According to media reports, CFPB Acting Director Mick Mulvaney has sent an email to Bureau staff indicating that he plans to fold the Office of Students and Young Consumers into the Office of Financial Education.  Both Offices are part of the Bureau’s Consumer Education and Engagement Division.  The Student Loan Ombudsman, a position created by the Dodd-Frank Act, will also be part of the Office of Financial Education.  The current staff of the Office of Students and Young Consumers is expected to be reassigned to other Offices.

While the reorganization means that the Office of Students and Young Consumers will no longer be involved in investigations that could result either in supervisory actions or in enforcement actions, it does not mean that the CFPB will no longer bring such actions against student loan lenders and servicers.

As might be expected, the reorganization has quickly attracted criticism from consumer advocates and others. New York State Department of Financial Services Superintendent Maria Vullo released a statement expressing her Department’s concern “with the CFPB’s troubling decision to minimize the role of the Office of Students and Young Consumers.” She indicated that “DFS’s Student Protection Unit will continue its nation leading efforts in safeguarding students from fraud and misrepresentation in the market, monitoring student-related financial practices in New York and educating student consumers and their families regarding available financial products and services to empower them to make informed choices.  And violators of the law will be met with swift DFS response.”

In February 2018, Mr. Mulvaney announced that he planned to transfer the CFPB’s Office of Fair Lending from the Supervision, Enforcement, and Fair Lending Division to the Director’s Office, where it will become part of the Office of Equal Opportunity and Fairness.

Mr. Mulvaney is also reported to have indicated in his email to Bureau staff that he plans to hire more political appointees and create an office of cost-benefit analysis staffed by economists that report directly to him.  Another reported change is Mr. Mulvaney’s creation of an Office of Innovation, known previously as Project Catalyst, an initiative launched by the CFPB in 2012 for facilitating innovation in consumer financial products and services.

The New Jersey Attorney General recently announced that the state’s governor will nominate Paul R. Rodriguez to serve as the Director of the New Jersey Division of Consumer Affairs, the state’s lead agency charged with protecting consumers’ rights, regulating the securities industry, and overseeing 47 professional boards.

According to the AG’s press release, Mr. Rodriguez’s selection is intended “to fill the void left by the Trump Administration’s pullback of the [CFPB]” and fulfills the promise of the state’s governor “to create a ‘state-level CFPB’  in New Jersey.”  Mr. Rodriguez will begin serving as Acting Director of the Division of Consumer Affairs on June 1, pending his approval as Director by the New Jersey Senate.

The New Jersey announcement is consistent with announcements by other state AGs that they intend to fill any vacuum created by a less aggressive CFPB under the Trump Administration.

Mr. Rodriguez currently serves as Acting Counsel to New York City Mayor Bill de Blasio.  Before joining the de Blasio administration, Mr. Rodriguez was an associate with a major New York City-based law firm where he worked in a variety of areas.

Democratic Senator Dianne Feinstein announced that she and three other Democratic Senators have introduced a bill, the “Accountability for Wall Street Executives Act of 2017,” that would allow state attorneys general to issue investigative subpoenas to national banks in connection with suspected violations of state law.

The bill appears intended to overturn the U.S. Supreme Court’s 2009 decision in Cuomo v. Clearing House Association interpreting the National Bank Act (NBA) provision that bars state officials from exercising “visitorial powers” over national banks.  While the Supreme Court held in Cuomo that the filing of a civil lawsuit by a state AG against a national bank to enforce state law was not barred as the exercise of “visitorial powers,” it also held that the issuance of extra-judicial subpoenas by a state AG in connection with an investigation was barred.

The bill would amend the NBA (12 U.S.C. 484) to provide that, notwithstanding the limit on visitorial powers, “an attorney general (or other chief law enforcement officer) of a State may issue subpoenas or administer oversight and examination to national banks or officers of national banks upon reasonable cause to believe that the national bank or an officer of a national bank has failed to comply with applicable State laws.”

In attempting to further empower state AGs, the bill likely is a response to the concern of Democratic lawmakers that CFPB enforcement activity will significantly decrease under the Trump administration.  A group of Democratic state AGs recently sent a letter to President Trump in which they threatened to aggressively use their enforcement authority under federal and state law.

