The CFPB has issued a request for information that seeks comment on its supervision program.  Comments on the RFI must be received by May 21, 2018.  (Unlike the CFPB’s three prior RFIs described below which have 60-day comment periods, the new RFI has a 90-day comment period.)

The new RFI represents the fourth in a series of RFIs announced by Mick Mulvaney, President Trump’s designee as Acting Director.  In the new RFI, the CFPB seeks comment on all aspects of its supervision program but lists the following 12 topics that represent “a preliminary attempt by the Bureau to identify elements of the Bureau processes related to its Supervision Program that may be deserving of more immediate focus.”

These topics are:

  • Timing, frequency, and scope of supervisory process
  • Timing, method or process used by the CFPB to collect information and documents from a supervised entity before it begins an examination
  • Type and volume of information and documents requested in examination information requests
  • Effectiveness and accessibility of the CFPB Supervision and Examination Manual
  • Efficiency and effectiveness of onsite examination work
  • Effectiveness of Supervision’s communications when potential violations are identified, including the usefulness and content of a potential action and request for response (PARR) letter
  • Clarity, organization, and quality of communications that report the results of supervisory activities
  • Clarity of matters requiring attention (MRA) and the reasonableness of timing requirements to satisfy MRAs
  • Process for appealing supervisory findings
  • Use of third parties by supervised entities to conduct assessments specified in MRAs or assess the sufficiency of completion of an MRA
  • Usefulness of the CFPB’s Supervisory Highlights to share findings and promote transparency
  • Manner and extent to which the CFPB can and should coordinate its supervisory activity with federal and state supervisory agencies

The CFPB’s first RFI, which has a March 27, 2018 comment deadline, seeks comment on the CFPB’s processes surrounding civil investigative demands and investigational hearings.  The second RFI, which has a comment deadline of April 6, 2018, seeks comment on how the CFPB can improve its administrative adjudication processes.  The third RFI, which has a comment deadline of April 13, 2018, seeks comment on how the CFPB can improve its enforcement processes.

In its press release announcing the fourth RFI, the CFPB stated that the next RFI in the series will be issued next week and will address the CFPB’s external engagement processes.  The press release also stated that the CFPB anticipates issuing RFIs on the following topics in the coming weeks:

  • Complaint Reporting
  • Rulemaking Processes
  • Bureau Rules Not Under §1022(d) Assessment (§1022(d) requires the CFPB to conduct an assessment of  a significant rule no later than five years after the rule’s effective date.)
  • Inherited Rules (Rules for which Dodd-Frank transferred authority from another federal agency to the CFPB)
  • Guidance and Implementation Support
  • Consumer Education
  • Consumer Inquiries

In a letter to Leandra English and Mick Mulvaney, Senator Elizabeth Warren calls the freeze imposed by Mr. Mulvaney on the CFPB’s collection of personally identifiable information (PII) “unjustified.”  (Not surprisingly, Senator Warren’s letter is addressed to Ms. English as “Acting [CFPB] Director” and to Mr. Mulvaney as “Director” of OMB.)

We previously reported that, in connection with assisting clients to prepare for CFPB exams, we had learned that the freeze was impacting the flow of information to CFPB examiners.  In fact, Senator Warren cites to our blog post in her letter.  Despite her strong support for harsher action against industry for its alleged failure to adequately protect PII, Senator Warren attacks Mr. Mulvaney for his efforts to protect PII, claiming that they have “undermined the agency’s work in both the short and long term.”

Senator Warren also claims that her staff has been told that CFPB enforcement lawyers “have been banned from reviewing electronic evidence they obtain in discovery.”   According to Senator Warren, such evidence “is reportedly not being loaded onto CFPB systems, preventing the enforcement team from completing investigations and bringing cases.”

Referencing reports that the freeze was prompted by shortcomings in the CFPB’s data security systems discussed in reports of the Office of Inspector General, Senator Warren claims that Mr. Mulvaney has “inappropriately used the reports as a prextext to halt and weaken critical agency functions.”  In her view, the IG reports “demonstrate that the agency’s cybersecurity policies are robust and any problems with them are not nearly serious enough to support the action Director Mulvaney has taken.”

