A Consumer Finance Newsletter


Our newsletter's title is a nod to the semi-scary Netflix series Stranger Things. No surprise we are VERY excited about Halloween. You may notice that our regular pop culture references have gone horror-themed for this October edition. There are references galore to scary movies along with our take on the latest spooky consumer financial news. This includes the CFPB's open banking rule, the FTC's recent foray into fighting "junk" fees, and state law developments in privacy and commercial lending, as well as an introduction to the process for responding to a civil investigative demand (CID) from the CFPB.

We usually keep things light and breezy at Explainer Things. But our hearts go out to all affected by the vicious and premeditated terrorist attacks in Israel on October 7. We stand with our fellow signatories to the ADL Workplace Pledge to Fight Antisemitism, and with all those around the world who raise their voices in opposition to the hatred and persecution of Jewish people.

Keep reading this month and every month for news relevant to payments, crypto, fintech, cards and more, with our quick analysis ("Akerman's Take") on why that news matters to you. If you have suggestions or questions about the newsletter, email us at [email protected].

 
 

The King Kong of Rules Has Arrived: Proposed Rule on Personal Financial Data Rights

The Dodd-Frank Act, adopted in 2010, created the CFPB and directed it to enact certain regulations. One of those is a regulation that requires financial institutions to provide consumers data about their transactions and accounts. This month, the CFPB proposed the long-awaited rule on "personal financial data rights." The proposal would require credit card issuers and financial institutions that offer Regulation E accounts (such as checking accounts and prepaid accounts) to share account data directly with customers or their authorized third parties.

The covered financial institutions would be required to provide specified covered data: transaction information; account balance; information to initiate payment to or from a Regulation E account; terms and conditions (e.g., fee schedule, APR, and rewards program terms); upcoming bill information; and basic account verification information (i.e., the name, address, phone number, and email associated with the account). Financial institutions would have to establish consumer and developer interfaces that meet certain technical standards. The rule does not establish those technical standards, but proposes that they be set by an independent body created by industry and approved by the CFPB.

Additionally, the rule would set forth certain requirements for third parties (e.g., financial technology companies) to become authorized to receive customer data. Third parties would be permitted only to use the information as "reasonably necessary" to provide the service requested by the consumer and would be prohibited from using the information for targeted advertising, cross selling of other products or services, or selling covered data. It would also limit the length of time a third party could use information after it was authorized by the consumer. The CFPB is accepting public comments on the proposal through the end of December. The agency plans to issue a final rule in October of next year.


It is hard to overstate how big the impact of this rule will be on the consumer finance market. If you need a visual, picture King Kong (the rule) climbing up the Empire State Building (the market). If adopted, the rule will impact nearly everything about the way consumer financial services are provided today. If it works as the CFPB intends, it will make it easier for consumers to switch between banks or credit card providers by easily transferring things like automatic payments to the new provider. According to the CFPB, this will spur competition and reduce the incidence of data breaches by requiring that financial institutions share data through APIs, rather than screen scraping. But it's unclear exactly how this rule will work in practice. The CFPB has never authorized a "standards setting organization" before, nor has it prescribed particular standards for "interfaces." The regulation could become technologically outdated nearly as soon as it is implemented. Also, it is not at all clear the CFPB has the legal authority to propose a rule that requires data be shared with "authorized third parties." The Dodd-Frank Act required only that financial institutions provide data to customers themselves. We here at Explainer Things will be watching this movie closely. Who's bringing the popcorn and the Whoppers?

Junk Fees Are the New Gremlins, Multiplying by the Minute

The Biden administration's consumer regulators have made it a signature goal to address "junk" fees. Just this month, there were several new efforts to limit hidden fees in consumer products. First, the FTC released a proposed rulemaking that would not prohibit fees but would instead require clearer disclosures of them. The proposal provides that advertising a good or service with a price that is not the total price for the good or service would be an unfair practice prohibited by the FTC Act. It would require covered companies to provide a disclosure including the total of all fees or charges a consumer must pay, except government taxes and shipping charges. Public comments on this proposal will be accepted until 60 days after the proposal is formally published, likely in early November.

The CFPB, not wanting to miss out, also took several new steps to address junk fees. First, it issued a special edition of Supervisory Highlights summarizing violations of consumer finance law related to junk fees found in prior exams of banks and consumer finance companies. For example, the CFPB reemphasized prior findings related to providers who charge consumers multiple NSF fees for the same transaction, unanticipated overdraft fees, and certain deposit return fees. The CFPB also highlighted fees for paper statements that were never mailed or delivered, failure of auto loan servicers to provide certain refunds, and failure of remittance transfer providers to disclose certain third-party fees that must be disclosed under the Remittance Rule.

