The Office of Inspector General (OIG) for the CFPB and Fed has issued a report that found the CFPB can improve its practices related to examination workpaper documentation.  This report follows another OIG report issued last month that found the CFPB could improve the effectiveness of its Examiner Commissioning and On-the-Job Training Programs.

The report provides the results of an evaluation conducted by the OIG to assess the CFPB’s guidance and practices, including training and quality reviews, to promote effective and consistent examination workpaper documentation.  The OIG reviewed documentation in each of the CFPB’s four regions for compliance with the CFPB’s Supervision and Examination Manual and other policies applicable to examinations.

The OIG’s findings included the following:

  • The CFPB’s approach was to grant examination employees in each region open access to examination workpaper documentation and supporting material.  That approach resulted in certain employees having access to materials with confidential supervisory information and personally identifiable information when they did not appear to have a business need to know such information, thereby creating an opportunity for insider abuse.
  • A lack of information disposal guidelines limited the CFPB’s ability to protect sensitive information and a lack of a consistent process for limiting access rights limited the effectiveness of self-reporting of potential information security incidents.
  • Documentation of supervisory review of workpapers by the Examiner in Charge and Field Manager did not fully comply with Examination Manual standards.  As a result, the CFPB could not be assured that all workpapers that support findings and conclusions had been reviewed and approved, which could affect the credibility of examination results.
  • The CFPB did not have formal training for examiners on workpaper practices.
  • The CFPB had not established an ongoing quality control review process for examination workpapers to evaluate whether workpapers met the requirements in the Examination Manual.

The report includes the OIG’s recommendations for addressing its findings and the CFPB’s responses to the recommendations.


The Office of Inspector General (OIG) for the CFPB and Fed has issued a report on the results of its evaluation of the effectiveness of the CFPB’s Examiner Commissioning Program (ECP) and On-the-Job Training (OJT) Program.  In conducting the evaluation, the OIG assessed the design, implementation, and execution of the two programs. The OIG found that the effectiveness of both programs could be improved.

The CFPB implemented the ECP in October 2014 and, according to the report, has described the ECP as “critical” for its supervision program and the professional development of its examiners.  Although the OIG found that the CFPB had taken some steps to enhance the ECP, it identified several shortcomings.  The OIG found the following:

  • Due to management’s workforce needs and advancement incentives, some examiners appeared to proceed through certain components of the ECP before being fully prepared. In addition, certain controls established by the CFPB to manage examiners’ progression through the ECP might be ineffective.
  • Some examiners did not appear to receive adequate training and developmental opportunities or exposure to certain CFPB internal processes before proceeding to certain components of the ECP.
  • The CFPB did not have a formal method to evaluate and update the ECP.
  • The CFPB did not consistently communicate ECP requirements to prospective employees, including the starting point for the 5-year requirement for completing the ECP.

The CFPB’s OJT program is intended to be a standardized program that ensures examiners are trained uniformly across all regions.  In the program, an OJT trainer is expected to work with an examiner on an examination, provide mentoring, discuss the  CFPB’s Supervision and Examination Manual, and oversee the examiner’s completion of assigned modules. The OIG found that CFPB regions had not consistently implemented the OJT program and examiners may not have understood the requirements, expectations, and purpose of the OJT.

The report makes a series of recommendations for addressing the OIG’s findings and enhancing the effectiveness of the ECP and OJT program.  In the CFPB’s response to the OIG’s draft report, which is included with the report, the CFPB states that it agrees with the OIG’s recommendations and outlines its plans for implementing the recommendations.


The CFPB has issued a new compliance bulletin (2017-11) to provide guidance on pay-by-phone fees.  The guidance includes examples of conduct relating to pay-by-phone practices identified by the CFPB in its supervision and enforcement activities that may violate or risk violating the Dodd-Frank UDAAP prohibition or the FDCPA.

