CFPB Issues New Supervisory Highlights

The Bureau of Consumer Financial Protection (CFPB), on September 6, 2018, published a new issue of its Supervisory Highlights report.  This issue of Supervisory Highlights, the only one issued this year so far, provides information on the CFPB’s supervisory findings in the areas of auto loan servicing, credit card account management, debt collection, mortgage servicing, and payday lending.  Of particular interest is that the CFPB included findings from fair lending examinations of small business lending at supervised institutions, and provides information on its Office of Innovation’s efforts to update the CFPB’s no action letter and trial disclosure program policies. 

Updates to the No Action Letter and Trial Disclosure Policies

The report notes that the CFPB’s new Office of Innovation is “in the process of revising” the CFPB’s “no action letter” and “trial disclosure” policies to increase participation by companies seeking to advance new products and services.  The CFPB did not provide any timeframe or description of the process it is using for these revisions. 

As you may know, the CFPB issued its current “Final Policy on No-Action Letters” in February 2016 under former Director Cordray.  Many in the industry have viewed the current policy as unworkable, and only one no action letter has been issued under the current policy (the report provides a status update on the CFPB’s ongoing work monitoring the entity that obtained that no action letter).  The trial disclosure policy is authorized under section 1032(e) of the Dodd-Frank Act and allows the public to obtain a compliance safe harbor to test trial disclosures with the purpose of improving on a model form.  This policy has also been viewed as unworkable, though it could provide significant benefits to the industry if utilized, as it could result in significant regulatory changes.

It would be beneficial if the CFPB published proposed changes to these policies for notice and comment, as input from the industry could greatly enhance the CFPB’s efforts.  These two policies could significantly benefit the public by enabling further innovation in the consumer financial services markets.  We encourage the industry to provide input to the agency to assist its efforts in improving these policies. 

UPDATE:  The CFPB will publish a proposed policy on trial disclosure programs on Monday, Sept. 9, 2018, with comments due Oct. 10, 2018.  You can find the proposal here: https://www.federalregister.gov/documents/2018/09/10/2018-19385/policy-to-encourage-trial-disclosure-programs.  I will post a summary of that proposal on this blog.  Please note that our firm is uniquely positioned to assist your organization with submitting a comment letter to this proposal, or designing a trial disclosure program.  While at the CFPB, I led the CFPB’s qualitative and quantitative consumer testing of the TRID mortgage disclosures, which remains the most extensive testing the CFPB has conducted.  I can provide your organization with unique insight into the intersection of consumer testing, policy objectives, and regulatory requirements.

Small Business Lending

The report notes that the Equal Credit Opportunity Act applies to business-purpose credit and that the CFPB began conducting examinations of institutions’ small business lending in 2016 and 2017 for compliance with ECOA.  The CFPB stated that these examinations focused on the risks of an ECOA violation in underwriting, pricing, and redlining.  The CFPB stated that it, “anticipates an ongoing dialogue with supervised institutions and other stakeholders as [it] moves forward with supervision work in small business lending.” 

The CFPB stated in the report that it found that institutions “effectively managed the risks of an ECOA violation in their small business lending programs,” including self-monitoring.  However, the CFPB stated that it observed institutions collect and maintain only limited data on small business lending decisions, which could impede their ability to monitor and test for the risks of ECOA violations through statistical analyses.  This is an interesting point, considering that the CFPB retained in its Spring 2018 rulemaking agenda its rulemaking to implement Dodd-Frank Act section 1071.  As I’ve written about before, this provision added section 1691c–2 to ECOA requiring the CFPB to issue rules creating a data collection and reporting requirement for small, women-owned, and minority-owned business loans, similar to HMDA.  The agenda scheduled “prerule activities” for March 2019. 

The report also notes that the CFPB’s supervisory program includes a fair lending assessment of the institution’s compliance management system related to small business lending, using Module II of the ECOA Baseline Review Modules.  These reviews include assessments of the institution’s board and management oversight, compliance program (policies and procedures, training, monitoring, and/or audit, and complaint response), and service provider oversight.  The examinations also use the Interagency Fair Lending Examination Procedures.

Mortgage Servicing Findings

The CFPB’s findings in mortgage servicing exams included servicers that failed to timely place consumers who successfully completed trial modifications into permanent modifications.  One or more servicers failed to move hundreds of consumers to permanent modification for more than 30 days.  The CFPB also identified servicers that charged consumers more than permitted under loan modification agreements.  The CFPB stated that the errors were data driven, affecting the modified loan’s starting balance, step-rate and interest-rate changes, deferred interest, and amortization maturity date when the loan was entered into the servicing system.  The CFPB identified both of these issues as unfair practices under the Dodd-Frank Act’s prohibition against unfair, deceptive, or abusive act or practices (UDAAP). 

