InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court orders college operator to comply with CFPB CID
On September 13, the U.S. District Court for the District of Utah ordered the operator of several defunct colleges to cooperate with a CFPB civil investigative demand (CID) for potential violations of the Consumer Financial Protection Act. In 2019, the Bureau issued a CID to the operator seeking information on its private student loan financing program, as well as litigation concerning the loan program dating back to 2012, to aid its investigation into whether the program constituted unfair, deceptive, or abusive acts or practices. The operator argued that the CID was unenforceable for several reasons, including that it was “unreasonably oppressive” and that the legality of its program had already been litigated in state action. The operator also argued that because the Bureau’s leadership structure rendered it unconstitutional, it lacked authority to enforce the CID. A magistrate judge’s recommendation narrowed the scope of the CID, but the operator continued to object, stating that a severe reduction in staff created a loss of “significant institutional knowledge” about the loan program. After the U.S. Supreme Court issued its ruling in Seila Law LLC v. CFPB (holding that the director’s for-cause removal provision was unconstitutional but severable from the statute establishing the Bureau, as covered by a Buckley Special Alert ), the Bureau’s director ratified the CID. The operator then raised new objections claiming the Bureau’s funding structure violates the U.S. Constitution’s separation of powers, and therefore the agency lacks valid authority to enforce the CID.
The court rejected the operator’s argument, writing that dicta in the Supreme Court’s decision in Seila Law “suggests the Bureau’s funding structure is not an unconstitutional delegation of power from Congress to the Executive Branch.” According to the court, while the majority opinion in Seila Law made note of the CFPB’s funding structure, it treated it “merely as an aggravator” of the for-cause removal protection issues and “went as far as saying the Bureau’s constitutional infirmity would ‘disappear’ if ‘the Director were removable at will by the President.’”
With respect to burdensomeness, the court said the operator has failed to show evidence establishing an unreasonable burden in its objections, and that, moreover, it “has had more than three years’ notice to preserve any information it thought may be relevant to the Bureau’s investigation.” The court further stressed that the CID does not become overly burdensome simply because the operator shuttered its campuses thereby allegedly relinquishing “institutional knowledge” concerning its own education loan program prior to complying with the CID. The court granted the operator a 90-day extension to comply with the CID.
CFPB: Digital marketing providers/big tech liable for UDAAP violations
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
CFPB fines fintech for algorithm-induced overdraft charges
On August 10, the CFPB announced a consent order against a California-based fintech company for allegedly using an algorithm that caused consumers to be charged overdrafts on their checking accounts when using the company’s personal finance-management app. According to the Bureau, the app promotes automated savings with a proprietary algorithm, which analyzes consumers’ checking-account data to determine when and how much to save for each consumer. The app then automatically transfers funds from consumers’ checking accounts to accounts held in the company’s name. The Bureau asserted, however, that the company engaged in deceptive acts or practices in violation of the CFPA by (i) causing consumers’ checking accounts to incur overdraft charges from their banks even though it guaranteed no overdrafts and represented that its app never transferred more than a consumer could afford; (ii) representing that it would reimburse overdraft charges (the Bureau claims the company has received nearly 70,000 overdraft-reimbursement requests since 2017); and (iii) keeping interest that should have gone to consumers even though it told consumers it would not keep any interest earned on consumer funds. Under the terms of the consent order, the company is required to provide consumer redress for overdraft charges that it previously denied and must pay a $2.7 million civil penalty.
