We have expanded CFPB Monitor. This new blog—Consumer Finance Monitor—includes all the news in the CFPB Monitor. It also features a Federal CFS Monitor for analysis on the many other federal agencies that regulate our industry and a State CFS Monitor, which covers state agency and attorney general developments. News is segmented by topic and agency on the right. A full compilation is below. Thank you for visiting and we hope you enjoy our new blog.
The Office of Inspector General for the Fed and CFPB recently issued an audit report entitled “The CFPB Can Strengthen Contract Award Controls and Administrative Processes.” The objective of the OIG’s audit was to assess the CFPB’s compliance with applicable laws, regulations and CFPB policies and procedures related to contract solicitation, selection and award processes, as well as the effectiveness of the CFPB’s associated internal controls.
While finding the CFPB to be generally compliant, the OIG found occasions on which reviews and approvals were overlooked or not documented as required by regulation or CFPB policy. Among its other findings was that the CFPB could improve the documentation used to support price reasonableness determinations for sole-source contracts (i.e. contracts where there is other than a full and open competition).
The OIG’s work plan updated as of April 1, 2017 includes the following initiated projects in which the OIG will evaluate:
- the CFPB Enforcement Office’s processes for protecting confidential information obtained through the use of the CFPB’s enforcement powers, such as information received in response to a CID (completion expected second quarter 2017)
- the CFPB’s compliance with the requirements for issuing CIDs including those in the Dodd-Frank Act (completion expected third quarter 2017) (Last week, the D.C. Circuit affirmed the district court’s denial of the CFPB’s petition to enforce a CID because the CFPB had not complied with the Dodd-Frank requirements.)
- the effectiveness of the CFPB’s management of examiner commissioning and training (completion expected third quarter 2017)
Planned projects described in the work plan include (1) an evaluation of the effectiveness of the Division of Supervision, Enforcement, and Fair Lending in monitoring and ensuring that supervised entities take timely action to correct deficiencies identified in examinations, (2) an evaluation of the risk assessment framework used by the CFPB to prioritize examinations, and (3) a review of the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and personally identifiable information and applied appropriate information security controls and protection over the data to mitigate those risks.
The House Financial Services Committee has released the witness list for the hearing it will hold this Wednesday, April 26, 2017, to discuss the Financial CHOICE Act.
The witnesses will be:
- John Allison, Former President and Chief Executive Officer, Cato Institute
- Dr. Norbert J. Michel, Senior Research Fellow, Financial Regulations and Monetary Policy Institute for Economic Freedom and Opportunity, The Heritage Foundation
- Hester Peirce, Director of Financial Markets Working Group and Senior Research Fellow, Mercatus Center
- Alex J. Pollock, Distinguished Senior Fellow, The R Street Institute
- Peter J. Wallison, Senior Fellow and Arthur F. Burn, Fellow in Financial Policy Studies, American Enterprise Institute
The Committee also released a memorandum that includes a summary of the discussion draft of the bill previously released by the Committee.
A Texas federal district court has entered a $2 million civil penalty judgment against the former president of a debt collection company for alleged violations of the FDCPA and FTC Act. The judgment follows the court’s finding in a prior order that $2 million was a “reasonable and appropriate penalty for [the president’s] violations of the Fair Debt Collection Practices Act.” The company and former president had previously been banned by the court from “participating in debt collection activities” and “advertising, marketing, promoting, offering for sale, selling, or buying any consumer or commercial debt or any consumer information relating to a debt.”