The CFPB separately issued an Advisory Opinion concluding, in brief, that large depository institutions may not charge a fee to respond to a consumer's information request. The Opinion interprets a rarely cited provision of the Dodd-Frank Act, section 1034(c). That provision requires depository institutions and credit unions with more than $10 billion in assets to "comply with a consumer request for information in the control or possession of such covered person." In the Advisory Opinion, the CFPB concludes that covered banks and credit unions "may not impose conditions that unreasonably impede consumers' information requests. The practice of charging fees to respond to an information request would generally unreasonably impede consumers' exercise of their rights under section 1034(c)."


In the 80s classic film Gremlins, Gizmo's progeny mogwai are cute and fuzzy until they are fed after midnight. Then the fuzzy little mogwai turn slimy and mean and multiply exponentially. Back-end consumer fees are a lot like gremlins. At first, there were just a few of them and they seemed harmless. A fee for overdrawing your checking account? Fine. But a fee to receive a statement? A fee to talk to a live person? A fee when you deposit a check that bounces through no fault of your own? The case the agencies make to the public regarding junk fees is clear. Just as no one likes the fuzzy little mogwai after they turn into gremlins, no one likes paying fees they do not understand and that are not clearly disclosed.

We hope the FTC and the CFPB will not move towards prohibiting fees altogether; that would be a big stretch of the agencies' authority. When many states passed laws banning credit card surcharges, courts and most states determined such prohibitions violated the First Amendment. The same outcome could occur here if the agencies ban fees just because they no longer look like the cute little mogwai. On the other hand, it behooves any business to continually reassess whether its fees are clearly disclosed, fairly and evenly assessed, and reasonably related to the cost of providing the underlying product or service. If that's the case, the likelihood of regulatory scrutiny is far lower. And don't worry, the bills we send our clients never include junk fees.

You Probably Saw the Latest CFPB Enforcement News

The CFPB is increasing enforcement personnel by 50 percent with the intent of opening more investigations, "including matters with significant market impact" and "to meet resource demands from [the] increasing number of matters in contested litigation." The CFPB enforces federal consumer financial laws for banks and other depository institutions with total assets of more than $10 billion, and their affiliates, plus it oversees all nonbanks that offer consumer financial services, including fintechs, debt collectors, and mortgage servicers.

With a 50 percent increase of its enforcement personnel and intentions to increase investigations, it is highly likely folks we all know will be impacted, whether from informal CFPB investigations (e.g., collecting info from public sources and other enforcement agencies) or formal investigations, such as civil investigative demands, or CIDs.

The CID is an integral part of a formal CFPB enforcement investigation. It is akin to a subpoena and the CFPB uses it to demand information, including documents and data, as well as answers to written questions and oral testimony. CIDs can be very broad in scope and responding to them often requires companies to divert resources away from normal business operations. The CFPB can only issue a CID for cause, and it must state the nature of any alleged wrongful conduct. Perhaps the most common CID trigger is consumer complaints, but other triggers include the CFPB's whistleblower hotline, supervisory examinations, agency referrals, and market intelligence. The CFPB typically allows a very short amount of time to respond to a CID.


CIDs are like the Saw horror movie series, don't you think? The series revolves around John "Jigsaw" Kramer, a serial killer bent on punishing wrongdoers (as he sees them) through a series of potentially deadly investigations—I mean puzzles. To give his subjects ("victims" is a little harsh even for this Halloween-themed analogy, amiright?) a chance of survival, Jigsaw gives cryptic rules they must follow. Occasionally a subject follows the rules and survives.

So, what are the rules of survival if your company receives a CID? Well, first, take it very seriously. Call us immediately, or, if you must, other experienced counsel. The CID will include deadlines and response instructions. It will outline the process for requesting a modification or even setting aside the CID. Pay close attention to document-submission requirements, the definitions included in the CID, and the "applicable period" it covers. Work with counsel to understand your abilities to respond given your resources and the scope of the CID. Put document holds in place and prepare for your meet and confer—essentially, your first opportunity to tell your story to the CFPB's enforcement team. Ultimately, it's imperative that you are thorough, timely, and accurate in your CID response.

How do we know these things? Well, at least some of us have seen the entire Saw franchise and know how to solve Jigsaw's puzzles. But, more importantly, we are experienced at successfully working with the CFPB and can help you survive the CID gauntlet! (Next month, look for us to highlight the CFPB's enforcement priorities.)

Scream VII: The HMDA-Face Killer

The CFPB announced this month it had filed a lawsuit against Freedom Mortgage Corporation. The agency alleged Freedom violated both HMDA and the terms of a 2019 consent order related to Freedom's 2014 – 2017 HMDA filings. The agency claims Freedom's HMDA data errors were caused by widespread, systemic issues and compliance management systems failures. A file review of 2020 HMDA data found sufficient data errors to require Freedom Mortgage to refile its data, which ultimately included changes to "almost 20%" of all submitted loans and "over 174,000 data entries." The CFPB also argues Freedom did not have an effective system for sampling and validating loan files to ensure an accurate HMDA data submission.