Republicans allege CFPB “collusion” with states
On July 28, House Financial Services Committee Ranking Member Patrick McHenry (R-NC) and two other Republican members sent a letter to CFPB Director Rohit Chopra, expressing their concerns that the Bureau has been “colluding” with states to “intimidate companies by conspiring with state agencies to pursue duplicative enforcement actions” in the financial services industry. The letter recognizes that state AGs “may enforce the CFPA in cases where the CFPB has not,” but argues that “the statute does not allow for a state attorney general to become a party to an existing CFPB enforcement action.” As previously covered by InfoBytes, the Bureau issued an interpretive rule in May addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. The representatives argue that although the CFPB has a duty to enforce the CFPA and protect consumers from predatory and discriminatory practices, the Bureau’s interpretive rule is “akin to deputizing state attorneys general to enforce the CFPA on behalf of the CFPB – something Congress did not authorize.” The letter concludes with a request for documents and information from the Bureau by August 12, including (i) the legal authority that allows the CFPB to “recruit state attorneys general to join existing CFPB actions"; (ii) any “safeguards” the CFPB has in place to avoid “redundant and duplicative state actions”; and (iii) “all documents and communications between offices of state attorneys general and the CFPB since October 12, 2021” and “all information regarding complaints filed in a judicial court received by the CFPB pursuant to 12 USC § 5552.”
CFPB, DOJ take action against mortgage lender
On July 27, the CFPB and the DOJ jointly filed a lawsuit against a Delaware-based mortgage lender for engaging in unlawful discrimination. The complaint, filed in the U.S. District Court for the Eastern District of Pennsylvania, alleges that the defendant violated the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B and the Consumer Financial Protection Act (CFPA) by, among other things, engaging in unlawful discrimination on the basis of race, color, or national origin against applicants and prospective applicants, including by redlining majority-minority neighborhoods, and by engaging in acts and practices directed at prospective applicants that would discourage prospective applicants from applying for credit. The DOJ also alleged a violation of the Fair Housing Act, including the “making unavailable or denial of dwellings to persons because of race, color, and national origin,” among other things.
The proposed consent order, if entered by the court, would be Bureau’s first nonbank mortgage redlining resolution. It would require the defendant, among other things, to: (i) deposit $18.4 million into a loan subsidy program; (ii) pay a $4 million penalty to the Bureau; and (iii) pay $2 million to fund advertising to generate applications in redlined areas. The proposed order also notes the defendant neither admits nor denies the allegations in the complaint. According to a statement released by CFPB Director Rohit Chopra, the Bureau “will continue to seek new remedies to ensure all lenders meet and fulfill their responsibilities and obligations and the CFPB continues to be on the lookout for emerging digital redlining to ensure that discrimination cannot be disguised by an algorithm.”
CFPB issues consent order against nonbank automotive finance company
On July 26, the CFPB announced a consent order against a nonbank automotive finance company to resolve allegations that it engaged in furnishing inaccurate information to consumer reporting companies. The CFPB alleged that the company violated the FCRA and Regulation V by, among other things, failing to: (i) “promptly update and correct information it furnished to Consumer Reporting Agencies (CRAs) that it determined was not complete or accurate, and continued to furnish this inaccurate and incomplete information;” (ii) “modify or delete information disputed by consumers that [the company] found to be inaccurate”; and (iii) “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of information provided to CRAs.” The CFPB also alleged that the company violated the CFPA because of the FCRA and Regulation V violations, which it alleged also constitute violations of the CFPA, and for using “ineffective manual processes and systems containing known logic errors to furnish information to CRAs.” Under the terms of the Bureau’s consent order, the company is required to provide $13.2 million in redress to harmed consumers, review all account files that it currently furnishes to credit reporting companies and correct all inaccuracies described in the order, then send updated information to the credit reporting companies, establish and implement written a compliance plan, and pay a $6 million civil penalty to the Bureau.