In January 2015, the DOJ, on behalf of the FTC, had filed a complaint against the company and its former president and vice president alleging that the defendants had engaged in various practices in violation of the FDCPA and FTC Act, including impersonating attorneys and attorneys’ staff and falsely threatening consumers with litigation or wage garnishment. In April 2016, the court entered summary judgment against the company and former president, stating “the summary judgment record is clear and uncontroverted that [the company] is a debt collector covered by the FDCPA and that its collectors have committed numerous violations of the FDCPA and Section 5 of the FTC Act.” With regard to the company’s president, the court found that as president and sole owner of the company, he had actual or implied knowledge of the FDCPA violations because he “not only played a role in formulating the policies and practices that resulted in the violative acts, but in fact actually set the policies of his company. As President, he had the authority to fire or otherwise discipline his employees for employing deceptive debt collection activities.” In September 2016, the court entered a stipulated order permanently banning the company’s former vice president from participating in debt collection activities and activities related to the sale or purchase of consumer or commercial debts or debt-related consumer information. The order also imposed a $496,000 civil penalty judgment that was suspended except for $10,000 based on inability to pay.)
In its order finding $2 million to be an appropriate penalty, the court noted that the FTC Act authorizes a penalty of up to $40,000 for each act that violates the FDCPA “with actual or implied knowledge of the FDCPA” and that the “maximum theoretical penalty for the estimated 109,634 violations exceeds $4 billion.” The court stated that the FTC had established the defendant’s lack of good faith through his admissions that the company had no formal FDCPA training program and that he had hired “abusive collection managers and refused to fire them if they were effective.” The court also noted his awareness of consumer complaints and that he “he had the ultimate authority over the collection managers and the collectors.”
The D. C. Circuit has affirmed the D.C. federal district court’s April 2016 denial of the CFPB’s petition to enforce a CID issued to the Accrediting Council for Independent Colleges and Schools (ACICS) in August 2015.
After denying ACICS’s petition to modify or set aside the CID in October 2015, the CFPB filed a petition in D.C. federal district court to enforce the CID. The CFPA allows the CFPB to issue a CID to “any person” that the CFPB believes may be possession of “any documentary material or tangible things, or may have any information, relevant to a violation” of laws enforced by the CFPB. The CID’s Notification of Purpose indicated that the purpose of the CFPB’s investigation was “to determine whether any entity or person has engaged or is engaging in unlawful acts and practices in connection with accrediting for-profit colleges, in violation of sections 1031 and 1036 of the [CFPA prohibiting unfair, deceptive, or abusive acts or practices], or any other Federal consumer financial protection law.” The CFPB argued that because it has authority to investigate for-profit schools in relation to their lending and financial advisory services, it had authority to investigate whether any entity has engaged in any unlawful acts relating to accrediting such schools. The district court denied the CFPB’s petition, holding that the CFPB lacked statutory authority to investigate the accreditation process.
In affirming the denial of the CFPB’s petition to enforce the CID, the D.C. Circuit declined to reach the broad question of whether the CFPB had statutory authority “to investigate the area of accreditation at all” and instead stated that it would “confine our analysis to the invalidity of this particular CID.” More specifically, the D.C. Circuit considered only whether the CID satisfied the CFPB requirement that “[e]ach [CID] shall state the nature of the conduct constituting the alleged violation which is under investigation and the provision of law applicable to such violation.”
The D.C. Circuit concluded that “as written, the Notification of Purpose [in the ACICS CID] fails to state adequately the unlawful conduct under investigation or the applicable law.” In reaching that conclusion, the D.C. Circuit relied on case law holding that to determine whether to enforce a CID, a court should consider only whether the inquiry is within the agency’s statutory authority, whether the request is not too indefinite, and whether the information sought is reasonably relevant.
The CFPB’s Notification of Purpose defined the relevant conduct constituting the violation under investigation as “unlawful acts and practices in connection with accrediting for-profit colleges.” According to the D.C. Circuit, because the Notification of Purpose gave “no description whatsoever” of the “unlawful acts and practices” the CFPB sought to investigate, the court “need not and probably cannot accurately determine whether the inquiry is within the authority of the agency and whether the information sought is reasonably relevant.” The D.C. Circuit noted that the CFPB had argued that, even if it did not have statutory authority over the accreditation process, it had an interest in the possible connection between the lending practices of ACICS-accredited schools and the accreditation process. However, the court observed that “[e]ven if the CFPB is correct, that interest does not appear on the face of the Notification of Purpose,” and the agency had failed to adequately inform ACICS of the link between the relevant conduct and the alleged violation.