The enforcement actions cited in the guidance involving alleged UDAAP violations arising from pay-by-phone practices date from 2015 and, while recent CFPB supervisory highlights have discussed potential FDCPA violations arising from “convenience fees” charged by debt collectors to process payments by phone, recent supervisory highlights have not discussed potential UDAAP violations arising from pay-by-phone practices.  As a result, the CFPB’s issuance of the guidance suggests that it intends to give pay-by-by phone practices closer scrutiny in examinations and in enforcement actions.  We have been reviewing and suggesting revisions to many clients regarding their pay-by-phone practices since the CFPB began focusing on this area in examinations.  It is important for creditors and debt collectors to be mindful that such practices may also create a risk of state law violations.

Examples provided of conduct that may violate the UDAAP prohibition include:

  • Failing to disclose the prices of all available pay-by-phone services when different options carry materially different fees.  According to the CFPB, while many companies disclose in periodic billing statements or elsewhere that a transaction fee may apply to various payment methods, they do not disclose the fee amounts and instead depend on phone representatives to do so.  The CFPB observes that phone representatives risk engaging in an unfair practice by only revealing higher-cost options or failing to inform consumers of material price differences between available options.
  • Misrepresenting the available payment options or that a fee is required to pay by phone.  The CFPB observes that some companies charge a fee for expedited phone payments but also offer no-fee phone payment options that post a payment after a processing delay.  According to the CFPB, some of such companies offer their fee-based expedited payment option as their default pay-by-phone option, with the result that consumers could be misled to believe that a fee is always required to pay by phone and cause consumers to be charged for expedited payment even if such consumers did not need to post a payment on the same day.
  • Failing to disclose that a pay-by-phone fee would be added to a payment.  According to the CFPB, a company may risk engaging in a deceptive act or practice by failing to disclose that a pay-by-phone fee will be charged in addition to a consumer’s otherwise applicable payment amount and indicating that only the otherwise applicable payment amount will be charged.  In the CFPB’s view, such conduct may create the misimpression that no pay-by-phone fee is charged.
  • Failing to adequately monitor employees or oversee service providers. The CFPB observes that although a company may have policies and procedures requiring phone representatives to disclose all available pay-by-phone options and fees, deviations from call scripts may cause phone representatives to misrepresent available options and fees.  According to the CFPB, companies can reduce the risk of misrepresentations through adequate monitoring and references its November 2016 compliance bulletin (2016-03) on production incentives.  The CFPB suggests that companies should consider the impact of incentives for employees and service providers may have on compliance risks relating to potential UDAAP violations.

Examples of conduct that may violate the FDCPA:

  • The CFPB notes the FDCPA prohibition on the collection of any amount by a debt collector unless such amount is expressly authorized by the agreement creating the debt or permitted by law.  The CFPB states that its examiners found that one or more mortgage servicers meeting the FDCPA “debt collector” definition violated the FDCPA by charging fees for taking mortgage payments by phone to borrowers whose mortgage instruments did not expressly authorize such fees and who resided in states where applicable law did not expressly permit collection of such fees.

The guidance indicates that the CFPB expects companies to review their practices on charging pay-by-phone fees for potential risks of UDAAP or FDCPA violations and provides suggestions for companies to consider in assessing whether their practices present a risk of constituting a UDAAP or FDCPA violation.  It also advises companies to consider whether production incentive programs create incentives to steer consumers to certain payment options or avoid disclosures.  According to the CFPB, such incentives could enhance the potential risk of UDAAPs if they reward employees or service providers based on consumers using a higher-cost pay-by-phone option or based on the number of daily calls completed.


The Office of the Comptroller of the Currency has issued a new bulletin (2017-21) containing fourteen frequently asked questions to supplement OCC Bulletin 2013-29 entitled “Third-Party Relationships: Risk Management Guidance.”   The 2013 bulletin provided updated guidance for managing operational, compliance, reputation, strategic, and credit risk presented by third-party business relationships of national banks and federal savings associations.

In the new bulletin, the OCC observes that many banks have recently developed relationships with financial technology (fintech) companies in which the fintech companies perform or deliver services on behalf of a bank or banks and therefore meet the 2013 bulletin’s definition of a third-party relationship.  The OCC states that, as a result, it would expect bank management to include such fintech companies in the bank’s third-party risk management process.  The FAQs include the following specifically addressed to fintech companies:

  • Is a fintech company arrangement considered a critical activity?
  • Can a bank engage with a start-up fintech company with limited financial information?
  • How can a bank offer products or services to underbanked or underserved segments of the population through a third-party relationship with a fintech company?