In addition to various federal consumer protection statutes that give direct enforcement authority to state AGs or regulators, Section 1042 of the Consumer Financial Protection Act authorizes state AGs and regulators to bring civil actions to enforce the provisions of the CFPA, most notably its prohibition of unfair, deceptive or abusive acts or practices.  A state AG or regulator, before filing a lawsuit using his or her Section 1042 authority, must notify the CFPB and Section 1042 allows the CFPB to intervene as a party and remove an action filed in state court to federal court.

On January 11, 2018, from 12:00 p.m. to 1:00 p.m. ET, Ballard Spahr attorneys will hold a webinar: Who Will Fill the Void Left Behind by the CFPB?  Click here to register.

This week, New York Governor Andrew Cuomo issued a press release directing the New York Department of State to issue a new regulation impacting consumer reporting agencies.  The new regulation was adopted on an emergency basis and went into immediate effect in order to protect consumers from identity theft and other potential economic harms that may arise following a data breach.

The regulation requires consumer reporting agencies to:

  • Identify dedicated points of contact for the Division of Consumer Protection to obtain information to assist New York consumers in the event of a data breach;
  • Respond within 10 days to information requests made on behalf of consumers by the Division of Consumer Protection;
  • File a form with certain information to the Division of Consumer Protection, including all fees associated with the purchase or use of products and services marketed as identity theft protection products as well as a listing and description of all business affiliations and contractual relationships with any other entities relating to the provision of any identity theft prevention or mitigation products or services; and
  • In any advertisements or other promotional materials, disclose any and all fees associated with the purchase or use of proprietary products offered to consumers for the prevention of identity theft, including, if offered on a trial basis, any and all fees charged for its purchase or use after the trial period and the requisites of cancellation of such continued use.

The protections appear targeted to address alleged abuses by the consumer reporting industry following the recent Equifax data breach.  Cuomo also announced that the Division of Consumer Protection will be issuing a demand letter to Equifax for information to assess the damage and risk of identity theft to New York State consumers resulting from the data breach.

Cuomo did not address the status of previously announced proposed regulations of the consumer credit reporting agencies by the New York Department of Financial Services.

The Democratic attorneys general of 16 states and the District of Columbia have sent a letter to President Trump in which they express their support for the CFPB’s consumer protection mission and criticize the President’s appointment of Mick Mulvaney as CFPB Acting Director.  The 16 states are New York, California, Connecticut, Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Minnesota, New Mexico, North Carolina, Oregon, Vermont, Virginia, and Washington.  In particular, the AGs contend that various statements made by Mr. Mulvaney about the CFPB “are categorically false, and should disqualify Mr. Mulvaney from leading the agency, even on an acting basis.”

Since the AGs’ presumably realize that their criticism is unlikely to cause President Trump to reconsider his appointment of Mr. Mulvaney, it would appear that the letter’s primary purpose is “saber rattling” by the AGs.  While providing examples of various enforcement matters on which state AGs have worked jointly with the CFPB, the AGs highlight their own “express statutory authority to enforce federal consumer protection laws, as well as the consumer protection laws of our respective states.”  The AGs state that they “will continue to enforce those laws vigorously regardless of changes to the CFPB’s leadership or agenda.  As attorneys general, we retain broad authority to investigate and prosecute those individuals or companies that deceive, scam, or otherwise harm consumers.”

In addition to various federal consumer protection statutes that give direct enforcement authority to state AGs or regulators, Section 1042 of the Consumer Financial Protection Act authorizes state AGs and regulators to bring civil actions to enforce the provisions of the CFPA, most notably its prohibition of unfair, deceptive or abusive acts or practices.  A state AG or regulator, before filing a lawsuit using his or her Section 1042 authority, must notify the CFPB and Section 1042 allows the CFPB to intervene as a party and remove an action filed in state court to federal court.  (AGs and regulators in several of the states joining in the letter to President Trump have already filed lawsuits using their Section 1042 authority.)

On January 11, 2018, from 12:00 p.m. to 1:00 p.m. ET, Ballard Spahr attorneys will hold a webinar: Who Will Fill the Void Left Behind by the CFPB?  Click here to register.

