In This Issue:
- URLA Preferred Language Question Requirement is Back
- CFPB Announces Plans to Supervise More Nonbanks; Ballard Spahr to Hold May 11 Webinar on Director Chopra’s First 6 Months in Office
- Financial Institutions Face Increasingly Stringent Federal Breach Reporting Requirements
- Real Estate GTO Renewed and Expanded
- Why the CFPB’s Expansion of its UDAAP Authority to Target Discrimination Requires Rulemaking
- California Department of Financial Protection and Innovation Files Cross-Complaint With OppFi
- CFPB Files Lawsuit Against TransUnion and Former Executive Alleging Violations of 2017 Consent Order
- Podcast: Understanding the Legislative and Regulatory Priorities of Consumer Advocates - A Conversation With Special Guest Lauren Saunders, Associate Director, National Consumer Law Center
- Podcast: A Look at New Privacy Litigation Targeting the Sharing of Consumer Personal Data
- CFPB Issues Annual FDCPA Report; FTC Issues Annual Letter on Debt Collection to CFPB
- Ninth Circuit Draws Line on FCRA Required Disclosures
- Credit Unions Obtain Preliminary Injunction Blocking Enforcement of NY Law Reducing Debt Judgment Interest Rate
For the latest updates on the COVID-19 pandemic visit the Ballard Spahr COVID-19 Resource Center
URLA Preferred Language Question Requirement is Back
The Federal Housing Finance Agency (FHFA) recently announced that for residential mortgage loans to be sold to Fannie Mae or Freddie Mac with application dates on or after March 1, 2023, the lender must present a Supplemental Consumer Information Form (SCIF) to collect information on the applicant’s language preference. Previous plans to include a language preference question in the redesigned Fannie Mae/Freddie Mac Uniform Residential Loan Application (URLA) were scuttled by the Trump Administration.
The SCIF also will allow the applicant to indicate any homeownership education or housing counseling that they have received. In announcing the SCIF requirement, FHFA stated that the “purpose of the SCIF is to collect information about the borrower’s language preference, if any, and on any homebuyer education or housing counseling the borrower received, so lenders can better understand borrower needs during the home buying process.”
CFPB Director Rohit Chopra stated that the “CFPB welcomes the FHFA’s announcement today. As those lenders and financial companies that already collect the language preference of applicants and borrowers know, this information allows lenders to serve their customers better. The collection of applicants’ language preference does not violate the Equal Credit Opportunity Act or its implementing regulations.”
FHFA advised that the SCIF will be available on the FHFA’s Mortgage Translations website later this summer. However, a version of the SCIF with a May 2022 date is currently available on Fannie Mae’s website.
CFPB Announces Plans to Supervise More Nonbanks; Ballard Spahr to Hold May 11 Webinar on Director Chopra’s First 6 Months in Office
The CFPB has announced that it plans to invoke its “dormant authority” to supervise nonbanks engaged in conduct that poses risk to consumers. In conjunction with the announcement, the CFPB issued a procedural rule concerning the confidentiality of proceedings in which the CFPB invokes such authority. These moves by the CFPB are notable for two reasons. First, they are consistent with the agency’s stated intent to increase scrutiny of fintech firms, as it could allow the CFPB to conduct in-depth examinations of fintech firms over which it presently has no clear supervisory jurisdiction. Second, they will allow the CFPB to publicize the Director’s decision to expand its supervisory jurisdiction to a nonbank engaged in conduct that “poses risks” to consumers – and thus send signals to industry about its view of certain practices.
The Consumer Financial Protection Act authorizes the CFPB to supervise any nonbank covered person, regardless of its size, that the CFPB has reasonable cause to determine “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” A risk-based determination is to be made through the CFPB’s issuance of an order after providing notice to the nonbank and a reasonable opportunity for it to respond.
Although the CFPB adopted a final rule in July 2013 (12 C.F.R. Part 1091) setting forth its procedures for supervising nonbanks engaged in conduct that poses risk to consumers, it has not yet invoked those procedures. According to Director Chopra, the CFPB will now invoke these procedures to address “the rapid growth of consumer offerings by nonbanks.” He stated that “[t]his authority gives us critical agility to move as quickly as the market, allowing us to conduct examinations of financial companies posing risks to consumers and stop harm before it spreads.” The CFPB suggests that use of its supervisory authority may be preferable to use of its enforcement authority because it can avoid the need for “adversarial litigation.”
This risk-based supervisory authority is in addition to the CFPB’s authority under the CFPA to supervise a nonbank that is any of the following:
- Regardless of its size, a provider of residential mortgage loans or certain related services, payday loans, or private education loans;
- A provider considered to be “a larger participant of a market for other consumer financial products or services;” and
- Regardless of its size, a service provider to another entity subject to CFPB supervision.
To date, the CFPB has used its larger participant authority to issue rules for consumer reporting, consumer debt collection, student loan servicing, international money transfers, and auto finance.