The CFPB also identified servicers initiating foreclosure after representing that they would not do so if a consumer accepted a loss mitigation offer by a certain date, and the consumer timely accepted.  Again, the CFPB labeled this practice a UDAAP violation.  The CFPB also identified as a risk of a deceptive practice under UDAAP a servicer providing a notice to consumers who submitted a complete loss mitigation application less than 37 days from a scheduled foreclosure sale that the servicer would notify them of a decision on the application within 30 days, but proceeded to conduct the scheduled foreclosure sales without making a decision on the application.  Notably, the report stated that the CFPB, “did not find that this conduct amounted to a legal violation but observed that it could pose a risk of a deceptive practice.”

Other Findings

In the CFPB’s auto loan servicing examinations, the CFPB identified failures of servicers to apply insurance payments after a total vehicle loss according to the promissory note and failed to cancel repossessions according to their programs, which the CFPB labeled unfair practices.  In its credit card examinations, the CFPB identified failures to reevaluate APRs after rate increases according to the CARD Act.   In its debt collection examinations, the CFPB identified failures of debt collectors to cease debt collection and properly validate debts according to the FDCPA.  In its payday lending examinations, the CFPB identified as a UDAAP issue a lender providing notices that it would repossess consumers’ vehicles when it had no practice or relationships to do so.  In addition, the CFPB identified violations of UDAAP and Regulation E involving the use of unauthorized debit card or ACH credentials to initiate electronic funds transfers.  The CFPB also identified invalid authorizations of preauthorized electronic funds transfers being used in loan agreements. 

Conclusion

If you would like to discuss any of these issues, please contact us.  We advise many clients on these and similar issues.  In addition, if you are interested in pursuing a no action letter or a trial disclosure program under the CFPB’s current policies, our firm can assist.  As noted above, while at the CFPB, I led the CFPB’s qualitative and quantitative consumer testing of the TRID mortgage disclosures and can assist your organization in designing a trial disclosure program.

You can access the report here: https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-releases-latest-supervisory-highlights/

 

CFPB Issues Annual Privacy Notice Exception Rule under GLBA

The Bureau of Consumer Financial Protection (CFPB or Bureau) on August 10, 2018 amended Regulation P, which implements the Gramm-Leach Bliley Act (GLBA), to provide an exemption for certain financial institutions from providing an annual privacy notice under GLBA.  The amendment will be effective September 17, 2018.

The amendment implements a December 2015 statutory change to GLBA that provided an exception to the annual privacy notice requirement for financial institutions that do not share nonpublic personal information (NPI) about customers except under certain statutory exceptions under GLBA, and have not changed their privacy policies.   The statutory change is already effective.  The CFPB now has issued this rulemaking to implement the change and provide more specific criteria than what was in the statute.  In addition, the rule eliminates the alternative delivery method that allowed providing the annual privacy notice on a website that the CFPB had previously added to Regulation P in 2014 to address regulatory burden, as this statutory amendment applies to the institutions that would have qualified for the CFPB’s alternative method.

Specifically, the new provision generally provides that a financial institution is exempt from the annual notice requirement if it: (i) provides NPI to nonaffiliated third parties only in accordance with the exceptions from the notice and opt-out requirements; and (ii) has not changed its policies and practices with regard to disclosing NPI from those disclosed in its most recent privacy notice.  If a financial institution loses the exception because it changes its policies and procedures, it must begin providing annual privacy notices according to the timing required under Regulation P. 

As our readers know, information sharing with affiliates, and disclosure and opt-out requirements, intersect under GLBA and FCRA.  It is worth noting that financial institutions that share consumer information with their affiliates and must provide an opt-out under FCRA (either under sections FCRA sections 603(d)(2)(A)(iii) or 624) can still qualify for this annual privacy notice exception, but would be required to provide any opt-out disclosure required under FCRA separately.  In addition, changes to such sharing with affiliates that would require a new disclosure and opt-out under FCRA would not cause a financial institution to lose this exception (but, again, a separate disclosure under FCRA may be required).  It is also worth noting that voluntarily disclosing and providing an opportunity to opt-out from certain unrestricted sharing under GLBA would not preclude an institution from being subject to the exception, even if it changes its policies and procedures for such sharing (although such an institution may want to provide a separate disclosure of any changes to its sharing that was previously the subject of a voluntary disclosure for UDAAP purposes).

We frequently handle federal and state privacy issues for its clients.  Please let us know if you’d like to discuss this amendment or would like any additional information.

