The U.S. Senate on March 14 passed S.2155, the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act), by a vote of 67 to 31.  Although the Act would not make the sweeping changes to the Dodd-Frank Act found in the Financial CHOICE Act of 2017 (CHOICE Act), it, nevertheless, would provide financial institutions welcome relief from a number of specific Dodd-Frank provisions.

Representative Jeb Hensarling, Chairman of the House Financial Services Committee, has indicated that further negotiations between the House and Senate must take place before the House votes on the Act.  House Speaker Paul Ryan has taken a more conciliatory tone, commenting on the need for common sense bipartisan solutions in the final bill.  As a result, while a final bill can be expected to include changes to the Act, it is unclear how substantial those changes will be.  Assuming a final bill signed by President Donald J. Trump retains many, if not most, of the Act’s provisions, the Act should positively impact both smaller and larger financial institutions.  The Act would make a number of changes to provisions of Dodd-Frank and other federal laws regarding consumer mortgages, credit reporting, and loans to veterans and students.

On May 10, 2018, from 12 p.m. to 1 p.m. ET, Ballard Spahr attorneys will hold a webinar: Economic Growth, Regulatory Relief, and Consumer Protection Act: Anatomy of the New Banking Statute.  The webinar registration form is available here.

The Act would also reduce the regulatory burdens on financial institutions—particularly financial institutions with total assets of less than $10 billion.  Bank holding companies with up to $3 billion in total assets would be permitted to comply with less restrictive debt-to-equity limitations instead of consolidated capital requirements.  This change should promote growth by smaller bank holding companies, organically or by acquisition.  Larger institutions should benefit from the higher asset thresholds that would apply to systemically important banks subject to enhanced prudential standards.  The higher thresholds may lead to increased merger activity between and among regional and super regional banks.

Although the banking industry can be expected to view the Act positively should it become law, it falls short of the CHOICE Act in several important respects. The CHOICE Act would:

  • reduce regulatory burdens on institutions based on capital levels irrespective of asset size
  • reduce the Financial Stability Oversight Council’s powers
  • repeal Dodd–Frank’s orderly liquidation authority, and
  • scale back the CFPB’s powers.

For a summary of some of the Act’s key provisions applicable to financial institutions, click here for our full alert.

In a new report on consumer credit trends, the CFPB looks at how recent changes to the public record data standards used by the “Big 3” consumer reporting agencies (CRAs) have affected consumers’ credit reports and  credit scores.  The data used in the report comes from the CFPB’s Consumer Credit Panel, which the report describes as “a longitudinal, nationally-representative sample of approximately five million de-identified credit records maintained by one of the three nationwide [CRAs].”

The new standards, which became effective on July 1, 2017, applied to public record data already existing on the CRAs’ credit reporting databases as well as new data.  They created new verification requirements for data on civil judgments, tax liens, and bankruptcies, such as requirements that there be minimum personal identifying information and that courthouse data be refreshed at least every 90 days.

The changes to the standards were adopted as part of the National Consumer Assistance Plan, an initiative aimed at enhancing the accuracy of credit reports and making it easier for consumers to correct credit report errors.  The Plan was the result of a settlement agreement between the “Big 3” CRAs and over 30 state attorneys general.  The new report’s findings might be seen as subtle criticism by the CFPB under Mick Mulvaney of the Plan and former Director Cordray’s CFPB.  In other words, the report’s findings could be seen to show that the concerns about the reporting of civil judgments and tax liens that drove the Plan were largely overblown.