The CFPB’s procedural rule for invoking its risk-based supervisory authority requires the CFPB to send the nonbank target a “Notice of Reasonable Cause” describing the basis for the CFPB’s assertion that it may have reasonable cause to determine the nonbank is a covered person that is engaging in, or has engaged in, conduct that poses risks to consumers. The Notice must include “a summary of the documents, records, or other items relied on by the initiating official to issue a Notice.” A “Notice of Reasonable Cause” must be based on consumer complaints the CFPB receives through its complaint system or “information from other sources.”
The procedures allow a nonbank to consent to CFPB supervision at any time. Unless the nonbank consents to supervision, the Associate Director of the Division of Supervision, Enforcement and Fair Lending is to make a recommended determination after the conclusion of the proceedings as to whether there is reasonable cause for the CFPB to determine that the nonbank is a covered person that is engaging, or has engaged, in conduct that poses risks to consumers. The Director will thereafter issue a decision as to whether the nonbank should become subject to the CFPB’s supervisory authority.
As originally adopted, the procedural rule made all aspects of a proceeding confidential, including all materials submitted by a nonbank, all documents prepared by, or on behalf of, or for the CFPB’s use, and any communications between the CFPB and a nonbank. The new procedural rule amends the existing rule to add a new provision that provides an exception from confidentiality for final decisions and orders of the Director, such as a decision in which the Director determines that a nonbank should be subject to the CFPB’s supervisory authority. The nonbank will have seven days after service of the decision or order to make a submission and the Director will then decide whether the decision or order will be released on the CFPB’s website, in whole or part.
The procedural rule appears to contemplate a separate proceeding for each entity that the CFPB seeks to supervise. However, by making decisions and orders in such proceedings public, the amendment will allow the CFPB to send a strong signal to all market participants about certain practices or products it believes present a risk to consumers and could be the subject of further supervisory or enforcement activity.
On May 11, 2022, Ballard Spahr will hold a webinar, “CFPB Director Rohit Chopra: Do His Words Speak Louder Than His Actions?” The webinar will address the CFPB’s announcement regarding supervision of nonbanks as well as other actions taken under the leadership of Director Chopra. For more information and to register, click here.
The CFPB’s plan to supervise more nonbanks could also have implications for state scrutiny of nonbanks. In the past several years, we have seen a number of states enact mini-CFPBs to fill the “regulatory void” many feared during the Trump Administration, including California, New York, New Jersey, Maryland, Pennsylvania, and Virginia. When these laws were enacted, these states expressed concern over deregulation of providers of consumer loans, including those engaged as nonbank partners in bank partnerships and nonbank providers of alternative credit products. With the CFPB’s increased supervision of nonbanks, one would expect to see a heightened scrutiny of nonbanks by state mini-CFPBs, at the least. In addition to inquiries from regulators such as Maine’s inquiry earlier this year sent to nonbanks in bank partnerships, nonbanks engaged in these business activities may see increased attention from state attorneys general, additional and more substantive state examinations, and new licensing and regulations for a previously “unregulated” business line.
- Michael Gordon & Lisa Lanham
Financial Institutions Face Increasingly Stringent Federal Breach Reporting Requirements
The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. These tightened reporting obligations raise new challenges for financial institutions who must not only ensure that their own programs are aligned with the new requirements, but also be certain to pass along reporting obligations to service providers.
The abrupt shift in reporting obligations comes after an extended period of time when most financial institutions faced consistent reporting obligations. In 2005, the federal prudential regulators—including the Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Rather than specifying the number of hours or days within which a financial institution must report, the guidance allowed covered financial institutions to notify their primary federal regulator and affected customers “as soon as possible” after the discovery of incidents involving unauthorized access to or use of sensitive customer information.
Contrast this with the final rule issued by the Federal Reserve, FDIC, and OCC last November, which requires covered banking organizations to report within 36 hours after determining the occurrence of certain significant computer-security incidents. The final rule also requires bank service providers to notify their banking organization customers as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is likely to materially disrupt or degrade covered services for four or more hours.
Additionally, on March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, previously covered here, which requires entities in a critical infrastructure sector (which can include financial institutions) to report to the Cybersecurity and Infrastructure Security Agency (CISA) certain cyber incidents within 72 hours and ransomware payments within 24 hours of the payment. The Securities and Exchange Commission (SEC) recently published several proposed rules that would require various regulated entities to disclose certain cybersecurity-related incidents. The Federal Trade Commission (FTC) also tossed its hat into the ring and issued a proposal last December to require covered financial institutions to notify the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers.
Our chart here has a summary of the new reporting obligations proposed or soon to be effective for financial institutions.
Managing and meeting these new deadlines—and keeping track of the different content and submission requirements associated with each disclosure—can be challenging. Additionally, these requirements may trickle down even to companies not directly regulated by the above agencies, as many financial institutions may consider new default rules, such as requiring 24-36 hour reporting across the board for their service providers. As the cybersecurity regulatory landscape continues to evolve, companies should review their third-party service provider arrangements and incident response plans and stay on top of legislative and regulatory developments to ensure they are in a good position to meet increased expectations and accelerated reporting timelines.
