We have expanded CFPB Monitor. This new blog—Consumer Finance Monitor—includes all the news in the CFPB Monitor. It also features a Federal CFS Monitor for analysis on the many other federal agencies that regulate our industry and a State CFS Monitor, which covers state agency and attorney general developments. News is segmented by topic and agency on the right. A full compilation is below. Thank you for visiting and we hope you enjoy our new blog.
A group of 20 state attorneys general, the D.C. attorney general, and the Executive Director of the Office of Consumer Protection of Hawaii have sent a letter to U.S. Department of Education Secretary Betsy DeVos criticizing the ED’s withdrawal of various memoranda issued during the Obama Administration regarding federal student loan servicing reforms.
The memoranda were intended to guide the development of provisions in new contracts to be entered into by the ED with servicers it selected for a new federal student loan servicing system and included directions to contractors to designate, train, and appropriately compensate specialized servicing personnel to assist at-risk and certain other borrowers. and standards to provide consistency in the handling, processing, and application of payments by servicers and other servicing practices. Secretary DeVos had indicated that withdrawal of the memoranda was necessary to “negate any impediment, ambiguity or inconsistency” in the ED’s approach to acquiring new federal student loan servicing capabilities.
In their letter, the state AGs assert that the ED’s “stated rationale does not justify summarily denying student borrowers [the] basic protections [provided by the new servicing standards].” The state AGs highlight requirements for servicers to apply overpayments to loans with the highest interest rates unless instructed otherwise by the borrower and to inform a borrower of income-driven repayment options before placing the borrower in forbearance or deferment. They note that ‘[s]ervicers’ failure to comply with such standards may be independent violations of state law.”
The CFPB will hold a field hearing on small business lending in Los Angeles, CA on May 10, 2017. The announcement, which took the form of a posting on the events page of the CFPB’s website, contains only the usual statement that the hearing will feature “remarks from Director Cordray, as well as testimony from community groups, industry representatives, and members of the public.”
Since the CFPB typically holds field hearings in conjunction with announcing a related development, it might announce a development involving the CFPB’s rulemaking to implement Section 1071 of Dodd-Frank. Section 1071 amended the ECOA to require financial institutions to collect and maintain certain data in connection with credit applications made by women- or minority-owned businesses and small businesses such as the race, sex, and ethnicity of the principal owners of the business.
In its annual fair lending report issued earlier this month, the CFPB stated that it had “begun to explore some of the issues involved in the rulemaking, including engaging numerous stakeholders about the statutory reporting requirements.” Also, at the recent House Financial Services Committee hearing at which Director Cordray appeared, Chairman Hensarling criticized the CFPB for not proceeding more quickly to issue a regulation to implement Section 1071.
The Office of Inspector General for the Fed and CFPB recently issued an audit report entitled “The CFPB Can Strengthen Contract Award Controls and Administrative Processes.” The objective of the OIG’s audit was to assess the CFPB’s compliance with applicable laws, regulations and CFPB policies and procedures related to contract solicitation, selection and award processes, as well as the effectiveness of the CFPB’s associated internal controls.
While finding the CFPB to be generally compliant, the OIG found occasions on which reviews and approvals were overlooked or not documented as required by regulation or CFPB policy. Among its other findings was that the CFPB could improve the documentation used to support price reasonableness determinations for sole-source contracts (i.e. contracts where there is other than a full and open competition).
The OIG’s work plan updated as of April 1, 2017 includes the following initiated projects in which the OIG will evaluate:
- the CFPB Enforcement Office’s processes for protecting confidential information obtained through the use of the CFPB’s enforcement powers, such as information received in response to a CID (completion expected second quarter 2017)
- the CFPB’s compliance with the requirements for issuing CIDs including those in the Dodd-Frank Act (completion expected third quarter 2017) (Last week, the D.C. Circuit affirmed the district court’s denial of the CFPB’s petition to enforce a CID because the CFPB had not complied with the Dodd-Frank requirements.)
- the effectiveness of the CFPB’s management of examiner commissioning and training (completion expected third quarter 2017)
Planned projects described in the work plan include (1) an evaluation of the effectiveness of the Division of Supervision, Enforcement, and Fair Lending in monitoring and ensuring that supervised entities take timely action to correct deficiencies identified in examinations, (2) an evaluation of the risk assessment framework used by the CFPB to prioritize examinations, and (3) a review of the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and personally identifiable information and applied appropriate information security controls and protection over the data to mitigate those risks.
The House Financial Services Committee has released the witness list for the hearing it will hold this Wednesday, April 26, 2017, to discuss the Financial CHOICE Act.
