 |
|
 |
|
Two New Rules from the CFPB Target Overdraft and NSF Fees
In late January, the CFPB proposed two separate rules targeting so-called "junk" fees on consumer checking accounts; the first related to overdraft fees and the second related to NSF or "nonsufficient funds" fees. The overdraft proposed rule would fundamentally restructure and restrict overdraft services in consumer asset accounts (e.g., checking accounts) when offered by financial institutions that exceed $10 billion in assets. The proposal would have no impact on smaller banks and credit unions with less than $10 billion in assets. The proposal deems overdrafts to be credit subject to the Truth in Lending Act, including the rules applicable to credit cards, unless the bank restricts its overdraft fees to below a limit prescribed by the CFPB. The proposal would reverse a longstanding regulatory provision first adopted in 1969 which determined that overdraft services on an asset account were credit, yet exempt from coverage under TILA for certain policy reasons. If adopted, the rule would require very large banks that charge fees over the prescribed limits to establish a separate credit account for customers, provide certain disclosures related to that separate credit account, including the APR, and require that consumers be able to repay the overdraft credit on a regular periodic payment schedule.
The NSF proposed rule would prohibit NSF fees on any transaction denied "instantaneously or near-instantaneously" by a financial institution. In general, the prohibition on NSF fees would apply to one-time debit card transactions that are not preauthorized, ATM transactions, and certain P2P transactions but not to transactions initiated by check or ACH. The proposed rule is premised on the CFPB's finding that NSF fees for real-time transactions are abusive because consumers receive no benefit from a declined transaction and only incur costs, while financial institutions incur only minimal costs for declined real-time transactions. The agency acknowledges in the proposed rule that financial institutions typically do not charge NSF fees for declined real-time transactions and that the proposal is largely a preventative measure. The agency is concerned financial institutions may begin charging NSF fees for these transactions in light of declining revenue once the overdraft proposal takes effect.
The proposed NSF rule reminds us of the futuristic Spielberg take on Philip K. Dick's short story, Minority Report. Psychics called "precogs" knew when people were planning to commit crimes and a special pre-crime police force (led by Tom Cruise) would make arrests before the crimes happened. The CFPB is channeling its inner precog to stop abusive NSF fees before they start, predicting banks might adopt them soon. And the overdraft proposal recalls Minority Report in the sense that the rule would apply only to a small segment of financial institutions—very large ones with assets over $10 billion. If overdraft fees are so harmful for consumers, shouldn't the CFPB's proposal apply to all banks and credit unions, not just a minority of them (approximately 175 only)? Especially when the CFPB's research supporting the rule shows that small banks generate proportionally more revenue from overdraft fees than larger ones?
What do the TCPA and Burning Books Have In Common?
In mid-December, the FCC adopted a new rule under the TCPA significantly impacting a company's ability to place telemarketing calls to consumers using an automatic telephone dialing system or prerecorded or artificial voice. Under the new rule, companies must obtain prior express written consent to place telemarketing calls or texts to consumers on a "one-to-one basis." In other words, to qualify as prior express written consent, the consumer must "clearly and conspicuously authorize no more than one identified seller to deliver or cause to be delivered" the telemarketing call/text. Noting that certain comparison shopping websites may be negatively impacted by this rulemaking, the FCC did allow for such websites to obtain consent for multiple sellers to place calls, but only where that website provides opportunities for the consumer to directly consent to calls/texts from that seller (e.g., through a check box list allowing the consumer to select the companies s/he wishes to receive calls from or providing a click through to the company's website so the consumer can provide direct consent). The new rule also requires a call/text to be "logically and topically associated with the interaction that prompted the consent."
The FCC adopted a 12-month implementation period for the one-to-one consent rule, which began to run after the final rule was published in the Federal Registers on January 26, 2024. So businesses will need to be in compliance with the new rule as of January 27, 2025.
