Search CFPB

As discussed here, on October 27, 2022, the CFPB released an Outline of Proposals and Alternatives Under Consideration for public comments on the CFPB’s Section 1033 rulemaking. The window for providing written feedback closed on January 25, 2023. Below we have highlighted some of the submissions by industry and consumer groups.

The proposed rules are limited, at this time, to deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts. The proposed rules being considered, amongst other things, would:

  • Require a defined subset of Dodd-Frank Act covered persons that are data providers to make consumer financial information available to a consumer or an authorized third-party.
  • Require covered data providers to make available information such as: periodic statements; information regarding prior transactions and deposits that have not yet settled; information about prior transactions not typically shown on periodic statements or online financial account management portals; online banking transactions that the consumer has set up but that have not yet occurred; and account identity information.
  • Ensure that data providers transmit consumer information accurately through third-party access portals.
  • Limit third parties’ collection, use, and retention of consumer information to what is reasonably necessary to provide the product or service the consumer has requested.

The CFPB proposals reflect an “open banking” vision that would shift away from the current practice of “screen scraping” financial information to a system in which banks set up application programming interfaces (APIs) and data portals for transferring consumer information to so-called “data aggregators” purportedly acting on behalf of consumers.

The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) required the CFPB to elicit feedback on the impact on small entities of its proposed rulemaking and many industry groups took advantage of this comment window to express concerns on, amongst other things, data security risks, potential liability from data breaches, and implementation time.

Data Security:

The American Bankers’ Association (ABA) emphasized in its letter that the industry is committed to “consumers’ ability to access and share their financial data in a secure, transparent manner that gives them control,” but it identified multiple concerns with the CFPB’s proposed rulemaking, including the CFPB’s failure to adequately address data security. “The information that data aggregators are able to collect — which includes not just information from a single account of the consumer but potentially all of the consumer’s financial accounts — makes data aggregators an attractive target for bad actors as well as potential channel for criminals to obtain and use sensitive information.” The ABA proposed one way to address this concern was for the CFPB to allow for situations in which data providers may refrain from fulfilling a request for access notwithstanding consumer consent. The ABA further emphasized the need for the CFPB to extend its supervision to cover data aggregators.

The Credit Union National Association (CUNA)’s comments to the CFPB proposed that the CFPB address data privacy concerns by taking ownership of the required verifications before access to consumers’ financial information is provided to third parties. Specifically, CUNA recommended that the CFPB: 1) authenticate third parties on behalf of covered data providers, including credit unions; 2) provide a database of authenticated third parties and specify that reliance on the CFPB’s database should be a safe harbor from CFPB action or litigation; and 3) pare back the categories of information required to be made available by covered data providers.

The Electronic Privacy Information Center (EPIC)’s letter echoed the need to cull down the categories of required information that could be shared. “[W[e recommend that the [CFPB] impose a more exacting standard for sensitive information, limiting authorized third parties’ collection of sensitive consumer data to what is strictly necessary to provide the product or service the consumer has requested (i.e., data without which it is impossible to provide such product or service).”

In its letter, the Consumer Data Industry Association (CDIA), the trade association for consumer reporting agencies, requested that consumer reports and information derived from consumer reports be explicitly excluded from the definition of covered data. The CDIA also proposed safeguards to ensure data privacy. The CDIA proposed that before a third party is granted access to covered data, the data provider should not only be required to obtain evidence to authenticate the third party, but also be required to authenticate that the recipient requesting access is the third party whose identity has been verified — meaning not only confirming that the third party is who it says it is, but also that the third party identified in the consumer’s authorization is the recipient requesting access.

A multi-step login approach was also advocated by the Financial Technology Association (FTA) who proposed the use of third-party data portals that can encrypt and tokenize login credentials to reduce the risk that sensitive information is inadvertently accessed. Additionally, the FTA proposed a multi-factor authentication process for the consumer requesting its data to be shared.

Shifting Liability:

In agreement with the ABA, the Financial Data and Technology Association of North America (FDATA), an organization advocating for customer-permissioned access to financial data, proposed in its letter that in the case of a data breach the liability should attach to the entity responsible for the breach. “[W]e strongly support the underlying principle that the entity responsible for a data breach that causes financial loss to an end user should be responsible for making that end user whole … .”

The Bank Policy Institute (BPI) agreed stating in its letter, “[i]t is essential that the CFPB address the question of liability for loss or harm caused by the entity with possession, custody or control over the data or which is otherwise responsible for the loss or harm.” Specifically, [f]or data providers, any liability for any incident leading to loss or harm should end when the data leaves the data provider’s portal.”

