After analyzing public feedback, as well as information gathered from the five providers of Buy Now, Pay Later (BNPL) products, the Consumer Financial Protection Bureau (CFPB) issued a report, making it clear that the CFPB plans to increase regulation of the BNPL industry.

A form of credit that allows a consumer to split a retail transaction into smaller, interest-free installments and repay over time, the typical BNPL structure divides a $50 to $1,000 purchase into four equal installments. While BNPL credit is interest free, providers make money by charging fees to both sellers and consumers who don’t pay on time. Launched in the mid-2010s as an alternative form of short-term credit for online retail purchases, BNPL loan usage increased ten-fold during the pandemic.

Among other takeaways from the report, the CFPB found:

  • The financial and operational benefits of the interest-free, accessible at your fingertips product over legacy credit products are real and sizeable. According to the CFPB, however, those same benefits may lead to two forms of borrower overextension: loan stacking (the risk of overconsumption from BNPL usage at multiple concurrent lenders) and sustained usage (the risk of long-term BNPL usage causing stress on borrowers’ ability to meet other, non-BNPL financial obligations).
  • Consumer reporting companies have been slow to develop credit reporting protocols with respect to BNPL. Mortgage and auto lenders have raised concerns that the growth of BNPL with no associated credit reporting makes it more challenging to know whether a borrower can afford a mortgage or auto loan.
  • Credit performance is deteriorating on BNPL loans. In 2020, 2.9% of borrowers “charged off” a BNPL loan, while that number jumped to 3.8% in 2021. Public filings show this upward trend continuing through the first half of 2022.
  • BNPL lenders often collect a consumer’s data, as well as deploy models, product features, and marketing campaigns based on that data, to increase the likelihood of incremental sales. The CFPB claims that in addition to the general data harvesting risks, BNPL lenders’ use of consumer data for revenue-generating purposes can potentially increase overextension risks by engendering repeat usage.

Director Chopra also released prepared remarks on the report, acknowledging both the advantages and disadvantages of this new product. “Since taking office, I have directed our staff to identify ways to invite more competition into markets for consumer financial products and services. Buy Now, Pay Later firms are challenging existing players and offering new options to retailers and borrowers.” Director Chopra noted, however, that “[m]any Buy Now, Pay Later lenders are not offering the same clear set of dispute protections that credit card issuers have long been required to offer, which is creating chaos for some consumers when they return their merchandise or encounter other difficulties. Many Buy Now, Pay Later lenders do not offer clear and comparable disclosures of the terms of the loan like other lenders.”

The report and prepared remarks state actions the CFPB intends to take as a follow-up to the report. These include:

  • Identifying potential interpretive guidance or rules to issue to ensure that BNPL firms adhere to many of the baseline protections that Congress has already established for credit cards.
  • Identifying data surveillance practices that may need to be curtailed — specifically, examining some of the types of demographic, transactional, and behavioral data collected for uses outside of the lending transaction, including for the purpose of sponsored ad placements, sharing with merchants, and developing user-specific discounting practices.
  • Identifying options for appropriate and accurate credit reporting on these products.
  • Ensuring that BNPL companies are subjected to appropriate supervisory examinations, just like credit card companies.
  • Ensuring that the CFPB and the Federal Reserve System methodology used to estimate household debt burden reflects the reality of today’s market.

Director Chopra’s statement noted that “the report prepared by the CFPB staff does not seek to determine whether the rise of the Buy Now, Pay Later market is a positive or negative development. I believe that Buy Now, Pay Later can grow and serve consumers well if we can collectively address some of the gaps I’ve just outlined. If Buy Now, Pay Later lenders incorporate the protections and protocols that we observe in other financial products, this would go a long way to ensure that there is healthy competition where consumers have a baseline level of protections.”

