On December 6, the CFPB issued its semi-annual report to Congress covering the Bureau’s work for the period beginning October 1, 2021 and ending March 31, 2022. The report, which is required by Dodd-Frank, addresses several issues, including complaints received from consumers about consumer financial products or services throughout the reporting period. The report highlighted that the Bureau, among other things, has: (i) conducted an assessment of significant actions taken by state attorneys general and state regulators related to federal consumer financial law; (ii) initiated 21 fair lending supervisory activities to determine compliance with federal laws, including ECOA, HMDA, and UDAAP prohibitions, and engaged in interagency fair lending coordination with other federal agencies and states; (iii) “encouraged lenders to enhance oversight and identification of fair lending risk and to implement policies, procedures, and controls designed to effectively manage HMDA activities, including regarding integrity of data collection”; and (iv) launched a new Diversity, Equity, Inclusion, and Accessibility Strategic Plan to increase workforce and contracting diversity.
In regard to supervision and enforcement, the report highlighted the Bureau’s public supervisory and enforcement actions and other significant initiatives during the reporting period. Additionally, the report noted rule-related work, including advisory opinions, advance notice of proposed rulemakings, requests for information, and proposed and final rules. These include rules and orders related to the LIBOR transition, fair credit reporting, Covid-19 mortgage and debt collection protections for consumers, small business lending data collection, and automated valuation model rulemaking.
On November 10, the CFPB announced a final rule finalizing changes to a nonbank supervision procedural rule issued in April. As previously covered by InfoBytes, the Bureau announced earlier this year that it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. Specifically, the Bureau said it intends to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible. Concurrently, the Bureau issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. Provisions outlined in the procedural rule would exempt final decisions and orders by the Bureau director from being considered confidential supervisory information, thus allowing the Bureau to publish the decisions on its website. Subject companies would be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released, the Bureau said.
After reviewing public comments received on the procedural rule, the Bureau incorporated certain changes to clarify the standard that the agency will apply when deciding what information is appropriate for public release, in whole or in part. The Bureau explained that information falling within Freedom of Information Act Exemptions 4 and 6 (which protect confidential commercial information and personal privacy) will not be published. Additionally, the Bureau said it may also choose to withhold information if the director determines there is other good cause to do so. The final rule also extends the deadline from seven to ten business days for nonbanks to submit input about what information should be released. The final rule will take effect upon publication in the Federal Register.
Notably, the Bureau emphasized that the “amended procedures only relate to the initial decision to extend supervision to a nonbank entity” and “do not affect the confidentiality of any ensuing supervisory examination or any other aspect of the supervisory process.”
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not yet settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advance notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).
Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.
On October 13, the CFPB and Federal Reserve Board finalized the annual dollar threshold adjustments that govern the application of TILA (Regulation Z) and the Consumer Leasing Act (Regulation M) (available here and here), as required by the Dodd-Frank Act. The exemption threshold for 2023, based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers, will increase from $61,000 to $66,400, except for private education loans and loans secured by real or personal property used or expected to be used as the principal dwelling of a consumer, which are subject to TILA regardless of the amount. The final rules take effect January 1, 2023.
On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.
Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.
On September 28, seven banking industry groups sued the CFPB and Director Rohit Chopra claiming the agency exceeded its statutory authority when it released significant revisions to the UDAAP exam manual in March, which included making clear its view that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice. (Covered by a Buckley Special Alert.) At the time of issuance, the Bureau emphasized that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service.
Plaintiff trade groups argued in their complaint filed in the U.S. District Court for the Eastern District of Texas that the Bureau violated its authority outlined in the Dodd-Frank Act by claiming it can examine entities for alleged discriminatory conduct under its UDAAP authority. They contended that “the CFPB cannot regulate discrimination under its UDAAP authority at all because Congress declined to give the CFPB authority to enforce anti-discrimination principles except in specific circumstances,” and that, moreover, the Bureau’s “statutory authorities consistently treat ‘unfairness’ and ‘discrimination’ as distinct concepts.” While the trade groups said they “fully support the fair enforcement of nondiscrimination laws,” they emphasized that they “cannot stand by while a federal agency exceeds its statutory authority, creates regulatory uncertainty, and imposes costly burdens on the business community.”
The trade groups' suit also claimed that the Bureau violated the Administrative Procedure Act by failing to go through the proper notice-and-comment process when amending the Supervision and Examination Manual. Calling the manual updates “arbitrary” and “capricious,” the trade groups claimed the changes failed to consider the Bureau’s prior position on UDAAP authority and “did not grapple with Congress’s decision to narrowly define the FTC’s unfairness authority to screen out the same kind of power that the CFPB is now claiming for itself.” The complaint also called into question the Bureau’s funding structure, arguing that because the structure violates the Appropriations Clause it should be declared unconstitutional and the exam manual updates set aside.
A statement released by the U.S. Chamber of Commerce, one of the trade group plaintiffs bringing the lawsuit, says the Bureau “is operating beyond its statutory authority and in the process creating legal uncertainty that will result in fewer financial products available to consumers.” U.S. Chamber Executive Vice President and Chief Policy Officer Neil Bradley added that the “CFPB is pursuing an ideological agenda that goes well beyond what is authorized by law and the Chamber will not hesitate to hold them accountable.”