The CID had identified “sections 1031 and 1036 of the [CFPA prohibiting unfair, deceptive, or abusive acts or practices], or any other Federal consumer financial protection law” as the laws applicable to the alleged violation under investigation The D.C. Circuit determined that the this language was “similarly inadequate” because, coupled with the CID’s failure to adequately state the unlawful conduct under investigation, the statutory references “tell ACICS nothing about the statutory basis for the Bureau’s investigation.” The court noted that although the CFPA provides detailed definitions of “Federal consumer financial law” and “consumer financial product or service,” the CID “contains no mention of these definitions or how they relate to its investigation.” It also commented that the inclusion of the “uninformative catch-all phrase ‘any other Federal consumer financial protection law’ does nothing to cure the CID’s defect.” According to the court, “were we to hold that the unspecific language of this CID is sufficient to comply with the statute, we would effectively write out of the statute all of the notice requirements that Congress put in.”
Because the D.C. Circuit did not reach the broader question of the CFPB’s authority to investigate the accreditation process and “express[ed] no opinion on whether a revised CID that complies with [the CFPA CID requirements] should be enforced,” the CFPB will get another bite at the apple should it decide to reissue the CID. While the decision will likely result in more detailed Notifications of Purpose in future CFPB CIDs, because it does not substantively change the scope of the CFPB’s broad power to issue CIDs, the decision’s overall impact will likely be minimal. In addition, there continues to be a fairly low standard for what constitutes relevant information in discovery and litigation.
New Mexico recently became the 48th state to enact a data breach notification law. This continues the accelerated pace of state data breach legislative activity in the last two years. Since 2015, at least 41 states have considered legislation relating to data security incidents, and at least 16 states have enacted or amended such laws.
Among the most significant aspects of New Mexico’s brand new “Data Breach Notification Act” is its definition of “Personal Identifying Information.” The Act follows a growing state trend by including “biometric data” in its definition of “personal identifying information. In addition, “security breach” is defined as the acquisition of—but not mere access to—unencrypted computerized data or encrypted data if the encryption key is also acquired. The Act contains an exemption from the requirement to provide notice within 45 calendar days after discovery of the breach for persons subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.
For more information on the new law, see our legal alert.
Last week, the Federal Trade Commission (FTC) Bureau of Consumer Protection’s Acting Director, Thomas Pahl, posted on the FTC’s Business Blog about the FTC’s role as the federal agency with the “broadest jurisdiction” to pursue privacy and data security issues. Pahl noted that for over twenty years the FTC has used its authority, “thoughtfully and forcefully to protect consumers even as new products and services emerge and evolve.” Pahl emphasized that the FTC is “the enforcement leader in the privacy and security arena” and that the FTC will continue to “focus the national conversation on keeping consumer privacy and data security front and center as new technologies emerge.”
Pahl’s blog posting supports recent statements by FTC Acting Chairman Maureen Ohlhausen, who recently testified before Congress that, “the FTC is committed to protecting consumer privacy and promoting data security in the private sector.”
Companies should not expect the FTC to reduce its enforcement activities relating to privacy and data security issues, but companies can expect the FTC to shift away from bringing cases based on novel legal theories. Ohlhausen is committed to re-focusing the FTC’s efforts on “bread-and-butter” enforcement. Ohlhausen has spoken openly in opposition to recent enforcement actions brought under the Obama Administration that were based on speculative injury or subjective types of harm rather than concrete consumer injury.
Furthermore, companies should expect further guidance from the FTC relating to privacy and data security expectations to help reduce unnecessary regulatory burdens and provide additional transparency to businesses on how they can remain compliant and avoid engaging in unfair or deceptive acts of practices. Under Ohlhausen’s leadership, companies should be watching closely for FTC guidance laying out what they should do to protect consumer privacy and ensure proper data security, rather than just waiting to find out what they should not do from FTC enforcement actions.
