In This Issue:
- Initial Thoughts About the Proposed CPRA Regulations
- CPFB States That It Did Not Scrap No-Action Letter and Compliance Assistance Sandbox Programs With Its Overhaul of Its Office of Innovation and Operation Catalyst
- This Week’s Podcast: CFPB Director Rohit Chopra - Do His Words Speak Louder Than His Actions?
- FinCen Seeks Public Comments on No-Action Letters
- FTC Provides Annual Report to CFPB on 2021 Activities Regarding Financial Acts
- Trade Groups Say “No Thanks” To Notion That FDIC Should Consult CFPB Before Approving Bank Mergers
- Did You Know?
For the latest updates on the COVID-19 pandemic visit the Ballard Spahr COVID-19 Resource Center
Initial Thoughts About the Proposed CPRA Regulations
In a surprising development, the California Privacy Protection Agency (CPPA) recently published proposed amendments to the CCPA regulations. The proposed amendments initially were made public in a package of materials to be considered by the CPPA at its June 8 meeting. The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA.
The proposed regulations are broken into nine substantive areas: General Provisions, Required Disclosures to Consumers, Business Practices for Handling Consumer Requests, Service Providers, Contractors and Third Parties, Verification of Requests, Special Rules Regarding Consumers under 16 years of age, Non-discrimination, Training and Record Keeping, Investigations and Enforcement. Notably absent are regulations relating to automated profiling, cybersecurity audits, and privacy risk assessments—all areas where guidance was largely expected.
In general, the draft regulations are dense and highly technical, nearly doubling in length the current CCPA regulations. And, the regulations actually may grow if subsequent drafts incorporate new sections that are not in the first draft. In any event, if implemented in their proposed form, the CPRA regulations will require a substantial expansion of privacy compliance operations for many businesses subject to the law. The details, potential compliance problems, technical requirements, and unanswered questions are far too numerous to address in a single post. Over the next few weeks, we intend to analyze the proposed regulations in more detail, focusing on specific subject matter areas.
At this stage, here our initial take-aways.
The Proposed Regulations Are Highly Pro-Consumer
Even for a privacy law as expansive as the CPRA, the proposed regulations are strikingly pro-consumer, capturing an array of concerns and proposals that privacy advocates have been articulating for several years. The proposed regulations, for example, have detailed data minimization requirements that not only require businesses to collect, use, retain, and share personal data in a manner consistent with the expectations of the average consumer, but would require businesses to obtain new consumer consent if they process personal data in a manner that isn’t consistent with these consumer expectations. This form of the consumer right is not explicitly provided by the CPRA, and it could create significant operational costs for businesses.
New Consumer Rights Will Require Big Compliance Changes
Not surprisingly, some of the most significant proposed regulations focus on the technical details surrounding the new rights the CPRA extends to consumers; specifically, the rights to opt out of the sharing of personal information, to limit the processing of sensitive personal information, and the right of correction. The regulations contains many pages of details explaining businesses’ options for enabling consumers to exercise these rights that are likely to trigger compliance headaches.
The new right of correction, for example, will require many U.S. based companies to build new intake and processing mechanisms. Whether a business must honor a correction request, the records that it may need to provide consumers to justify a decision not to honor a correction request, and the documentation to support a business decisions not to correct, may require an adjudication process not dissimilar to FCRA correction mechanisms. For companies that rely on personal data provided by third parties – as opposed to its own records – the correction process is even more complex.
In one of the few pro-business amendments, the proposed regulations do introduce a “disproportionate effort” defense for companies facing overly burdensome consumer request. But in keeping with the general pro-consumer tilt of the CPRA, the standard for using this defense to a consumer request is high and requires companies demonstrate that the cost of compliance “significantly outweighs” the benefit to the consumer of honoring a request. Business that fail to establish adequate procedures for honoring consumer requests cannot claim a disproportionate effort.
Regarding the new opt-out rights, the regulations contemplate that businesses can enable these rights via “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or via a “My Privacy Rights” link that combines these different opt-out rights or by recognizing browser opt-out signals. The details in this section of the regulations are very granular, however, and businesses will need to spend significant time considering the practical and legal costs and benefits to the differing mechanisms. Notably, the proposed regulations explicitly reject the use of cookie banners as a mechanism for enabling opt-outs for the sale or sharing of personal information on the grounds that the opt-out only addresses collection of personal data, not sale or sharing.
