On August 10, CFPB Director Rohit Chopra discussed the digital market before the 2022 National Association of Attorneys General Presidential Summit. In his remarks, Chopra first discussed the evolution of advertising models over time, describing how the persuasion of advertising continues to be used to target an individual based on “voluminous amounts of personal data.” Chopra also discussed HUD’s 2019 complaint against a social media platform, stating that it “illustrates the stark differences between traditional advertising and today’s digital marketing.” According to Chopra, the social media platform “helped advertisers limit the audience for ads and enabled advertisers to target specific groups of people to the exclusion of protected classes.” Chopra further noted that “state attorneys general have already begun to recognize that these platforms are not passive advertisers.” Chopra also noted that the CFPB recently issued an interpretive rule explaining that the service provider exemption for “time or space” will typically not apply to the digital marketing services offered by major platforms (covered by InfoBytes here). Chopra described that though “they may be providing space for ads, these firms are commingling many other features that go well beyond the exemption.” To conclude, Chopra expressed that “banking is under threat.” He described that “sensitive data is viewed as more valuable to firms than our actual selves,” and that “advances in technology should help our economy and society advance, rather than incentivizing a rush to seize our sensitive financial data and to allow tech giants to evade existing laws that other firms must comply with.”
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
On August 10, the CFPB announced a consent order against a California-based fintech company for allegedly using an algorithm that caused consumers to be charged overdrafts on their checking accounts when using the company’s personal finance-management app. According to the Bureau, the app promotes automated savings with a proprietary algorithm, which analyzes consumers’ checking-account data to determine when and how much to save for each consumer. The app then automatically transfers funds from consumers’ checking accounts to accounts held in the company’s name. The Bureau asserted, however, that the company engaged in deceptive acts or practices in violation of the CFPA by (i) causing consumers’ checking accounts to incur overdraft charges from their banks even though it guaranteed no overdrafts and represented that its app never transferred more than a consumer could afford; (ii) representing that it would reimburse overdraft charges (the Bureau claims the company has received nearly 70,000 overdraft-reimbursement requests since 2017); and (iii) keeping interest that should have gone to consumers even though it told consumers it would not keep any interest earned on consumer funds. Under the terms of the consent order, the company is required to provide consumer redress for overdraft charges that it previously denied and must pay a $2.7 million civil penalty.
On August 8, the CFPB announced that it is hosting two events to discuss the technical implementation required to prepare for the Bureau’s Small Business Lending Data Collection Rulemaking, which is a requirement under Section 1071 of the Dodd-Frank Act. According to the Bureau, the meetings will be geared toward in-house bank technologists or providers that provide compliance software to banks. Among other things, the meetings will: (i) share how the Bureau builds regulatory compliance technology systems; (ii) discuss possible approaches to authentication and application programming interfaces; and (iii) review technical data submission standards, edits and validations. The Bureau stated that the meetings “will not discuss or seek input on the merits or potential outcome of any ongoing rulemakings or take questions pertaining to the substance of such rulemakings.” According to the CFPB’s spring rulemaking agenda that was released earlier this summer, a final rule is expected in March 2023 (covered by InfoBytes here).
Recently, the CFPB received a rulemaking petition seeking validation of credit score models for credit unions. The petition, which seeks “a rule governing the requirement to periodically validate credit scores for all lending or financing entities,” argues that validation is necessary to measure the effectiveness of credit scores being used to measure credit risk. Claiming that general letters of compliance from credit reporting agencies are inadequate, the petitioner explains that these letters do not “address the misapplication of credit scores by banks, credit card issuers, auto financing groups or individual credit unions that are the primary cause of errors and financial exclusion.” According to the petitioner, “[o]nly a statistically valid empirically derived study based on funded and declined loans will resolve many of the issues in consumer lending today.” The petitioner points out that validation reports “provide the information necessary to measure the efficiency of the credit score being used to measure credit risk,” and that “[d]emographic comparisons of funded and declined applicants can also be used to identify if the underwriting guidelines used in the application of credit scores result in acceptable percentages of financial inclusion for minorities or protected consumer groups.”
On August 4, the CFPB released a report highlighting risks associated with new product offerings that the agency claimed blur the line between payments and commerce. The report examined the development of new capabilities—like “super apps,” buy now, pay later (BNPL), and embedded commerce—that have the potential to streamline payments, facilitate commerce, and enhance user experience, but may also create opportunities for companies to aggregate and monetize consumer financial data. With respect to “super apps,” the Bureau warned that these services have “morphed” into a “bank in an app” model, providing a “wide array of financial, payment and commerce functions within a single app.” These financial services super apps may seem to be more convenient than having multiple relationships with different organizations, the Bureau said, but cautioned that using these products may limit consumer product and service choice. “While consumers can opt to use a payment offering outside an app, such super apps create the potential for providers to steer consumers to specific solutions and/or limit access to some products.”