- Philip N. Yannella & Doris Yuen
Real Estate GTO Renewed and Expanded
FinCEN announced that, once again, it is extending the Geographic Targeting Order, or GTO, which requires U.S. title insurance companies to identify the natural persons behind so-called “shell companies” used in purchases of residential real estate not involving a mortgage. FinCEN also has expanded slightly the reach of the GTOs.
The new GTO is here. FAQs issued by FinCEN on the GTOs are here. This is a topic on which we previously have blogged extensively.
FinCEN’s press release summarizes the new GTO and its expansion. The sections pertaining to the new expansions are in bold.
The terms of the GTOs are effective beginning April 30, 2022, and ending on October 26, 2022. The GTOs continue to provide valuable data on the purchase of residential real estate by persons possibly involved in various illicit enterprises. Renewing the GTOs will further assist in tracking illicit funds and other criminal or illicit activity, as well as inform FinCEN’s future regulatory efforts in this sector.
FinCEN renewed the GTOs that cover certain counties within the following major U.S. metropolitan areas: Boston; Chicago; Dallas-Fort Worth; Honolulu; Las Vegas; Los Angeles; Miami; New York City; San Antonio; San Diego; San Francisco; and Seattle. FinCEN, working in conjunction with our law enforcement partners, identified additional regions that present greater risks for illicit finance activity through all-cash purchases of residential real estate. Accordingly, today, FinCEN expanded the geographic coverage of the GTOs to parts of the District of Columbia, Northern Virginia, and Maryland (DMV) metropolitan area, the Hawaiian islands of Maui, Hawaii, and Kauai, and Fairfield County, Connecticut. The purchase amount threshold remains $300,000 for each covered metropolitan area, with the exception of the City and County of Baltimore, where the purchase threshold is $50,000.
This is the first renewal (and expansion) of the GTO since FinCEN issued on December 6, 2021 an Advanced Notice of Proposed Rulemaking (“ANPRM”) to solicit public comment on potential requirements under the Bank Secrecy Act for certain persons involved in real estate transactions to collect, report, and retain information. As we have blogged, the ANPRM envisions imposing nationwide recordkeeping and reporting requirements on specified participants in transactions involving non-financed real estate purchases, with no minimum dollar threshold. The new and expanded GTO represents another step towards such regulations — although the breadth of their application, when finalized, currently remains a very open question. Indeed, in his prepared remarks before the Committee on Financial Services U.S. House of Representatives on April 28, 2022, Acting FinCEN Director Himamauli Das stated:
FinCEN is carefully studying the 150 comments we received in response to the real estate ANPRM. These comments will help us move toward the next step, a proposed rule to address the illicit finance threats to the real estate market. While it is still too early to identify the scope of any NPRM or final rule, we are working to ensure that the requirements would be carefully crafted to result in valuable information for law enforcement, regulators, and the intelligence community, as well as to help the real estate sector protect itself from abuse by corrupt and other bad actors.
If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team. Please also check out our detailed chapter on these issues, The Intersection of Money Laundering and Real Estate,
Why the CFPB’s Expansion of its UDAAP Authority to Target Discrimination Requires Rulemaking
In a blog post published on the Consumer Law & Policy Blog, Professor Jeff Sovern advocates very strongly in support of interpreting the “unfairness” prong of UDAAP to encompass discrimination in connection with credit and non-credit consumer financial products and services offered by banks and other persons covered by the Consumer Financial Protection Act (CFPA). He supports his position by relying on the plain language of “unfair” (which is not inextricably tied to credit products) and the common sense notion that companies should not be able to discriminate in any fashion in connection with offering of consumer financial products or services.
Professor Sovern’s argument misses the point. The consumer financial services industry is not seeking a “pass” when it comes to any form of discrimination. Instead, the industry simply wants to know what are the “rules of the road.” The Equal Credit Opportunity Act is a very specific anti-discrimination statute that proscribes certain types of credit discrimination. It has been implemented through a detailed regulation (Reg B) that has been on the books for many decades. It only prohibits discrimination on certain bases: race, color, religion, national origin, sex, marital status, or age (provided that the applicant has the capacity to enter into a binding contract); the fact that all or part of the applicant’s income derives from any public assistance program; or the fact that the applicant has in good faith exercised any right under the CFPA or any state law upon which an exemption has been granted by the CFPB.
As an initial matter, I find considerable merit in the argument that if Congress considered discrimination to be “unfair,” it would have been unnecessary for Congress to enact laws such as the Equal Credit Opportunity Act to specifically prohibit discrimination. According to Professor Sovern, this argument is flawed because the ECOA does more than just prohibit discrimination in credit transactions, such as providing injured consumers with a private right of action, and therefore would have been needed even if Congress considered discrimination something the CFPB could address through its UDAAP authority. It would have been needed, says Professor Sovern, because the CFPA does not provide consumers with a private right of action for UDAAP claims and “Congress wanted injured consumers to have a private claim” which is provided in the ECOA.
The difficulty I have with Professor Sovern’s reasoning is that if UDAAP covers discrimination more broadly than the ECOA, why wouldn’t Congress have wanted injured consumers to also have a private right of action to use UDAAP to challenge any discrimination they could not challenge under the ECOA? In other words, it seems to me that the absence of a private right of action in the CFPA for UDAAP claims provides strong support for the position that UDAAP does not cover discrimination.