The CFPB’s report denotes the latest action taken to rein in the burgeoning BNPL industry. As we posted here, here, and here, in November 2021, the House Financial Services Committee’s Task Force on Financial Technology held a “Buy Now, Pay More Later? Investigating Risks and Benefits of BNPL and Other Emerging Fintech Cash Flow Products” hearing. For the hearing, the task force invited both consumer advocates and industry tradespeople to address concerns that these products are designed in such a way that the disclosure requirements under the Truth in Lending Act and other credit laws may not apply. Next, in December 2021, the CFPB ordered five BNPL companies to answer a series of questions about the products. In January 2022, the CFPB then issued a notice and request for comment related to the products. In response, the Consumer Bankers Association sent a letter to the CFPB in March 2022, encouraging regulation of the industry.

According to Director Chopra, “As BNPL products continue to grow in popularity and the industry continues to add products and services to meet consumer need, a measured approach to regulation will be necessary to preserve market options and to protect consumers’ interests.”

Please join Consumer Financial Services Partner Kim Phan and her guests and colleagues Alan Wingfield and David Anthony in the second episode of a special four-part series on recent developments with the Consumer Financial Protection Bureau (CFPB). In this episode, topics include the CFPB’s position on preemption issues, Fair Credit Reporting Act (FCRA) state law infringement, and the CFPB’s general position on state interactions and enforcement.


Please join Consumer Financial Services Partner Chris Willis and his guests and colleagues Ashley Taylor and Stefanie Jackman in the first episode of a special four-part series about recent developments with the Consumer Financial Protection Bureau (CFPB). In this episode, topics discussed include:

  • Historical background about the cooperation between the CFPB and state attorneys general;
  • Efforts by the CFPB under its new leadership in the current administration directed toward cooperation with state attorneys general;
  • Differences between CFPB and state attorneys general enforcement investigations;
  • Areas where states may take up the CFPB’s invitation to investigate issues under federal law that they might not have done before; and
  • How we think the state attorneys general will find those cases to investigate.

Banking trade groups are challenging a request for information (RFI) issued by the Consumer Financial Protection Bureau (CFPB) regarding customer service at large financial institutions. In a joint letter dated August 22, the Bank Policy Institute, Consumer Bankers Association, and the American Bankers Association objected to the CFPB’s insinuation that big banks are providing a sub-par customer experience and challenged the CFPB’s authority to regulate customer service.

“Customer service is an important and essential priority for banks. The CFPB’s statements in the RFI unfairly characterize the quality of customer service provided by banks and appear to reflect the CFPB’s pre-determined conclusions that banks do not provide high quality customer service. This approach is unhelpful to consumers … and is likely to confuse them.” The groups cite to recent studies reporting high overall customer satisfaction to support their claim.

The letter takes aim at the CFPB’s authority under the Dodd-Frank Act, noting that it says nothing about customer service or relationship banking and does not “grant the CFPB the authority to dictate, via regulation or otherwise, the type of customer service banks provide or the manner in which they provide service.” Although the CFPB maintains its authority under Section 1034(c) of the Dodd-Frank Act, which requires depository institutions with more than $10 billion in assets to provide timely responses to consumers’ requests for information about a financial product or service that the consumer obtained from the depository institution, the groups dispute the CFPB’s asserted authority under this section, stating “a bank’s obligation to provide a consumer particular information or data ‘in a timely manner’ in response to a specific request for such information is very different from an obligation to serve customers on particular terms or in a certain manner more generally … it appears that the CFPB is attempting to use this RFI to create a legal authority that it does not have: the right to dictate the type of customer service banks provide and the manner in which they do so.”

The groups also challenge the notion that the embrace of technology by financial institutions has led to a decrease in customer satisfaction, stating that the RFI “creates the false impression that the adoption of digital banking tools diminishes customer service. In reality, consumer demand drove banks to develop these tools and continued and increasing demand has encouraged banks to retain and grow these platforms.”

In the RFI published in late June, the CFPB invited comments from the public regarding what customer service obstacles consumers face in the banking market, and specifically, what information would be helpful for consumers to obtain.

Troutman Pepper will continue to monitor important developments involving the CFPB and the banking customer relationship RFI and will provide further updates as they become available.