The FCC is like the government in Ray Bradbury's book Fahrenheit 451. They pass a rule intended to address a particular social issue—accommodating society's shorter attention span in Fahrenheit 451 and a lead-generator loophole for the FCC—but, instead, the rule has unintended impacts in unrelated areas. In Fahrenheit 451, the rule ultimately led to the banning and burning of all books. In the FCC's case, the new rule could affect companies who do not even use lead generation because it only allows a single seller to obtain consent at a given time and only for a "logically and topically associated" purpose.
Until now, many companies obtained prior express written consent on behalf of themselves, as well as affiliated entities, subsidiaries, etc., who may not fall within the definition of "seller" as defined by the TCPA. The scope of that consent may have also broadly included any purpose, even if not logically or topically related to the reason the consumer originally gave consent. Under the new rule, consent obtained in this way may no longer qualify as prior express written consent. This is huge news and potentially upends the entire telemarketing industry. If your company makes outbound telemarketing calls using an autodialer or a prerecorded/artificial voice, with or without the assistance of lead generators, you will need to take a good hard look at your current prior express written consent language to make sure it complies with the new rules.
New California Regs on Automated Decisionmaking
We previously alerted clients that, as of March 2023, the California Privacy Protection Agency (CPPA) finalized regulations in only 12 of 15 California Consumer Privacy Act (CCPA) areas assigned to it under the CCPA. Recently, the CPPA announced it was adding the 13th CCPA area—draft automated decisionmaking regulations that "define important new protections related to businesses' use of" automated decisionmaking technologies. The draft regulations include new consumer notice requirements regarding automated decisionmaking technologies and rights relating to personal data used with the technologies. Those rights include opting out of having data used for automated decisionmaking and accessing information about how a business is using automated decisionmaking technology.
The CPPA released revised draft regulations on risk assessments for companies subject to the CCPA. The regulations define their scope of applicability and specify when businesses should conduct risk assessments. The draft regulations provide detail on stakeholder involvement and what must be included in risk assessments. At the very least, the draft regulations will require businesses to thoroughly understand key issues to complete risk assessments and how the processing of consumers' personal data impacts consumers. The draft regulations also contain specific requirements for use of automated decisionmaking technology.
If you're considering developing or using automated decisionmaking (i.e., artificial intelligence tools) you should study these regulations carefully, even in draft form. This isn't like the Soviet-led surprise invasion of Calumet, Colorado in Red Dawn—we have time to prepare. AI tools are complex. It will be difficult to comply with these requirements, especially if companies wait until a tool has already been developed. Building these capabilities into the tool at the outset, although still difficult, will be more feasible. In addition, the draft regulations on risk assessments shed light on what the CPPA expects businesses to consider when they weigh the benefits of using a tool with the risks posed to consumers. Businesses will do well to consider and document the issues included in the draft regulations so they are compliant when regulations become effective. Don't be caught off guard and forced to engage in guerilla tactics like a Wolverine! Review the regulations, understand how they will impact your business, and avoid WWIII with a regulator.
How Writing a Commenter Letter on a Rulemaking Proposal is Like Playing War Games
We get asked to draft comment letters on regulatory proposals quite frequently. Several members of Explainer Things cast have written federal regulations, so we have reviewed and responded to even more comment letters than we have written. Given the number of rulemakings in flight amongst state and federal regulators, we thought we would share some brief thoughts on how to write a good comment letter.
Details, facts, and specifics matter! Comment letters full of platitudes and whining are easily ignored. Those with details about how the proposed rule does not achieve its intended policy goals or are impossible to operationalize are harder to fluff off. And, legally, a federal agency cannot comply with the Administrative Procedures Act and ignore comments that contain substantive facts. Additionally, many rulemakings include detailed estimates from agency economists on the costs and benefits of the rule. We see commenters frequently overlook these parts of the rule. This is a mistake. As a result, assumptions made by the economists, which are often under-resourced, are left undisturbed. (Agencies are limited by the Paperwork Reduction Act in how much research they can do in some areas so some assumptions are necessarily based on little evidence.)
