The CFPB has released the Summer 2023 edition of Supervisory Highlights.  The report discusses the Bureau’s examinations in the areas of auto origination and servicing, consumer reporting, debt collection, deposits, mortgage origination and servicing, and payday and small dollar lending, that were completed from July 1, 2022 to March 31, 2023. 

In its introduction to the report, the CFPB references its April 2023 policy statement on abusive acts or practices and emphasizes that the report “notes supervisory findings of abusive acts or practices that supervised institutions engaged in across multiple product lines.”  These are in addition to findings that supervised institutions engaged in unfair and deceptive acts or practices.  The CFPB also notes in the introduction that the new report is the first to include findings from the CFPB’s Supervision information technology program and that such findings include violations of federal consumer financial laws that were caused in whole or in part by insufficient information technology controls.  In addition to a section titled “Information Technology,” the new report includes a section titled “Fair Lending.”

On September 14, 2023, from 1:00 p.m. to 2:00 p.m. ET, we will hold a webinar, “Abusive Acts and Practices Under the CFPA: The CFPB’s New Policy Statement.”  To register, click here.

Also noteworthy is the report’s discussion of CFPB supervision developments involving nonbanks.  In April 2022, the CFPB announced that it planned to invoke its “dormant authority” to supervise nonbanks engaged in conduct that poses risk to consumers.  The CFPB adopted a final rule in July 2013 (12 C.F.R. Part 1091) setting forth its procedures for supervising nonbanks engaged in conduct that poses risk to consumers and amended the rule in November 2022.  In the report, the CFPB states that since finalizing the amended rule, it “has entered into discussions with several entities across markets regarding the CFPB’s supervision program and its benefits, including identifying potential compliance issues before they become significant.” 

The CFPB also states in the report that it “has issued several Notices of Reasonable Cause commencing the risk-based supervision process under the rule” and that “[a]s a result of these activities, several entities have voluntarily consented to CFPB supervisory authority.”  Director Chopra, in recent comments reported by media, confirmed that CFPB supervision of several companies using its risk-based supervision authority had already begun but did not reveal the number or type of companies that have consented to supervision.  According to media reports, at least three companies—a buy now, pay later company, an earned wage access provider, and a big tech company—have consented to CFPB supervision.

In addition, the CFPB discloses that it is or will be examining “one or more” data aggregators, noting that this group includes a data aggregator or data aggregators that it considers to be larger participants in the consumer reporting marketplace.  This may be the result of the market monitoring efforts it conducted earlier this year.

Key findings by CFPB examiners are described below.

Auto origination.  Supervised institutions were found to have engaged in deceptive marketing of auto loans by using advertisements that pictured cars that were significantly, larger, more expensive, and newer than the advertised loan offers.  Examiners found that these advertisements were likely to mislead consumers because they created a “net impression” that the advertisements applied to a subset of cars to which they actually did not apply.

Auto servicing.  Examiners found:

  • Servicers engaged in unfair and abusive acts or practices in connection with retail installment contracts (RIC) for which dealers had fraudulently listed options that were not actually included on the vehicle.  Specifically, servicers were found to have collected and retained interest that borrowers paid on loans that included such options in the loan amount.  After initial processing of a RIC, servicers attempted to contact consumers to verify that listed options were in fact on the vehicle.  If consumers identified discrepancies, servicers reduced the amounts paid to the dealers for the RICs by the amount of the missing options but did not reduce the amounts owed by consumers on the RICs and continued to charge interest on the loan amounts tied to the nonexistent options.  Also, after repossession, servicers compared the options actually included with the vehicle to information provided by the dealer and where the options were not actually included, obtained refunds from dealers that were applied to the deficiency balances but did not refund to consumers the interest charged on the nonexistent options.  In addition to finding that these practices were unfair, examiners concluded they were abusive because they took unreasonable advantage of a consumer’s inability to protect their interests in the selection or use of the product by charging interest on loan balances that were improperly inflated by the nonexistent options.  Servicers were aware that some percentage of their loans had inflated balances but nevertheless collected excess interest on these amounts while seeking and obtaining refunds on the missing options.  Consumers were unable to protect their own interests because at the time of loan funding, it was impractical for them to challenge the practice because they did not know that options were missing.
  • Servicers engaged in unfair acts or practices by suspending ACH payments prior to consumers’ final payments without giving consumers sufficient notice that the last payment had to be made in a different manner.  The ACH authorizations completed by consumers contained a small print disclosure that servicers would not automatically withdraw the final payment but servicers did not provide any additional notice to consumers before the final payment was required (typically after a period of years during which the consumer made ACH payments).  Servicers’ cancellation of the final ACH payment resulted in missed payments and late fees.
  • Servicers engaged in unfair and abusive acts or practices in connection with the use of cross-collateralization clauses in vehicle financing contracts.  Examiners found that after repossession, servicers accelerated the amount due on the vehicle and on any other amounts owed by the debtor to the lender.  In addition to finding it was an unfair for servicers to have a blanket practice of cross-collateralizing loans and requiring consumers to pay other debts to redeem repossessed vehicles, examiners found this practice to be abusive because it took unreasonable advantage of a lack of understanding of consumers of the material risks, costs, or conditions of their loan agreements.  

Consumer reporting.  Examiners found:

  • The procedures of consumer reporting agencies (CRAs) relating to ensuring end users of consumer reports have a permissible purpose failed to comply with the FCRA requirement that CRAs maintain reasonable procedures to limit the furnishing of consumer reports to persons with a permissible purpose.  CRAs’ procedures created an unreasonable risk of improperly disclosing consumer reports to persons without a permissible purpose by, for example, failing to maintain an adequate process for re-assessing end users’ permissible purpose where indicia of improper use of consumer reports by an end user was present.
  • Furnishers violated the Regulation V duty to periodically review their policies and procedures concerning the accuracy and integrity of furnished information and update them as necessary to ensure their continued effectiveness.  Examiners found that auto finance furnishers failed to review and update policies and procedures after implementing substantial changes to their dispute handling processes, such as changes to the software systems used in the investigation of disputes.
  • Furnishers violated the Regulation V duty to conduct a reasonable investigation of direct disputes.  Examiners found that mortgage furnishers failed to investigate direct disputes that were received at an address provided by the furnishers to CRAs and set forth on consumer reports and instead responded to the disputes by directing consumers to re-send the disputes to certain other addresses and only investigated disputes re-sent to those addresses. 
  • Furnishers violated the Regulation V duty to provide consumers with notices regarding frivolous or irrelevant disputes.  Examiners found that third-party debt collector furnishers failed to send any notice to consumers whose direct disputes they determined to be frivolous or irrelevant and therefore did not investigate.
  • Furnishers violated the Regulation V duty, after determining a direct dispute to be frivolous or irrelevant, to include in their notices to consumers the reasons for such determination and to identify and information required to investigate the disputed information.  Examiners found that notices sent by mortgage furnishers failed to accurately convey what information was required by, for example, stating that consumers must provide their entire redacted credit report for the furnisher to investigate the dispute even though an excerpt of the relevant portion would have been sufficient.
  • Furnishers were not clearly and conspicuously specifying to consumers an address for notices at which the consumer may notify the furnisher that information is inaccurate, as the FCRA requires for a furnisher not to be subject to the FCRA prohibition regarding the furnishing of information that the furnisher knows or has reasonable cause to believe is inaccurate.  Examiners found that, the only notice or dispute address provided to consumers by third-party debt collector furnishers was an address included on the debt validation notices for purposes of disputing the validity of the debt.  The notices did not specify an address for, or otherwise specify that the debt validity dispute address could also be used for, notices relating to inaccurately furnished consumer report information.