The AGs warn that “if incoming CFPB leadership prevents the agency’s professional staff from aggressively pursuing consumer abuse and financial misconduct, we will redouble our efforts at the state level to root out such misconduct and hold those responsible to account.”  They further state that “regardless of the future direction or leadership of the CFPB, we as state attorneys general will vigorously enforce state and federal laws to ensure fairness and deter fraud.”  It is also important to note that CFPB staff, who may feel handcuffed by Mr. Mulvaney, can share information with sympathetic state AGs.

 

Last Friday, as expected, the FTC announced the launch of a coordinated federal-state law enforcement initiative targeting deceptive student loan debt relief companies.  According to the FTC, 11 states and the District of Columbia are participating in the initiative, which is being called “Operation Game of Loans.”  The participating states are Colorado, Florida, Illinois, Kansas, Maryland, North Carolina, North Dakota, Oregon, Pennsylvania, Texas, and Washington,

The initiative includes seven FTC actions, including an action filed by the FTC earlier this month in Florida federal court, and 29 actions by state AGs.

A recent flurry of FTC enforcement activity targeting companies offering student loan debt relief services suggests such companies could be the subject of the announcement scheduled for tomorrow “of a major coordinated consumer fraud enforcement initiative” between the FTC and state attorneys general.

The announcement was originally scheduled to be made on October 11 at a press conference in Chicago, Illinois featuring Thomas Pahl, Acting Director of the FTC’s Bureau of Consumer Protection, and Illinois Attorney General Lisa Madigan.  However, after postponing the press conference and rescheduling it for October 13, the FTC issued an update stating that the FTC “and attorneys general in 11 states and the District of Columbia will issue an announcement” on October 13 that “will be posted on FTC.gov.”  The FTC also indicated that “[s]enior officials from the FTC and the offices of the state attorneys general will be available for telephone interviews upon request.”

Earlier this month, the FTC filed a complaint in a Florida federal court for a permanent injunction and other equitable relief against Student Debt Doctor LLC and its individual principal alleging that the defendants conducted a deceptive student loan debt relief operation.  At the FTC’s request, the court entered an ex parte order temporarily freezing the company’s assets and appointing a receiver.  The FTC filed at least two other actions in federal courts in September 2017 against companies and individuals also alleged to have conducted deceptive student loan debt relief operations.

The cities of Chicago and San Francisco and the Massachusetts Attorney General have filed the first enforcement actions against Equifax following the announcement of a data breach affecting an estimated 143 million consumers.  Equifax announced the data breach on September 7, 2017, after hackers allegedly exploited a vulnerability in open-source software used by Equifax to create its online consumer dispute portal.

The first suits were filed on September 26th by the Massachusetts Attorney General and San Francisco.  Massachusetts’s complaint was filed in Superior Court in Suffolk County and alleges that Equifax knew or should have known about the vulnerability and that hackers were attempting to exploit it, but that Equifax failed to take known and available measures to prevent the breach.  Massachusetts asserts claims for violations of the Massachusetts data privacy statute and the Massachusetts Consumer Protection Act prohibiting unfair and deceptive practices based on Equifax’s alleged failure to give timely notice of the breach, failure to safeguard personal information, and failure to take other actions that Equifax was uniquely positioned to provide that would have mitigated damages to Massachusetts consumers.  The Massachusetts Attorney General is seeking unspecified civil penalties, disgorgement of profits, restitution, costs and attorney’s fees.

San Francisco’s complaint, filed in the Superior Court of San Francisco, asserts claims under the California Business and Professions Code for unlawful, unfair or fraudulent business practices, alleging that Equifax failed to maintain reasonable security practices and procedures, failed to provide timely notice of the security breach, and failed to provide complete, plain and clear information when notice was provided.  The lawsuit seeks restitution for all California consumers, civil penalties up to $2,500 per violation of law, restitution, costs, and a court order requiring Equifax to implement and maintain appropriate security procedures in the future.