The CFPB’s key findings include:

  • When the new standards were implemented, all civil judgments and about half of the tax liens were removed from credit reports while the number of reported bankruptcies remained virtually unchanged.
  • In June 2017, soon before the new standards were implemented, 6 percent of consumers had a civil judgment or tax lien.  As a result of the new standards, about 83 percent of these consumers lost one or more judgments or liens in July 2017.  After the new standards were implemented, only 1.4 percent of consumers had a tax lien on their credit reports.
  • About 4 percent of consumers with civil judgments or tax liens on their credit reports in June 2017 experienced an increase in their credit scores in September 2017 due to the new standards.  After the new standards were implemented, consumers who had civil judgments or tax liens generally experienced score changes that were either around zero or 15 points.
  • To evaluate whether the score changes were significant enough to affect these consumers’ access to or cost of credit, the CFPB looked at whether the score changes changed the consumers’ credit profiles.  To do this evaluation, the CFPB put a consumer’s credit scores in June and September 2017 into one of the following bands: deep subprime, subprime, near prime, prime, and super prime.  75 percent of consumers remained in the same score band.  About 6 percent of consumers who had civil judgments or liens in June 2017 had deep subprime or subprime credit scores and rose to near prime or above scores in September 2017.
  • Overall, about 4 percent of consumers with civil judgments or tax liens on their credit reports in June 2017 moved to a higher score band in September 2017.  The CFPB seems to suggest that the small effect might have been expected because consumers who had civil judgments and tax liens also had more delinquencies and more derogatory information in their credit reports.
  • The CFPB does not have sufficient data to evaluate the extent to which the new standards have affected the predictiveness of scoring models.  However, it notes that studies have been published indicating that the new standards will have a minimal effect on predictive performance and observes that although the CFPB is unable to verify such results, “the small number of consumers who had civil judgments or tax liens and experienced a score change large enough to improve their credit profile suggests that any effects on overall model predictiveness (either positive or negative) are likely minimal.”



This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with certain information to the Division of Consumer Protection, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

Last week, members of the Senate Banking Committee announced that they had reached bipartisan agreement on “legislative proposals to improve our nation’s financial regulatory framework and promote economic growth.”  Following the announcement, Committee members released a draft of a bill (S. 2155), the “Economic Growth, Regulatory Relief, and Consumer Protection Act.”  A markup of the bill is scheduled for December 5, 2017.  Many observers believe that due to its bipartisan support, there is a strong likelihood that the bill will be enacted as part of a regulatory relief package.

Provisions of the bill relevant to providers of consumer financial services include the following:

Small Depository Qualified Mortgage (Section 101). For an insured depository institution or insured credit union, the bill would create a qualified mortgage loan entitled to the safe harbor under the ability to repay rule.  In general, the depository institution or credit union would need to hold the loan in portfolio, and the loan could not have an interest-only or negative amortization feature and would need to comply with limits on prepayment penalties.  While the creditor would need to consider and document the debt, income and financial resources of the consumer, it would not have to follow Appendix Q to the ability to repay rule.

Appraisal Exemption for Rural Areas (Section 103). The bill would provide an exemption from any appraisal requirement for a federally related transaction involving real property if (1) the property is located in a rural area, (2) the loan is less than $400,000, (3) the originator is subject to oversight by a federal financial institution regulator, and (4) no later than three days after the Closing Disclosure under the TRID rule is given to the consumer, the originator has contacted at least three state certified or licensed appraisers, as applicable, and has documented that no state certified or licensed appraiser, as applicable, is available within a reasonable period of time.  The applicable federal financial institution regulator would determine what constitutes a reasonable period of time.  The exemption would not apply to high-cost loans under the Truth in Lending Act (TILA), or when the applicable federal financial institution regulator requires the financial institution to obtain an appraisal to address safety and soundness concerns.

Home Mortgage Disclosure Act Triggers (Section 104). The bill would increase the loan volume trigger to be a reporting company under the revised Home Mortgage Disclosure Act (HMDA) rule from 25 closed-end mortgage loan originations in each of the preceding two calendar years to 500 such loans in each of the two preceding calendar years.  The 25 closed-end loan trigger went into effect in 2017 for depository institutions, and goes into effect on January 1, 2018 for non-depository institutions.

The bill also would make permanent under the revised HMDA rule a trigger of 500 open-end mortgage loan originations in each of the preceding two calendar years.  As reported previously, the revised HMDA rule provided for a trigger effective January 1, 2018 of 100 open-end mortgage loan originators in each of the preceding two calendar years, and in August 2017 the CFPB temporarily raised the trigger for 2018 and 2019 to 500 open-end mortgage loans in each of the preceding two calendar years.  The bill includes a requirement for the Comptroller General of the United States to conduct a study after two years to evaluate the impact of the amendments on the amount of data available under HMDA, and submit a report to Congress within three years.