In this episode of The Crypto Exchange, Troutman Pepper Consumer Financial Services Partner Kalama Lui-Kwan welcomes back Keith Barnett and Carlin McCrory to discuss consumer protection under Regulation E and a recent letter from Democratic senators, urging the CFPB to hold banks liable for consumer losses when the consumers provide alleged fraudsters with access to their own accounts through payment apps. Keith and Carlin examine the senators’ concerns, as well as how any potential changes that the CFPB makes could impact financial institutions significantly.

On August 11, the Consumer Financial Protection Bureau (CFPB) published a circular, answering the question “Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?” with a resounding “yes.” Specifically, the CFPB pointed to three practices — inadequate authorization, poor password management, and lax software update policies — as examples of data security practices that would likely cause substantial unavoidable injury to consumers without a countervailing benefit and that could trigger liability for financial institutions and/or their service providers. Failure to comply with these requirements may violate the CFPA’s prohibition on unfair acts or practices.

The CFPA defines an unfair act or practice as one that:

  • Causes or is likely to cause substantial injury to customers;
    • Notably, actual injury is not required to satisfy this prong in every case. A significant risk of harm is also sufficient. In other words, this prong of the test is met even in the absence of a data breach if the inadequate data security measures “are likely to cause” substantial injury.
  • Is not reasonably avoidable by consumers; and
    • The circular noted that consumers cannot reasonably avoid the harms caused by a firm’s data security failures as they have no way of knowing whether appropriate security measures are properly implemented and have no control over the creation or implementation of an entity’s security measures.
  • Is not outweighed by countervailing benefits to consumers or competition.
    • The CFPB noted it is unaware of any instance in which a court applying an unfairness standard has found that the substantial injury caused or likely caused by a company’s poor data security practices is outweighed by countervailing benefits to consumers or competition.

While the circular did not state that any particular security practices were required under the CFPA, it did note that the failure to implement the following measures may increase the risk of liability.

  • Multifactor Authentication: This security enhancement requires multiple credentials, such as requiring both a password and a temporary numeric code, for consumers to log in to their account. While not outright requiring this measure, the circular states: “If a covered person or service provider does not require MFA for its employees or offer multi-factor authentication as an option for consumers accessing systems and accounts, or has not implemented a reasonably secure equivalent, it is unlikely that the entity could demonstrate that countervailing benefits to consumers or competition outweigh the potential harms, thus triggering liability.”
  • Adequate Password Management: Unauthorized use of passwords is a common security concern. Usernames and passwords can be sold on the dark web or posted freely on the internet. To combat this, the CFPB now expects covered persons or service providers to have processes in place to monitor for breaches at other entities where employees may be re-using logins and passwords and notifying users when a password reset is required as a result.
  • Timely Software Updates: Software vendors often send out patches and other updates to address emerging threats. When the updates are announced, hackers immediately become aware of the vulnerabilities in the old software and move to exploit them. If covered persons or service providers do not routinely update systems, software, and code or fail to update them when notified of a critical vulnerability, they could be at risk for liability from the CFPB.

Seven Action Items for Financial Services and Other Organizations

While the CFPB guidance focuses on three leading controls that often lead to catastrophic ransomware, data exfiltration, and other cyber impacts, these controls only work in tandem with a comprehensive information security program. To ensure a program is comprehensive, most financial institutions build their security programs around recognized industry frameworks (e.g., ISO 27001, NIST Cybersecurity Framework, Center for Internet Security (CIS) 18, and others). In any event, leading companies at a minimum maintain the controls identified in the CFPB guidance as part of the following essential seven industry practices:

  1. Inventory/Scope Location of Company Crown Jewels. Know your organization and maintain a current list of your people and critical software, hardware, network, and sensitive data assets and know how they interrelate with one another. Knowing the boundaries of your IT and location of your data and crown jewels allows for focus and the creation of the baseline of expected processes and behaviors that makes it easier to spot abnormal actions.
    • Implementation Tip: Use It or Lose It. If you don’t need it, then safely discard that asset and turn off access. For example, it’s far too easy to forget about that neglected website that malicious agents can use to access your internal systems. Always remember to remove former employees’ or vendors’ access and authorization rights.
  2. Classify the Data and Assess All Risks and Threats to the Data. Once the location, nature, and criticality of your data have been inventoried, many companies are developing data classification policies and performing a risk assessment to identify the various threat actors and risks to the data (not just cyber risks, but physical security vulnerabilities, vendor risks, and knowledgeable insiders).
    • Implementation Tip: Practice Makes Perfect. While historically primarily an IT activity, legal is increasingly involved in both (1) classifying the criticality and sensitivity of data based on the increasing patchwork of privacy and security laws and (2) conducting “mock” assessments of how the CFPB, FTC, OCR, and/or other regulator would review their security program and efforts.
  3. Develop a Comprehensive Information Security Policy Suite. Clearly stated expectations and requirements give guidance for everyone in the company, as well as vendors and customers.
    • Implementation Tip: Rely or Refer to Industry Standards. Sources can include NIST, ISO, PCI, FFIEC, SEC, PSD2 in the EU, BASEL III, CCPA-related U.S. and international privacy laws, and other laws.
  4. Maintain and Test Key Access Controls, Including Complex and Unique Passwords and Multifactor Authentication. Given the increasing threat of credential stuffing (i.e., exfiltrating user IDs and passwords at one site and using them at another site where the user has reused the same ID and password), requiring employees and potentially users to use credentials unique to your organization is of increasing importance.
    • Implementation Tip: Be Sure to Zone Out. In addition to password management and multifactor authentication, companies are using network zoning and related techniques to separate highly sensitive systems handling financial data from other production and test systems, and they are managing access controls on a need-to-know and role-based basis.
  5. Software Updates and Patch Management. As lack of patching is the leading cause of catastrophic cyberattacks and exfiltration of data, companies are increasingly rolling out policies and procedures to ensure that their organization keeps software current with the latest patch versions (and contract requirements to ensure that vendors and suppliers do the same).
    • Implementation Tip: Use Threat Intelligence to Get Smart. Many companies are increasingly subscribing to threat intelligence (or using the CIS, NIST, PCI, CSA, and other technical resources) for lists of industry threats and trends, emerging cyber vulnerabilities, and available patches/fixes in an effort to harden systems and thwart breaches.
  6. Encryption and Backup Are a Critical Pairing. While not part of the CFPB guidance, in the event of a ransomware attack or other cyber catastrophe, to be able to recover quickly and restore accurate data, it is critical for companies to encrypt and back up critical data and software and store it in a secure offsite location.
    • Implementation Tip: Hide the Backup. Hackers have been deleting backups found on compromised systems, so it is essential to have data backups stored offline beyond their reach.
  7. Train, Train, Train. As human error is often the root cause of a cyber vulnerability, many companies are increasing the frequency and scope of security training.
    • Implementation Tip. Many companies are running cyber simulation tabletop exercises to conduct a “dress rehearsal” on coordination of roles in the event of a cyber simulation and employing tools to test their staff preparedness to detect and avoid various phishing techniques and scams used by hackers to gain access to financial systems.

Troutman Pepper will continue to monitor important developments involving the CFPB and data security enforcement and will provide further updates as they become available.

Please contact Jim Koenig, Kim Phan, or Ronald Raether or any member of our Privacy + Cyber Practice Group with questions.

On August 10, the Consumer Financial Protection Bureau (CFPB or Bureau) issued an interpretive rule, detailing when digital marketing providers for financial firms must comply with federal consumer financial protection laws. The interpretive rule addresses digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” According to the Bureau, when digital marketers are involved in the identification or selection of prospective customers or the selection or placement of content to affect consumer behavior, they are acting as “service providers” subject to the CFPB’s jurisdiction and can be held liable by the CFPB and other law enforcers for committing unfair, deceptive, or abusive acts or practices.

CFPB Director Rohit Chopra explained the reasoning behind the rule: “When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws. Federal and state law enforcers can and should hold these firms accountable if they break the law.”