The report also raised concerns about tech firms offering their own lending or BNPL products. The Bureau pointed out that BNPL options, which provide unsecured short-term credit allowing consumers to split purchases into four equal interest-free payments at the point of sale, have “soared in recent years” as a popular alternative to credit cards. The Bureau noted it is “carefully focused on the shift toward real-time payments in the United States,” and is “seeking to mitigate the potential consequences of large technology firms moving into this space.”
The Bureau further stressed it is “carefully monitoring the payments ecosystem as part of a multifaceted effort to promote fair, transparent, and competitive markets for consumer financial services,” and said it is currently working on Dodd-Frank Act rules that would give consumers more control over the personal financial data that they choose to share with finance and payment apps. The Bureau also stated that it is “assessing new models of lending integrated with payments and ecommerce, such as BNPL,” and plans to issue a report on its findings and make a determination as to whether any regulatory interventions are appropriate. Last year, the Bureau issued a series of orders to five companies seeking information regarding the risks and benefits of the BNPL credit model (covered by InfoBytes here).
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.
The CFPB Ombudsman’s Office issued its midyear update for 2022, which “provides an independent, impartial, and confidential resource to informally assist individuals, companies, consumer and trade groups, and others in resolving issues with the CFPB.” The Ombudsman received 1,108 individual inquiries—the most it has received in a six-month period for the past ten years. The Ombudsman noted that the CFPB had processed certain incoming consumer correspondence as inquiries rather than as consumer complaints, and as a result, they were not forwarded for company response. Based on the feedback, the Bureau added FAQs to the “Submit a complaint” webpage. In addition, later this year the Ombudsman plans to provide a summary of the feedback and recommendations from its post-examination survey of supervised entities, along with a further summary of the findings in its annual report. The update also discussed suggestions on draft CFPB materials, noting that “some of our feedback centered around clarity for the public as well as consideration of the public’s expectations in engaging with the CFPB.” Finally, the update noted that the Ombudsman’s Office intends to host a virtual Ombudsman Forum with organizations assisting consumers in the Midwest region. Feedback will be summarized in its annual report.
On August 1, the U.S. District Court for the Western District of Wisconsin granted over $29.2 million to the CFPB, revising a $59 million judgment that was thrown out by the U.S. Court of Appeals for the Seventh Circuit last year. As previously covered by InfoBytes, in July 2021, the 7th Circuit vacated a 2019 restitution award in an action brought by the CFPB against two former mortgage-assistance relief companies and their principals (collectively, “defendants”) for violations of Regulation O. In 2014, the CFPB, FTC, and 15 state authorities took action against several foreclosure relief companies and associated individuals, including the defendants, alleging they made misrepresentations about their services, failed to make mandatory disclosures, and collected unlawful advance fees (covered by InfoBytes here). The district court’s 2019 order (covered by InfoBytes here) held one company and its principals jointly and severally liable for over $18 million in restitution, while another company and its principals were held jointly and severally liable for nearly $3 million in restitution. Additionally, the court ordered civil penalties totaling over $37 million against company two and four principals.
According to the recent opinion and order, the district court concluded that it would be “appropriate” to characterize the redress as legal restitution because the “plaintiff’s claim is against defendants generally and not one, identifiable fund or asset,” calling it “valid and necessary” for consumers to be compensated for the advance fees they paid. Instead of ordering “complete restitution,” the district court noted it would require the defendants to “refund 50% of the moneys paid, which plaintiff shall return directly to the injured parties to the extent practical,” because the 7th Circuit “found that defendants' conduct was not the product of reckless disregard of the CFPA, but rather a failure to fit themselves under an exception for the delivery of legal services.”
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Jeffrey P. Naimon to provide “An update on key fair lending cases and the CRA and UDAAP rules” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar
- James C. Chou to discuss ransomware at NAFCU’s Regulatory Compliance & BSA seminar
- Elizabeth E. McGinn, Benjamin W. Hutten, and James C. Chou to discuss “The Evolving Regulatory Landscape: Third-party and cyber risk management” at the 2022 mWISE Conference
- James T. Parkinson to present a “Global anti-corruption update” at IBA’s annual conference