Debt collection.  Examiners found:

  • Debt collectors violated various FDCPA prohibitions by continuing collection attempts for work-related medical debt after receiving sufficient information to render the debt uncollectible under state worker’s compensation law absent written evidence to the contrary, which the collector did not obtain from its client.  Collectors made multiple calls during which they implied the consumer owed the debt and asserted that the ambulance ride that gave rise to the debt originated from the consumer’s home despite evidence in their files that it originated form the consumer’s workplace.
  • Debt collectors engaged in a deceptive act or practice by advising consumers that if they paid the balance in full by a certain date, any interest assessed would be reversed.  The collectors then failed to credit the consumers’ accounts with the accrued interest, resulting in consumers paying more than the agreed amount.

Deposits.  Examiners found that financial institutions engaged in a unfair act or practice by assessing both an NSF fee and a line of credit transfer fee on the same denied transaction.  This occurred where the consumer’s checking account did not have sufficient funds to pay a transaction and the consumer’s overdraft line of credit also did not have sufficient funds to cover the transaction.  The institutions would assess an NSF fee on the denied checking account transaction.  If there were insufficient funds in the consumer’s checking account to pay the NSF fee and the NSF fee overdrew the checking account, the institutions would automatically transfer funds from the line of credit to the checking account and assess a line of credit transfer fee.  This practice meant that consumers enrolled in the line of credit program were charged two fees instead of the single fee that would be charged to consumers who were not enrolled, even though the transaction was returned unpaid in both cases.  A consumer could not reasonably avoid this injury as the consumer had no notice of the potential for double fees or the ability to avoid the double fees and would not reasonably expect that enrolling in a program meant to prevent overdrafts and decrease fees on denied transactions would instead increase them. 

Fair Lending.  With regard to pricing discrimination, examiners found:

  • When granting pricing exceptions, mortgage lenders violated ECOA and Regulation B by discriminating on the basis of a range of ECOA-protected characteristics, including race, national origin, sex, or age.  Examiners observed that certain lenders maintained policies and procedures that permitted pricing exceptions, including for competitive offers.  Examiners identified lenders with statistically significant disparities for the incidence of pricing exceptions at differential rates on a prohibited basis compared to similarly situated borrowers.  Examiners did not identify evidence of legitimate, nondiscriminatory reasons that explained the disparities observed in the statistical analysis.
  • Lenders’ policies and procedures were not designed to effectively mitigate ECOA and Regulation B violations or manage associated risks of harm to consumers.  Some policies permitted mortgage loan officers to request a pricing exception by submitting a request into the loan origination system without requiring that the request be substantiated by documentation.  While those requests were subject to managerial review, there were no guidelines for the bases for approval or denial of the exception request or the amount of the exception.  Other policies had limited documentation requirements—and sometimes no documentation requirements for pricing exceptions below a certain threshold. This meant that the lenders could not effectively monitor whether the pricing exception request was initiated by the consumer and/or supported by a competitive offer to the consumer.  Other policies granted some loan officers pricing exception authority up to certain thresholds without the need for competitive offer documentation or management approval.  As a result, the lenders did not flag those discretionary discounts as pricing exceptions and did not monitor them.  While some institutions had policies with more robust documentation and approval requirements, those institutions did not effectively monitor interactions between loan officers and consumers to ensure that the policies were followed and that the loan officer was not coaching certain consumers and not others regarding competitive offer exceptions.  In other instances, examiners determined that loan officers were not properly documenting the initiation source of the exception request nor were they retaining and documenting competitors’ pricing information in borrowers’ files as required by the lender’s policy.
  • Weaknesses in training programs included the failure to (1) explicitly address fair lending risks associated with pricing exceptions, including the risks of providing different levels of assistance to customers on prohibited bases in connection with a customer’s request for a price exception, or (2) cover pricing exception risk for employees who have discretionary pricing authority.  Examiners concluded that (1) management and board oversight at lenders was not sufficient to identify and address risk of harm to consumers from the lender’s pricing exception practices, (2) some lenders failed to take corrective action based on their statistical observations of disparities in pricing exceptions, and (3) some lenders failed to document whether additional investigation into observed disparities was warranted, review the causes of such disparities, or consider actions that might reduce such disparities.