On April 20, the CFPB finalized a proposed rule to delay the effective date of the final rule governing Prepaid Accounts (Prepaid Account Final Rule) by six months, from October 1, 2017 to April 1, 2018 (Effective Date Final Rule). According to the CFPB, the delay was adopted “to facilitate compliance with the Prepaid Account Final Rule, and to allow an opportunity for the Bureau to assess whether any additional adjustments to the Rule are appropriate.”
The preamble to the Effective Date Final Rule previews that the CFPB will propose rules for “at least two issues that have been identified as areas where the Prepaid Accounts Final Rule may be posing particular complexities for implementation,” and at that time, a further delay may be proposed as well. The two issues relate to: (1) the linking of credit cards to digital wallets that are capable of storing funds; and (2) error resolution and limitations on liability for unregistered prepaid accounts.
Over the past few months, the Prepaid Account Final Rule has faced attacks from industry representatives, such as the American Bankers Association, and from Congress under the Congressional Review Act – Representatives Tom Graves (R-Ga) and Roger Williams (R-Tx) introduced House Joint Resolution 62 and House Joint Resolution 73, respectively, and Senator David Perdue (R-Ga) introduced Senate Joint Resolution 19. The Senate Joint Resolution was recently brought out of Committee and to the floor for consideration by way of a discharge petition filed by Senate Banking Chairman Mike Crapo. The Prepaid Account Final Rule has also been defended by attorney generals from 17 states and the District of Columbia.
We will continue to monitor the status of the Prepaid Account Final Rule in relation to the substantive changes previewed by the CFPB and the progress of the congressional joint resolutions.
On April 20, the United States Court of Appeals for the Ninth Circuit declined to hear an interlocutory appeal by CashCall of the district court’s order granting the CFPB’s partial summary judgment motion and denying CashCall’s summary judgment motion in the CFPB’s lawsuit against CashCall. The district court previously had certified its decision for interlocutory appeal.
We previously reported that the Connecticut Attorney General, on behalf of the Attorneys General of Indiana, Kansas and Vermont, (the “state AGs”) had filed a joint motion to intervene in a CFPB enforcement action to request a Consent Order modification permitting unused settlement funds to be paid to the National Association of Attorneys General (“NAAG”). Under the proposed modification, the undistributed settlement funds would be used by NAAG for the purpose of developing the National Attorneys General Training and Research Institute Center for Consumer Protection (“NAGTRI”).
The state AGs’ motion and supporting memorandum was filed in CFPB v. Sprint Corporation, a litigation in which the Bureau alleged that Sprint had violated the Consumer Financial Protection Act by allowing unauthorized third-party charges on its customers’ telephone bills. The associated Stipulated Final Judgment and Order (“Consent Order”) authorized the implementation of a consumer redress plan pursuant to which Sprint would pay up to $50 million in refunds. The redress plan provided for the payment of refund claims on a “claims made” basis subject to a filing deadline. Any balance remaining nine months after the claim filing deadline was to be paid to the CFPB.
The Bureau, in consultation with the AGs of all fifty states and the District of Columbia, which were parties to concurrent settlement agreements with Sprint relating to similar billing practice claims, and the FCC, was then to determine whether additional consumer redress was “wholly or partially impracticable or otherwise inappropriate.” If so, the Bureau, again in consultation with the states and the FCC, was authorized to apply the remaining funds “for such other equitable relief, including consumer information remedies, as determined to be reasonably related to the allegations set forth in the Complaint.” Any funds not used for such equitable relief were to be deposited in the U.S. Treasury as disgorgement.