A critical issue in this lawsuit is the CFPB's 2019 consent order with Freedom. According to the order, Freedom previously violated HMDA by "intentionally misreporting" data concerning borrower demographics. Under the terms of the order, which remains in effect until 2024, Freedom agreed to improve its HMDA data policies, procedures, and processes. In last week's filing, the CFPB claims Freedom "failed to implement adequate changes" and improve the accuracy of its HMDA filings.


As everyone knows, there are certain rules someone must abide by to survive a scary enforcement action:

  1. When a regulator calls, you should never say, "Who's there?" It's a death wish. You might as well go outside to investigate a strange noise.
  2. If you're in a meeting with supervision or enforcement staff, never say, "I'll be right back." You won't be. Don't leave to get a coffee or Spindrift by yourself, just stay with the group.
  3. Don't forget the rule of sequels. If there's already been a consent order, the sequel has to have a higher body count. Or more convoluted methods of torture. Sometimes both.

It's hard enough to survive a night reviewing HMDA filings when systems are working properly, but it's even harder when you're also trying to remedy information system breakdowns. HMDA reporters should have a process where data is captured, audited, and periodically checked by compliance and/or legal over the course of the year. This helps catch and resolve systemic issues early. When an HMDA reporter is also dealing with attention from regulators, it is critical to identify root causes, document improvements, and quantify results. This will help rebut claims that an entity has failed to improve. Crunching all these numbers and detailing all of your results may seem tedious at the time, but don't forget—if you're right about this, it could save someone from torment (maybe someone on your HMDA team).

Return of the Living Dead: The CFPB Lives to Fight Another Day?

The Supreme Court held oral arguments this month in a much-watched case intended to resolve a circuit split on the constitutionality of the CFPB's funding structure. The Dodd-Frank Act instructs that the CFPB receives funding from the Federal Reserve System, then the CFPB's director determines the amount necessary to operate the CFPB, up to a maximum of 12 percent of the Federal Reserve's total operating expenses. The challengers, including Community Financial Services Association of America (CFSA), argue this structure violates the Appropriations Clause because (i) the CFPB unilaterally determines its funding needs with no oversight and in violation of the Constitution's Appropriations Clause; (ii) it operates in "perpetuity;" and (iii) the budget cap is so high the CFPB will never reach it. The CFPB claims its funding structure is similar to other agencies funded by fees, assessments, and investments, such as the U.S. Customs Service, the U.S. Post Office, and the U.S. Mint. It also argues appropriate requirements are met because the Dodd-Frank Act laid out the amount, duration, source, and purpose of the funding.

Based on the questions asked during oral argument, the justices may be aligned on the constitutionality question. In addition to the three liberal justices expected to side with the CFPB, Justices Barrett and Kavanaugh appeared skeptical of CFSA's position. Justice Barrett focused on when a "standing appropriation becomes a problem" and Kavanaugh questioned whether the funding structure is truly "perpetual." Justices Kagan, Jackson, and Sotomayor all appeared to accept the CFPB's funding structure as constitutional, with Justice Sotomayor telling CFSA, "I'm sorry…I'm trying to understand your argument, and I'm at a total loss." A decision is expected no later than June 2024.


Given the many conservative justices on the Supreme Court, many observers expect it to side with the challengers and find the CFPB is unconstitutionally funded. The Court may not accept that storyline and seems poised to save the CFPB from near certain death. Does that make the CFPB a zombie? Either way, if you are holding out hope that the Supreme Court will abolish the CFPB or deem its prior rules invalid, we say, "Don't hold your breath" (unless you're looking for a really convincing ghost costume for Halloween). All justices, even several of the conservatives, appeared to struggle finding the CFPB's funding structure unconstitutional. That only Justice Sotomayor asked about a potential remedy suggests the other justices felt no need to go into this line of questioning.

That's Shaken, Not Stirred: FCC Targets Telecom Companies on Robocall Standards

The FCC announced new enforcement orders against 20 telecom companies for failing to comply with the TCPA’s requirement to implement an interconnected framework to prevent unlawful robocalls. Those requirements are known as "STIR/SHAKEN," or the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. Each of the identified companies has 14 days to show cause why they should not be removed from the FCC’s Robocall Mitigation Database. For companies removed from the database, providers will not be allowed to carry their traffic, their customers would be blocked, and no traffic originating from those companies will be allowed to reach the called party.

