InfoBytes Blog
CFPB issues fall supervisory highlights
On November 15, the CFPB released its fall 2022 Supervisory Highlights, which summarizes its supervisory and enforcement actions between January and June 2022 in the areas of auto servicing, consumer reporting, credit card account management, debt collection, deposits, mortgage origination, mortgage servicing, and payday lending. Highlights of the findings include:
- Auto Servicing. Bureau examiners identified instances of servicers engaging in unfair, deceptive, or abusive acts or practices connected to add-on product charges, loan modifications, double billing, use of devices that interfered with driving, collection tactics, and payment allocation. For instance, examiners identified occurrences where consumers paid off their loans early, but servicers failed to ensure consumers received refunds for unearned fees related to add-on products.
- Consumer Reporting. The Bureau found deficiencies in credit reporting companies’ (CRCs) compliance with FCRA dispute investigation requirements and furnishers’ compliance with FCRA and Regulation V accuracy and dispute investigation requirements. Examples include: (i) NCRCs that failed to report the outcome of complaint reviews to the Bureau; (ii) furnishers that failed to send updated information to CRCs following a determination that the information reported was not complete or accurate; and (iii) furnishers’ policies and procedures that contained deficiencies related to the accuracy and integrity of furnished information.
- Credit Card Account Management. Bureau examiners identified violations of Regulation Z related to billing error resolution, including instances where creditors failed to (i) resolve disputes within two complete billing cycles after receiving a billing error notice; (ii) conduct reasonable investigations into billing error notices due to human errors and system weaknesses; and (iii) provide explanations to consumers after determining that no billing error occurred or that a different billing error occurred from that asserted. Examiners also identified Regulation Z violations where credit card issuers improperly mixed original factors and acquisition factors when reevaluating accounts subject to a rate increase, and identified deceptive acts or practices related to credit card issuers’ advertising practices.
- Debt Collection. The Bureau found instances of FDCPA violations where debt collectors engaged in conduct that harassed, oppressed, or abused the person with whom they were communicating. The report findings also discussed instances where debt collectors communicated with a person other than the consumer about the consumer’s debt when the person had a name similar or identical to the consumer, in violation of the FDCPA.
- Deposits. The Bureau discussed how it conducted prioritized assessments to evaluate how financial institutions handled pandemic relief benefits deposited into consumer accounts. Examiners identified unfairness risks at multiple institutions due to policies and procedures that may have resulted in, among other things, (i) garnishing protected economic impact payments funds in violation of the Consolidated Appropriations Act of 2021; or (ii) failing to apply the appropriate state exemptions to certain consumers’ deposit accounts after receiving garnishment notice.
- Mortgage Origination. Bureau examiners identified Regulation Z violations and deceptive acts or practices prohibited by the CFPA. An example of this is when the settlement service had been performed and the loan originator knew the actual costs of those services, but entered a cost that was completely unrelated to the actual charges that the loan originator knew had been incurred, resulting in information being entered that was not consistent with the best information reasonably available. The Bureau also found that the waiver language in some loan security agreements was misleading, and that a reasonable consumer could understand the provision to waive their right to bring a class action on any claim in federal court.
- Mortgage Servicing. Bureau examiners identified instances where servicers engaged in abusive acts or practices by charging sizable fees for phone payments when consumers were unaware of those fees. Examiners also identified unfair acts or practices and Regulation X policy and procedure violations regarding failure to provide consumers with CARES Act forbearances.
- Payday Lending. Examiners found lenders failed to maintain records of call recordings necessary to demonstrate full compliance with conduct provisions in consent orders generally prohibiting certain misrepresentations.
CFPB updates education loan servicing examination procedures
On September 28, the CFPB updated the education loan examination procedures in its Supervision and Examination Manual. According to the Bureau, the update to the education loan servicing examination procedures clarifies that when determining its authority to supervise a private student lender, the Bureau “look[s] only to the definition of private education loan in the Truth in Lending Act and not also to Regulation Z.” The Bureau noted that depending on the scope of an examination, “and in conjunction with the compliance management system and consumer complaint response review procedures,” an examination will cover at least one of the following modules: (i) advertising, marketing, and lead generation; (ii) customer application, qualification, loan origination, and disbursement; (iii) student loan servicing; (iv) borrower inquiries and complaints; (v) collections, accounts in default, and credit reporting; (vi) information sharing and privacy; and (vii) examination conclusion and wrap-up.
Trade groups object to CFPB’s revised UDAAP exam manual
On September 28, seven banking industry groups sued the CFPB and Director Rohit Chopra claiming the agency exceeded its statutory authority when it released significant revisions to the UDAAP exam manual in March, which included making clear its view that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice. (Covered by a Buckley Special Alert.) At the time of issuance, the Bureau emphasized that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service.