The FAQs also specifically address bank arrangements with marketplace lenders, in particular the question “What should a bank consider when entering into a marketplace lending arrangement with nonbank entities?”  The OCC’s guidance includes the following:

  • For compliance risk management, banks should not originate or support marketplace lenders that do not have adequate compliance management processes and should monitor the marketplace lenders to ensure that they appropriately implement applicable consumer protection laws, regulations, and guidance.
  • When banks enter into marketplace lending or servicing arrangements, because the banks’ customers may associate the marketplace lenders’ products with those of the banks, reputation risk can arise if the products underperform or harm customers.
  • Operational risk can increase quickly if the banks and the marketplace lenders do not include appropriate limits and controls in their operational processes, such as contractually agreed-to loan volume limits and proper underwriting.
  • To address the risks created by marketplace lending arrangements, a bank’s due diligence of marketplace lenders should include consulting with the bank’s appropriate business units, such as credit, compliance, finance, audit, operations, accounting, legal, and information technology.
  • Contracts or other governing documents should set forth the terms of service-level agreements and contractual obligations, and significant contractual changes should prompt reevaluation of bank policies, processes, and risk management practices.

The CFPB recently announced that it has begun to examine service providers on a regular, systematic basis, particularly those supporting the mortgage industry.  Previously, the CFPB has only examined some service providers on an ad hoc basis.  The change represents a significant expansion of the CFPB’s use of its supervisory authority and will substantially increase the number and types of entities facing CFPB examinations.  On June 13, 2017, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar, “The CFPB’s Expansion of its Supervisory Program to Service Providers – What You Need to Know.”  More information and a link to register is available here.




At the Auto Finance Risk and Compliance Summit held this week, Calvin Hagins, CFPB Deputy Assistant Director for Originations, stated that the CFPB is increasingly asking lenders about ancillary product programs during examinations, particularly about the percentage of consumers buying these products.

In June 2015, when the CFPB released its larger participant rule for nonbank auto finance companies, it also issued auto finance examination procedures in which ancillary products, like GAP insurance and extended service contracts, received heavy attention.  We commented that by giving so much attention to these products, the CFPB was signaling its intention to give lots of scrutiny to these products in the auto finance market.  Mr. Hagins’s comments confirm that the CFPB is in fact looking closely at these products in exams.

Speaking at the Summit as a member of a regulatory panel, Mr. Hagins indicated that companies should expect to get questions from CFPB examiners about ancillary products.  He indicated that the CFPB specifically looks at how the product is offered to the consumer, when in the contracting process is it offered, how disclosures are being provided to the consumer, and the acceptance rate.  As an example, he indicated that a 95% acceptance rate would cause CFPB examiners to raise questions about how the rate was achieved.

At the Summit, Colin Hector, an FTC attorney, indicated that the FTC is also interested in ancillary products, particularly whether there is a potential for consumer deception in how they are sold.  He commented that, in its enforcement work, the FTC has focused on ancillary product sales that occur at the end of the sales process when consumers may be led to believe they must purchase the products to obtain financing and the seller has increased leverage because the consumer is more invested in completing the transaction.


At the program held on April 7 entitled “The State of Consumer Protection Initiatives” at the American Bar Association Business Law Section Consumer Financial Services Committee 2017 Spring Meeting, Peggy Twohig, the CFPB’s Assistant Director for Supervision Policy, announced that the CFPB has begun to examine service providers on a regular, systematic basis, particularly those supporting the mortgage industry.  Since its inception, the CFPB has had the authority to supervise service providers.  However, in the past, the CFPB has only examined some service providers on an ad hoc basis.  The change represents a significant expansion of the CFPB’s use of its supervisory authority and will substantially increase the number and types of entities facing CFPB examinations.  We will conduct a webinar on this important subject on June 13, 2017.  Click here to register.

A “service provider” is generally defined in Section 1002(26)(A) of Dodd-Frank as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that:

(i)   Participates in designing, operating, or maintaining the consumer financial product or service; or
(ii)  Processes transactions relating to the consumer financial product or service….”