One thorny operation issue involves the processing of browser opt-out signals that conflict with specific privacy settings chosen by consumers, for example with loyalty programs where consumers consent to providing certain personal information. In many cases, these conflicts must be resolved in favor of maximizing opt-out rights unless the business obtains additional consumer consent. For many businesses, managing such conflicts may alter the calculus of choosing a particular manner of enabling opt-out rights. The operational complexity of enabling opt-out rights may trigger deeper consideration about what ad tech models businesses may want to utilize once the CPRA becomes effective.
First Party Obligations Are Now Third Party Obligations
One of the more notable ways in which the CPRA broadens consumer privacy rights is through the expansion of obligations on third parties. Whereas the CCPA required that businesses push certain privacy obligations onto service providers through required contractual language, the CPRA goes even further by introducing “contractors” as a new category of service provider and expanding the provisions that must be included in a contract with a service provider or contractor to avoid vicarious liability. The proposed set of regulations does allow a service provider or contractor to use personal data of consumers to improve its own applications.
The proposed regulations also modify the safe harbor afforded to businesses that meet the contractual requirements for service provider and contractor agreements by noting that businesses that don’t conduct any due diligence or auditing of their service providers or contractors may not be able to argue that they were unaware of a contractual violation.
The proposed regulations also impose new obligations on third parties in a number of different ways. Third parties that collect personal data on first party platforms are required under the proposed regulations to provide a notice at collection to these consumers, which is a wholly new obligation. Businesses must also forward opt out requests, as well as consumer deletion requests to third parties processing that consumer’s personal data. Third parties, in turn, must honor opt-out requests unless they become a service provider or contractor and honor deletion requests. Third parties that recognize browser opt-out signals on first party sites must also honor the opt-outs. In addition, the proposed regulations impose new contractual requirements for third parties subject to the CPRA.
The combined effect of these expanded obligations on service providers, contractors and third parties is to broadly share compliance obligations across the entire ecosystem in which a consumer’s data flows. Businesses thus must analyze their own obligations as first parties as well as obligations they may face as third parties receiving consumer data through sharing arrangements. Among other things, these expanded obligations will require improved data tracking and communication with third parties.
Use of Third Parties Tools May Be Unavoidable for Some Companies
There are numerous provisions in the proposed regulations that incentivize or make easier the use of third party tools. For example, the regulations remove a requirement that authorized agents be registered in the state of California, opening the door for more third party services to serve as agents to help Californians exercise their consumer rights. This change, coupled with the expansion of consumer rights under the CPRA – as well as four other state privacy laws – makes it quite likely that businesses will experience a significant surge in consumer requests once the CPRA becomes effective.
The proposed regulations, as noted, permit businesses to enable consumer opt out rights by recognizing browser opt out controls. In fact, the proposed regulations incentivize businesses to recognize these signals by allowing businesses who do so in a “frictionless” manner (a new defined term) to avoid the need to provide Do Not Sell or Share and similar links on the website. The new requirements imposed on third parties require enhanced data tracking, documentation, and communication with first parties. For many business, it may not be possible to meet these enhanced technical requirements without the use of third party privacy compliance tools.
CPRA Regulations May Complicate Plans for a Singular Approach to Privacy Compliance
Even before the release of the proposed regulations, California was arguably the most pro-consumer privacy law in the U.S. The proposed regulations, as noted, move the law in a decidedly more pro-consumer way. Other states laws, particularly Utah and Virginia, are decidedly more business friendly and will not be subject to the same kind of detailed rule-making as California. It is therefore a distinct possibility that when the CPRA regulations are finalized, they will impose significantly more onerous requirements than other states.
The complexity of the proposed CPRA regulations may cause companies to think twice about plans to adopt a singular “most restrictive law” approach to complying with the five new U.S. state privacy laws that become effective in 2023. For example, does it make sense for a business to build opt out mechanisms for California that will not be required for other states and may reduce ad-based revenue?
