InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB publishes HMDA review
On March 3, the CFPB published findings from a voluntary review of the 2015 HMDA Final Rule issued in October 2015, as well as subsequent related amendments that eased certain reporting requirements and permanently raised coverage thresholds for collecting and reporting data about closed-end mortgage loans and open-end lines of credit (covered by InfoBytes here). Under Section 1022(d) of Dodd-Frank, the Bureau is required to conduct an assessment of each significant rule or order adopted by the agency under federal consumer financial law. The Bureau noted that it previously determined that the 2015 HMDA Final Rule “is not a significant rule for purposes of section 1022(d)” and said the decision to conduct the review was voluntary.
The Report on the Home Mortgage Disclosure Act Rule Voluntary Review found, among other things, that (i) “[c]onsistent with the 2015 HMDA Final Rule’s increase in the closed-end reporting threshold for depository institutions, HMDA coverage of first lien, closed-end mortgages decreased between Q1 of 2017 and Q1 of 2018, from 97.0 percent to 93.8 percent”; (ii) for all financial institutions originating closed-end mortgages, “the share of those institutions reporting HMDA data decreased between 2015 and 2020, with the largest decreases observed in 2017 and 2020” after the reporting threshold rose from 25 loan originations to 100 loan originations; (iii) revising data points to include the age of applicant and co-applicant race, ethnicity, gender, and income, increased the amount of compiled data; and (iv) analyzing data assists in detecting fair lending risk and discrimination in mortgage lending. “HMDA’s expanded transactional coverage improved the risk screening used to identify institutions at higher risk of fair lending violation by improving the accuracy of analysis and thus reducing the false positive rate at which lenders were mistakenly identified as high risk,” the report said.
The report also noted that interest rate data “provides an important observation that enables data users, including government agencies, researchers, and consumer groups to analyze mortgage pricing in order to better serve HMDA’s purposes. In particular, interest rate information brings a greater transparency to the market and facilitates enforcement of fair lending laws.” The Bureau further noted that HMDA data is “crucial” to federal regulators when conducting supervisory examinations and enforcement investigations. The Bureau commented that the “requirement to report new HMDA data points greatly increased the accuracy of supervisory data since the additional data points are now used to assess fair lending risks and are subject to supervisory exams for accurate filing to HMDA,” adding that the data is “also used to estimate appropriate remuneration amounts for harmed consumers.”
D.C. Circuit says CFPB’s Prepaid Rule does not mandate model disclosures for payment companies
On February 3, the U.S. Court of Appeals for the D.C. Circuit reversed a district court’s decision that had previously granted summary judgment in favor of a payment company and had vacated two provisions of the CFPB’s Prepaid Rule: (i) the short-form disclosure requirement “to the extent it provides mandatory disclosure clauses”; and (ii) the 30-day credit linking restriction. As previously covered by InfoBytes, the company sued the Bureau alleging, among other things, that the Bureau’s Prepaid Rule exceeded the agency’s statutory authority “because Congress only authorized the Bureau to adopt model, optional disclosure clauses—not mandatory disclosure clauses like the short-form disclosure requirement.” The Bureau countered that it had authority to enforce the mandates under federal regulations, including the EFTA, TILA, and Dodd-Frank, and argued that the “EFTA and [Dodd-Frank] authorize the Bureau to issue—or at least do not foreclose it from issuing—rules mandating the form of a disclosure.”
The district court concluded, among other things, that the Bureau acted outside of its statutory authority, and ruled that it could not presume that Congress delegated power to the agency to issue mandatory disclosure clauses just because Congress did not specifically prohibit it from doing so. Instead, the Bureau can only “‘issue model clauses for optional use by financial institutions’” since the EFTA’s plain text does not permit the Bureau to issue mandatory clauses, the district court said. The Bureau appealed, arguing that both the EFTA and Dodd-Frank authorize the Bureau to promulgate rules governing disclosures for prepaid accounts, and that the decision to adopt such rules is entitled to deference. (Covered by InfoBytes here.) However, the Bureau maintained that the Prepaid Rule “does not make any specific disclosure clauses mandatory,” and stressed that companies are permitted to use the provided sample disclosure wording or use their own “substantially similar” wording.
In reversing and remanding the ruling, the appellate court unanimously determined that because the Bureau’s Prepaid Rule does not mandate “specific copiable language,” it is not mandating a “model clause,” which the court assumed for purposes of the opinion that the Bureau was prohibited from doing. While the Prepaid Rule imposes formatting requirements and requires the disclosure of certain enumerated fees, the D.C. Circuit stressed that the Bureau “has not mandated that financial providers use specific, copiable language to describe those fees.” Moreover, formatting is not part of a “model clause,” the appellate court added. And because companies are allowed to provide “substantially similar” disclosures, the appellate court held that the Bureau has not mandated a “model clause” in contravention of the EFTA. The appellate court, however, did not address any of the procedural or constitutional challenges to the Bureau’s short-form disclosures that the district court had not addressed in its opinion, but instead directed the district court to address those questions in the first instance.