The witnesses will be:
- John Allison, Former President and Chief Executive Officer, Cato Institute
- Dr. Norbert J. Michel, Senior Research Fellow, Financial Regulations and Monetary Policy Institute for Economic Freedom and Opportunity, The Heritage Foundation
- Hester Peirce, Director of Financial Markets Working Group and Senior Research Fellow, Mercatus Center
- Alex J. Pollock, Distinguished Senior Fellow, The R Street Institute
- Peter J. Wallison, Senior Fellow and Arthur F. Burn, Fellow in Financial Policy Studies, American Enterprise Institute
The Committee also released a memorandum that includes a summary of the discussion draft of the bill previously released by the Committee.
A Texas federal district court has entered a $2 million civil penalty judgment against the former president of a debt collection company for alleged violations of the FDCPA and FTC Act. The judgment follows the court’s finding in a prior order that $2 million was a “reasonable and appropriate penalty for [the president’s] violations of the Fair Debt Collection Practices Act.” The company and former president had previously been banned by the court from “participating in debt collection activities” and “advertising, marketing, promoting, offering for sale, selling, or buying any consumer or commercial debt or any consumer information relating to a debt.”
In January 2015, the DOJ, on behalf of the FTC, had filed a complaint against the company and its former president and vice president alleging that the defendants had engaged in various practices in violation of the FDCPA and FTC Act, including impersonating attorneys and attorneys’ staff and falsely threatening consumers with litigation or wage garnishment. In April 2016, the court entered summary judgment against the company and former president, stating “the summary judgment record is clear and uncontroverted that [the company] is a debt collector covered by the FDCPA and that its collectors have committed numerous violations of the FDCPA and Section 5 of the FTC Act.” With regard to the company’s president, the court found that as president and sole owner of the company, he had actual or implied knowledge of the FDCPA violations because he “not only played a role in formulating the policies and practices that resulted in the violative acts, but in fact actually set the policies of his company. As President, he had the authority to fire or otherwise discipline his employees for employing deceptive debt collection activities.” In September 2016, the court entered a stipulated order permanently banning the company’s former vice president from participating in debt collection activities and activities related to the sale or purchase of consumer or commercial debts or debt-related consumer information. The order also imposed a $496,000 civil penalty judgment that was suspended except for $10,000 based on inability to pay.)
In its order finding $2 million to be an appropriate penalty, the court noted that the FTC Act authorizes a penalty of up to $40,000 for each act that violates the FDCPA “with actual or implied knowledge of the FDCPA” and that the “maximum theoretical penalty for the estimated 109,634 violations exceeds $4 billion.” The court stated that the FTC had established the defendant’s lack of good faith through his admissions that the company had no formal FDCPA training program and that he had hired “abusive collection managers and refused to fire them if they were effective.” The court also noted his awareness of consumer complaints and that he “he had the ultimate authority over the collection managers and the collectors.”
The D. C. Circuit has affirmed the D.C. federal district court’s April 2016 denial of the CFPB’s petition to enforce a CID issued to the Accrediting Council for Independent Colleges and Schools (ACICS) in August 2015.
After denying ACICS’s petition to modify or set aside the CID in October 2015, the CFPB filed a petition in D.C. federal district court to enforce the CID. The CFPA allows the CFPB to issue a CID to “any person” that the CFPB believes may be possession of “any documentary material or tangible things, or may have any information, relevant to a violation” of laws enforced by the CFPB. The CID’s Notification of Purpose indicated that the purpose of the CFPB’s investigation was “to determine whether any entity or person has engaged or is engaging in unlawful acts and practices in connection with accrediting for-profit colleges, in violation of sections 1031 and 1036 of the [CFPA prohibiting unfair, deceptive, or abusive acts or practices], or any other Federal consumer financial protection law.” The CFPB argued that because it has authority to investigate for-profit schools in relation to their lending and financial advisory services, it had authority to investigate whether any entity has engaged in any unlawful acts relating to accrediting such schools. The district court denied the CFPB’s petition, holding that the CFPB lacked statutory authority to investigate the accreditation process.
In affirming the denial of the CFPB’s petition to enforce the CID, the D.C. Circuit declined to reach the broad question of whether the CFPB had statutory authority “to investigate the area of accreditation at all” and instead stated that it would “confine our analysis to the invalidity of this particular CID.” More specifically, the D.C. Circuit considered only whether the CID satisfied the CFPB requirement that “[e]ach [CID] shall state the nature of the conduct constituting the alleged violation which is under investigation and the provision of law applicable to such violation.”
The D.C. Circuit concluded that “as written, the Notification of Purpose [in the ACICS CID] fails to state adequately the unlawful conduct under investigation or the applicable law.” In reaching that conclusion, the D.C. Circuit relied on case law holding that to determine whether to enforce a CID, a court should consider only whether the inquiry is within the agency’s statutory authority, whether the request is not too indefinite, and whether the information sought is reasonably relevant.