Senator Warren concludes her letter with a list of questions to which she asks for responses by January 18.  She also asks for her staff to be briefed about the freeze no later than January 12.


A former CFPB examiner has written U.S. Attorney General Jeff Sessions claiming that CFPB officials falsified examination reports in connection with a CFPB examination of ACE Cash Express that led to the CFPB extracting $10 million of restitution and penalties from ACE.  At the time the CFPB forced ACE to enter into this consent order, even in the absence of any allegations of fraud on the part of the CFPB, we sharply criticized the CFPB for its treatment of ACE.

The July 2014 order between the CFPB and ACE, one of the country’s largest payday lenders, was based on supposed ACE collection problems.  It required ACE to pay $5 million in restitution and another $5 million in civil monetary penalties.

We observed at the time that the CFPB had extracted this relief without providing any context to its actions or explaining how it determined the monetary sanctions.  We found it particularly troubling that, despite the infrequency of collection misconduct observed by ACE’s independent expert, best practices followed by ACE, and the limited criticism of ACE policies, procedures and practices within the four corners of the consent order, former CFPB Director Cordray added insult to injury by accusing ACE of engaging in “predatory” and “appalling” tactics, effectively ascribing occasional misconduct by some collectors to ACE corporate policy.

Now, former CFPB examiner Cassandra Jackson raises serious questions as to the integrity of the exam report giving rise to the consent order.  Ms. Jackson states that she participated in the CFPB examination and was instructed by her superiors “to change, remove, and otherwise falsify documents connected with the examination.”  According to Ms. Jackson, the requests to falsify documents were made by the Examiner in Charge (EIC) of the ACE exam and “others in Management positions.”

Ms. Jackson states that:

  • She was specifically told (1) to cite ACE for a violation despite her verification that ACE was in compliance with the law; (2) to state that ACE had failed to provide exonerating documents; and (3) to remove such documents from case file folders.
  • When she refused, the EIC changed information in her report and signed off on the final report, which was reviewed and accepted by a CFPB Field Manager.
  • The CFPB used the falsified report to garner the consent order with ACE.
  • Her refusal to falsify information resulted in her being told that she was not performing at an acceptable level and was subject to disciplinary action.

Ms. Jackson urges Attorney General Sessions to initiate an investigation of this matter.  Of course, we cannot assess the validity of Ms. Jackson’s claims.  However, we can say that an investigation is in order.


Since Mick Mulvaney’s appointment by President Trump as CFPB Acting Director, there have been widespread media reports about Mr. Mulvaney’s plans to impose a freeze on the CFPB’s collection of personally identifiable information (PII), such as individual loan level data, until the CFPB improves its data security systems.  Mr. Mulvaney’s concerns about the CFPB’s data security systems were reportedly prompted in part by reports issued by the Office of Inspector General for the CFPB that found deficiencies in the CFPB’s data security practices.

Since the CFPB has not yet issued any information regarding the freeze’s implementation, its full scope and impact remain unclear.  However, in connection with assisting clients to prepare for CFPB exams, we have learned that the freeze is having a significant impact on the flow of information to CFPB examiners.  Moreover, it appears that because CFPB examiners may not yet have clear direction regarding how they should implement the freeze, they are taking different approaches.

Prior to the freeze, companies had been submitting information requested by CFPB examiners by uploading documents to the CFPB’s Extranet.  We understand the CFPB has temporarily halted use of the Extranet, however, apparently in response to Mr. Mulvaney’s concerns, and it appears that CFPB Supervision management is grappling with how to sufficiently address Mr. Mulvaney’s concerns so that scheduled examinations can proceed.  For example, examination teams have preliminarily described different approaches for how to establish workarounds, including providing all responses printed onto paper, to be shredded at the conclusion of the exam, or providing company computers for examiners to view company responses which may include PII.  The freeze and such workarounds will likely increase the burden for companies undergoing examinations but may also reduce the scope of what examiners will be able to review.

It also remains unclear how the freeze will impact other supervisory submissions, such as supporting documents submitted in connection with responses to Potential Action and Request for Response (PARR) letters.  We are working closely with clients to assist them with issues raised by the new “freeze”-related procedures.