Sections 1024(e) and 1025(d) of Dodd-Frank authorize the CFPB to supervise a service provider to a bank or non-bank already supervised by the CFPB – namely, depository institutions with more than $10 billion in assets and the following types of non-banks:

  1. Mortgage originators, brokers or servicers;
  2. Payday lenders;
  3. Private student lenders; and
  4. A “larger participant of a market for other consumer financial products or services” as defined by a CFPB rule. The CFPB so far has issued rules covering larger participants in the following industries:  auto finance, debt collection, student loan servicing, consumer reporting, and international money transfers.  (At an earlier program held at the ABA meeting, Ms. Twohig stated that CFPB’s next larger participant rule will deal with consumer installment lending and auto title loans.)

Not only is this expansion of the CFPB’s supervision program important to service providers, it is important for banks and non-banks already supervised by the CFPB because the CFPB’s position is that they can be vicariously liable for violations of law committed by their service providers.

Earlier today, at the Practicing Law Institute’s (“PLI”) 22nd Annual Consumer Financial Services Institute in New York City, Alan Kaplinsky (who is co-chairing the event) moderated a panel entitled “The CFPB Speaks,” that featured three senior CFPB lawyers: Anthony (“Tony”) Alexis (Assistant Director for Enforcement), Diane Thompson (Deputy Assistant Director, Office of Regulations), and Peggy Twohig (Assistant Director for Supervision Policy).  Ballard Spahr attorney James Kim, a former senior CFPB enforcement lawyer who now represents industry, was also a panel member.

In response to questions posed by Alan and audience members, the CFPB lawyers discussed regulatory, supervisory and enforcement developments and upcoming initiatives.  Particularly noteworthy comments were:

  • Ms. Twohig stressed the importance of an entity’s response to a PARR letter – a notice of Potential Action and Request for Response – in the supervisory process.  She commented that there have been instances where the CFPB has decided not to cite a company for a violation based on its response to a PARR letter.
  • Mr. Alexis and Ms. Twohig discussed the CFPB’s process for deciding whether the CFPB will use a supervisory or an enforcement action to address violations found in an examination.  Ms. Twohig indicated that the decision whether to refer a matter to enforcement is made by an Action Review Committee (ARC), which considers various factors such as the severity of the violation, the entity’s cooperation with the CFPB, and policy factors that include the need for the CFPB to send a public message of deterrence.  Mr. Alexis indicated that if a matter is referred to enforcement, the Enforcement Division will consider similar factors as well as input from witnesses obtained through CIDs.  Enforcement will then decide whether to proceed with an enforcement action, return the matter for supervisory resolution (which Mr. Alexis called a “reverse ARC” process), or drop the case.  Mr. Alexis acknowledged that a supervisory resolution through an MOU or similar agreement is the only vehicle available to the CFPB to enter into a non-public settlement.  Accordingly, if a company is not subject to CFPB supervision, a settlement can only be entered into through a public consent order.
  • Mr. Alexis indicated that the constitutional challenge to the CFPB’s use of an administrative judge in the PHH case has not caused the CFPB to direct more enforcement matters to lawsuits filed in federal district court rather than administrative proceedings.  He noted that the CFPB’s decision of which forum to use is frequently driven by the facts involved in a matter, with a district court lawsuit more likely to be filed when the CFPB is in need of more discovery to support its case.  He also indicated that the panel’s rejection in PHH of the CFPB’s position that it is not bound by statutes of limitation in administrative enforcement actions has not changed the CFPB’s approach to enforcement matters.
  • Mr. Alexis indicated that he saw no need to advocate for the CFPB’s adoption of a matrix for assessing civil money penalties similar to those used by the prudential regulators because the factors are laid out in Dodd-Frank.
  • Ms. Thompson declined to estimate when the CFPB is likely to issue a final arbitration rule or a final payday/small dollar loan rule, stating that it was “too speculative” for her to do so and that the CFPB was continuing to consider the unprecedented number of comments received on both rules.  She also indicated that the CFPB was in the early stages of developing a proposed rule to implement Dodd-Frank Section 1071.  (Section 1071 amended the ECOA to require financial institutions to collect and maintain certain data in connection with credit applications made by women- or minority-owned businesses and small businesses.  Such data include the race, sex, and ethnicity of the principal owners of the business.)  According to Ms. Thompson, the CFPB is attempting to address the absence of good sources of data on small business lending.
  • Ms. Twohig indicated that the CFPB’s next larger participant rule will deal with consumer installment lending and auto title loans and that the CFPB is continuing to consider creating a registration system for non-bank lenders to assist the CFPB in identifying market participants.  She also indicated that to address the widespread use of compliance technology solutions by entities it supervises, the CFPB has stood up the National Information Systems Supervision Program (NISSP).  Through the NISSP, the CFPB uses specialized managers to inform and focus supervisory reviews of entities’ compliance-related information systems, some of which are designed in-house but many of which rely upon third parties to develop and maintain.
  • Ms. Twohig defended the CFPB’s proposed rule that would amend the CFPB’s information disclosure rules to allow it to share confidential supervisory information with any federal or state agency (including state attorneys general) regardless of whether the agency has jurisdiction over the company whose CSI is shared as long as the CSI is “relevant” to the agency’s authority.
  • Mr. Alexis stated that the CFPB’s decision to assert that the non-bank, and not the tribal-affiliated lender, was the “true lender” in the pending CashCall case was fact specific and dependent on how that case unfolded.  Mr. Alexis said that the CFPB would consider using the “true lender” theory and the predominant economic interest test in other cases if it is appropriate.  Mr. Kim remarked that the CFPB’s application of the “true lender” theory requires states to cooperate by alleging that the non-banks, who service or collect on the loans, are violating state usury and licensing laws.