On September 15, the CFPB released a Data Point report titled 2021 Mortgage Market Activity and Trends, which analyzes residential mortgage lending activity and trends for 2021. The 2021 HMDA data encompasses the fourth year of data that incorporates amendments to HMDA by Dodd-Frank. The changes include new data points, revisions to some existing data points, and authorization for the CFPB to require new data points. As covered by a Buckley Special Alert, the CFPB issued a final rule that implemented significant changes that reflected the needs of homeowners and the evolution in the mortgage market.
The Bureau previously reported a 66.8 percent increase in originations from 2019 to 2020, largely driven by refinances. However, most of the increase from 2020 to 2021 was a result of jumbo home purchase loans. Other highlighted trends in mortgage applications and originations found in the 2021 HMDA data point include, among other things:
- 4,332 financial institutions reported at least one closed-end record in 2021, down by 3.1 percent from 4,472 financial institutions who reported in 2020;
- At least one closed-end mortgage loan had been reported by 4,332 financial institutions, down by 3.1 percent from 4,472 financial institutions in 2020;
- Black borrowers’ share of home purchase loans increased from 7.3 percent in 2020 to 7.9 percent in 2021; and
- “The refinance boom, especially in non-cash-out refinance that dominated mortgage market activities in 2019 and 2020, peaked in March 2021.”
On September 15, the U.S. Court of Appeals for the Second Circuit held that New York’s interest-on-escrow law impermissibly interferes with the incidentals of national bank lending and is preempted by the National Bank Act (NBA). Plaintiffs in two putative class actions obtained loans from a national bank, one before and the other after certain Dodd-Frank provisions took effect. The loan agreements—governed by New York law—required plaintiffs to deposit money into escrow accounts. After the bank failed to pay interest on the escrowed amounts, plaintiffs sued for breach of contract, alleging, among other things, that under New York General Obligations Law (GOL) § 5-601 (which sets a minimum 2 percent interest rate on mortgage escrow accounts) they were entitled to interest. The bank moved to dismiss both actions, contending that GOL § 5-601 did not apply to federally chartered banks because it is preempted by the NBA. The district court disagreed and denied the bank’s motion, ruling first that RESPA (which regulates the amount of money in an escrow account but not the accruing interest rate) “shares a ‘unity of purpose’ with GOL § 5-601.” This is relevant, the district court said, “because Congress ‘intended mortgage escrow accounts, even those administered by national banks, to be subject to some measure of consumer protection regulation.’” Second, the district court reasoned that even though TILA § 1639d does not specifically govern the loans at issue, it is significant because it “evinces a clear congressional purpose to subject all mortgage lenders to state escrow interest laws.” Finally, with respect to the NBA, the district court determined that “the ‘degree of interference’ of GOL § 5-601 was ‘minimal’ and was not a ‘practical abrogation of the banking power at issue,’” and concluded that Dodd-Frank’s amendment to TILA substantiated a policy judgment showing “there is little incompatibility between requiring mortgage lenders to maintain escrow accounts and requiring them to pay a reasonable rate of interest on sums thereby received.” As such, GOL § 5-601 was not preempted by the NBA, the district court said.
On appeal, the 2nd Circuit concluded that the district court erred in its preemption analysis. According to the appellate court, the important question “is not how much a state law impacts a national bank, but rather whether it purports to ‘control’ the exercise of its powers.” In reversing the ruling and holding that GOL § 5-601 was preempted by the NBA, the appellate court wrote that the “minimum-interest requirement would exert control over a banking power granted by the federal government, so it would impermissibly interfere with national banks’ exercise of that power.” Notably, the 2nd Circuit’s decision differs from the 9th Circuit’s 2018 holding in Lusnak v. Bank of America, which addressed a California mortgage escrow interest law analogous to New York’s and held that a national bank must comply with the California law requiring mortgage lenders to pay interest on mortgage escrow accounts (covered by InfoBytes here). Among other things, the 2nd Circuit determined that both the district court and the 9th Circuit improperly “concluded that the TILA amendments somehow reflected Congress’s judgment that all escrow accounts, before and after Dodd-Frank, must be subject to such state laws.”
In a concurring opinion, one of the judges stressed that while the panel concluded that the specific state law at issue is preempted, the opinion left “ample room for state regulation of national banks.” The judge noted that the opinion relies on a narrow standard of preempting only those “state laws that directly conflict with enumerated or incidental national bank powers conferred by Congress,” and stressed that the appellate court declined to reach a determination as to whether Congress subjected national banks to state escrow interest laws in cases (unlike the plaintiffs’ actions) where Dodd-Frank’s TILA amendments would apply.
On September 13, a coalition of consumer advocacy groups sent a letter to CFPB Director Rohit Chopra, urging him to limit the use of forced arbitration in consumer contracts in cases where consumers have been “victimized by banking abuses or fraud.” Pursuant to the Dodd-Frank Act, Congress directed the Bureau to study the use of forced arbitration clauses in the consumer finance market and authorized it to write a rule to limit or restrict the practice, which resulted in a 2015 Arbitration Study report (covered by InfoBytes here). The report, according to the letter, “found that tens of millions of consumers were subject to forced arbitration clauses and class action bans in their credit card, deposit account, prepaid account, student loan, payday loan, and wireless carrier contracts,” and, among other things, suggested only a small minority of consumers actually filed for forced arbitration. The letter argued that mandatory arbitration clauses in banks’ consumer contracts are “blocking millions of consumers from seeking justice,” and urged the Bureau to use its authority to ensure that “consumers are empowered to act as a group and on their own in the courts.” The letter concluded by urging the Bureau to “rein in forced arbitration in financial services.”