With regard to discriminatory lending restrictions, examiners found:

  • For several areas of credit, including mortgage origination, auto lending, credit cards, and small business lending, lenders had risky underwriting policies and procedures relating to the treatment of applicants’ criminal records and income derived from public assistance.  A common thread found by examiners was that the discovery of criminal records prompted enhanced or second-level underwriting review.  However, policies and procedures at several institutions did not provide detail regarding how that review should be conducted, creating fair lending risk around how the reviewing official exercised discretion.  The policies and procedures varied as to how the lender identified criminal records and which violations or charges triggered further review or denial.  The CFPB cautions that without clear guidelines and well-defined standards designed to meet legitimate business needs, lenders risked violating ECOA and Regulation B by applying these underwriting restrictions in a manner that could discriminate on a prohibited basis.
  • Lenders’ underwriting policies and procedures improperly excluded public assistance income or imposed stricter standards on income derived from public assistance.  These included lenders with mortgage lending programs that provided consumers with a benefit in the form of a mortgage credit certificate but did not treat those benefits as income under their underwriting standards and lenders who maintained a policy with a six-year continuity-of-income requirement for applicants relying primarily on public assistance income that was stricter than the three-year requirements applicable to other applicants’ income.

Technology.  Examiners found that institutions engaged in unfair acts or practices by failing to implement adequate information technology security controls that could have prevented or mitigated cyberattacks.  Specifically, the institutions’ password management policies for certain online accounts were weak, the entities failed to establish adequate controls in connection with log-in attempts, and the same entities also did not adequately implement multi-factor authentication or a reasonable equivalent for consumer accounts.  The entities’ lack of adequate information technology security controls caused substantial harm to consumers when fraudsters accessed almost 8,000 consumer bank accounts and made withdrawals of at least $800,000.  Consumers were also injured because they had to devote significant time and resources to dealing with the impacts of the incident.  Although the CFPB has not issued rules outlining what it considers to be “adequate” data security practices or controls, it has repeatedly indicated its interest in enforcing data security standards, including most recently in an enforcement matter earlier this year. 

Mortgage origination.  Examiners found:

  • Institutions violated the Regulation Z prohibition on compensating mortgage loan originators in an amount that is based on the terms of a transaction.  The report states:

    “As part of their business model, institutions brokered-out certain mortgage products not offered in-house.  For example, the institutions used outside lenders for reverse mortgage originations, but had their own in-house cash-out refinance mortgage product.  Examiners determined that the institutions used a compensation plan that allowed a loan originator who originated both brokered-out and in-house loans to receive a different level of compensation for the brokered-out loans versus in-house loans.  By compensating differently for loan product types that were not offered in-house, the entities violated Regulation Z by basing compensation on the terms of a transaction.”

    It is common for a mortgage lender that typically originates loans to broker one or more loan products that it does not originate to other lenders.  An issue under the Regulation Z loan originator compensation rule is whether it is permissible to pay a loan originator one amount of compensation for an originated loan and a different level of compensation for a brokered loan.  Typically, brokered loans generate less revenue than originated loans, so paying a lower level of compensation for brokered loan makes sense from an economic perspective.  However, such a practice would appear to present an issue under the loan originator compensation rule as there is the potential that the practice could be viewed as paying different compensation based on different loan products, rather than paying different compensation based on whether a loan is originated or brokered.  That potential has now been realized in the report’s findings quoted above.

    The CFPB position could actually produce unfavorable consequences for consumers.  Before the implementation of the loan originator compensation rule, it was common for lenders to pay loan originators based on the profitability and pricing of a loan product.  This created an incentive for a loan originator to place a consumer in a loan product that had higher rates and/or fees, or to set the rates and fees for loans above the levels required by the lender.  A goal of the loan originator compensation rule was to reduce the incentive for such steering and pricing by prohibiting the compensation of a loan originator to be based on the loan product or pricing.  Typically, when a lender both originates and brokers loans, a consumer is placed in a brokered loan product when that product makes sense for the consumer.  In many cases, the consumer may qualify only for the brokered loan product.  If lenders must pay the same compensation for originated loans and brokered loans, that makes brokering loans more challenging from an economic perspective and, as a result, creates an incentive to steer consumers to originated products or to cease offering brokered products.  Thus, the CFPB position could result in consumers being placed in less than optimal loan products, or even being denied because they do not qualify for an originated product. 
  • Institutions violated the Regulation Z requirement that disclosures must reflect the terms of the legal obligation.  Examiners found that the institution’s standard adjustable-rate promissory note stated that the result of the margin plus the current index should be rounded up or down to the nearest one-eighth of one percentage point but the institutions’ loan origination system was not programmed to round.  As a result,  the fully indexed rate that the institutions calculated and disclosed was not consistent with the legal obligation as set forth in the promissory note.