But even assuming arguendo that the interpretation of UDAAP advocated by the CFPB and Professor Sovern is correct, what would that mean? It is unclear whether the ECOA covers discrimination based on marketing or whether it applies only once someone has applied for credit. Would UDAAP now fill that void? And what about the further question of whether the disparate impact theory applies to ECOA and, if not, whether it nevertheless would apply to UDAAP. Those are just a few of the questions the CFPB’s and Professor Sovern’s interpretation raises for consumer credit.
The CFPB’s and Professor Sovern’s interpretation raises even more questions in the context of discrimination involving non-credit products such as deposits, prepaid cards, and remittances. For example, many banks have a policy of not opening deposit accounts for someone who does not reside within the bank’s market area. Would that be considered a UDAAP violation? While there is a well-established body of law pertaining to the application of ECOA, there is absolutely no body of law pertaining to how the unfairness prong of UDAAP applies to non-credit products. Although the CFPA became law in 2011, I’m not aware of a single instance in which the CFPB has used its UDAAP authority to proceed against a person based on non-credit discrimination. Furthermore, I’m not aware of the FTC using its UDAP authority under Section 5 of the FTC Act (which was enacted more than 100 years ago) to ferret out discrimination dealing with either credit or non-credit products.
Given the complexity of the questions the CFPB’s expansion of UDAAP raises, it seems obvious that this type of a drastic change should be done through a rulemaking and not through an amendment to an examination manual.
California Department of Financial Protection and Innovation Files Cross-Complaint With OppFi
In response to the complaint filed by Opportunity Financial, LLC (OppFi) seeking to block the California Department of Financial Protection and Innovation (DFPI) from applying California usury law to loans made through OppFi’s partnership with FinWise Bank (Bank), the DFPI has filed a cross-complaint seeking to enjoin OppFi from collecting on the loans and to have the loans declared void.
In 2019, California enacted AB 539 which, effective January 1, 2020, limited the interest rate that can be charged on loans less than $10,000 but more than $2,500 by lenders licensed under the California Financing Law (CFL) to 36% plus the federal funds rate. OppFi’s complaint recites that prior to 2019, the Bank entered into a contractual arrangement with OppFi (Program) pursuant to which the Bank uses OppFi’s technology platform to make small-dollar loans to consumers throughout the United States (Program Loans). It alleges that in February 2022, the DFPI informed OppFi “that its Program-related activities were subject to the CFL and violated AB 539 because, according to the Commissioner [of the DFPI], OppFi is the ‘true lender’ on Program Loans, and the interest rate on those loans exceeds the interest rate cap in AB 539.” OppFi was also informed that the interest rate on Program Loans in amounts less than $2500 violated the CFL rate limit on such loans.
OppFi’s complaint alleges that because the Bank and not OppFi is making the Program Loans and the Bank is a state-chartered FDIC-insured bank located in Utah, the Bank is authorized by Section 27(a) of the Federal Deposit Insurance Act to charge interest on its loans, including loans to California residents, at a rate allowed by Utah law regardless of any California law imposing a lower interest rate limit. The complaint seeks a declaration that the CFL interest rate caps do not apply to Program Loans and an injunction prohibiting the DFPI from enforcing the CFL rate caps against OppFi based on its participation in the Program.
In its cross-complaint, the DFPI alleges that “OppFi is the true lender of [the Program Loans]” based on the “substance of the transaction” and the “totality of the circumstance’s,” with the primary factor being “which entity—bank or non-bank—has the predominant economic interest in the transaction.” The DFPI alleges that OppFi holds the predominant economic interest in the Program Loans because:
- OppFi purchases between 95 to 98 percent of the receivable for each loan;
- On average, OppFi purchases the receivables from the Bank within three days after the Bank funds the loan and before any initial loan payments are made to the Bank;
- OppFi insulates the Bank from “essentially” any credit risk “by creating a guaranteed secondary market” for the Program Loans which OppFi accomplishes by purchasing the loans using its fully-owned subsidiaries created solely to purchase receivables from bank partners such as the Bank;
- OppFi’s Loan Receivables Sale Agreement with the Bank provides that the Bank is only obligated to fund loans if OppFi’s purchasing subsidiary maintains a minimum amount of security, consisting of a cash collateral account, an alternative collateral account, and letters of credit for the Bank’s benefit;
- OppFi pays the Bank a guaranteed monthly “Bank Program Fee” based on a percentage of the principal amount of loans originated by the Bank, “not only further mitigating any actual credit risk for [the Bank] but literally providing the bank partner loan-volume based rent for its charter;” and
- OppFi paid the Bank for startup costs of the partnership and is responsible for paying the Bank’s expenses related to the partnership.
The DFPI’s cross-complaint also alleges that in addition to holding the predominant economic interest, OppFi “performs all of the functions of a traditional lender,” is responsible for all marketing in association with the Program Loan, determines the underwriting criteria for the Program Loans with minimal input from the Bank, and undertakes the servicing obligations of the Program Loans.