Much will depend on what shape the final CPRA regulations take and how closely other states hew to the CPRA model. Colorado also is going through a rule-making process for the Colorado Privacy Act (CPA) and if the state lands somewhere close to California in its rule making, the calculus may again shift toward a singular model for businesses that are subject to multiple state privacy laws. If other states pass Utah-style privacy laws in 2022 or 2023, businesses may begin to balkanize their privacy compliance programs. The potential for this schism may push Congress to pass a federal privacy law.
Needless to say, there is more to come. As businesses fully digest the proposed CPRA regulations, we are likely to see a significant push by the business community for relaxation of the proposed regulations. We will provide more analysis about particular proposed regulations in the near future.
- Philip N. Yannella & Gregory P. Szewczyk
CPFB States That It Did Not Scrap No-Action Letter and Compliance Assistance Sandbox Programs With Its Overhaul of Its Office of Innovation and Operation Catalyst
On May 25, 2022, my colleagues, Mike Gordon, John Culhane and Ron Vaske published a blog which reported on a press release issued by the CFPB on the prior day entitled “CFPB Launches New Effort to Promote Competition and Innovation in Consumer Finance.” The blog stated:
In its press release, the CFPB states that “[a]fter a review of these programs [the No Action Letter (NAL) and Compliance Assistance Sandbox (CAS) programs], the agency concludes that the initiatives proved to be ineffective and that some firms participating in these programs made public statements indicating that the Bureau had conferred benefits upon them that the Bureau expressly did not.”
In lieu of a company filing an application for an NAL or participation in a CAS, both of which apply to an individual company’s specific product offering, the press release encouraged companies, including start-ups, to file rulemaking petitions to ask for greater clarity in particular rules. The Bureau states that any action taken in response to a rulemaking petition “will apply to all companies in the market.”
The CFPB press release also announced that it “is opening a new office, the Office of Competition and Innovation, as part of a new approach to help spur innovation in financial services by promoting competition and identifying stumbling blocks for new market entrants. The new office will replace the Office of Innovation that focused on an application-based process to confer special regulatory treatment on individual companies.”
Since the CFPB, in its press release, called the NAL and CAS programs ineffective, indicated companies were mischaracterizing the benefits conferred by such programs, and encouraged companies to file rulemaking petitions going forward, the clear implication was that these programs were being eliminated.
Not so, according to Raul E. Cisneros of the CFPB’s press office. This is what Mr. Cisneros told me by email on June 3 which he said could be attributed to the Bureau:
At this time, the CFPB has not rescinded the not[sic]-action letter or sandbox programs, and is still taking new applications and processing previously submitted applications. However, this is not the primary focus of the Office of Competition and Innovation.
Hmm. Calling programs ineffective that an agency plans to continue strikes us as an odd way of doing business. While the CFPB may continue to process new applications, we expect its disparagement of the programs will lead most companies to reassess whether filing an application is worth the investment of time, effort, and cost required to do so.
This Week’s Podcast: CFPB Director Rohit Chopra - Do His Words Speak Louder Than His Actions?
We first share our perspective on Director Rohit Chopra’s approach to his leadership role and use of the CFPB’s authority, his priorities, and political dynamics impacting the CFPB. We then discuss the CFPB’s activity during Director Chopra’s initial months in office, including its request for information on “junk fees” and criticism of overdraft and credit card late fee practices, requests to large tech firms regarding payment services, fintech focus (and use of risk-based supervision), use of UDAAP to address market competition, orders seeking information from buy-now-pay-later companies, changes to UDAAP exam procedures to target non-credit discrimination, encouragement of state AGs, exams of institutional student lending, and injunctive relief focus.
Alan Kaplinsky, Ballard Spahr Senior Counsel, hosts the conversation, joined by Michael Gordon and Tom Burke, partners in the firm’s Consumer Financial Services Group, and Michelle Hogan, an associate in the firm’s Litigation Group.
Click here to listen to the episode,
- Alan S. Kaplinsky, Mike Gordon, Thomas Burke
FinCen Seeks Public Comments on No-Action Letters
On June 3, 2022, the Financial Crimes Enforcement Network (FinCEN) issued an Advance Notice of Proposed Rulemaking (ANPRM) that seeks public comment on the implementation of a “no-action letter” process at FinCEN. The “no-action letter” is “a form of an exercise of enforcement discretion wherein an agency issues a letter indicating its intention not to take enforcement action against the submitting party for the specific conduct presented to the agency.” These no-action letters “address only prospective activity not yet undertaken by the submitting party.”