In a recent Memorandum and Order recounting the history of the litigation, the district court stated that “the siren song of $15.14 million in unexpended funds [had] lured some new sailors into the shoals of this litigation” because “[d]espite full restitution to Sprint customers and subsequent consultations with the Attorneys General and the FCC, the CFPB could not identify any equitable relief to which $15.14 million in unexpended settlement funds could be applied.” The court observed that, “[a]pparently, the prospect of simply complying with the Consent Order by paying the funds into the U.S. Treasury lacked sufficient imagination.”
Although the defendant initially filed a memorandum in opposition to the intervention motion, it subsequently filed a joint submission with the state AGs that adopted their proposal to redirect $14 million of the unused settlement funds from the U.S. Treasury to NAGTRI and proposed redirecting the remaining $1.14 million to a community organization that provides internet access to underprivileged high school students. (The court acknowledged that these were perhaps noble causes worthy of consideration.) The joint submission stated that the CFPB had been consulted about the proposed modification but “[took] no position” on it. The court characterized its failure to do so as remarkable, given that the Bureau was “the plaintiff in this lawsuit responsible for securing the $50 million settlement.”
The district court thus observed that it had been left “in a quandary” because:
- The proposal would “alter the Consent Order in a fundamental way by redirecting elsewhere $15.14 million earmarked for the U.S. Treasury”;
- The proposal may raise an issue under the Miscellaneous Receipts Act, which requires that government officials receiving money for the government “from any source” must deposit such money with the Treasury;
- The proposed modification “does not appear, at least at first blush, to be ‘reasonably related to the allegations set forth in the Complaint’”; and
- The defendant had concurrently entered into settlements with the Attorneys General of all 50 states and the District of Columbia and already paid them $12 million to resolve a multi-state consumer protection investigation.
The court characterized as “particularly galling” the argument that Fed. R. Civ. P. 60(a) permits the proposed modification to correct a clerical mistake. It noted that the parties had “unmistakably understood that the Consent Order related to federal claims and that any undistributed settlement funds would be paid to the U.S. Treasury.”
In view of the foregoing, the court concluded that it needed “to hear from the Government” because of “the peculiar posture of the intervention application.” Specifically, the court noted that the CFPB, as the plaintiff in the action, needed to take a position on the proposed intervenors’ motion and application to modify the Consent Order. And because the proposed modification would redirect funds earmarked for the U.S. Treasury, the court noted that the United States has a direct interest that should be considered.
Accordingly, the court directed the CFPB and the Department of Justice to respond separately to the proposed intervenors’ motion and application to modify the Consent Order. Their separate memoranda must be filed by May 10, 2017; the state AGs and the defendant may file responsive memoranda by May 24, 2017. The court stated that the responsive submission of the Bureau “should advise this Court where the unexpended funds have been deposited during the pendency of the intervenors’ application.” We will continue to monitor developments in this case.
The Conference of State Bank Supervisors issued a press release this week in which it announced the April 1 release of a new tool within the Nationwide Multistate Licensing System (NMLS) to streamline reporting by money services businesses. The new tool is called the “Money Services Businesses (MSB) Call Report.”
The press release quotes a Vermont regulator who stated that the call report information “will provide complete and meaningful information on MSBs, including fintech companies licensed to do business as money transmitters, and assist state regulators to better analyze risk, monitor compliance, and make more informed and timely decisions when it comes to MSB supervision.” The press release also indicated that the new reports “will also provide a unique, detailed snapshot of fintech companies as they mature and evolve.”
Licensees are required to file the new report within 45 days of the end of the first quarter (May 15). According to the press release, 18 states (covering 25 money transmitter, money service, check casher/seller and currency exchange licenses) have adopted the report for the first quarter of 2017 and seven more states are expected to adopt it in the near future.
The reports include national and state specific MSB activity that is submitted on a quarterly and annual basis. The MSB Call Report is the first comprehensive report to consolidate state MSB reporting requirements and provide a database of nationwide MSB transaction activity. More detailed information regarding the MSB Call Report is available on the MSBCR webpage.