Mortgage servicing.  Examiners found:

  • Servicers violated the Regulation X requirement that if a complete loss mitigation application is received more than 37 days before a scheduled foreclosure sale, the servicer must evaluate the complete application within 30 days of receipt and provide written notice to the borrower stating which loss mitigation options, if any, are available.  Examiners found that some servicers failed to evaluate complete applications within 30 days of receipt or evaluated the application within 30 days but failed to provide the required notice to borrowers within 30 days as required.
  • Servicers engaged in an unfair act or practice when they delayed processing borrower requests to enroll in loss mitigation options, including COVID-19 pandemic-related forbearance extensions, based on incomplete applications.  These delays varied in length, including delays up to six months.
  • Servicers engaged in deceptive acts or practices when they informed consumers, orally and in written notices, that they would evaluate their complete loss mitigation applications within 30 days, but then moved toward foreclosure without completing the evaluations.  Because they received the complete loss mitigation applications 37 days or less before foreclosure, the servicers were not required by Regulation X to evaluate the application within 30 days.  However, the servicers informed consumers in written and oral communications that they would evaluate their complete loss mitigation applications within 30 days, and such representations created the overall net impression that foreclosure would not occur until the servicers made decisions on the applications.
  • Servicers violated the Regulation X requirement to maintain adequate continuity of contact procedures for delinquent consumers.  Servicers did not maintain policies and procedures that were reasonably designed to ensure that personnel were made available to borrowers via telephone to provide timely live responses if borrowers were unable to reach continuity of contact personnel.  The servicers routinely failed to return phone calls from borrowers, and consumers who did speak with personnel were not given accurate information about available loss mitigation options.  Also, servicers’ systems did not allow personnel to retrieve, in a timely manner, written information that the consumer had already provided in connection with their loss mitigation applications, causing personnel to ask for information already in the servicers’ possession.
  • Servicers violated the Regulation X requirement to provide borrowers with a written acknowledgment notice within 5 days of receipt of a loss mitigation application that contains a prescribed statement regarding contacting servicers of other mortgages secured by the same property.  Servicers failed to include this prescribed statement on Spanish language acknowledgment notices but did include it on English language acknowledgment notices sent to English speaking consumers.
  • Examiners found that servicers violated Regulation X and Regulation Z by failing to provide accurate or complete loss mitigation information in various circumstances.  Specifically, servicers did not provide (1) specific reasons for denial in loss mitigation evaluation letters and instead provided vague denial reasons, such as that consumers did not meet the eligibility requirements for the program; (2) correct payment and duration information for forbearance in forbearance offer notices; and (3) information in periodic statements about loss mitigation programs, such as forbearance, to which consumers had agreed.
  • Servicers violated the Regulation X requirement that during the 60-day period beginning on the effective date of a transfer of servicing, servicers not treat payments sent to the transferor servicer as late if the transferor servicer receives them on or before the due date.  Servicers treated payments received by the transferor servicer during the 60-day period, but not transmitted by the transferor to the transferee until after the 60-day period, as late.
  • Servicers violated the Regulation X requirement to maintain policies and procedures reasonably designed to achieve the objective of facilitating transfer of information during servicing transfers.  For example, transferee servicers’ policies and procedures were not reasonably designed because they failed to obtain copies of the security instruments, or any documents reestablishing the security instrument, to establish the lien securing the mortgage loans after servicing transfers.