This proposal has been slowly winding its way through the agency rulemaking process. The Anti-Money Laundering Act of 2020 (AMLA) directed FinCEN to assess the feasibility of no-action letters. In July 2021, FinCEN issued an assessment (the Assessment) of a no-action letter process (which we covered here), finding in part that FinCEN should conduct a rulemaking to create such a process. Now nearly a year later, FinCEN is seeking public comment on myriad questions involving the specific of no-action letters. The public comment period closes August 5, 2022.
As we discuss, the ANPRM grapples with how to make the no-action letter process efficient, by avoiding the potential delays of consulting with its regulator counterparts, and effective, by establishing an advisory process that does not yield inconsistent results between regulators.
FinCEN’s Regulatory Toolkit
Currently, FinCEN has two tools to provide regulatory guidance: it may either issue administrative rulings that apply FinCEN’s interpretation of the Bank Secrecy Act (BSA) to specific facts before it, or it may provide exceptive/exemptive relief by granting exceptions or exemptions from the BSA’s requirements in specific circumstances. The no-action letter would be a third tool in FinCEN’s toolkit. In general, it would permit a submitting party to seek prospective guidance from FinCEN indicating whether FinCEN would pursue or recommend enforcement action for the specific conduct identified by the submitting party.
FinCEN identified several primary benefits of no-action letters, which include “promoting robust and productive dialogue with the public, spurring innovation among financial institutions, and enhancing the culture of compliance and transparency in the application and enforcement of the BSA.” Industry may benefit, too. No-action letters could provide a mechanism by which financial institutions avoid unnecessary and costly measures, such as de-risking correspondent banking relationships, upon receiving guidance through a no-action letter. Emphasis on the word “could”—as summarized below, the ANPRM raises numerous questions on how to fashion an effective and efficient no-action letter system.
The Questions for Comment
The ANPRM lists 48 questions for public comment. In addition to general questions regarding the findings contained in the Assessment, the ANPRM seeks comments on several categories of questions, including: the contours and format of the no-action letter process; FinCEN’s jurisdiction; changed circumstances, revocation, denial, and withdrawal of no-action letters; confidentiality; and consultation. We highlight nine of those questions below:
- While FinCEN has no legal authority to prevent another agency, including a Federal functional regulator or the Department of Justice, from taking an enforcement action under the laws or regulations that it administers, are there additional points FinCEN should consider in assessing the viability of a cross-regulator no-action letter process? What is the value of establishing a FinCEN no-action letter process if other regulators with jurisdiction over the same entity do not issue a similar no-action letter?
- Should FinCEN establish via regulation any limitations on which factual circumstances would be appropriate for a no-action letter? If yes, what should those limitations be?
- How should the no-action letter process apply to agents, third parties, domestic affiliates, and foreign affiliates that may be conducting [AML] or BSA functions on behalf of a financial institution either inside or outside the United States?
- Should a change in the overall business organization, such as when two entities merge or one entity acquires another, cause a no-action letter to lose its effect? If so, under what circumstances? If not, how would such a no-action letter continue to apply
- Should FinCEN publicize standards governing the revocation of no-action letters, or should revocation be determined on a case-by-case basis?
- Should FinCEN maintain the confidentiality of no-action letters for a period of time, or indefinitely, after granting them? Under what circumstances should FinCEN maintain confidentiality?
- Should no-action letters be used as published precedents? If so, under what circumstances and conditions should they be precedential? Should no-action letters be applicable beyond the requesting institutions, and under what circumstances and conditions?
- How can FinCEN best balance the need to consult other regulators or law enforcement with the desires of submitting parties for confidentiality and expediency?
- What topics, issues, transaction types, customer types, geographies, products, services, or other matters would be expected to be the subject of no-action letter requests to FinCEN?
While the ANPRM identifies concrete, specific questions about facets of the no-action letter process, it does not set forth with detail what FinCEN itself expects the process to look like. Will it resemble the no-action letter process already in place at the Securities and Exchange Commission? Has FinCEN developed its own preliminary expectations of the roles other agencies will play in its no-action letter process? We do not know, as the ANPRM does not provide any regulatory language to analyze.