The CFPB’s Notification of Purpose defined the relevant conduct constituting the violation under investigation as “unlawful acts and practices in connection with accrediting for-profit colleges.” According to the D.C. Circuit, because the Notification of Purpose gave “no description whatsoever” of the “unlawful acts and practices” the CFPB sought to investigate, the court “need not and probably cannot accurately determine whether the inquiry is within the authority of the agency and whether the information sought is reasonably relevant.” The D.C. Circuit noted that the CFPB had argued that, even if it did not have statutory authority over the accreditation process, it had an interest in the possible connection between the lending practices of ACICS-accredited schools and the accreditation process. However, the court observed that “[e]ven if the CFPB is correct, that interest does not appear on the face of the Notification of Purpose,” and the agency had failed to adequately inform ACICS of the link between the relevant conduct and the alleged violation.
The CID had identified “sections 1031 and 1036 of the [CFPA prohibiting unfair, deceptive, or abusive acts or practices], or any other Federal consumer financial protection law” as the laws applicable to the alleged violation under investigation The D.C. Circuit determined that the this language was “similarly inadequate” because, coupled with the CID’s failure to adequately state the unlawful conduct under investigation, the statutory references “tell ACICS nothing about the statutory basis for the Bureau’s investigation.” The court noted that although the CFPA provides detailed definitions of “Federal consumer financial law” and “consumer financial product or service,” the CID “contains no mention of these definitions or how they relate to its investigation.” It also commented that the inclusion of the “uninformative catch-all phrase ‘any other Federal consumer financial protection law’ does nothing to cure the CID’s defect.” According to the court, “were we to hold that the unspecific language of this CID is sufficient to comply with the statute, we would effectively write out of the statute all of the notice requirements that Congress put in.”
Because the D.C. Circuit did not reach the broader question of the CFPB’s authority to investigate the accreditation process and “express[ed] no opinion on whether a revised CID that complies with [the CFPA CID requirements] should be enforced,” the CFPB will get another bite at the apple should it decide to reissue the CID. While the decision will likely result in more detailed Notifications of Purpose in future CFPB CIDs, because it does not substantively change the scope of the CFPB’s broad power to issue CIDs, the decision’s overall impact will likely be minimal. In addition, there continues to be a fairly low standard for what constitutes relevant information in discovery and litigation.
New Mexico recently became the 48th state to enact a data breach notification law. This continues the accelerated pace of state data breach legislative activity in the last two years. Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.
Among the most significant aspects of New Mexico’s brand new “Data Breach Notification Act” is its definition of “Personal Identifying Information.” The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information. In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired. The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.
For more information on the new law, see our legal alert.
Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.” Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”
Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”
Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories. Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement. Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.
Furthermore, companies should expect further guidance from the FTC relating to privacy and data security expectations to help reduce unnecessary regulatory burdens and provide additional transparency to businesses on how they can remain compliant and avoid engaging in unfair or deceptive acts of practices. Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.
On April 20, the CFPB finalized a proposed rule to delay the effective date of the final rule governing Prepaid Accounts (Prepaid Account Final Rule) by six months, from October 1, 2017 to April 1, 2018 (Effective Date Final Rule). According to the CFPB, the delay was adopted “to facilitate compliance with the Prepaid Account Final Rule, and to allow an opportunity for the Bureau to assess whether any additional adjustments to the Rule are appropriate.”
The preamble to the Effective Date Final Rule previews that the CFPB will propose rules for “at least two issues that have been identified as areas where the Prepaid Accounts Final Rule may be posing particular complexities for implementation,” and at that time, a further delay may be proposed as well. The two issues relate to: (1) the linking of credit cards to digital wallets that are capable of storing funds; and (2) error resolution and limitations on liability for unregistered prepaid accounts.
Over the past few months, the Prepaid Account Final Rule has faced attacks from industry representatives, such as the American Bankers Association, and from Congress under the Congressional Review Act – Representatives Tom Graves (R-Ga) and Roger Williams (R-Tx) introduced House Joint Resolution 62 and House Joint Resolution 73, respectively, and Senator David Perdue (R-Ga) introduced Senate Joint Resolution 19. The Senate Joint Resolution was recently brought out of Committee and to the floor for consideration by way of a discharge petition filed by Senate Banking Chairman Mike Crapo. The Prepaid Account Final Rule has also been defended by attorney generals from 17 states and the District of Columbia.
We will continue to monitor the status of the Prepaid Account Final Rule in relation to the substantive changes previewed by the CFPB and the progress of the congressional joint resolutions.
On April 20, the United States Court of Appeals for the Ninth Circuit declined to hear an interlocutory appeal by CashCall of the district court’s order granting the CFPB’s partial summary judgment motion and denying CashCall’s summary judgment motion in the CFPB’s lawsuit against CashCall. The district court previously had certified its decision for interlocutory appeal.