Implementation Time:

Depending on the type of organization being represented, there were differing views amongst industry groups on the ideal speed of the CFPB’s implementation schedule for the proposed rule.

FDATA urged the CFPB to “swiftly require availability of all covered data types for covered data accounts once this rule is finalized” arguing that allowing “for the continued use of existing technologies, including credential-based access or PII and account number-enabled access in addition to dedicated data access portals, would facilitate the fastest and easiest transition into compliance and maximize customer benefit, particularly for the thousands of smaller data providers which will not be able to develop credential-less data access portal technology for the foreseeable future.”

Whereas, the ABA cautioned that given the current range of proposals under consideration by the CFPB, its members aren’t in position to even estimate the time it would take to implement the requirements and so the CFPB should proceed slowly. The “implementation period must give banks – and their core providers – sufficient time to develop, implement, and test APIs … And of course, the implementation period must give market participants of all sizes a reasonable opportunity to comply.”

In its letter, the Consumer Bankers Association (CBA) emphasized the Herculean task the CFPB is proposing and suggested a minimum of a year for implementation. “The [CFPB] significantly underestimates the ease with which a third-party access portal can be developed and implemented by data providers. Many data providers, small and large alike, do not currently have an [API] that could provide consumer information, especially to the extent currently under consideration, to authorized third parties. Developing an API from the ground up is costly and would pose a significant financial burden on many data providers. Moreover, data providers that seek to enter strategic partnerships to build out an API would need, at a minimum and under the best circumstances, at least 12 months. Even for data providers that already have a third-party access portal, the cost of maintenance would skyrocket to support the proposals in the SBREFA Outline.”

As discussed here, on December 7, 2022, the Consumer Financial Protection Bureau (CFPB or Bureau) made a preliminary conclusion that a New York commercial financing law was not preempted by the Truth in Lending Act (TILA). The Bureau indicated it was also considering whether to make a preemption determination regarding similar state laws in California, Utah, and Virginia. On January 20, 2023, California Attorney General Rob Bonta submitted a letter to the CFPB agreeing with its preliminary determination that California’s Commercial Financing Disclosures Law (CFDL) is not preempted by TILA because the CFDL only applies to commercial financing and not to consumer credit transactions within the scope of TILA. Attorney General Bonta further urged the CFPB to “revisit the Federal Reserve Board’s (Board) vague and overbroad articulation of the TILA preemption standard. The CFPB should articulate a narrower standard that emphasizes that preemption should be limited to situations where it is impossible to comply with both TILA and the state law or where the state law stands as an obstacle to the full purposes TILA, which is to provide consumers with full and meaningful disclosure of credit terms in consumer credit transactions.”

Continue Reading California AG Agrees with CFPB’s Preliminary Preemption Determination, Urges Bureau to Further Narrow TILA Preemption

Bankers are opposing any effort by the Consumer Financial Protection Bureau (CFPB or Bureau) to reduce or eliminate the late fee safe harbor, citing a potentially significant adverse impact on community banks and credit unions. In a letter dated January 20, the American Bankers Association (ABA), Credit Union National Association (CUNA), Independent Community Bankers of America, National Bankers Association, and National Association of Federally‐Insured Credit Unions (NAFCU) (collectively, the Associations) expressed their concern over the CFPB’s proposed rulemaking regarding credit card late fees, urging the CFPB to convene a Small Business Review Panel (Panel) as required under the Small Business Regulatory Enforcement Fairness Act (SBREFA).

As discussed here, on January 4, the CFPB issued its 2022 Fall Rulemaking Agenda containing pre-rule, proposed rule, and final rules under consideration. In the agenda, the CFPB indicated it was considering whether to propose amendments to the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) relating to penalty fees levied by card issuers, including the safe harbor for penalty fees. For background, the Federal Reserve Board of Governors (Fed) in 2010 voted to implement provisions of the CARD Act that required penalties to be “reasonable and proportional to the omission or violation.” The Fed also included a provision that allowed credit card issuers to escape enforcement scrutiny if they set fees at a particular level, that is, a “safe harbor.” But the Fed stated that it would adjust the safe harbor amount annually, based on changes in the consumer price index. In 2010, the safe harbor limit on late fees was $25 for the first late payment. Since then, the late fee limit has increased to $30 for the first late payment and $41 for subsequent late payments within six billing cycles. Now that inflation has spiked, late fees are expected to rise next year to $33 for the first late payment and $45 for subsequent ones.