Digital marketing has become a ubiquitous feature of advertising for consumer financial products and services and allows companies to direct ads to consumers who are more likely to interact with an ad or sign up for a product or service. According to the CFPB, these kinds of digital marketers are typically covered by the Consumer Financial Protection Act (Act) as “service providers.” The Act does provide an exception for companies that solely provide time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media. However, in the interpretive rule, the CFPB made clear that the exception does not cover firms that are materially involved in the development of content strategy. The interpretive rule directly “address[es] digital marketing providers that commingle the targeting and delivery of advertisements to consumers, such as by using algorithmic models or other analytics, with the provision of advertising ‘time or space.’”

When it comes to providing digital marketing for financial firms, the CFPB explained that it may ultimately be the digital marketer that decides which groups the consumer belongs in and which financial services companies desire to advertise to that group, and may even select the specific ad to display to that consumer and when to display the ad. Accordingly, many digital marketing providers are materially involved in the development of “content strategy” by identifying or selecting prospective customers and selecting or placing content to affect consumer engagement, including purchasing or adoption behavior. The CFPB asserts that these activities go well beyond the activities of traditional media sources and come under the purview of consumer financial protection laws. In particular, identifying prospective customers and then attempting to acquire those customers is a significant component of the “offering” of a consumer financial product or service, which is part of the legally relevant test for determining that a firm is a “covered person” under the Act.

As CFPB Director Chopra explained during his remarks at the 2022 National Association of Attorneys General Presidential Summit, social media “allow[s] advertisers to show ads to only men or women, to not show ads to people who may be disabled, and to not show ads to people interested in certain countries. Facebook allowed advertisers to not show ads to people within certain geographic regions or zip codes … . To be clear: Non-selected groups, regardless of protected class, were not shown the ads.”

The CFPB’s interpretive rule explains:

  • Digital marketers provide material services to financial firms: Digital marketers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising. Digital marketers engaged in this type of ad targeting and delivery are not merely providing ad space and time and, thus, do not qualify under the “time or space” exception.
  • The CFPB and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: When digital marketers act as service providers, they are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act.

We view this interpretive rule as a public signal that the Bureau intends to assert jurisdiction directly over social media and web companies that offer targeted advertising services to financial services companies.

We will continue to monitor developments related to the enforcement of consumer financial protection laws in regard to digital marketing at both the federal and state level.

Bankers are gearing up to oppose an effort by the Consumer Financial Protection Bureau (CFPB or Bureau) to prevent an increase in allowable late charges for credit cards. In letters dated August 1, the American Bankers Association, Consumer Bankers Association, Credit Union National Association, and National Association of Federally‐Insured Credit Unions (Associations), as well as the Bank Policy Institute, expressed their collective displeasure with the idea.

In an Advance Notice of Proposed Rulemaking published in late June, the CFPB announced it was seeking data as to whether late fees charged by credit card companies are “reasonable and proportional” to the amount owed. This action was spurred by the fact that the cap on allowable late fees provided under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) is tied to inflation. And, as everyone knows, inflation is at a record high.

As a result, the maximum allowable late fee under the CARD Act could increase by as much as 9% next year — an increase the CFPB has indicated it would try to halt using its regulatory authority under the Truth in Lending Act and Regulation Z. CFPB Director Rohit Chopra explained the CFPB’s position as follows: “Credit card late fees are big revenue generators for card issuers. We want to know how the card issuers determine these fees and whether existing rules are undermining the reforms enacted by Congress over a decade ago. This effort is particularly timely since current rules might give companies the incentive to impose big hikes based on inflation.”

For background, the Federal Reserve Board of Governors (Fed) in 2010 voted to implement provisions of the CARD Act that required penalties to be “reasonable and proportional to the omission or violation.” However, the Fed also included a provision that allowed credit card issuers to escape enforcement scrutiny if they set fees at a particular level, that is, a “safe harbor.” But the Fed also stated that it would adjust the safe harbor amount annually, based on changes in the consumer price index. In 2010, the safe harbor limit on late fees was $25 for the first late payment. Since then, the late fee limit has increased to $30 for the first late payment and $41 for subsequent late payments within six billing cycles. Now that inflation has spiked, late fees are expected to rise next year to $33 for the first late payment and $45 for subsequent ones. Critics of the Fed’s safe harbor provision have called upon the CFPB to put a halt to inflation adjustments, pointing out that financial institutions already charge consumers roughly $12 billion a year in late fees, and there is no reason to presume that the current fees are reasonable and proportional to the impact of consumers’ late payments.