CFPB releases spring 2022 semi-annual report
On December 6, the CFPB issued its semi-annual report to Congress covering the Bureau’s work for the period beginning October 1, 2021 and ending March 31, 2022. The report, which is required by Dodd-Frank, addresses several issues, including complaints received from consumers about consumer financial products or services throughout the reporting period. The report highlighted that the Bureau, among other things, has: (i) conducted an assessment of significant actions taken by state attorneys general and state regulators related to federal consumer financial law; (ii) initiated 21 fair lending supervisory activities to determine compliance with federal laws, including ECOA, HMDA, and UDAAP prohibitions, and engaged in interagency fair lending coordination with other federal agencies and states; (iii) “encouraged lenders to enhance oversight and identification of fair lending risk and to implement policies, procedures, and controls designed to effectively manage HMDA activities, including regarding integrity of data collection”; and (iv) launched a new Diversity, Equity, Inclusion, and Accessibility Strategic Plan to increase workforce and contracting diversity.
In regard to supervision and enforcement, the report highlighted the Bureau’s public supervisory and enforcement actions and other significant initiatives during the reporting period. Additionally, the report noted rule-related work, including advisory opinions, advance notice of proposed rulemakings, requests for information, and proposed and final rules. These include rules and orders related to the LIBOR transition, fair credit reporting, Covid-19 mortgage and debt collection protections for consumers, small business lending data collection, and automated valuation model rulemaking.
CFPB finalizes nonbank supervisory rule
On November 10, the CFPB announced a final rule finalizing changes to a nonbank supervision procedural rule issued in April. As previously covered by InfoBytes, the Bureau announced earlier this year that it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. Specifically, the Bureau said it intends to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible. Concurrently, the Bureau issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. Provisions outlined in the procedural rule would exempt final decisions and orders by the Bureau director from being considered confidential supervisory information, thus allowing the Bureau to publish the decisions on its website. Subject companies would be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released, the Bureau said.
After reviewing public comments received on the procedural rule, the Bureau incorporated certain changes to clarify the standard that the agency will apply when deciding what information is appropriate for public release, in whole or in part. The Bureau explained that information falling within Freedom of Information Act Exemptions 4 and 6 (which protect confidential commercial information and personal privacy) will not be published. Additionally, the Bureau said it may also choose to withhold information if the director determines there is other good cause to do so. The final rule also extends the deadline from seven to ten business days for nonbanks to submit input about what information should be released. The final rule will take effect upon publication in the Federal Register.
Notably, the Bureau emphasized that the “amended procedures only relate to the initial decision to extend supervision to a nonbank entity” and “do not affect the confidentiality of any ensuing supervisory examination or any other aspect of the supervisory process.”
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not-yet-settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
Chopra previews Section 1033 rulemaking on consumers’ rights to data
On October 25, CFPB Director Rohit Chopra spoke before an industry event where he announced that the Bureau will soon release a discussion guide for small businesses to further the agency’s Section 1033 rulemaking efforts with respect to consumer access to financial records. As announced in the Bureau’s Spring 2022 rulemaking agenda, Section 1033 of Dodd-Frank provides that, subject to Bureau rulemaking, covered entities such as banks must make certain product or service information, including transaction data, available to consumers. The Bureau is required to prescribe standards for promoting the development and use of standardized formats for information made available to consumers under Section 1033. In 2020, the Bureau issued an advanced notice of proposed rulemaking seeking comments to assist in developing the regulations (covered by InfoBytes here).
Chopra explained that, before issuing a proposed rule, the Bureau must first convene a panel of small businesses that represent their markets to solicit input on proposals the CFPB is considering. Chopra said the Bureau plans to “hear from small banks and financial companies who will be providers of data, as well as the small banks and financial companies who will ingest the data,” and will also gather input from intermediary data brokers that facilitate data transfers (“fourth parties”). He noted that a report will be published in the first quarter of 2023 based on comments received during the process, which will be used to inform a proposed rule that is slated to be issued later in 2023. Chopra said the Bureau hopes to finalize the rule in 2024, stating “[w]hile not explicitly an open banking or open finance rule, the rule will move us closer to it, by obligating financial institutions to share consumer data upon consumer request, empowering people to break up with banks that provide bad service, and unleashing more market competition.”