Past and present Democratic Representatives and Senators filed an amicus brief in support of the motion for a temporary restraining order filed by Leandra English to block Mick Mulvaney from exercising the authority of CFPB Acting Director.  The court granted the lawmakers’ motion for leave to file the brief before its denial of Ms. English’s TRO motion.

Republican Attorneys General from eight states filed a motion seeking leave to file an amicus brief in support of President Trump and Mick Mulvaney, the named defendants in Ms. English’s lawsuit.  The eight states are Texas, West Virginia, Alabama, Arkansas, Georgia, Louisiana, Oklahoma, and South Carolina.  The motion included a copy of their proposed amicus brief as an exhibit.  Following its denial of Ms. English’s TRO motion, the court entered an order denying the AGs’ motion as moot but “without prejudice to re-filing for leave to file a brief with respect to the merits or any additional motions for injunctive relief.”

In their amicus brief, the Democratic lawmakers argue that the CFPA provision that states the Deputy Director “shall serve as Acting Director in the absence or unavailability of the Director” supplants the Federal Vacancies Reform Act (FVRA) and provides the sole means for temporarily filling a vacancy in the position of CFPB Director until Senate confirmation of a new Director.  They assert that such a reading of the CFPA provision is consistent with the CFPA’s structure and legislative history.

The Republican AGs, in their proposed amicus brief, argue that the CFPA cannot override the President’s appointment authority under the FVRA without raising separation of powers concerns under Article II of the U.S. Constitution.  They assert that, to avoid such constitutional issue, the court should hold that the President has the authority under the FVRA to appoint the CFPB Acting Director.  (In his oral ruling denying Ms. English’s TRO motion, Judge Kelly suggested constitutional separation of powers concerns might arise if the President was prevented from exercising his FVRA authority.)


While an official announcement has not yet appeared on the CFPB’s website, it has been widely reported that Kristen Donoghue will be appointed the CFPB’s new Assistant Director of Enforcement, effective November 17, 2017.  She will replace Anthony Alexis.

Ms. Donoghue has served as a CFPB enforcement attorney since the CFPB’s establishment in 2011, and most recently served as the CFPB’s Principal Deputy Enforcement Director.  Her appointment is not expected to result in any significant changes to the CFPB’s enforcement approach since she is reported to have been a significant contributor to the CFPB’s current enforcement policies and priorities.

In addition, she will report to the Associate Director for Supervision, Enforcement & Lending, a position that is currently held by Christopher D’Angelo.  Mr. D’Angelo has also been at the CFPB since 2011 and served as Director Cordray’s Chief of Staff before becoming Associate Director.

Ms. Donoghue spoke last year in Chicago at the Practicing Law Institute (PLI) Annual Consumer Financial Services Institute (which I co-chaired).  She was a member of  “The CFPB Speaks” panel (which I moderated).  We expect her to speak on the same panel at the 2018 Annual Institute at one or more locations.


The Office of Inspector General (OIG) for the CFPB and Fed has issued a report that found the CFPB can improve its practices related to examination workpaper documentation.  This report follows another OIG report issued last month that found the CFPB could improve the effectiveness of its Examiner Commissioning and On-the-Job Training Programs.

The report provides the results of an evaluation conducted by the OIG to assess the CFPB’s guidance and practices, including training and quality reviews, to promote effective and consistent examination workpaper documentation.  The OIG reviewed documentation in each of the CFPB’s four regions for compliance with the CFPB’s Supervision and Examination Manual and other policies applicable to examinations.

The OIG’s findings included the following:

  • The CFPB’s approach was to grant examination employees in each region open access to examination workpaper documentation and supporting material.  That approach resulted in certain employees having access to materials with confidential supervisory information and personally identifiable information when they did not appear to have a business need to know such information, thereby creating an opportunity for insider abuse.
  • A lack of information disposal guidelines limited the CFPB’s ability to protect sensitive information and a lack of a consistent process for limiting access rights limited the effectiveness of self-reporting of potential information security incidents.
  • Documentation of supervisory review of workpapers by the Examiner in Charge and Field Manager did not fully comply with Examination Manual standards.  As a result, the CFPB could not be assured that all workpapers that support findings and conclusions had been reviewed and approved, which could affect the credibility of examination results.
  • The CFPB did not have formal training for examiners on workpaper practices.
  • The CFPB had not established an ongoing quality control review process for examination workpapers to evaluate whether workpapers met the requirements in the Examination Manual.