Payday and small dollar lending.  Examiners found:

  • Lenders engaged in abusive and deceptive acts or practices in connection with short-term, small-dollar loans, by including language in loan agreements purporting to prohibit consumers from revoking their consent for the lender to call, text, or e-mail the consumers.  This language implied that consumers could not take action to limit unreasonable collections communications (which communications could be a UDAAP).  This implication made the practice of including such language abusive because it took unreasonable advantage of consumers’ inability to protect their interests in selecting or using a consumer financial product or service by limiting such collection communications.  The practice was also deceptive because it misled or was likely to mislead consumers as to whether or not they could protect themselves by limiting unreasonable communications by phone, text, or email, and whether the lenders had an obligation to honor such requests.  In addition, contrary to the language of the loan agreements, the lenders’ procedures did in fact require the lenders’ representatives to allow consumers to revoke consent to communications.
  • Lenders engaged in deceptive acts or practices by making false collection threats related to litigation, garnishment, and late fees.  The lenders sent letters to delinquent payday loan borrowers in certain states stating that they “may pursue any legal remedies available to us” unless the consumer contacted the lender to discuss the delinquency.  The representations misled or were likely to mislead borrowers into reasonably believing that the lenders might take legal action to collect the debt if the consumer did not make timely payment when the lenders, in fact, never pursued  legal action to collect on payday loans in those states.
  • Lenders engaged in deceptive acts or practices by making false threats related to garnishment in collections communications.  Lenders used the term “garnishment” in communications when referring to voluntary wage deduction process.  These representations misled or were likely to mislead consumers by giving the false impression they would be subject to an involuntary legal garnishment process if they did not make payment when, in fact, consumers could revoke consent to the voluntary wage deduction process at will under the terms of the loan agreement and prevent deductions from occurring.
  • Lenders engaged in deceptive acts or practices by including in periodic statements the statement “if we do not receive your minimum payment by the date listed above, you may have to pay a $25 late fee.”   In fact, the lenders did not assess late fees in connection with the product.
  • Lenders engaged in unfair acts or practices with respect to consumers who signed voluntary wage deduction agreements by sending demand notices to consumers’ employers that incorrectly conveyed that the employer was required to remit the full amount of the consumer’s loan balance to the lenders from the consumer’s wages.  In fact, the consumer had agreed to permit the lenders to seek a wage deduction only in the amount of the scheduled payment due.  The lenders collected wages from the consumers’ employers in amounts exceeding the payment authorized by the consumer.
  • Lenders engaged in deceptive acts or practices by misrepresenting to borrowers the impact that payment or nonpayment of debts in collection might have on the sale of their debt to a debt buyer and the subsequent impact on the borrower’s credit report.  The lenders’ agents asserted or implied that making a payment would prevent referral to a third-party debt buyer and a negative credit impact.  However, the agents had no basis to predict the consumer’s credit situation or a potential debt buyer’s furnishing practices, the lender’s contracts with debt buyers prohibited furnishing to a CRA, and the debt was not in fact sold.
  • Lenders created a risk of harm to borrowers protected by the Military Lending Act (MLA) by, before engaging in loan transactions and contrary to their policies, failing to confirm that borrowers were not covered borrowers under the MLA.
  • Lenders violated the Regulation Z  requirement to retain for two years evidence that they delivered closed-end loan disclosures in writing before consummation of the transaction in a form that consumers may keep.  Specifically, loan files did not include evidence of when or how lenders provided disclosures to borrowers and lenders could not produce evidence that, for electronically signed contracts, disclosures were provided to consumers before loan consummation in a form they could keep.

Remittances.  Examiners found that some remittance transfer providers had not complied with the Remittance Rule requirement to develop and maintain written policies and procedures designed to ensure compliance with the error resolution requirements applicable to remittance transfers.  For example, some institutions used their anti-money laundering compliance policy in lieu of a specific policy tailored to the Remittance Rule requirements.  Other institutions had policies and manuals to cover Remittance Rule compliance but did not develop procedures that would put these policies into effect.  Specifically, the manuals recited Remittance Rule requirements but did not provide adequate guidance to employees to resolve error notices in a consistent and compliant manner.