In June 2022, the CFPB issued an advance notice of proposed rulemaking seeking information from credit card issuers, consumer groups, and the public regarding credit card late fees. The CFPB’s recent agenda stated it was considering the comments it received and would issue a proposed rule in January 2023.

In their letter, the Associations object to the CFPB’s proposed timeline as it would appear the Bureau is proceeding without convening a Panel. Under the SBREFA, the CFPB must convene a Panel if it is considering a rule that could have a significant economic impact on a substantial number of small entities. “Specifically, the Panel is required to collect advice and recommendations from small entities or their representatives … that are likely to be subject to the regulation that the CFPB is considering proposing.” In addition, SBREFA requires the CFPB to consider the advice of the Panel concerning whether the proposed rule would increase the cost of credit for small businesses and whether any alternatives may exist that could accomplish the stated objective of the rule while minimizing the increased cost. According to the Associations, more than half of the credit card-issuing banks and 85% of the credit card-issuing credit unions have assets less than $850 million (the threshold for when a financial institution qualifies as a small business) and any reduction or elimination of the late fee safe harbor could have a significant adverse impact on these entities.

This is not the first time banking groups have voiced their opposition to the CFPB’s proposed amendments to the CARD Act. As discussed here, on August 1, 2022, the ABA, Bank Policy Institute, Consumer Bankers Association, CUNA, and NAFCU expressed their collective displeasure with the proposed rulemaking citing not only the potential harm to small banks and credit unions but also the lack of deterrent for customers to make late payments going forward. “When set appropriately, late fees encourage consumers to pay on time and develop good financial management habits. However, if late fees are too low, consumers are more likely to pay late and miss payments, leading to lower consumer credit scores, reduced credit access, and higher credit costs.”

Troutman Pepper will continue to monitor important developments involving the CFPB, credit card late fees, and the Fed’s safe harbor provision and will provide further updates as they become available.

On January 24, the Consumer Financial Protection Bureau (CFPB) announced it is seeking public comment on how the consumer credit market is functioning as part of its biennial review required by the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act). The CFPB will be accepting comments until April 24.

The CARD Act directs the CFPB to undertake a comprehensive review of the credit card industry to determine whether regulatory adjustments are needed. While public comment is not required for the review, the CFPB has specifically requested feedback on the following topics,

  • Terms of credit card agreements;
    • How have the substantive terms and conditions of agreements changed over the past two years?
  • Effectiveness of disclosures;
    • How effective are current disclosures of rates, fees, and other costs in conveying to consumers the costs of credit card plans?
  • Adequacy of protections against unfair or deceptive acts;
    • What unfair, deceptive, or abusive acts exist in the credit card market and how prevalent are they?
  • Cost and availability of consumer credit cards;
    • How have the costs and availability of credit cards changed over the past two years?
  • Use of risk-based pricing;
    • How have the CARD Act provisions related to risk-based pricing impacted the industry?
  • Product innovation;
    • How have broader innovations in finance (like rewards redemptions for cryptocurrency and environmental causes) and evolving digital tools impacted the credit card industry?

This request for public comment comes on the heels of the issuance of the CFPB’s 2022 Fall Rulemaking Agenda, discussed here, where the CFPB indicated it was considering whether to propose amendments to the CARD Act relating to late payment fees levied by credit card issuers.

Troutman Pepper will continue to monitor important developments involving the CFPB and the CARD Act and will provide further updates as they become available.

Do “negative option” subscription services constitute unfair or deceptive practices under the Consumer Financial Protection Act (CFPA)? According to the Consumer Financial Protection Bureau (CFPB) in its recent circular, these subscription services may violate the CFPA when a seller: 1) misrepresents or fails to clearly disclose the material terms of the program; (2) fails to obtain consumers’ informed consent; or (3) misleads consumers who want to cancel, erects unreasonable barriers to cancellation, or fails to honor cancellation requests.

According to the CFPB, a “negative option” subscription service refers to a situation where a seller may interpret a consumer’s silence, failure to take an affirmative action to reject the service, or failure to cancel an agreement as acceptance of the subscription. Examples include: automatic renewal plans where consumers’ subscriptions are automatically renewed when they expire unless consumers cancel by a certain date; continuity plans where consumers agree to continue receiving a product or service until they cancel the agreements; and trial marketing plans where consumers receive products or services for free (or for a reduced fee) for a trial period and, after the trial period, are automatically charged a recurring fee unless they affirmatively cancel.