The DFPI claims that the Program Loans are subject to the CFL and that OppFi is violating the CFL by making loans in excess of the CFL rate cap. As remedies for the alleged CFL violations, the DFPI seeks (1) an injunction permanently barring OppFi from collecting on Program Loans, (2) a declaration that the Program Loans are void, (3) an order requiring OppFi to make restitution to all borrowers on Program Loans, (4) an order requiring the removal of any negative credit reporting relating to Program Loans, and (5) OppFi’s payment of “penalties of $2,500 for each and every violation of the CFL, in an amount of at least $100 million.”
Although OppFi holds a CFL license, the cross-complaint also alleges that OppFi’s conduct is nevertheless subject to the California Consumer Financial Protection Law (CCFPL). The CCFPL provides that it does not apply to a CFL licensee “to the extent that person or employee is acting under the authority” of a CFL license. According to the DFPI, “OppFi has affirmatively disclaimed that it is conducting any of its activities under its CFL license [and] [t]therefore, to the extent OppFi is not offering [the Program Loans] under the authority of its CFL license, OppFi’s conduct is subject to the CCFPL.”
The cross-complaint alleges that OppFi has violated the CCFPL by conduct that includes offering and collecting on Program Loans at rates that exceed the rate permitted under the CFL. The relief that the DFPI seeks for OppFi’s alleged CCFPL violations includes (1) disgorgement of payments and interest and other charges received by OppFi from California borrowers on Program Loans, and (2) an injunction permanently barring OppFi from (a) “making use of automated payments and remotely created checks that rely on consumer banking data, payment systems and networks and online banking systems to receive payments on unlawful [Program Loans], and (b) “promoting and recommending unlawful [Program Loans] as a way to ‘build credit history’ and purporting to provide services to assist a consumer with debt management or debt settlement by recommending its [Program Loans] as a means of consolidating debt.”
At the end of last year, we completed a months-long project in updating and expanding a 2017 White Paper addressing bank-model lending—programs involving partnerships between banks (or savings associations) and fintech or other nonbank companies in the interstate delivery of loans. The new White Paper, which runs 49 pages single-spaced, is designed to serve as a comprehensive survey of laws, cases and regulatory attitudes addressing bank-model lending. For more information, please contact Mindy Harris at firstname.lastname@example.org.
- Michael R. Guerrero & Mindy Harris
CFPB Files Lawsuit Against TransUnion and Former Executive Alleging Violations of 2017 Consent Order
The CFPB has filed a new lawsuit against TransUnion, two of its subsidiaries (TransUnion Interactive, Inc. (TUI) and TransUnion, LLC (TULLC)), and a former TUI executive alleging that the defendants violated the CFPB’s 2017 consent order with the corporate defendants.
The consent order settled the CFPB’s claims that TransUnion had engaged in deceptive marketing of credit-related products. The inclusion of a former TUI executive as a defendant, which has been rare in the CFPB’s lawsuits to date involving large corporate actors, appears intended to demonstrate that Director Chopra’s recent statement regarding the his intent to impose liability on officers and directors of repeat offenders was not an idle threat. In the CFPB’s press release about the lawsuit, Director Chopra stated: “TransUnion is an out-of-control repeat offender that believes it is above the law. I am concerned that TransUnion’s leadership is either unwilling or incapable of operating its businesses lawfully.”
TransUnion’s subsidiary, TUI, generates, markets, and sells consumer-facing credit-related products that include credit scores, credit reports, and credit monitoring. One such product cited in the CFPB’s complaint is “TU Credit Monitoring,” a bundled monthly subscription that includes access to a credit score, credit report, credit monitoring, and the ability for a consumer to lock and unlock their TransUnion and Equifax credit reports. A consumer who enrolls in TU Credit Monitoring is charged a monthly enrollment fee until the consumer affirmatively cancels the subscription. TULLC is the arm of TransUnion that generates, markets, and sells consumer reports to commercial users. The individual defendant served as TUI’s President from 2004 to 2021 and as TUI’s Executive Vice President thereafter.
According to the CFPB’s complaint, in October 2018, in connection with an examination of TransUnion, CFPB examiners requested information about the corporate defendants’ compliance with the 2017 consent order. In addition to requiring payment of $13.9 million in restitution and $3 million in civil penalties, the consent order required the corporate defendants to take various actions including obtaining consumers’ “express informed consent” before enrolling them in credit-related products with a negative option feature (i.e., a transaction in which the seller markets an offer for a trial period and then enrolls the customer in a longer subscription in the absence of affirmative action rejecting or cancelling the agreement); simplifying the cancellation process; and providing certain disclosures in connection with selling credit scores.
In May 2019, CFPB examiners informed the corporate defendants that they were violating several requirements of the consent order. In June 2020, and again in June 2021, the CFPB’s Office of Enforcement informed the corporate defendants that they continued to violate the consent order’s requirements as identified in the 2018 examination and were violating additional requirements and federal consumer financial laws. In June 2021, the Office of Enforcement also informed the individual defendant that he was violating the consent order.