The CFPB has issued a new compliance bulletin (2016-03) on incentive programs.  The issuance of the bulletin reflects the CFPB’s increased focus on such programs.

To assist clients in preparing for greater regulatory scrutiny, Ballard Spahr attorneys will conduct a webinar on December 14, 2016, from 12 p.m. to 1 p.m. ET: “Controlling Employee Conduct: Designing Compensation Incentives and Monitoring Systems to Promote Compliance and Prevent Misconduct.”  More information about the webinar and a link to register is available here.

In the bulletin, the CFPB acknowledges that incentives for employees and service providers to meet sales and other business goals are common and can benefit companies and consumers.  However, drawing on “guidance the CFPB has already given in other contexts” and “examples from the CFPB’s supervisory and enforcement experience in which incentives contributed to substantial consumer harm,” the bulletin highlights the consumer risks that incentive programs can create.  The bulletin provides examples of problems that can arise from sales goals, sales benchmarks, compensation tied to the terms and conditions of transactions, paying more compensation for some types of transactions than for others that were or could have been offered to meet consumer needs, and unrealistic quotas to sign up consumers for financial services.

The CFPB discusses the enhanced risks created by incentive programs in CFPB enforcement matters, such as cases involving credit card add-on products and overdraft opt-in practices.  In the section of the bulletin entitled “The CFPB’s Expectations,” the CFPB details steps a supervised entity should take to ensure that its compliance management system is effective in preventing incentive programs from leading to legal violations.  Such steps involve board of directors and management oversight, policies and procedures, training, monitoring, corrective action, consumer complaint management, and independent compliance audits.

The Federal Financial Institutions Examination Council (FFIEC), whose members include the CFPB, has finalized guidance setting forth a revised uniform interagency consumer compliance rating system (CCRS).  The revisions reflect changes in consumer compliance supervision since the current rating system was adopted in 1980.  The other FFIEC members are the Fed, FDIC, NCUA, OCC, and State Liaison Committee.  The FFIEC members plan to implement the revised rating system for consumer compliance examinations that begin on or after March 31, 2017.

The guidance states that as a FFIEC member, the CFPB will use the CCRS “to assign a compliance rating, as appropriate, for institutions with total assets of more than $10 billion, as well as for nonbanks for which it has jurisdiction regarding enforcement of Federal consumer financial laws as defined under the Dodd-Frank Act.”  (While the guidance refers to the CFPB’s “jurisdiction regarding enforcement,” it seems a more accurate reference would have been to the CFPB’s authority to supervise such entities for compliance with Federal consumer financial laws.)