The CFPB’s stated impetus for targeting “negative option” subscriptions is in response to consumer complaints, including from older consumers, about being repeatedly charged for services they did not intend to buy or no longer want. This is part of a bigger initiative by the CFPB and the Federal Trade Commission to combat “dark patterns,” or website design features allegedly used to trick or trap consumers, previously discussed here.

In its circular, the CFPB warns covered persons that they risk violating the CFPA if they fail to:

  • Disclose the material terms of the offer.
    • The material terms would typically include: that the consumer is enrolling in and will be charged for the service; the amount that the consumer will be charged; that charges will be on a recurring basis unless the consumer takes affirmative steps to cancel; and that, in a trial marketing plan, charges will begin (or increase) after the trial period unless the consumer takes affirmative action.
  • Obtain informed consent.
    • Consent will generally not be informed if a seller mischaracterizes or conceals the “negative option” feature or provides contradictory or misleading information.
  • Erect unreasonable barriers to cancellation.
    • Such conduct would include hanging up on consumers who call to cancel, placing consumers on hold for an unreasonably long time, providing false information about how to cancel, or misrepresenting the reasons for delays in processing consumers’ cancellation requests.

As discussed here, the CFPB filed a complaint late last year against a company over its “negative option” subscription service. In that case, the CFPB alleged that Active Network LLC tricked people trying to sign up for a fundraising race or other community event into subscribing to its discount club Active Advantage. The Active Advantage trial membership automatically converted to a paid subscription with an annual fee of $89.95, unless consumers opted out or canceled.

Troutman Pepper will continue to monitor important developments involving the CFPB and its “dark patterns” initiative and will provide further updates as they become available. Also, in February, the Consumer Finance Podcast will be releasing an episode discussing autorenewals, including how to avoid liability.

Combatting appraisal bias continues to be a top priority for the Consumer Financial Protection Bureau (CFPB), as recently emphasized by Deputy Director Zixta Q. Martinez during her remarks at the National Fair Housing Alliance event previewing the documentary Our America: Lowballed. Martinez stated that the CFPB has been actively working with the White House Property Appraisal and Valuation Equity (PAVE) Interagency Task Force and the Federal Financial Institutions Examination Council’s (FFIEC) Appraisal Subcommittee to address the issue of appraisal bias and is currently working on developing quality control regulations for Automated Valuation Models to prevent algorithmic bias in home valuations. Deputy Director Martinez serves as the chair of the FFIEC Appraisal Subcommittee and noted in her remarks that the “challenge [of combatting appraisal bias] requires a whole-of-government response.”

In addition to outlining the CFPB’s efforts to remediate appraisal bias, Deputy Director Martinez highlighted the critical role lenders play in ensuring valuations are accurate. The CFPB has warned that lenders that fail to ensure borrowers can seek a reconsideration of their home valuation risk violating federal law. We discussed this issue and what lenders can do to avoid liability on a recent episode of our podcast available here.

Deputy Director Martinez also noted that on January 24, 2023, from 10:00 a.m. to 12:00 p.m. EST the CFPB is hosting the FFIEC’s Appraisal Subcommittee for a hearing on this issue. The hearing is open to the public and the CFPB and Appraisal Subcommittee are accepting written comments until February 8. Additional information about the hearing can be found here.

On January 11, the Consumer Financial Protection Bureau (CFPB) announced it reached a settlement with law firm Forster & Garbus, LLP in its lawsuit over alleged illegal debt collection practices. Specifically, the CFPB alleged that, from 2014 through 2016, fewer than a dozen attorneys filed more than 99,000 debt collection lawsuits, while having the requisite supporting documents in only a fraction of those cases. In doing so, the CFPB alleged (similar to its previous actions involving the law firms Frederick J. Hanna & Associates and Pressler & Pressler, LLP) that Forster & Garbus falsely represented to consumers that attorneys were meaningfully involved in preparing and filing the lawsuits, violating the Fair Debt Collection Practices Act’s prohibition against using misleading representations in the collection of debts and the Consumer Financial Protection Act’s prohibition against deceptive acts and practices. Under the settlement agreement, the law firm agreed to obtain proper supporting documents before filing collection lawsuits and also to pay a $100,000 civil penalty.