In its complaint, the CFPB alleges that the corporate defendants violated the consent order in various ways, including by (1) giving consumers the misleading impression that their payment information was requested for purposes other than payment, (2) offering negative option enrollments without using a checkbox to affirmatively enroll in such products as required by the consent order, and (3) failing to provide an appropriate method for consumers to cancel their enrollment. Following its pattern of using heated rhetoric in its media statements and more neutral language in its complaints, the CFPB alleged in its press release that TransUnion “used an array of dark patterns to trick people” and “cheated customers.”
With regard to the individual defendant, the CFPB alleges that he knew of the consent order, knew of or recklessly disregarded TUI’s violations of the order, and failed to ensure the corporate defendants’ compliance with the order despite his personal legal obligations under the consent order. The CFPB also alleges that, along with others, he “determined that complying with the Order would reduce TUI’s revenue and created a plan to delay or avoid implementation of the requirements … of the Order [regarding use of a checkbox],” and violated the order through his omissions or failure to act.
In Counts I and II of the complaint, the CFPB asserts claims against all defendants under the CFPA based on their alleged violations of the consent order, which, as “an order prescribed by the Bureau, ”is included in the CFPA’s definition of “Federal consumer financial law” subject to enforcement under the CFPA. The complaint also includes claims that (1) the corporate defendants engaged in deceptive acts and practices in violation of the CFPA separately from the alleged consent order violations, (2) TransUnion violated the CFPA by substantially assisting TULLC’s and TUI’s CFPA violations, and (3) TULLC violated the CFPA by substantially assisting TUI’s CFPA violations. Further, the complaint includes claims that the corporate defendants violated (1) the EFTA and Regulation E by failing to comply with the requirements for preauthorized electronic fund transfers, (2) Regulation V (which implements the Fair Credit Reporting Act) by using advertisements that interfered with or undermined consumers’ rights to obtain a free credit report annually, and (3) the CFPA by way of the alleged EFTA/Reg E/Reg V violations.
Although Director Chopra has spoken about the need for agencies to consider imposing non-monetary “bright-line structural remedies” on large firms that are repeat offenders, the CFPB’s demand for relief in the complaint does not expressly seek such remedies. The complaint does, however, seek unspecified injunctive relief.
In response to the lawsuit, TransUnion issued a statement in which it called the CFPB’s claims against TransUnion and the former TUI executive “meritless.” TransUnion stated that shortly after entering into the 2017 consent order with the CFPB, it submitted to the CFPB for approval a plan detailing how it would comply with the order. According to TransUnion, “[t]he CFPB ignored the compliance plan, despite being obligated to respond and trigger deadlines for implementation. In the absence of any sort of guidance from the CFPB, TransUnion took affirmative actions to implement the consent order.” TransUnion stated further:
We have been in compliance with our obligations and we remain in compliance with the consent order today. Rather than providing any supervisory guidance on this matter and advising TransUnion of its concerns – like a responsible regulator would – the CFPB stayed silent and saved their claims for inclusion in a lawsuit, including naming a former executive in the complaint. Despite TransUnion’s months-long, good faith efforts to resolve this matter, CFPB’s current leadership refused to meet with us and were determined to litigate and seek headlines through press releases and tweets. The CFPB’s unrealistic and unworkable demands have left us with no alternative but to defend ourselves fully.
Podcast: Understanding the Legislative and Regulatory Priorities of Consumer Advocates - A Conversation With Special Guest Lauren Saunders, Associate Director, National Consumer Law Center
We first look at NCLC’s legislative priorities, which include a 36% national interest rate cap and credit reporting reform, and the prospects for Congressional action. Ms. Saunders then provides NCLC’s perspective on areas of potential CFPB regulatory action including overdraft and other fees labeled “junk fees” by the CFPB, earned wage access programs, buy-now-pay later products, income share agreements, the use of artificial intelligence in underwriting and collections, fraud in peer-to-peer payment services, the use of unfairness to challenge non-credit discrimination, and mandatory arbitration.
Alan Kaplinsky, Ballard Spahr Senior Counsel, hosts the conversation.
Click here to listen to the podcast.
Podcast: A Look at New Privacy Litigation Targeting the Sharing of Consumer Personal Data
We discuss the growing trends in privacy litigation, particularly litigation targeting company practices regarding the sharing and sale of consumer personal data, plaintiffs’ liability theories, including the right of publicity, and best practices for companies to consider in order to reduce the risk of privacy claims.
Aliza Karetnick, a Ballard Spahr partner and Leader of the firm’s cross-practice Consumer Products and Retail Team, leads the conversation, joined by Phil Yannella, a Ballard partner and Practice Leader of the firm’s Privacy and Data Security Group, and Greg Szewczyk, a Ballard partner and member of the firm’s Privacy and Data Security Group.
Click here to listen to the podcast.
- Alan S. Kaplinsky, Aliza Karetnick, Phil Yannella & Greg Szewczyk
CFPB Issues Annual FDCPA Report; FTC Issues Annual Letter on Debt Collection to CFPB
The CFPB has issued its annual Fair Debt Collection Practices Act report covering the CFPB’s debt collection activities in 2021. The report incorporates information from the FTC’s most recent annual letter to the CFPB describing its 2021 activities in the debt collection market, including information about the FTC’s enforcement actions involving collection practices directed at small businesses.