Let's imagine you sell chocolate hearts, and a federal rulemaking proposes to require chocolate wrappers contain sugar warnings on all sales after February 1st, just in time for Valentine's Day. If your comment letters says only that the agency has gone too far, you hate the proposal, your customers don't care about sugar content, and it will be expensive to do, you will not move the needle for the regulator. The agency likely expects this reaction from industry and will breathe a sigh of relief if this is all your comment says.
A better comment letter would:
- Specifically explain why the regulator exceeded its legal authority and include citations to the relevant statute and legislative history.
- Provide specific facts on the costs and process of changing packaging. Ask your business colleagues for details of and how the changes would need to be implemented.
- Include information, such as customer surveys or other public data, indicating that customers already know chocolate hearts contain sugar so no disclosure is necessary.
Each of these points, if well-taken, requires a response from the regulator. If the regulator has no legitimate response, it must either change the rule to address the point or risk a legal challenge to the rule.
Regulators don't always understand innovative products and how they fit into regulatory rubrics. When we explain products to regulators, we need to avoid being like Matthew Broderick's character, David Lightman, in War Games—assuming our intentions are understood by the faceless person or system on the other side of our communication and that we provided enough detail for them to make an informed decision. The consequences of assuming and providing too little detail can be significant. Recall WOPR (the supercomputer in War Games) didn't appreciate David was playing a game, nearly resulting in mutually assured destruction. Don't let assumptions or insufficient information be the reason regulation negatively impacts you. The more detail you provide in your letter, the more likely you are to get what you ask for. If you're considering commenting for the first time, or just have questions, please reach out. We'd love to chat with you about your comments and help you avoid Global Thermonuclear War!
The OCC Issues Guidance for Banks Engaged in BNPL
The OCC was busy talking fintech partnerships, artificial intelligence (AI), and BNPL lending in recent months. Donna Murphy, the acting head of the OCC's Office of Financial Technology, testified to the House on the agency's supervision and regulation of banks' use of evolving financial technology. A day later, the OCC issued a bulletin discussing prudent and sound risk management systems for banks involved in Buy Now Pay Later (BNPL) lending.
In her written testimony, Deputy Murphy recognized the banking industry's interest in entering into third-party relationships with fintechs and using AI in their technologies, products, and services. While the partnerships and technology have significant upsides, there is potential for consumer harm. When used appropriately, technology can strengthen a bank's safety and soundness, enhance consumer protections, improve compliance functions and systems for addressing financial crime, and assist in creating equal access to banking. But, the OCC urges banks to engage risk managers and compliance professionals through each step of implementation. The agency will continue with robust, risk-based supervision and industry monitoring to help banks innovate but also ensure they grow in a safe, sound, and fair way.
The OCC's guidance acknowledges BNPL can support consumers' financial capabilities and provide convenient and low-cost options; at the same time, recognizing BNPL loans can lead to credit, compliance, operational, strategic and reputational risks. The OCC urges banks to implement risk management systems commensurate with associated risks, and suggests implementing prudent lending policies and procedures that address loan terms, underwriting criteria, fees, charge-offs, etc. The agency advised banks to timely provide credit bureaus BNPL loan information, assess and implement controls to mitigate fraud risks, consider and address risks particular to BNPL loans, implement clear and standardized disclosure language, and comply with consumer protection laws and regulations.
On the one hand, we appreciate that the OCC is proactively releasing guidance for banks engaged in BNPL lending. That's better for our clients than jumping straight to an enforcement action when a bank or fintech violates unstated or ambiguous rules. On the other hand, it's not exactly front-page news for a banking regulator to tell banks to comply with existing laws and ensure that they have a risk management strategy for third-party relationships. Despite the lack of specificity in the guidance, anyone engaged in BNPL lending should be paying attention.