At least two major themes emerge from the array of questions posed by FinCEN. First, FinCEN may be seeking to create a process that values efficiency. For example, questions of “who” no-action letters should apply to – not just the requesting party, but also its agents, third parties, partners, and the parent/subsidiary corporations – suggest a process by which a party could receive a single letter that could be relied upon by all relevant parties. Questions about other regulators’ involvement also appear efficiency-related. Because FinCEN is only one point in a cat’s cradle of federal and state regulators, a no-action letter from FinCEN does not preclude an enforcement action taken by another agency. The ANPRM continues to grapple with how to make the no-action letter process efficient, by avoiding the potential delays of consulting with its regulator counterparts, and effective, by establishing an advisory process that does not yield inconsistent results between regulators.
Second, the ANPRM’s questions identify unique confidentiality issues arising from BSA compliance. One can assume that many submissions will contain some combination of sensitive personal or proprietary information, details regarding Suspicious Activity Reports (SARs), or other information that cannot be disclosed to the public. Should FinCEN decide to publish its no-action letters or make the underlying requests public, it will need to develop a way to withhold sensitive information while still providing meaningful guidance (and precedent) in the no-action letter itself.
If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.
FTC Provides Annual Report to CFPB on 2021 Activities Regarding Financial Acts
The Federal Trade Commission provided its annual report to the Consumer Financial Protection Bureau on its enforcement and related activities in 2021 regarding the Truth in Lending Act (TILA), Consumer Leasing Act (CLA), and Electronic Fund Transfer Act (EFTA) (collectively, the Financial Acts).
Under Dodd-Frank, the FTC retained its authority to enforce these regulations with respect to entities subject to its jurisdiction. The letter notes that, consistent with the Dodd-Frank Act, the FTC continues to coordinate certain enforcement, rulemaking and other activities with the CFPB pursuant to a memorandum of understanding with the Bureau.
With regard to enforcement actions related to the Financial Acts and their implementing regulations, the report highlights the following:
- Automobile Purchasing and Financing: The FTC continues its efforts to combat deceptive automobile dealer practices in two enforcement actions. First, in July 2021, the FTC announced a settlement with Richard Berry, the owner and manager of four auto dealers, in the FTC’s action against Tate’s Auto for misrepresenting and falsifying terms in advertisements. The settlement provides a $450,000 payment to the FTC for consumer redress, and prohibits Berry from misrepresenting the costs and other material facts related to vehicle financing and from violating the TILA and CLA. Second, in October 2021, the FTC issued an administrative opinion and order against Traffic Jam Events for sending consumers deceptive mailers about COVID-19 benefits and potential prize winnings, and for violating the TILA by quoting monthly payments for consumers to purchase vehicles that failed to provide or hid in fine print key financing terms required by law. The order specifically bans the defendants from the auto industry, prohibits misrepresentations regarding financial assistance from the government, and requires compliance with TILA.
- Payday Lending: The report highlights a 2021 settlement against the owners of a payday lending enterprise (Harvest Moon) for overcharging consumers millions of dollars, deceiving them about the terms of their loans and failing to make required loan disclosures. The owners and operators are banned from making loans and extending credit, nearly all debt held by the company will be deemed paid in full, and the companies involved are being liquidated, with the proceeds to be used to provide redress to consumers harmed by the company.
- Restitution and Disgorgement: The report notes the decision in AMG Capital Management, LLC v. FTC in which the U.S. Supreme Court ruled that Section 13(b) does not provide authority for the FTC to seek equitable monetary relief. In view of its loss of an important consumer protection tool with this decision, the FTC has asked Congress to amend the FTC Act to enable the FTC to obtain monetary relief. Moreover, Malini Mithal, Associate Director of the Federal Trade Commission’s Division of Financial Practices, recently stated on our podcast, that the FTC is using several workaround enforcement strategies to avoid the holding in the AMG matter.
- Credit Repair and Debt Relief (Credit): The report discusses the FTC’s settlement with the operators of a student loan debt relief scheme (Student Advocates Team), charged with falsely promising the consumer that the company could lower or eliminate student loan balances, illegally imposing upfront fees for credit repair services, and signing consumers up for high-interest loans to pay the fees without making required loan disclosures in violation of TILA. The order bans the defendants from providing debt relief services and from collecting any further payments from consumers who purchased the services, and requires the defendants to return money to be used to refund consumers.