The guidance also states that the prudential regulators will take into consideration any material supervisory information provided by the CFPB as it relates to covered supervisory activities or covered exams and that the CFPB will similarly take into consideration any material supervisory information provided by prudential regulators in appropriate supervisory situations.  It notes further that an institution with total assets of more than $10 billion can receive a consumer compliance rating from both its primary prudential regulator and the CFPB which is based on each agency’s review of the institution’s CMS and compliance with federal consumer protection laws falling under each agency’s jurisdiction.

In the Supplementary Information accompanying the final guidance, the FFIEC observes that when the current system was adopted, examinations focused more on transaction testing for regulatory compliance than on an institution’s compliance management system (CMS) to ensure compliance with regulatory requirements and prevent consumer harm.  The FFIEC states that the revised system is “designed to better reflect current consumer compliance supervisory approaches and to more fully align the [CCRS] with the Agencies’ current risk-based, tailored examination approaches” and  were “not developed with the intention of setting new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden.”

The CCRS includes three categories of assessment factors: board and management oversight, compliance program, and violations of law and consumer harm.  The assessment factors in the three categories consist of the following:

  • To assess an institution’s board and management oversight, examiners will consider: oversight and commitment to the institution’s CMS; effectiveness of the institution’s change management process; comprehension, identification and management of risks arising from the institution’s products, services, and activities; and any corrective action undertaken as consumer compliance issues are identified.
  • To assess an institution’s compliance program, examiners will consider: whether the institution’s policies and procedures are appropriate to the risk in the institution’s products, services, and activities; the degree to which compliance training is current and tailored to risk and staff responsibilities; the sufficiency of monitoring, and if applicable, auditing, to encompass compliance risks; and the responsiveness and effectiveness of the consumer complaint resolution process.
  • To assess an institution’s violations of law and consumer harm, examiners will consider: the root causes of any violations identified during examinations; the severity of any consumer harm resulting from the violations; the duration of time over which the violations occurred; and the pervasiveness of the violations.  The CCRS includes incentives for self-identification and prompt correction of violations.

The revised rating system uses a scale of 1 through 5, with 1 representing the highest rating and lowest degree of supervisory concern and 5 representing the lowest rating and most critically deficient level of performance and thus the highest degree of supervisory concern.  An institution’s overall rating under the CCRS is intended to reflect a comprehensive evaluation of the institution’s performance under the rating system by considering the categories and assessment factors in the context of the institution’s size, complexity, and risk profile.

The CCRS does not assign specific numeric ratings to any of the above assessment factors and an institution’s rating is not be based on a numeric average or any other quantitative calculation.  As a result, an institution does not have to receive a satisfactory rating in all categories to receive an overall satisfactory rating.  Conversely, even if some assessments are rated as satisfactory, an institution can still receive an overall less than satisfactory rating.

In its Fall 2016 Supervisory Highlights, which covers supervision work generally completed between May and August 2016, the CFPB highlights violations found by its examiners involving origination and servicing of auto financing, debt collection, mortgage origination and servicing, student loan servicing, and fair lending.

On December 2, 2016, from 12 p.m. to 1 p.m ET, Ballard Spahr attorneys will hold a webinar, “The CFPB’s Fall 2016 Supervisory Highlights: Looking Beyond the Headlines.”  A link to register is available here.

The report states that recent non-public supervisory actions have resulted in restitution of approximately $11.3 million to more than 225,000 consumers.  The report also indicates that the CFPB’s supervisory activities “have either led to or supported” two recent public enforcement action described in the report that resulted in over $28 million in consumer remediation and $8 million in civil money penalties.