Plaintiff trade groups argued in their complaint filed in the U.S. District Court for the Eastern District of Texas that the Bureau violated its authority outlined in the Dodd-Frank Act by claiming it can examine entities for alleged discriminatory conduct under its UDAAP authority. They contended that “the CFPB cannot regulate discrimination under its UDAAP authority at all because Congress declined to give the CFPB authority to enforce anti-discrimination principles except in specific circumstances,” and that, moreover, the Bureau’s “statutory authorities consistently treat ‘unfairness’ and ‘discrimination’ as distinct concepts.” While the trade groups said they “fully support the fair enforcement of nondiscrimination laws,” they emphasized that they “cannot stand by while a federal agency exceeds its statutory authority, creates regulatory uncertainty, and imposes costly burdens on the business community.”
The trade groups' suit also claimed that the Bureau violated the Administrative Procedure Act by failing to go through the proper notice-and-comment process when amending the Supervision and Examination Manual. Calling the manual updates “arbitrary” and “capricious,” the trade groups claimed the changes failed to consider the Bureau’s prior position on UDAAP authority and “did not grapple with Congress’s decision to narrowly define the FTC’s unfairness authority to screen out the same kind of power that the CFPB is now claiming for itself.” The complaint also called into question the Bureau’s funding structure, arguing that because the structure violates the Appropriations Clause it should be declared unconstitutional and the exam manual updates set aside.
A statement released by the U.S. Chamber of Commerce, one of the trade group plaintiffs bringing the lawsuit, says the Bureau “is operating beyond its statutory authority and in the process creating legal uncertainty that will result in fewer financial products available to consumers.” U.S. Chamber Executive Vice President and Chief Policy Officer Neil Bradley added that the “CFPB is pursuing an ideological agenda that goes well beyond what is authorized by law and the Chamber will not hesitate to hold them accountable.”
CFPB’s Supervisory Highlights targets student loan servicers
On September 29, the CFPB released a special edition of its Supervisory Highlights focusing on recent examination findings related to practices by student loan servicers and schools that directly lend to students. Highlights of the supervisory findings include:
- Transcript withholding. The Bureau found several instances where in-house lenders (i.e., where the schools themselves are the lender) are withholding transcripts as a debt collection practice. According to the Bureau, many post-secondary institutions choose to withhold official transcripts from borrowers as an attempt to collect education-related debts. The Supervisory Highlights states the position that the blanket withholding of transcripts to coerce borrowers into making payments is an “abusive” practice under the Consumer Financial Protection Act.
- Supervision of federal student loan transfers. The Bureau identified certain consumer risks linked to the transfer of nine million borrower account records to different servicers after two student loan servicers ended their contracts with the Department of Education (DOE). The review, which was handled in partnership with the DOE and other state regulators, identified several concerns, such as (i) the information received during the transfer was insufficient to accurately service the loan; (ii) transferee and transferor servicers reported different numbers of total payments that count toward income-driven repayment forgiveness for some borrowers; (iii) information inaccurately stated the borrower’s next due date; (iv) certain accounts were placed into transfer-related forbearances following the transfer, instead of in more advantageous CARES Act forbearances; and (v) multiple servicers experienced significant operational challenges.
- Payment relief programs. The Bureau found occurrences where federal student loan servicers allegedly engaged in unfair acts or practices when they improperly denied a borrower’s application for loan cancellation through Teacher Loan Forgiveness or Public Service Loan Forgiveness. The Bureau claimed that many servicers “illegally misrepresented borrowers’ eligibility dates and the number of payments the borrower needed to make to qualify for relief,” and “provided misinformation about borrowers’ entitlement to progress toward loan forgiveness during the pandemic payment suspension.” The Bureau said it will continue to monitor servicers’ practices to ensure borrowers receive the relief for which they are entitled, and directed servicers to address consumer harm caused by these actions.
The Bureau issued a reminder that it will continue to supervise student loan servicers and lenders within its supervisory jurisdiction regardless of institution type. Student loan servicers, originators, and loan holders are advised to review the supervisory findings and take any necessary measures to ensure their operations address these risks.
Republicans take issue with CFPB agenda
On September 12, several Republican senators sent a letter to CFPB Director Rohit Chopra expressing concerns that the Bureau is again pursuing “a radical and highly-politicized agenda unbounded by statutory limits.” In particular, the letter took issue with recent Bureau reports on the use of overdraft fees (covered by InfoBytes here and here), calling the agency’s actions a “relentless smear campaign” against banks. “Charging fees that customers chose to pay should not be disturbing or illegal, and yet, the CFPB appears to have developed a particular disdain for banks charging their customers for services, pejoratively calling overdraft protection ‘junk fees,’” the letter stated. Additionally, the letter claimed that the Bureau is changing its rules in order to publish previously confidential information about financial institutions to make it easier to threaten them with reputational harm (covered by InfoBytes here), without affording the financial institution the similar ability to, for example, disclose the existence of a CFPB examination. Among other things, the new procedural rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process that will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on their website. According to the senators, the rule requires nonbanks to keep confidential information relating to a decision issued by the Bureau, including facts that could question the decision or raise procedural concerns. “The one-sided nature of the CFPB’s rule change gives the agency the ability to publicly tarnish an institution’s name without affording the firm the power to defend itself,” the letter said. 
The letter also decries a recent change to the agency’s rules of adjudication to make it more difficult for companies to defend themselves against novel enforcement theories by bypassing an administrative law judge and permitting the director to rule directly on the validity of the legal basis for the enforcement action.