- Credit: The report highlights refund checks mailed by the FTC to people who lost money in a financing scheme that targeted customers shopping for computers and related electronic devices. The FTC brought successful litigation against BlueHippo Funding, LLC for violations of the TILA and engaging in deceptive practices in violation of the FTC Act, by promising to finance new computers, collecting money from consumers and failing to provide computers. The FTC is using the funds recovered to provide refunds to the consumers involved.
The FTC reported that its TILA and CLA research and policy efforts included the FTC’s Military Task Force, comprised of a cross-section of FTC representatives, and the Military Task Force’s continued focus on various initiatives to assist military consumers. The report further outlines the FTC’s consumer and business education efforts on truth in lending and electronic fund transfer issues, including updates about vehicle purchases and financing and add-on products and services that can cost consumers thousands of extra dollars, as well as information about how debit and prepaid cards differ from other cards, including important considerations about each type.
Regulation E (the EFTA): The report notes that in 2021, the FTC had two ongoing enforcement cases, with one involving violations of the EFTA and Regulation E in the context of “negative option” plans, whereby the FTC continued litigation against defendants engaged in illegal robocalls to deceptively market dissolvable oral film strips as effective smoking cessation, weight-loss, and sexual-performance aids, and enrolled consumers in auto-ship continuity plans without their consent. The other matter, described above, dealt with the settlement with a payday lending company (Harvest Moon).
With respect to EFTA research and policy work, the FTC issued an enforcement policy statement on negative options, warning companies against deploying illegal practices that trick or trap consumers into subscriptions. The FTC also continues to work with the Department of Defense interagency group and the American Bar Association’s Standing Committee on Legal Assistance for Military Personnel (ABA Lamp) on issues related to preauthorized electronic fund transfers in the military lending group, and provided input and trainings for judge advocates general and others in conjunction with the ABA LAMP trainings, on EFTs, FTC cases in this area, and the EFTA requirements.
Trade Groups Say “No Thanks” To Notion That FDIC Should Consult CFPB Before Approving Bank Mergers
The results are in after the closing of a public comment period related to the Federal Deposit Insurance Corp.’s review of its bank merger policies. The request for information (RFI) included questions related to the agency’s current bank merger review process, and how the process could be improved. One issue raised in the RFI is “to what extent should the CFPB be consulted by the FDIC when considering the convenience and needs factor and should that consultation be formalized?”
Critics of big banks wrote in support of the concept that the FDIC consult with the CFPB on merger applications, one group even going so far as to say the CFPB should have the authority to prevent a merger.
Industry trade groups, on the other hand, including the American Bankers Association (ABA), the Independent Community Bankers of America (ICBA), and a conglomerate including the Bank Policy Institute, the Consumer Bankers Association and the Mid-Size Bank Coalition of America (collectively referred to as BPI), wrote in opposition of the idea; all three letters noted that consultation with the CFPB is outside of the Bureau’s established role and authority.
Specifically, the ABA stated that, “the Bank Merger Act already specifies how mergers are to be evaluated, and the specific agency responsibilities are well defined, with appropriate consideration of CRA performance among them. A separate role of the CFPB would therefore be superfluous to existing considerations.” The ABA acknowledged that CRA compliance issues are appropriate considerations in bank merger applications, but that the prudential regulatory agencies are already assigned authority under the Bank Merger Act to evaluate such issues.
The ICBA similarly noted in its letter that the FDIC is capable of evaluating the convenience and needs factor without consulting with the CFPB, and additionally raised the likelihood of delay and complication to smaller bank merger applications.
Similar to the other industry trade groups, the BPI letter noted that the CFPB was not granted by Congress a right to review or comment on bank mergers. The BPI letter contrasted this fact with the explicit grant by Congress to both the DOJ and the acquired bank’s chartering authority of the ability to be consulted or comment on bank merger applications.
Moreover, the BPI Letter raised that the CFPB does not have access to the information to determine whether a transaction serves the convenience and needs factor, and that granting the CFPB any such consultation power could cause the unintended consequence of disallowing a transaction that otherwise could meet the convenience and needs of the community in which the constituent banks operate. For example, the CFPB, upon consultation, could determine that an applicant was compliant with the consumer protection laws that the CFPB was established to enforce, but the proposed transaction may still not meet the convenience and needs of the community, or, alternatively, a transaction could meet the convenience and needs of the community, but the applicant may not be compliant with those laws, and the application may thus be denied.
