and imposing reasonable data access controls. The FTC alleges that DealerBuilt’s failures resulted in violations of both the FTC Act and the Gramm-Leach-Bliley Act’s Safeguards Rule.

DealerBuilt’s settlement with the FTC requires the company to put into place an information security program with certain required elements, and provides insight into the type of program that the FTC expects every company to have in place. FTC Chairman Joe Simon was quoted in the announcement of the settlement and explained that the settlement reflects a new benchmark in the agency’s data security orders: “Today’s announcement reflects additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices.” While the FTC’s order is detailed, its provisions are not ground-breaking and are recitations of what a company’s information security program ideally should already have in place.

The FTC’s settlement requires DealerBuilt’s information security program to satisfy certain minimum requirements, including:

  • Documenting in writing the content, implementation, and maintenance of the information security program (a basic requirement already required in other contexts);
  • Providing the written program and any evaluations thereof or updates thereto to the board of directors or other governing body at least once every twelve months and promptly after an incident;
  • Designating a qualified employee or employees to coordinate and be responsible for the information security program;
  • Assessing and documenting, at least once every twelve months and promptly following an incident, internal and external risks to the security, confidentiality, or integrity of personal information that could result in the unauthorized disclosure, misuse, loss, theft, alteration, destruction, or other compromise of such information;
  • Designing, implementing, maintaining, and documenting safeguards that control for the internal and external risks to the security, confidentiality, or integrity of personal information identified in response to annual assessments. Safeguards must also include annual employee training, encryption of Social Security numbers and financial account information, and maintaining policies and procedures to ensure the security of the company’s network devices;
  • Assessing, at least once every twelve months and promptly following an incident, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of personal information, and modifying the information security program based on the results;
  • Testing and monitoring the effectiveness of the safeguards at least once every twelve months and promptly following an incident, and modifying the information security program based on the results;
  • Selecting and retaining service providers capable of safeguarding personal information they access through or receive from the company, and contractually requiring service providers to implement and maintain safeguards for personal information; and
  • Evaluating and adjusting the information security program in light of any changes to the company’s operations or business arrangements, an incident, or any other circumstances that the company knows or has reason to know may have an impact on the effectiveness of the information security program. DealerBuilt is required to evaluate the information security program at least once every twelve months.

The settlement, too, can be viewed as a warning to companies engaging in the business-to-business processing of consumer information, given that it represents an expansion of the scope of the FTC’s Gramm-Leach-Bliley Act enforcement activities. The FTC appears to be renewing its focus on supply chain security risks by defining broadly what a “financial institution” subject to the GLBA Safeguards and Privacy Rules is.

The proposed settlement also requires DealerBuilt to obtain third-party assessments of its information security program every two years for a twenty-year period. The third-party assessor must conduct independent sampling, employee interviews, and document review, and use these in developing conclusions related to its assessments. A senior corporate manager responsible for overseeing DealerBuilt’s information security program must also certify compliance with the order annually. Finally, the FTC is given authority to approve the assessor selected.

DealerBuilt’s settlement with the FTC should be viewed as a useful guide to what the agency’s data security orders require and, more importantly, to what the agency expects from all companies—including financial services companies that themselves do not directly interact with consumers—even outside a settlement context, to protect data privacy. In light of this, information security officers should consider reviewing their companies’ information security programs against the backdrop of the DealerBuilt settlement.

On January 29, the Consumer Financial Protection Bureau (CFPB or Bureau) released a report analyzing the auto lending market’s impact on servicemembers. This report indicates that servicemembers face heightened financial challenges in the auto lending market, including higher loan amounts, interest rates, and monthly payments. Despite these challenges, servicemembers were less likely to experience vehicle repossessions.


In this special year-in-review episode of Moving the Metal: The Auto Finance Podcast, hosts Brooke Conkle and Chris Capurso from Troutman Pepper Locke’s Consumer Financial Services Practice Group delve into the significant events and regulatory changes that shaped the auto finance industry in 2024. From the Federal Trade Commission’s CARS Rule and its legal challenges to the Consumer Financial Protection Bureau’s data collection initiatives and supervisory highlights, this episode provides a comprehensive overview of the past year. Tune in to gain insights into the trends and regulatory shifts that will influence the auto finance landscape in 2025.


As discussed here, in February 2023, the Consumer Financial Protection Bureau (CFPB or Bureau) launched the auto finance data pilot and issued nine market monitoring orders to three banks, three finance companies, and three captive lenders. This initiative aimed to gather comprehensive data on auto lending portfolios. Yesterday, the CFPB issued a Repossession in Auto Finance report using the dataset to show that repossession assignments increased for certain consumers post-2020, but many consumers avoided repossession in parts of 2021 and 2022. The data also indicates that repossession forwarders were increasingly involved in repossession activity, potentially resulting in increased repossession costs passed on to consumers.


In this episode, Brooke Conkle and Chris Capurso, attorneys in the firm’s Consumer Financial Services Practice Group, are joined by Kim Phan, a partner in the firm’s Privacy and Cyber Practice Group. They delve into the latest trends in privacy and their significant impact on the auto finance industry. The discussion covers the evolving landscape of data security, the implications of connected cars and the Internet of Things, and the challenges and opportunities presented by AI. Kim also shares insights on how recent legislative changes and the new administration may shape the future of privacy regulations. Tune in for a comprehensive analysis of these critical issues and their potential ramifications for the auto finance sector.


In this special crossover episode of The Consumer Finance Podcast and Moving the Metal, Troutman Pepper attorneys Brooke Conkle and Chris Capurso discuss the Consumer Financial Protection Bureau’s (CFPB) new report on negative equity in auto lending. This report, the first of its kind, utilizes data from the CFPB’s 2023 Auto Finance Data Pilot, which was issued to major banks, finance companies, and captive lenders. Brooke and Chris analyze the impact of the report, including what the report may indicate for the CFPB’s upcoming priorities.