FDIC updates risk management, consumer compliance examination policies
Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.
Special Alert: NYDFS fines trading platform for BSA/AML, transaction monitoring, and cybersecurity lapses
The New York Department of Financial Services and a trading platform on Aug. 1 entered into a consent order to resolve deficiencies identified during a 2019 examination and a subsequent investigation by the department’s enforcement section. The consent order focused on deficiencies related to Bank Secrecy Act and anti-money-laundering compliance, transaction monitoring, cybersecurity, and related New York certifications of compliance. The company will pay a $30 million civil monetary penalty and retain an independent consultant that will assist with remediating the issues highlighted in the order and report to NYDFS on remediation progress.
The consent order has far-reaching implications for all financial services companies that come under the jurisdiction of the NYDFS.
The trading platform is a wholly owned subsidiary of a financial services company that offers U.S.-based retail investors the ability to trade stocks, options, and cryptocurrency on a commission-free basis through its broker-dealer subsidiary. The trading platform is licensed by the NYDFS to engage in virtual currency and money transmitter businesses in New York. Of primary concern for the NYDFS was the platform’s alleged reliance on its parent company’s compliance and cybersecurity programs through enterprisewide systems that the NYDFS found to be inadequate. Additionally, according to NYDFS, the platform allegedly had few to no qualified personnel or management involved in overseeing those programs, which NYDFS has implicitly indicated cannot be outsourced.
Fed discusses cybersecurity risk management and emerging threats
On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”
The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks to supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”
Halperin discusses invoking UDAAP under CFPA
On June 29, the American University Washington College of Law held a symposium centered in part around the CFPB’s new approach for examining institutions for unfair conduct. During the CFPB’s New Approach to Discrimination: Invoking UDAAP symposium, CFPB Assistant Director for the Office of Enforcement Eric Halperin answered questions related to updates recently made to the Bureau’s Unfair, Deceptive, or Abusive Acts or Practices Examination Manual. These updates detail the agency’s view that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service as an unfair act or practice. (Covered by a Buckley Special Alert here.) The Bureau published a separate blog post by its enforcement and supervision heads explaining that they were “cracking down on discrimination in the financial sector,” and that the new procedures would guide examiners to look “beyond discrimination directly connected to fair lending laws” and “to review any policies or practices that exclude individuals from products and services, or offer products or services with different terms, in an unfairly discriminatory manner.”
Assistant Director Halperin’s remarks were followed by a discussion of the Bureau’s revisions to its Examination Manual by a panel that consisted of David Silberman of the Center for Responsible Lending, Kitty Ryan of the American Bankers Association, and John Coleman of Buckley LLP, which was moderated by Jerry Buckley. Topics covered included a June 28 letter that trade associations sent to the CFPB urging rescission of revisions to the Examination Manual.
In his interview with American University Law School Professor V. Gerard Comizio, Halperin stated that the CFPB’s Examination Manual updates provide guidance on how examiners will implement the Bureau’s statutory authority to examine whether an act or practice is unfair because it may cause or is likely to cause substantial injury to consumers that is not reasonably avoidable and not outweighed by countervailing benefits to consumers or competition. He stressed that the update does not create a new legal standard under the three prongs of the unfairness standard. Halperin also discussed how the Bureau’s UDAAP authority interacts with laws enacted specifically to prevent discriminatory conduct such as ECOA and the Fair Housing Act, and touched on steps institutions should consider taking to ensure compliance. Notably, when asked whether the Bureau intends to pursue disparate impact claims under the CFPA, Halperin stated that disparate impact, along with disparate treatment, are wholly distinct concepts from Dodd-Frank’s prohibition on unfair acts and practices. He added that in assessing an unfair act and practice, the key is to examine the substantial injury prong and then assess the reasonable avoidability and the countervailing benefits prongs. He further explained that the unfairness test does not contain an intentional standard and noted that there have been cases brought by both the FTC and the Bureau where there was injurious conduct that was not intentional or specifically known to the party engaging in this practice. According to Halperin, substantial injury alone is not sufficient to prove unfairness and using disparate impact as the mechanism of proof is not what the Bureau uses to prove an unfairness claim.
Halperin reiterated that the CFPB Examination Manual is designed to provide transparency to financial institutions about the types of issues that examiners will be inquiring about in furtherance of determining whether there has been an unfair act or practice under the current framework, and does not extend or create new law. In terms of practical compliance implications, Halperin said most financial institutions should already have robust UDAAP compliance systems in place and should already be looking for potential unfair acts or practices and examining patterns and group characteristics to identify the root cause of any issues, and to avoid substantial injury to consumers. With respect to a white paper recently sent to CFPB Director Rohit Chopra from several industry groups and the U.S. Chamber of Commerce urging the Bureau to rescind the UDAAP exam manual (covered by InfoBytes here), Halperin commented that he has not had time to fully digest the white paper in detail but hoped that some of what was discussed during the symposium, particularly on the legal principles that will be used both in the exam manual and in any supervision and enforcement actions, clarifies that the Bureau is looking for conduct that violates the unfairness test.