The Bank Merger Act already calls for a competitive analysis and provides that the applicable regulatory agency should not approve:
(A) any proposed merger transaction which would result in a monopoly, or which would be in furtherance of any combination or conspiracy to monopolize or to attempt to monopolize the business of banking in any part of the United States, or
(B) any other proposed merger transaction whose effect in any section of the country may be substantially to lessen competition, or to tend to create a monopoly, or which in any other manner would be in restraint of trade, unless it finds that the anticompetitive effects of the proposed transaction are clearly outweighed in the public interest by the probable effect of the transaction in meeting the convenience and needs of the community to be served.
In addition to a competitive review, the FDIC Statement of Policy on Bank Merger Transactions calls for a review of prudential factors (including satisfaction of applicable capital standards, the strength of the applicant’s management and earnings) together with an evaluation of the convenience and needs of the community to be served (through higher lending limits, new or increased services, lower prices, and convenience in utilizing the services and facilities of the resulting institutions). Given that the CFPB does not have supervisory authority over institutions with less than $10 billion in assets, we are skeptical of the value in granting the CFPB any consultation rights during the bank merger application review process with respect to institutions that are not subject to CFPB supervision. Either the OCC, the FDIC or the Federal Reserve Board already examine banks having less than $10 billion in assets for compliance with applicable federal consumer financial protection laws and the CRA (over which the CFPB has no supervisory jurisdiction) and, therefore, the CFPB’s input in determining whether the merging banks are meeting the convenience and needs of the community is of limited or no value. For the large banks (over $10 billion in assets) over which the CFPB has supervisory authority, the CFPB can share its examination reports with all of the prudential agencies, including the FDIC, that have supervisory authority over the merging banks.
Whether the FDIC finds these arguments persuasive is yet to be seen. It should be noted, however, that Rohit Chopra, the director of the CFPB, sits as one of the five members of the FDIC Board.
Massachusetts Division of Banks Revises Regulations Applicable To Licensing of Mortgage Lenders and Mortgage Brokers
The Massachusetts Division of Banks published revisions to its regulations applicable to the licensing of mortgage lenders and mortgage brokers effective May 27, 2022.
The revisions largely conform to existing statutory provisions, with two notable exceptions.
- The regulations expand the definition of mortgage broker with respect to certain lead generation activities. Specifically, the regulatory definition of “Mortgage Broker” now includes: “A person who collects and transmits information regarding a prospective mortgage loan borrower to a third party and conducts any one or more of the following activities. . . : (a) collects a prospective mortgage loan borrower’s Social Security number; (b) views a prospective mortgage loan borrower’s credit report; (c) obtains a prospective mortgage loan borrower’s authorization to access or view the prospective mortgage loan borrower’s credit report or credit score; (d) accepts an application, as defined under 12 CFR § 1026.2(a); or (e) issues a prequalification letter.” 29 CMR § 42.02.
- New § 42.02A: Licensing Exemptions, tracks Massachusetts General Law chapter 255E, Section 2, but now provides and exemption for:
(11) Persons whose activities are exclusively limited to collecting and transmitting one or more of the following types of information regarding a prospective mortgage loan borrower to a third party:
(a) Contact information;
(b) Property street address;
(c) Type of property;
(d) Property use;
(e) Property zip code;
(f) Estimated credit score;
(g) Foreclosure and/or bankruptcy history;
(h) Veteran or military status;
(i) Estimated existing home value;
(j) Existing home mortgage loan payoff amount;
(k) Estimated cash out from refinance; or
(l) Status as current FHA loan borrower.
Notwithstanding the foregoing, a person who collects and transmits any information regarding a prospective mortgage loan borrower to a third party and who receives compensation or gain, or expects to receive compensation or gain, that is contingent upon whether the prospective mortgage loan borrower in fact obtains a mortgage loan from the third party or any subsequent transferee of such information, is required to be licensed as a mortgage broker.
- 29MR § 42.02A.
The amended regulations are available here.
Subscribe to Ballard Spahr Mailing Lists
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.