CFPB, OCC issue consent orders against national bank
On July 14, the CFPB announced a consent order against a national bank to resolve allegations that the bank engaged in unfair and abusive acts or practices with respect to unemployment insurance benefit recipients who filed notices of error concerning alleged unauthorized electronic fund transfers (EFTs). The CFPB alleged that the bank violated the CFPA by, among other things: (i) determining that “no error had occurred and [by] freezing cardholder accounts based solely on the results of [the bank’s] automated Fraud Filter”; (ii) “retroactively applying its automated Fraud Filter to reverse permanent credits for unemployment insurance benefit prepaid debit cardholders whose notices of error [the bank] had previously investigated and paid”; and (iii) “impeding unemployment insurance benefit prepaid debit cardholders’ efforts to file notices of error and seek liability protection from unauthorized EFTs.” The CFPB also claimed that the bank violated the EFTA and Regulation E by “fail[ing] to conduct reasonable investigations” of cardholders’ notices of error. Under the terms of the Bureau’s consent order, the bank is required to provide redress to harmed consumers, review and reform its unemployment insurance benefit prepaid debit card program, and pay a $100 million civil penalty to the Bureau.
The same day, the OCC announced a consent order and a $125 million civil money penalty against the bank for alleged unsafe or unsound practices related to the same prepaid card program. According to the OCC, the bank, among other things: (i) “fail[ed] to establish effective risk management” over its unemployment card program”; and (ii) “beginning in 2020, denied or delayed many consumers’ access to unemployment benefits when consumers filed or attempted to file [unemployment insurance benefits] unauthorized transaction claims.” The OCC’s civil money penalty and remediation requirement is in addition to the CFPB’s civil money penalty.
CFPB sues payday lender over debt collection practices
On July 12, the CFPB filed a complaint against a Texas-based payday lender (defendant) for allegedly engaging in illegal debt-collection practices and allegedly generating $240 million in reborrowing fees from borrowers who were eligible for free repayment plans in violation of the CFPA. As previously covered by InfoBytes, in 2014, the Bureau ordered the defendant to, among other things, pay $10 million for allegedly using false claims and threats to coerce delinquent payday loan borrowers into taking out an additional payday loan to cover their debt. The Bureau stated that after the CFPB’s 2014 enforcement action, the defendant “used different tactics to make consumers re-borrow.” The complaint alleges that the defendant “engaged in unfair, deceptive, and abusive acts or practices by concealing the option of a free repayment plan to consumers who indicated that they could not repay their short term, high-cost loans originated by the defendant.” The Bureau also alleges that the defendant attempted to collect payments by unfairly making unauthorized electronic withdrawals from over 3,000 consumers’ bank accounts. The Bureau seeks permanent injunctive relief, restitution, disgorgement, damages, civil money penalties, and other relief.
District Court issues judgment against student debt relief operation
On June 10, the U.S. District Court for the Central District of California entered a stipulated final judgment and order against an individual defendant who participated in a deceptive debt-relief operation. As previously covered by InfoBytes, in 2019, the Bureau, along with the Minnesota and North Carolina attorneys general, and the Los Angeles City Attorney (together, the “states”), announced an action against the student loan debt relief operation for allegedly deceiving thousands of student-loan borrowers and charging more than $71 million in unlawful advance fees. In the third amended complaint, the Bureau and the states alleged that since at least 2015, the debt relief operation violated the CFPA, TSR, FDCPA, and various state laws by charging and collecting improper advance fees from student loan borrowers prior to providing assistance and receiving payments on the adjusted loans. In addition, the Bureau and the states claimed that the debt relief operation engaged in deceptive practices by, among other things, misrepresenting: (i) the purpose and application of fees they charged; (ii) their ability to obtain loan forgiveness for borrowers; and (iii) their ability to actually lower borrowers’ monthly payments. Moreover, the debt relief operation allegedly failed to inform borrowers that it was their practice to request that the loans be placed in forbearance and also submitted false information to student loan servicers to qualify borrowers for lower payments.
Under the terms of the final judgment, in addition to various forms of injunctive relief, the individual defendant must pay a $1 civil money penalty to the Bureau and $5,000 each to Minnesota, North Carolina, and California. The individual defendant is also “liable, jointly and severally, in the amount of $95,057,757, for the purpose of providing redress to Affected Consumers,” although his obligation to pay this amount is “suspended based on [his] inability to pay.”