Congress amended the TCPA in 2019 to give the FCC greater power to fight robocalls, including by requiring telecom companies to take action to prevent robocalls before they make it to a consumer's phone. STIR/SHAKEN, which arises from that legislation, uses a token mechanism to verify call authenticity. If a call cannot be authenticated, it is blocked. The FCC requires impacted providers to file certifications confirming compliance with STIR/SHAKEN or be excluded from the database. Compliant providers must block traffic from any provider that is not listed in the database. Since STIR/SHAKEN was implemented, the FCC reports a 99 percent drop in auto warranty scam robocalls, an 88 percent drop in student loan scam robocalls, and a “halt” to predator mortgage robocalls targeting homeowners nationwide.


Yes, we know that “shaken, not stirred” is not exactly a Halloween theme (although James Bond makes for a great Halloween costume), but we're not above low-hanging pop culture fruit. Since Congress amended the TCPA in 2019, the FCC has intently pushed STIR/SHAKEN and is getting some real results. The FCC's track record on STIR/SHAKEN is approaching James Bond success levels; he never failed to capture his target. The threat to remove service providers from the database is a significant, potentially company-ending sanction for non-compliant providers, and real evidence that the FCC takes robocalls seriously.

Frankenstein Returns: Consumer Lending Disclosures Morph Into Commercial Lending

Earlier this month, California's legislature passed a law eliminating the planned sunset for commercial loan disclosures. Lenders must continue to provide such disclosures indefinitely. California requires commercial lenders to provide consumer-like disclosures that include the total amount of funds loaned, the total dollar cost of the financing, and APR, among other things. When first adopted, the law was only temporary and would sunset on January 1, 2024. Now, small businesses will continue to receive these disclosures.

In addition, Connecticut, Florida, and Georgia recently passed their own commercial lending disclosure laws, joining New York, Utah, California, and Virginia (as discussed in Explainer Things Episode 2). Effective January 1, 2024, Connecticut's new law requires lenders making commercial loans of $250,000 or less to provide applicants with the financing amount, charges, APR, and other key terms. Florida's new law and Georgia's amendments to its Fair Business Practices Act are quite similar. Both states will now require that providers making commercial financing transactions less than $500,000 issue disclosures. In Georgia, providers will have to include an additional statement of whether there are any costs or discounts associated with prepayment. Both Florida and Georgia's new requirements take effect on January 1, 2024.


For years, state and federal laws required disclosures only for loans to consumers, such as the relatively standard Truth in Lending Act disclosures required under federal law. In recent years, though, several states have gone back to the lab to build new disclosures for commercial loans, oftentimes reusing parts of disclosures designed for consumer transactions. Now Connecticut, Florida, and Georgia have joined the party and will be requiring disclosures for loans to small businesses starting next year. But will these disclosures do what their creators intend? Or will they turn into a monster like the creature that Dr. Frankenstein created in his lab? Only time will tell.

Delaware Is Small But its New Privacy Law Is Hardly Child's Play

Last month, Delaware enacted its Personal Data Privacy Act, becoming the 12th state to enact a comprehensive privacy law. The Delaware Personal Data Privacy Act will apply to companies conducting business in Delaware if they either (1) control or process the personal data of at least 35,000 Delaware consumers or (2) control or process the personal data of at least 10,000 Delaware consumers and derive more than 20 percent of their gross revenue from selling personal data. While many aspects of Delaware's law are similar to Connecticut's Data Privacy Act, Delaware's applicability thresholds are much lower than those of Connecticut and other states, which require the processing of at least 100,000 consumers' personal data or processing personal data of at least 25,000 consumers while deriving at least 25 percent of gross revenue from the sale of personal data.

Delaware's law also strays from (most of) the pack in that it generally does not exempt nonprofits from its reach, with limited exceptions. Delaware exempts several types of health data covered by HIPAA, but does not have a blanket exemption for entities subject to HIPAA. Of note, institutions subject to the Gramm-Leach-Bliley Act are exempt from both states' laws, and information processed under the GLBA is also exempt. Delaware will also require companies to conduct a "data protection assessment" for certain high risk activities. These triggering activities can include things like any processing of sensitive data, sale of personal data, targeted advertising, and certain uses of AI and other automated decision-making if it is high risk.

Delaware's law does not allow consumers a private right of action, but is instead enforceable by the attorney general. It also provides a period of 60 days for a company to cure an alleged violation of the act.


Delaware may be a small state, but it is not too small to join the fight against dissemination of consumers' personal data. Perhaps Delaware was inspired by the unforgettable Chucky from the Child's Play movies. Chucky was small, but he packed a mean punch and never failed to scare kids and grownups alike. Don't be scared of privacy laws, but do make sure you know that new states are entering the privacy fight all the time. Make sure to check on whether you do business in Delaware such that you need to update your privacy policies.