Specifically, under the terms of the Stipulated Final Judgment and Order, Forster & Garbus agreed to:

  • Only file debt collection lawsuits when it has in its possession the requisite supporting documents, which include the name of the original creditor, evidence that the consumer authorized the debt, the chain of title for the debt, and a break-down of how the debt amount was calculated.
  • Ensure that any attorney whose name will appear or has appeared on the complaint in any collections lawsuit has:
    • reviewed the supporting documentation and confirmed the complaint is consistent with those documents;
    • logged into the consumer’s account on Forster & Garbus’ computerized account management system or any other software that would create an electronic record that the attorney of record has accessed a consumer’s file;
    • confirmed the statute of limitations has not run on the account;
    • confirmed that the consumer’s debt was not discharged in bankruptcy or subject to a pending bankruptcy proceeding;
    • confirmed the consumer’s correct identity and current address to determine the appropriate venue for a lawsuit; and
    • certified in writing or in Forster & Garbus’ computerized account management system, or any other software program that creates an electronic record, that the initiation of the collections suit complies with the requirements of the proposed order.
  • Ensure that any pending collections lawsuit complies with the above two requirements or, if unable to do so within 120 days of entry of the order, file a motion to voluntarily dismiss that suit.

The conduct provisions in the Stipulated Final Judgment and Order look substantially similar to those in the Hanna and Pressler cases previously entered into by the CFPB.

Notably, in the Stipulated Final Judgment and Order the law firm neither admitted nor denied the complaint’s allegations, except for acknowledging the court’s jurisdiction. The matter remains pending in the district court for the Eastern District of New York awaiting entry of the order by the court.

As forecasted in its 2022 Fall Rulemaking Agenda discussed here, today the Consumer Financial Protection Bureau (CFPB) published a proposed rule with request for public comments that would require certain nonbank covered entities, with limited exceptions, to submit information on terms and conditions in their form contracts that “seek to waive or limit individuals’ rights and other legal protections.” The covered entities would be required to submit this information on a yearly basis and the terms and conditions collected would then be posted in a registry that would be open to the public as well as other consumer financial protection enforcers. The CFPB states that it is proposing the rule pursuant to its authority under the Consumer Financial Protection Act of 2010 to monitor markets for consumer financial products and services that pose risks to consumers and to conduct a risk-based non-bank supervision program for the purpose of assessing compliance with federal consumer financial laws. According to the CFPB, the information gathered will facilitate its “prioritization and implementation of examination work in its statutorily-mandated risk-based non-bank supervision program.”

The CFPB’s rationale for the rule is to reduce the risk to consumers from form contracts, commonly referred to as contracts of adhesion. According to the CFPB, consumers lack the incentive to carefully review form contracts because they are largely non-negotiable. Further, the CFPB believes that public policy disfavors form contract terms that seek to waive or limit legal protections because they risk harming consumers.

The proposed rule is broadly focused on the following types of terms and conditions, which the CFPB argues have long been disfavored as a matter of public policy:

  • Waivers of claims a consumer could file in a legal action.
  • Limits on the consumer’s ability to bring legal action by dictating the time frame, forum, or venue for a legal action.
  • Limits on the ability of a consumer to bring or participate in collective legal actions, including class actions.
  • Limits on the ability of consumers to complain or post reviews.
  • Arbitration agreements.

The CFPB would use the information to inform its examination process as follows:

“[I]f the [CFPB] scheduled an examination at an entity who had registered its use of a covered term or condition that appeared to be prohibited by [f]ederal consumer financial law, the [CFPB] likely would incorporate the use of this term or condition into the scope of an exam …. That review could inform examiners’ conclusions concerning the presence of a UDAAP, a risk of a UDAAP, or a compliance management system concern. Examiners also could coordinate with other regulators about their findings, especially if they implicate consumer legal protections administered by the other regulators.”

Interested parties may submit comments on the proposed rule until the later of March 13, 2023 or 30 days after publication of the proposed rule in the Federal Register.

On January 4, the Consumer Financial Protection Bureau (CFPB) issued its 2022 Fall Rulemaking Agenda containing pre-rule, proposed rule, and final rules under consideration. The CFPB releases regulatory agendas twice a year in voluntary conjunction with a broader initiative led by the Office of Budget and Management to publish a Unified Agenda of Regulatory and Deregulatory actions across the federal government. In the preamble to the Federal Register notice, the CFPB states that the information is current as of September 30, 2022 and identifies regulatory matters the CFPB “reasonably anticipates” having under consideration during the period from December 1, 2022, to November 30, 2023. The CFPB has not yet posted a blog or issued a press release about the agenda. Continue Reading The CFPB Issues Its 2022 Fall Rulemaking Agenda

Please join Consumer Financial Services Partner Dave Gettings and his fellow Partner Ron Raether as they discuss the Consumer Financial Protection Bureau and its supervision of the tenant screening industry. During this episode, Dave and Ron also examine issues facing tenant screening companies and what can be done in the industry.

Continue Reading CFPB’s Involvement in Tenant Screening