It is noteworthy that in his blog post about the CFPB report, Director Chopra highlights the FTC’s “multiple actions to combat unlawful collections practices that target small businesses.” He comments that “[i]t is critical that policymakers pay close attention to wrongdoers targeting small businesses and determine whether there should be additional debt collections rights and protections for small businesses and entrepreneurs to protect them.” The CFPB also highlights debt collection involving small businesses in a section of the report titled “Small Business Debt Collection.” In that section, the CFPB comments that the data it reviewed suggests “a level of resources and expertise for most small businesses on par with consumer borrowers rather than what may be the general perception of commercial enterprises with readily available financial resources and expertise.” According to the CFPB, “[t]he result is the potential for exploitation comparative to what is encountered by consumers, without any of the protections granted to consumers by the FDCPA.” The CFPB indicates that it “monitors legal actions of the [FTC] and state agencies regarding abusive practice of some financial institutions towards small businesses.”
CFPB report. In addition to a description of the FDCPA-related findings from the Bureau’s Summer 2021 and Fall 2021 Supervisory Highlights, the report includes the following information:
- According to the report’s section on complaints, the CFPB received approximately 121,700 debt collection complaints in 2021 (which was 39,000 more than in 2020). As in all prior years since the Bureau began accepting debt collection complaints in 2013, the most common complaint in 2021 was about attempts to collect a debt that the consumer claimed was not owed. The second and third most common complaint issues were, respectively, written notifications about the debt, and taking or threatening a negative or legal action.
- In 2021, the CFPB announced one new FDCPA enforcement action. It resolved two pending lawsuits with FDCPA claims and filed an action to recover a fraudulent transfer to enforce a prior judgment based on FDCPA violations. These actions resulted in judgments for $2,260,000 in consumer redress, which were suspended due to defendants’ demonstrated inability to pay, $882,200 in civil monetary penalties, and permanent bans from the collections industry. As of the end of 2021, the CFPB had three FDCPA enforcement actions pending in federal district court. It is also conducting a number of non-public investigations of companies to determine whether they engaged in collection practices that violate the FDCPA or the CFPA.
- In a section of the report that discusses CFPB research projects, the CFPB indicates that in 2021, CFPB economists published an independent research paper that analyzes the effect of changes in state debt collection laws. Based on recent laws and regulations in four states that instituted debt collection conduct restrictions, they are reported to have found that “such restrictions reduce access to credit card accounts and raise interest rates, but that this effect is very small.”
- The CFPB concludes the report with the statement that in 2022, it “will continue its work to uphold the [FDCPA] through all the tools at its disposal. These include supervision and enforcement, regulatory and legal action, research and market monitoring activities, and consumer education.”
FTC annual update. The enforcement activities highlighted by the FTC in its annual letter (and described in the CFPB report) include the following:
- The FTC settled three lawsuits initiated as part of its “Operation Corrupt Collector” nationwide initiative addressing “phantom debt collection” and abusive and threatening debt collection practices. Phantom debt collection (also known as fake debt collection) covers a range of practices, including attempts to collect on obligations that consumers never took out or received, as well as efforts to recover loans without authorization from the creditor. In all of the settlements, the defendants were permanently banned from the debt collection industry.
- The FTC filed an amended complaint in a lawsuit filed against two companies engaged in small business financing along with several of their officers and owners. The FTC’s amended complaint alleges that the defendants deceived small businesses by misrepresenting the terms of merchant cash advances, made unauthorized withdrawals from small businesses’ bank accounts, violated the Gramm-Leach-Bliley Act by making false statements to induce consumers to provide bank account information, and used unfair collection practices, including confessions of judgment that the defendants used unfairly to seize personal and business assets in circumstances not expected by customers and not permitted by the financing contracts.
- The FTC, joined by the Commonwealth of Pennsylvania, filed an amended complaint in a lawsuit filed against the operators of a telemarketing scheme and a debt collection operation. The FTC’s amended complaint alleges that the telemarketers billed small businesses for books and newsletter subscriptions they never ordered and sent unpaid bills to the debt collection firm that illegally threatened the businesses if they failed to pay for the unordered items.
Both the CFPB report and FTC letter discuss the FTC’s efforts to advance legislation that would amend Section 13(b) of the FTC Act to expressly give the FTC authority to seek, and a court to award, equitable monetary relief such as restitution or disgorgement. In 2021, in AMG Capital Management, the U.S. Supreme Court ruled that Section 13(b) does not provide such authority to the FTC.
- John L. Culhane, Jr. & Michael Gordon
In Theresa Tailford, et al. v. Experian Information Solutions, the U.S. Court of Appeals for the Ninth Circuit recently affirmed a district court decision which held that Experian Information Solutions, Inc. did not violate the Fair Credit Reporting Act because none of the information the plaintiffs alleged Experian should have disclosed was subject to disclosure by a consumer reporting agency (CRA) under the FCRA.