Loan Originator Transition Authority (Section 106). Subject to various conditions, the bill would establish temporary transition authority for an individual loan originator to conduct origination activity for up to 120 days from when the individual submits an application to be licensed in a state in cases in which the individual is (1) registered and then becomes employed by a state-licensed mortgage company or (2) licensed in a state and then seeks to conduct loan origination activity in another state.

TRID Rule Provisions (Section 110). The bill includes a provision that apparently is intended to eliminate the need for a second three business day waiting period under the TILA/Real Estate Settlement Procedures Act Integrated Disclosure (TRID) rule in cases in which the annual percentage rate decreases and becomes inaccurate after the initial Closing Disclosure is provided, thus triggering the need for a revised Closing Disclosure.  Currently, the TRID rule requires both a revised Closing Disclosure and a new three business day waiting period before consummation may occur.  As drafted, however, the bill would amend the TILA timing requirements for high-cost mortgages under the Home Ownership and Equity Protection Act.  The TRID rule timing requirements are set forth in Regulation Z and not TILA.  Thus, revisions to the bill are necessary to achieve the intended goal.

The bill also includes a sense of Congress provision with regard to the TRID rule, which provides that the CFPB should endeavor to provide clearer, authoritative guidance on (1) the applicability of the rule to mortgage assumptions, (2) the applicability of the rule to construction-to-permanent home loans, and the conditions under which such loans can be properly originated, and (3) the extent to which lenders can, without liability, rely on the model disclosures published by the CFPB under the rule if recent changes to the rule are not reflected in sample TRID rule forms published by the CFPB.

Credit Report Alerts (Section 301). The bill would amend the Fair Credit Reporting Act (FCRA) to require consumer reporting agencies to keep a fraud alert requested by a consumer in the consumer’s file for at least one year and allow a consumer to have one free freeze alert placed on his or her file every year and remove that alert free of charge.  Consumer reporting agencies would also have to provide free freeze alerts requested on behalf of a minor and remove such alerts free of charge.

Credit Reports of Military Veterans (Section 302). The bill would amend the FCRA to require consumer reporting agencies to exclude from credit reports certain information relating to medical debts of veterans and would establish a dispute process for veterans seeking to dispute medical debt information with a consumer reporting agency.

Protection of Seniors (Section 303). The bill would, subject to certain conditions, provide immunity from civil or administrative liability to individuals and financial institutions for disclosing the suspected exploitation of a senior citizen to various government agencies, including state or federal financial regulators, the SEC, or a law enforcement agency.

Cyber Threats (Section 501). The bill would require the Secretary of the Treasury to submit a report to Congress on the risks of cyber threats to financial institutions and U.S. capital markets that includes an analysis of how the appropriate federal banking agencies and the SEC are addressing such risks.  The report must also include Treasury’s recommendation on whether any federal banking agency or the SEC “needs additional legal authorities or resources to adequately assess and address material risks of cyber threats.”  (We note that for several years, the FTC has been calling for such additional authority, specifically in the form of rulemaking authority.  Due to the limitations of the Banking Committee’s jurisdiction, the bill’s provision focuses exclusively on the federal banking agencies, and gives no recognition to the important role of the FTC—which is under the Senate Commerce Committee’s jurisdiction–in addressing cyber threats.

We will be publishing another blog post in the near future about other provisions of the bill that may be of interest to our blog readers.