The CFPB’s “supervisory observations” include the following:

  • Servicing of auto financing.  CFPB examiners concluded that it was an unfair practice to detain or refuse to return personal property found in a repossessed vehicle until the consumer paid a fee or where the consumer requested return of the property, regardless of what the consumer agreed to in the contract.  Even when the consumer agreements and state law provided support for lawfully charging the fee, examiners concluded there were no circumstances in which it was lawful to refuse to return property until after the fee was paid, instead of simply adding the fee to the borrower’s balance as companies do with other repossession fees.  Examiners also found that in some instances, one or more companies were engaging in the unfair practice of charging a borrower for storing personal property found in a repossessed vehicle when the consumer agreement disclosed that the property would be stored, but not that the borrower would need to pay for the storage.  The report indicates that in upcoming exams, CFPB examiners “will be looking closely at how companies engage in repossession activities, including whether property is being improperly withheld from consumers, what fees are charged, how they are charged, and the context of how consumers are being treated to determine whether the practices were lawful.”
  •  Debt collection.
    • Fees. CFPB examiners determined that a “convenience fee” charged by one or more debt collectors to process payments by phone and online violated the FDCPA where the consumer’s contract did not expressly permit convenience fees and applicable state law was silent on whether such fees are permissible.  CFPB examiners also found that debt collectors had made false representations in violation of the FDCPA by demanding unlawful fees, stated that the fees were “nonnegotiable,” or withholding  information from consumers about other methods to make payments that would not incur the fee after the consumer requested such information.  CFPB examiners also found that one or more debt collectors violated the FDCPA by charging collection fees in states where collection fees were prohibited or in states that capped collection fees at a threshold lower than the fees that were charged.  The report notes that examiners “also observed a [compliance management system (CMS)] weakness at one or more collectors that had not maintained any records showing the relationship between the amount of the collection fee and the cost of collection.”
    • Collection calls; third party communications. CFPB examiners determined that collection calls made by one or more debt collectors involved false representations or deception in violation of the FDCPA where collectors (1)  purported to assess consumers’ creditworthiness, credit scores, or credit reports when collectors could not assess overall borrower creditworthiness, represented that an immediate payment was necessary to prevent a negative impact on a consumer’s credit, (3) impersonated consumers while using a creditor’s consumer-facing automated telephone system to obtain information about a consumer’s debt, or (4) told consumers that the ability to settle an account was revoked or would expire.  At one or more debt collectors, examiners also identified several instances where collectors violated the FDCPA by disclosing the consumer’s debt to a third party (which the CFPB stated was often the result of inadequate identity verification during telephone calls) or by an employee’s disclosure of the debt collection company’s name to a third party without first being asked for that information by the third party.
    • FCRA. CFPB examiners determined that “one or more entities” failed to provide adequate guidance and training to staff regarding differentiating FCRA disputes from general customer inquiries, complaints, or FDCPA debt validation requests.  One or more of such entities were directed to develop and implement “reasonable policies and procedures to ensure that direct and indirect disputes are appropriately logged, categorized, and resolved” and/or “a training program appropriately tailored to employees responsible for logging, categorizing, and handling FCRA direct and indirect disputes.”  Examiners also determined that one or more debt collectors violated the FCRA by not investigating indirect disputes that lacked detail or not accompanied by attachments with relevant information from the consumer or, for disputes categorized as frivolous, sending notices that did not indicate what the consumer needed to provide in order for the collector to complete the investigation.
    • Regulation E. Examiners found that one or more debt collectors violated Regulation E by failing to provide consumers with a copy of the terms of an authorization for preauthorized electronic fund transfers.  Some of these debt collectors had instead sent consumers a payment confirmation notice before each electronic fund transfer.  The CFPB stated that such notices did not satisfy the Regulation E requirement to provide a copy of the terms of the authorization because the notices did not describe the recurring nature of the preauthorized transfers from the consumer’s account, such as by describing the timing and amount of the recurring transfers.
  • Mortgage origination. CFPB examiners found that one or more entities offering mortgage loan programs that accepted alternative income documentation for salaried consumers as part of their underwriting requirements had violated Regulation Z ability to repay (ATR) requirements. Such entities indicated that they relied primarily on the consumer’s assets when making an ATR determination, but also established a maximum monthly debt to income (DTI) ratio in their underwriting policies and procedures.  CFPB examiners “found that the income disclosed on the application to calculate the consumer’s monthly DTI ratio was not verified, but instead was tested for reasonableness using an internet-based tool that aggregates employer data and estimates income based upon each consumer’s residence zip code address, job title, and years in their current occupation.”  CFPB examiners also found that one or more federally-regulated depository institutions were using employees of a staffing agency to originate loans who were improperly registered in the National Multistate Licensing System and Registry as employees of the depository institutions.