But bankers and trade groups have vehemently opposed any attempts to limit the late fee safe harbor, explaining that late fees act as a deterrent to consumers overextending their means. As the Associations explained in their August 1 letter, “When set appropriately, late fees encourage consumers to pay on time and develop good financial management habits. However, if late fees are too low, consumers are more likely to pay late and miss payments, leading to lower consumer credit scores, reduced credit access, and higher credit costs.”

Others say that reducing late fees or eliminating the safe harbor would impact small banks and credit unions because financial institutions would be forced to raise fees elsewhere or increase the cost of credit overall. As explained by the Bank Policy Institute in their August 1 letter, “Any reduction in the safe harbor amount or elimination of the safe harbor would have an impact on the thousands of credit card issuers operating in this market, including small issuers.”

Another unintended impact of the CFPB’s proposed regulation that the Associations noted in their August 1 letter could be that vulnerable communities are disproportionately affected by the limiting of late fees. “Tighter underwriting standards and lower credit lines for new customers would have the greatest impact on those who do not have an established or strong credit history. Without the lever of late fees to mitigate the risk of late payment, issuers may need to be more conservative about approving credit cards for those in this group. Issuers could also reduce credit lines for existing accounts to mitigate risk, an issue about which the Bureau recently expressed concern.”

The Associations also suggest that if late charges fail to keep up with costs, then issuers would look to make up for losses elsewhere, which “could include reducing credit lines, tightening standards for new accounts, and raising annual percentage rates (APRs) and fees for all cardholders, including those who pay on time.”

Troutman Pepper will continue to monitor important developments involving the CFPB, credit card late fees, and the Fed’s safe harbor provision and will provide further updates as they become available.

On August 4, Consumer Financial Protection Bureau (CFPB or Bureau) Director Rohit Chopra spoke at the Philadelphia Federal Reserve Bank’s Sixth Annual Fintech Conference, arguing that enforcement actions rather than financial literacy efforts were necessary to prevent consumer abuse.

Chopra said that while there is value in educating consumers to spot risks and find trustworthy advice, financial products are inherently challenging to understand. “Disclosures are not going to be what’s fixing it,” Chopra said. “What is often going to fix it is to eradicate unlawful actors who really prey on people.”

Chopra was even more pointed in his July 14 prepared remarks for the Financial Literacy and Education Commission where he claimed that “financial education can be harmful.”

Chopra’s statements reflect a marked change from the approach to consumer protection taken by his predecessor, former Director Kathleen Kraninger. Kraninger listed education as the “first tool” in the CFPB’s toolbox in preventing consumer harm. In a 2019 speech at the Bipartisan Policy Center, Kraninger stated that the Bureau could not and should not try to “be everywhere, with everyone, at every transaction” and so would look to empower consumers to help themselves and make good financial choices.

Chopra, meanwhile, cast doubt on the effectiveness of that approach on August 4. “The experiment has not had much success,” Chopra said. “One, I think in some cases financial education has made people worse off because they become overconfident.”

The CFPB’s increased emphasis on enforcement led to an uptick in fair lending enforcement in 2021, and that trend has continued with increased enforcement in areas, such as loan servicing, credit reporting, student loans and small business lending.

Troutman Pepper will continue to monitor important developments involving the CFPB and enforcement actions and will provide further updates as they become available.

Please join Consumer Financial Services Partner Dave Gettings and his fellow Partner Ethan Ostroff as they discuss the Consumer Financial Protection Bureau’s increasingly active interest in credit reporting, including a recent CFPB blog post on credit card companies and their perceived practice of suppressing payment information, as well as what it signals to companies in the industry.

Ethan’s practice includes advising companies on compliance issues and interactions with regulators concerning the Fair Credit Reporting Act, as well as defending furnishers, users, and specialty consumer reporting agencies in individual and class-action lawsuits under the FCRA.