Chopra also expressed plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing. He stressed that doing so would “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.” He further noted that the Bureau is planning to assess ways to prevent incumbent institutions from improperly restricting access when consumers try to control and share their data, including by developing requirements for limiting misuse and abuse of personal financial data, fraud, and scams. Chopra said staff has been directed to consider alternatives to the “notice-and-opt out” regime that has been the standard for financial data privacy and to explore safeguards to prevent excessive control or monopolization by one or a handful of firms.
Agencies finalize TILA, CLA 2023 thresholds
On October 13, the CFPB and Federal Reserve Board finalized the annual dollar threshold adjustments that govern the application of TILA (Regulation Z) and the Consumer Leasing Act (Regulation M) (available here and here), as required by the Dodd-Frank Act. The exemption threshold for 2023, based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers, will increase from $61,000 to $66,400, except for private education loans and loans secured by real or personal property used or expected to be used as the principal dwelling of a consumer, which are subject to TILA regardless of the amount. The final rules take effect January 1, 2023.
Treasury requests feedback on cyberinsurance
On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.
Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.
Trade groups object to CFPB’s revised UDAAP exam manual
On September 28, seven banking industry groups sued the CFPB and Director Rohit Chopra claiming the agency exceeded its statutory authority when it released significant revisions to the UDAAP exam manual in March, which included making clear its view that any type of discrimination in connection with a consumer financial product or service could be an “unfair” practice. (Covered by a Buckley Special Alert.) At the time of issuance, the Bureau emphasized that its broad authority under UDAAP allows it to address discriminatory conduct in the offering of any financial product or service.
Plaintiff trade groups argued in their complaint filed in the U.S. District Court for the Eastern District of Texas that the Bureau violated its authority outlined in the Dodd-Frank Act by claiming it can examine entities for alleged discriminatory conduct under its UDAAP authority. They contended that “the CFPB cannot regulate discrimination under its UDAAP authority at all because Congress declined to give the CFPB authority to enforce anti-discrimination principles except in specific circumstances,” and that, moreover, the Bureau’s “statutory authorities consistently treat ‘unfairness’ and ‘discrimination’ as distinct concepts.” While the trade groups said they “fully support the fair enforcement of nondiscrimination laws,” they emphasized that they “cannot stand by while a federal agency exceeds its statutory authority, creates regulatory uncertainty, and imposes costly burdens on the business community.”
The trade groups' suit also claimed that the Bureau violated the Administrative Procedure Act by failing to go through the proper notice-and-comment process when amending the Supervision and Examination Manual. Calling the manual updates “arbitrary” and “capricious,” the trade groups claimed the changes failed to consider the Bureau’s prior position on UDAAP authority and “did not grapple with Congress’s decision to narrowly define the FTC’s unfairness authority to screen out the same kind of power that the CFPB is now claiming for itself.” The complaint also called into question the Bureau’s funding structure, arguing that because the structure violates the Appropriations Clause it should be declared unconstitutional and the exam manual updates set aside.
A statement released by the U.S. Chamber of Commerce, one of the trade group plaintiffs bringing the law suit, says the Bureau “is operating beyond its statutory authority and in the process creating legal uncertainty that will result in fewer financial products available to consumers.” U.S. Chamber Executive Vice President and Chief Policy Officer Neil Bradley added that the “CFPB is pursuing an ideological agenda that goes well beyond what is authorized by law and the Chamber will not hesitate to hold them accountable.”
CFPB releases 2021 HMDA data
On September 15, the CFPB released a Data Point report titled 2021 Mortgage Market Activity and Trends, which analyzes residential mortgage lending activity and trends for 2021. The 2021 HMDA data encompasses the fourth year of data that incorporates amendments to HMDA by Dodd-Frank. The changes include new data points, revisions to some existing data points, and authorizes the CFPB to require new data points. As covered by a Buckley Special Alert, the CFPB issued a final rule that implemented significant changes that reflected the needs of homeowners and the evolution in the mortgage market.
The Bureau previously reported a 66.8 percent increase in originations from 2019 to 2020, largely driven by refinances. However, most of the increase from 2020 to 2021 was a result of jumbo home purchase loans. Other highlighted trends in mortgage applications and originations found in the 2021 HMDA data point include, among other things:
- 4,332 financial institutions reported at least one closed-end record in 2021, down by 3.1 percent from 4,472 financial institutions who reported in 2020;
- At least one closed-end mortgage loan had been reported by 4,332 financial institutions, down by 3.1 percent from 4,472 financial institutions in 2020;
- Black borrowers’ share of home purchase loans increased from 7.3 percent in 2020 to 7.9 percent in 2021; and
- “The refinance boom, especially in non-cash-out refinance that dominated mortgage market activities in 2019 and 2020, peaked in March 2021.”