In their underlying putative class action, plaintiffs argued that under 15 U.S.C. § 1681g(a)(1), (3), and (5), Experian was required to disclose, in addition to its traditional credit information (credit accounts, creditors, debts, and credit inquiries), other types of information stored by Experian for various purposes, including (i) behavioral data from its “ConsumerView” marketing database; (ii) “soft” credit inquiries from third parties and affiliates; (iii) the identity of all parties who procured consumer reports from Experian; and (iv) the date on which employment data was reported to Experian.
Section 1681g(1) provides that, upon a consumer’s request, a CRA must provide “[a]ll information in the consumer’s file at the time of the request [subject to exceptions not relevant to the appeal].” The plaintiffs argued that under § 1681g(1), “[a]ll information in the consumer’s file” should be interpreted to mean that CRAs must furnish even information for internal and marketing use. Experian filed a motion to dismiss for failure to state a claim, and the district court held that Experian had no obligation to include the information alleged to be missing by plaintiffs in its § 1681g disclosures. The district court dismissed the plaintiffs’ lawsuit with prejudice.
On appeal, the Ninth Circuit agreed with Experian and the district court, holding that none of the information alleged to be missing from Experian’s disclosures was required to be disclosed under § 1681g. The panel, first looking to § 1681g(a)(1), focused on what constitutes “all information in the consumer’s file,” and determined that such information did not constitute all information that “might be furnished” as argued by the plaintiffs. While agreeing with the plaintiffs that a consumer’s “file” was not limited to information that was previously contained in a consumer report, the Ninth Circuit determined that it only included “information similar to that shown to have been included by the CRA in a consumer report in the past or planned to be included in the future.” The Ninth Circuit found that none of the information that the plaintiffs alleged Experian should have disclosed was of this type.
Additionally, the Ninth Circuit rejected the plaintiffs’ argument that Experian should have disclosed certain of the “soft inquiries” under § 1681g(a)(3), which requires disclosure of each person who has procured a consumer report. The Ninth Circuit indicated that actual procurement of a consumer report by an identified party is necessary to trigger disclosure under § 1681g(a)(3) and the plaintiffs had failed to allege that the parties making “soft inquiries” were actually sent anything by Experian or that what was sent was a consumer report.
The Ninth Circuit also rejected the plaintiffs’ argument that because two of the “soft inquiries” were promotional inquiries, they should have disclosed under § 1681g (a)(5). § 1681g(a)(5) requires the disclosure of inquiries received by a CRA during the 1-year period preceding the consumer’s request “that identified the consumer in connection with a credit or insurance transaction that was not initiated by the consumer. The Ninth Circuit indicated that the provision’s reference to a “transaction” meant that it only applies to inquiries leading to a firm offer of credit and the plaintiffs had failed to allege that the two inquiries led to an offer.
Accordingly, the Ninth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims with prejudice. While the Ninth Circuit was unwilling to accept the plaintiffs’ broad reading of what must be disclosed under § 1681g, the decision should serve as a reminder to CRAs to review their policies and procedures for responding to consumer requests under § 1681g to confirm they are disclosing all required information.
A federal district court judge in the Southern District of New York ruled that three credit unions had successfully established a likelihood of success on their claims that the retroactive application of New York’s recently-passed rate reduction law constitutes a regulatory taking in violation of the U.S. Constitution and preliminarily enjoined state sheriffs’ offices from enforcing the law.
The credit unions had filed a federal class action lawsuit seeking to enjoin the enforcement or implementation of the rate reduction law which lowered the statutory annual interest rate on consumer debt judgments in New York from 9% to 2%, and was set to take effect April 30, 2022. Three of the New York county sheriffs’ offices –the named defendants in the lawsuit – initially opposed the preliminary injunction but reversed their position during a hearing on the motion, noting that they too would benefit (from potential indemnification) should the court issue an injunction and clearly define their obligations under the new law. In response to concerns of the three sheriffs’ offices about uneven application, the court also ordered a copy of the issued preliminary injunction to be served on the sheriffs’ offices of the remaining fifty-nine counties in New York not named directly in the lawsuit.
The only other named defendant – the chief administrative judge for New York state courts whose office is ostensibly tasked with creating the policies and procedures necessary to implement the rate reduction law – will not be enjoined under the court’s order. According to the court, the credit unions had failed to show the chief administrative judge had either the authority or “willingness to exercise [his] duty” to enforce the rate reduction law, and therefore failed to demonstrate a likelihood of success as to that state official.
In determining that the preliminary injunction should be granted as to the sheriffs, the court relied on the credit unions’ arguments that retroactive application of the law would violate their property interests by eradicating millions of dollars currently owed by judgment debtors; a regulatory taking the court deemed “so onerous that its effect is tantamount to a direct appropriation . . . .” The credit unions also raised concerns about due process violations arising from the law’s silence on how to perform mandated rate recalculations, particularly where some payments have been made. According to the credit unions, the law’s silence on this issue creates significant compliance uncertainty.
The injunction will remain in place while the litigation proceeds unless the court (or an appellate court) decides it is no longer necessary.
Subscribe to Ballard Spahr Mailing Lists
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.