The CFPB has published the following notices in today’s Federal Register:

  • Request for Information. Through the RFI, the CFPB seeks to learn more about consumers’ experience with access to free credit scores and the experience of companies and nonprofit credit and financial counseling providers offering their customers and the general public such access.  According to the CFPB, it will use the information gathered through the RFI to identify educational content that is providing the most value to consumers, to identify additional content the CFPB and others could develop to increase consumer understanding of credit reports and scores, and to gain a broader understanding of industry practices that best support educating consumers.  In addition to consumers and consumer advocacy groups, the interested members of the public from whom the CFPB encourages comments include credit card companies and other lenders.  Comments must be received on or before February 12, 2018 to be assured consideration.
  • Update to Free Credit Score Access List. In March 2017, the CFPB published a list of companies that had told the CFPB they offered existing credit card customers access to a free credit score.  In the notice, the CFPB states that it plans to update this list and provides criteria credit card issuers must meet to be included in the list. Companies that were included in the March 2017 list must submit a new entry to be included on the updated list.  The CFPB also states that it is considering whether to expand its list of companies offering free credit reports to include companies in other markets.  Companies that offer consumers access to free credit scores and meet the same criteria it uses for card issuers are invited to contact the CFPB if they would like to be included in a possible list.  Comments must be received on or before January 12, 2018 to be assured of consideration.


An Assistant Illinois Attorney General, in a letter sent to Experian’s CEO on behalf of the Illinois AG and the AGs of 35 other states and the District of Columbia, has asked Experian not to charge any credit freeze-related fees.

In the letter, which references the recent Equifax data breach, the Assistant Illinois AG notes that seven states currently prohibit consumer reporting agencies from charging fees to place a credit freeze and at least two others have introduced legislation that would require CRAs to offer free credit freezes.

In addition to Illinois, the other states joining the letter were: Arkansas, Colorado, Delaware, Florida, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Utah, Vermont, Virginia, Washington, Wisconsin, and Wyoming.


The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties up to $2,500 per violation of law, restitution, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.


Last week, New York Governor Andrew Cuomo issued a press release directing the New York Department of Financial Services (“NYDFS”) to impose new rules on consumer reporting agencies (“CRAs”).  The proposed regulation would subject CRAs that issue consumer reports (as defined in a manner similar to the federal Fair Credit Reporting Act) about consumers located in New York to new requirements, including:

  • Annual registration with NYDFS – such registration must identify officers and/or directors that are responsible for the CRAs’ compliance with the new regulation;
  • Annual, and in some cases quarterly, information reporting requirements to NYDFS;
  • NYDFS examinations to be conducted as often as NYDFS considers “necessary”;
  • Prohibitions against various activities, such as including inaccurate information in a consumer report or engaging in any unfair, deceptive, abusive, and/or predatory acts or practices;
  • Communicating with consumers’ authorized representatives; and
  • Compliance with the newly issued NYDFS cybersecurity regulation (see Ballard alert).

Except for requiring CRAs to comply with the NYDFS cybersecurity regulation, it is unclear how the other requirements would address the risks posed by the recent Equifax breach, which was the purported reason for Governor Cuomo’s announcement.

Importantly, by requiring CRAs to register on an annual basis, the proposed regulation would empower NYDFS to suspend or revoke such registration based not only on the bad acts of a CRA itself, but also based on the bad acts of individual members, principals, officers, directors, or controlling persons at the CRA.  Without a valid registration, a CRA would be prohibited from providing any consumer reports about consumers located in New York, any companies licensed by NYDFS would be prohibiting from purchasing consumer reports from the CRA, and any companies licensed by NYDFS would be prohibited from furnishing information about consumers located in New York to the CRA.

Although a version of the proposed regulation was released with Governor Cuomo’s announcement, NYDFS is expected to release an official version for public comment in the coming weeks.  CRAs and companies that rely on CRAs to provide information about consumers located in New York should strongly consider participating in this rulemaking process.

An informative new American Banker podcast discusses recent and possible future changes to traditional credit scores, what they mean for industry, and possible industry responses.

The podcast begins with a discussion of changes that will take effect on July 1, 2017 to the public record data standards used by the “Big 3” consumer reporting agencies (CRAs) for the collection and updating of civil judgments and tax liens.  The new standards, which will apply to new and existing public record data on the CRAs’ credit reporting databases, create new verification requirements for data about civil judgments and tax liens, such as certain minimum consumer personal identifying information and a minimum frequency of courthouse visits to obtain new and updated data of at least every 90 days.