Finally, the City of Chicago filed suit on September 28th in Cook County Circuit Court and asserts claims arising under both state law and city ordinance.  Specifically, Chicago alleges Equifax violated a local ordinance prohibiting fraudulent, unfair, and deceptive business practices, as well as the Illinois Consumer Fraud and Deceptive Business Practices Act.  Chicago’s claims are based on allegations that Equifax failed to give prompt notice of the breach, failed to safeguard personal information, and deceived consumers by requiring them to waive their legal rights in exchange for credit monitoring services and by misrepresenting that the offered credit monitoring was free.  Chicago seeks civil monetary penalties in the amount of $10,000 for each day a violation has existed that involves a Chicago resident, restitution, and injunctive relief requiring Equifax to maintain adequate security measures to prevent data breaches.

These are likely just the first of many lawsuits to be filed against Equifax by state and local officials.  Further action at both the federal and state level seems all but certain.  For example, the Federal Trade Commission and Department of Justice have confirmed they are investigating the breach, and the New York Department of Financial Services confirmed that it recently issued a subpoena to Equifax for more information about the breach.  This vigorous and immediate government enforcement effort further supports our position that private class action lawsuits are an unnecessary and inappropriate tool for vindicating any harm caused by the data breach.  We will continue to follow these significant cases and update you as events unfold.

 

Last week, New York Governor Andrew Cuomo issued a press release directing the New York Department of Financial Services (“NYDFS”) to impose new rules on consumer reporting agencies (“CRAs”).  The proposed regulation would subject CRAs that issue consumer reports (as defined in a manner similar to the federal Fair Credit Reporting Act) about consumers located in New York to new requirements, including:

  • Annual registration with NYDFS – such registration must identify officers and/or directors that are responsible for the CRAs’ compliance with the new regulation;
  • Annual, and in some cases quarterly, information reporting requirements to NYDFS;
  • NYDFS examinations to be conducted as often as NYDFS considers “necessary”;
  • Prohibitions against various activities, such as including inaccurate information in a consumer report or engaging in any unfair, deceptive, abusive, and/or predatory acts or practices;
  • Communicating with consumers’ authorized representatives; and
  • Compliance with the newly issued NYDFS cybersecurity regulation (see Ballard alert).

Except for requiring CRAs to comply with the NYDFS cybersecurity regulation, it is unclear how the other requirements would address the risks posed by the recent Equifax breach, which was the purported reason for Governor Cuomo’s announcement.

Importantly, by requiring CRAs to register on an annual basis, the proposed regulation would empower NYDFS to suspend or revoke such registration based not only on the bad acts of a CRA itself, but also based on the bad acts of individual members, principals, officers, directors, or controlling persons at the CRA.  Without a valid registration, a CRA would be prohibited from providing any consumer reports about consumers located in New York, any companies licensed by NYDFS would be prohibiting from purchasing consumer reports from the CRA, and any companies licensed by NYDFS would be prohibited from furnishing information about consumers located in New York to the CRA.

Although a version of the proposed regulation was released with Governor Cuomo’s announcement, NYDFS is expected to release an official version for public comment in the coming weeks.  CRAs and companies that rely on CRAs to provide information about consumers located in New York should strongly consider participating in this rulemaking process.

In an unusual procedural move last week in the RD Legal Funding case about which we have previously blogged, SDNY Judge Loretta Preska (the judge presiding over the CFPB’s lawsuit against RD Legal Funding) has referred to EDPA Judge Anita Brody the question of whether the NFL Concussion Litigation settlement agreement forbids assignments of settlement benefits. Judge Brody has been presiding over the multidistrict litigation for over five years and is currently overseeing the implementation of the settlement. Within the Order, Judge Preska noted “[t]his case presents an unusual situation in which the Defendants’ underlying conduct is intertwined with an MDL class action settlement in another court,” and stated the referral “ensures uniformity of adjudication with a single ruling that will apply not only to the Defendants in this action but also to other potential lenders to class members who might assert the same defense[.]” The referral had been requested by the NFL Concussion Litigation Co-Lead Class Counsel, Christopher Seeger.

In related news, earlier this week Judge Brody granted a request from Seeger to compel several entities to produce (1) a list of all retired NFL players with whom the entities communicated, (2) a list of all retired NFL players with whom the entities entered into agreements related to the NFL Concussion Settlement, and (3) a copy of any agreement related to the settlement. However, Judge Brody denied Seeger’s request to compel production of similar information from RD Legal Funding.