The report includes the OIG’s recommendations for addressing its findings and the CFPB’s responses to the recommendations.


The Office of Inspector General (OIG) for the CFPB and Fed has issued a report on the results of its evaluation of the effectiveness of the CFPB’s Examiner Commissioning Program (ECP) and On-the-Job Training (OJT) Program.  In conducting the evaluation, the OIG assessed the design, implementation, and execution of the two programs. The OIG found that the effectiveness of both programs could be improved.

The CFPB implemented the ECP in October 2014 and, according to the report, has described the ECP as “critical” for its supervision program and the professional development of its examiners.  Although the OIG found that the CFPB had taken some steps to enhance the ECP, it identified several shortcomings.  The OIG found the following:

  • Due to management’s workforce needs and advancement incentives, some examiners appeared to proceed through certain components of the ECP before being fully prepared. In addition, certain controls established by the CFPB to manage examiners’ progression through the ECP might be ineffective.
  • Some examiners did not appear to receive adequate training and developmental opportunities or exposure to certain CFPB internal processes before proceeding to certain components of the ECP.
  • The CFPB did not have a formal method to evaluate and update the ECP.
  • The CFPB did not consistently communicate ECP requirements to prospective employees, including the starting point for the 5-year requirement for completing the ECP.

The CFPB’s OJT program is intended to be a standardized program that ensures examiners are trained uniformly across all regions.  In the program, an OJT trainer is expected to work with an examiner on an examination, provide mentoring, discuss the  CFPB’s Supervision and Examination Manual, and oversee the examiner’s completion of assigned modules. The OIG found that CFPB regions had not consistently implemented the OJT program and examiners may not have understood the requirements, expectations, and purpose of the OJT.

The report makes a series of recommendations for addressing the OIG’s findings and enhancing the effectiveness of the ECP and OJT program.  In the CFPB’s response to the OIG’s draft report, which is included with the report, the CFPB states that it agrees with the OIG’s recommendations and outlines its plans for implementing the recommendations.


The CFPB has issued a new compliance bulletin (2017-11) to provide guidance on pay-by-phone fees.  The guidance includes examples of conduct relating to pay-by-phone practices identified by the CFPB in its supervision and enforcement activities that may violate or risk violating the Dodd-Frank UDAAP prohibition or the FDCPA.

The enforcement actions cited in the guidance involving alleged UDAAP violations arising from pay-by-phone practices date from 2015 and, while recent CFPB supervisory highlights have discussed potential FDCPA violations arising from “convenience fees” charged by debt collectors to process payments by phone, recent supervisory highlights have not discussed potential UDAAP violations arising from pay-by-phone practices.  As a result, the CFPB’s issuance of the guidance suggests that it intends to give pay-by-by phone practices closer scrutiny in examinations and in enforcement actions.  We have been reviewing and suggesting revisions to many clients regarding their pay-by-phone practices since the CFPB began focusing on this area in examinations.  It is important for creditors and debt collectors to be mindful that such practices may also create a risk of state law violations.

Examples provided of conduct that may violate the UDAAP prohibition include:

  • Failing to disclose the prices of all available pay-by-phone services when different options carry materially different fees.  According to the CFPB, while many companies disclose in periodic billing statements or elsewhere that a transaction fee may apply to various payment methods, they do not disclose the fee amounts and instead depend on phone representatives to do so.  The CFPB observes that phone representatives risk engaging in an unfair practice by only revealing higher-cost options or failing to inform consumers of material price differences between available options.
  • Misrepresenting the available payment options or that a fee is required to pay by phone.  The CFPB observes that some companies charge a fee for expedited phone payments but also offer no-fee phone payment options that post a payment after a processing delay.  According to the CFPB, some of such companies offer their fee-based expedited payment option as their default pay-by-phone option, with the result that consumers could be misled to believe that a fee is always required to pay by phone and cause consumers to be charged for expedited payment even if such consumers did not need to post a payment on the same day.
  • Failing to disclose that a pay-by-phone fee would be added to a payment.  According to the CFPB, a company may risk engaging in a deceptive act or practice by failing to disclose that a pay-by-phone fee will be charged in addition to a consumer’s otherwise applicable payment amount and indicating that only the otherwise applicable payment amount will be charged.  In the CFPB’s view, such conduct may create the misimpression that no pay-by-phone fee is charged.
  • Failing to adequately monitor employees or oversee service providers. The CFPB observes that although a company may have policies and procedures requiring phone representatives to disclose all available pay-by-phone options and fees, deviations from call scripts may cause phone representatives to misrepresent available options and fees.  According to the CFPB, companies can reduce the risk of misrepresentations through adequate monitoring and references its November 2016 compliance bulletin (2016-03) on production incentives.  The CFPB suggests that companies should consider the impact of incentives for employees and service providers may have on compliance risks relating to potential UDAAP violations.