  • Student loan servicing. In addition to finding that one or more servicers were engaging in an unfair practice in violation of the Dodd-Frank Act UDAAP prohibition by denying, or failing to approve, applications for income-driven repayment (IDR) plans that should have been approved on a regular basis, CFPB examiners cited servicers for the unfair practice of failing to provide an effective choice on how payments should be allocated among multiple loans.  Such servicers had failed to provide an effective choice through such practices as not giving borrowers the ability to allocate payments to individual loans in certain circumstances, not effectively disclosing that borrowers had the ability to provide payment instructions, or not effectively disclosing important information (like the allocation methodology used when instructions are not provided).  The CFPB also cited a student loan servicer for engaging in a deceptive practice in violation of the Dodd-Frank Act UDAAP prohibition in connection with loans considered to be “paid ahead.” CFPB examiners concluded that one or more servicers’ billing statements could have misled reasonable borrowers to believe additional payments during or after a paid-ahead period would be applied largely to principal. According to the CFPB, the statements, which noted that nothing was due in months that the borrower was paid ahead, misled consumers as to how much interest would accrue or had accrued, and how that would affect the application of consumers’ payments when the borrower began making payments.  The CFPB directed one or more servicers to hire independent consultants to conduct user testing of the servicer’s communications to improve how the communications describe the basic principles of the servicer’s payment allocation methodologies, the consumer’s ability to provide payment instructions, and the accrual of interest during a paid-ahead period.  The CFPB refers servicers to the policy direction on student loan servicing issued in July 2016 by the Department of Education for guidance on IDR application processing, billing statements, and  allocation methodologies.  (Issues related to IDR plan applications were highlighted in the midyear report of the CFPB’s Student Loan Ombudsman released in August 2016.)
  • Fair lending.
    • LEP consumers. CFPB examiners “observed situations” in which financial institutions’ treatment of limited English proficiency (LEP) and non-English-speaking consumers posed fair lending risk, such as marketing only some credit card products to Spanish-speaking consumers, while marketing additional credit card products to English-speaking consumers.  The CFPB noted that one or more such institutions lacked documentation describing how they decided to exclude those products from Spanish language marketing, thereby “raising questions about the adequacy of their compliance management systems related to fair lending.”  According to the CFPB, to mitigate any compliance risks related to these practices, one or more financial institutions revised their marketing materials to notify consumers in Spanish of the availability of other credit card products and included clear and timely disclosures to prospective consumers describing the extent and limits of any language services provided throughout the product lifecycle.  The CFPB observed that such institutions “were not required to provide Spanish language services to address this risk beyond the Spanish language services they were already providing.”  The report includes a list of “common features of a well-developed” CMS that considers treatment of LEP and non-English-speaking consumers.
    • Redlining. The report lists factors considered by the CFPB in assessing redlining risk in examinations and describes how the CFPB conducts its analysis of redlining risk, such as its use of HMDA and census data to assess an institution’s  lending patterns and its comparison of an institution to peer institutions.  The report indicates that in their initial analysis, CFPB examiners will compare an institution’s lending patterns to other lenders in the same MSA to determine whether the institution received significantly fewer applications from minority areas relative to other lenders in the MSA.  Examiners may also compare an institution to a more refined group of peers which can be defined in various ways, such as lenders that received a similar number of applications, originated a similar number of loans in the MSA, or offered a similar product mix.  Examiners have also considered an institution’s own identification of its peers in particular markets.
  • Examination procedures and guidance. The CFPB references recent updates to its reverse mortgage, student loan, and Military Loan Act examination procedures, as well as its recent amendment of its service provider bulletin.  According to the CFPB, some small service providers reported that entities have imposed the same due diligence requirements on them as for their largest service providers. The CFPB stated that this may have resulted from some entities having interpreted its 2012 bulletin to mean they had to use the same due diligence requirements for all service providers no matter the risk for consumer harm.  The amendment was intended to clarify that a risk management program can be tailored to the size, market, and level of risk for consumer harm presented by the service provider.