The experts participating in the podcast suggested that under current credit score models, the change could result in small credit score increases for impacted consumers averaging about 10 to 11 points.  However, they indicated that credit scores generated by newer credit score models under development that consider other data are unlikely to be impacted.

Among the topics discussed was the potential benefits and challenges in using alternative data in credit score models.  This past February, the CFPB issued a request for information seeking information about the use of alternative data and modeling techniques in the credit process.




The CFPB has issued a new report, “Data Point: Becoming Credit Visible,” that discusses how consumers transitioned out of “credit invisibility” and how such transitions differed across consumers of different ages and across neighborhood income levels.  For purposes of the report, the CFPB uses a definition of “credit invisibility” that includes only consumers without a credit record at one of the nationwide credit reporting companies.

The CFPB used a similar definition in its May 2015 report, “Data Point: Credit Invisibles,” in which the CFPB documented the results of its research into the demographic characteristics of consumers without traditional credit reports or credit scores.  That report concluded that the current credit reporting system is precluding certain populations from accessing credit and taking advantage of other economic opportunities.  While it did not use the term “disparate impact,” the report had fair lending implications for both providers and users of credit reports and credit scores.

The 2015 report was followed by a blog post in December 2016 in which the CFPB announced that it had released a brief, “Who are the credit invisibles?,” that described the 2015 report’s most significant findings and contained a checklist of action items for consumers who were new to credit or seeking to rebuild their credit history.  Among the 2015 report’s findings highlighted in the brief were that consumers in low-income neighborhoods are more likely to have no credit history with one of the nationwide consumer reporting agencies or an unscorable credit file and that Black and Hispanic consumers are more likely to have no credit history with one of the nationwide consumer reporting agencies and have unscored credit records than White or Asian consumers.

The CFPB’s key findings in the new report based on the sample data used by the CFPB include:

  • Almost 80 percent of consumers who transitioned out of credit invisibility did so before age 25, with consumers in low- and moderate-income neighborhoods who made this transition doing so at older ages than consumers in middle- or upper-income neighborhoods.
  • Across all age groups and income levels, credit cards triggered the creation of consumer credit records more frequently than any other product with student loans the next most frequent trigger.
  • Consumers in lower-income neighborhoods were more likely than consumers in higher-income neighborhoods to acquire a credit record from non-loan items, such as third-party collection accounts or public records, with almost 90 percent of these non-loan items conveying negative information about the consumer’s creditworthiness.
  • About 15 percent of consumers opened their earliest reported credit account with a co-borrower and the credit records of an additional 9.6 percent of consumers were created when the consumer became an authorized user on someone else’s credit account, thus implying that about 1-in-4 consumers first acquire their credit history from an account for which others were also responsible. The use of co-borrowers and authorized user account status was notably less common in lower-income neighborhoods.
  • The frequency with which credit cards trigger the creation of a credit record has been growing rapidly in recent years, except among consumers younger than 25 as to whom the share of credit records created as the result of a credit card has been declining.  This decline cannot be fully explained by the growth in student loans or the restrictions in the Credit Card Accountability Responsibility and Disclosure Act on issuing credit cards to consumers under the age of 21 and marketing credit cards to college students.

In February 2017, the CFPB issued a request for information (RFI) seeking information about the use of alternative data and modeling techniques in the credit process.  The CFPB indicated that the RFI stemmed from its desire “to encourage responsible innovations that could be implemented in a consumer-friendly way to help serve populations currently underserved by the mainstream credit system.”  In the new report, the CFPB suggests that “the differences in the incidences of credit invisibility between higher- and lower-income neighborhoods may reflect the greater tendency of consumers in the latter to be unbanked” and “would imply that the problems posed by credit invisibility might be mitigated by promoting access to banking services in lower-income communities.”

The CFPB also indicated that the issues it hopes to examine in future research include the challenges facing consumers with unscored credit records and the characteristics of credit records (negative versus positive information) that result in transitioning out of credit invisibility.