Examples of conduct that may violate the FDCPA:

  • The CFPB notes the FDCPA prohibition on the collection of any amount by a debt collector unless such amount is expressly authorized by the agreement creating the debt or permitted by law.  The CFPB states that its examiners found that one or more mortgage servicers meeting the FDCPA “debt collector” definition violated the FDCPA by charging fees for taking mortgage payments by phone to borrowers whose mortgage instruments did not expressly authorize such fees and who resided in states where applicable law did not expressly permit collection of such fees.

The guidance indicates that the CFPB expects companies to review their practices on charging pay-by-phone fees for potential risks of UDAAP or FDCPA violations and provides suggestions for companies to consider in assessing whether their practices present a risk of constituting a UDAAP or FDCPA violation.  It also advises companies to consider whether production incentive programs create incentives to steer consumers to certain payment options or avoid disclosures.  According to the CFPB, such incentives could enhance the potential risk of UDAAPs if they reward employees or service providers based on consumers using a higher-cost pay-by-phone option or based on the number of daily calls completed.


The Office of the Comptroller of the Currency has issued a new bulletin (2017-21) containing fourteen frequently asked questions to supplement OCC Bulletin 2013-29 entitled “Third-Party Relationships: Risk Management Guidance.”   The 2013 bulletin provided updated guidance for managing operational, compliance, reputation, strategic, and credit risk presented by third-party business relationships of national banks and federal savings associations.

In the new bulletin, the OCC observes that many banks have recently developed relationships with financial technology (fintech) companies in which the fintech companies perform or deliver services on behalf of a bank or banks and therefore meet the 2013 bulletin’s definition of a third-party relationship.  The OCC states that, as a result, it would expect bank management to include such fintech companies in the bank’s third-party risk management process.  The FAQs include the following specifically addressed to fintech companies:

  • Is a fintech company arrangement considered a critical activity?
  • Can a bank engage with a start-up fintech company with limited financial information?
  • How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?

The FAQs also specifically address bank arrangements with marketplace lenders, in particular the question “What should a bank consider when entering into a marketplace lending arrangement with nonbank entities?”  The OCC’s guidance includes the following:

  • For compliance risk management, banks should not originate or support marketplace lenders that do not have adequate compliance management processes and should monitor the marketplace lenders to ensure that they appropriately implement applicable consumer protection laws, regulations, and guidance.
  • When banks enter into marketplace lending or servicing arrangements, because the banks’ customers may associate the marketplace lenders’ products with those of the banks, reputation risk can arise if the products underperform or harm customers.
  • Operational risk can increase quickly if the banks and the marketplace lenders do not include appropriate limits and controls in their operational processes, such as contractually agreed-to loan volume limits and proper underwriting.
  • To address the risks created by marketplace lending arrangements, a bank’s due diligence of marketplace lenders should include consulting with the bank’s appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology.
  • Contracts or other governing documents should set forth the terms of service-level agreements and contractual obligations, and significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices.

The CFPB recently announced that it has begun to examine service providers on a regular, systematic basis, particularly those supporting the mortgage industry.  Previously, the CFPB has only examined some service providers on an ad hoc basis.  The change represents a significant expansion of the CFPB’s use of its supervisory authority and will substantially increase the number and types of entities facing CFPB examinations.  On June 13, 2017, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar, “The CFPB’s Expansion of its Supervisory Program to Service Providers – What You Need to Know.”  More information and a link to register is available here.