 

CFPB Enforcement Continues under Acting Director Mulvaney, Including Against Individuals: But “Responsible Conduct” Gets Attention

Since Acting Director Mulvaney took the helm of the Bureau of Consumer Financial Protection (CFPB) in November 2017, many have questioned whether the CFPB would continue its prior level of enforcement.  Although the CFPB has dropped some high profile lawsuits and investigations under Acting Director Mulvaney, it appears that the CFPB is pursuing other enforcement actions at a significant pace.  The CFPB has issued at least six settlements so far in 2018, including three in June and two in July. 

While this is an indication that the CFPB under Acting Director Mulvaney is still utilizing its enforcement powers, these actions most likely stem from investigations started under former Director Cordray.  It remains to be seen how many new investigations and enforcement actions have been started since Mulvaney became Acting Director.  Further, a new permanent Director could put in place a different policy towards the agency’s use of its enforcement powers.  But we can at least see from this June and July that the CFPB continues to pursue enforcement cases. 

Below, we highlight three recent enforcement actions that show the CFPB is enforcing in different areas of law and for different products.  The first illustrates that engaging in “responsible conduct” (including self-reporting, voluntary restitution, and cooperation with the CFPB, as described in the CFPB’s Bulletin 2013-06) can positively affect the outcome of an enforcement action, in this case resulting in no civil money penalty. 

The last two actions discussed show that, under Acting Director Mulvaney, certain cases can still result in enforcement actions against individuals and include bans from the industry. 

Large National Bank under the CARD Act

The CFPB, on June 29, issued a Consent Order against Citibank, N.A. for failing to reevaluate and reduce the APRs for about 1.75 million consumer credit card accounts as required in violation of the Credit Card Accountability Responsibility and Disclosure Act of 2009 (“CARD Act”) amendments to the Truth in Lending Act.  The CFPB also found that the bank failed to maintain reasonable policies and procedures about APR reevaluations as required.  The consent order requires the bank to pay $335 million in restitution to consumers affected by these practices. The bank must also submit a compliance plan within 60 days.

The CARD Act requires creditors to periodically reevaluate APRs based on certain factors for credit card accounts on which they have increased the APRs, including after imposing default APRs, and maintain reasonable policies and procedures on conducting the reevaluations.  Creditors are generally required to conduct APR reevaluations at least every six months after the rate increase.

The CFPB found that the bank conducted APR reevaluations, but did not apply the required factors correctly, which resulted in overcharges to consumers. The CFPB found several errors that generally involved using criteria that did not align with criteria used for underwriting new accounts or improperly applying the criteria, including an incorrect calculation of the consumer’s ability to pay and incorrect use of FICO scores.

We are often asked about the advantages and disadvantages of self-identifying violations to the CFPB (as well as voluntary corrective action and restitution).  It seems that in this case, self-identification and other “responsible conduct,” enabled the bank to avoid a civil money penalty, at least on top of the substantial restitution payment.  The CFPB noted in its order that the bank originally uncovered the violations in 2016, self-reported the deficiencies to the CFPB, and began providing voluntary restitution in early 2017.  The CFPB apparently took this conduct into account, as described in Bulletin 2013-06, noting in its announcement that, “the Bureau did not assess civil money penalties based on a number of factors, including that Citibank self-identified and self-reported the violations to the Bureau, and self-initiated remediation to affected consumers.”  This enforcement action is worth keeping in mind when evaluating whether to self-identify violations to the CFPB. 

You can find the CFPB’s announcement here: https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-settles-citibank-na/

National Credit Adjusters, LLC and its Former CEO under FDCPA and UDAAP

The CFPB, on July 13, issued a Consent Order against National Credit Adjusters, LLC and its part-owner and former CEO, Bradley Hochstein.  The CFPB found NCA maintained a network of debt collection agencies that used unlawful debt collection practices that harmed consumers in violation of the Fair Debt Collection Practices Act and the CFPB’s prohibition against unfair, deceptive, or abusive acts or practices.  The Consent Order imposed a $3 million civil money penalty against each of NCA and Hochstein, but suspended part of the payment if NCA and Hochstein pay $500,000 and $300,000 penalty, respectively.

According to the CFPB, NCA used collection agencies that told consumers they owed more than they were legally required to pay, and threatened consumers with lawsuits, visits from process servers, and arrest, when they did not have the legal authority to take those actions.  In addition, NCA continued to sell debt portfolios to these debt collection companies even with knowledge, or reckless disregard, of the harmful debt collection practices.  The CFPB pointed to a number of factors that added to NCA’s fault, including that NCA’s compliance personnel recommended that NCA sever its relationship with the debt collection companies due to their illegal collection acts and practices.  However, NCA and Hochstein continued placing accounts with the debt collectors. NCA also provided “critical assistance” to the debt collection companies, including drafting their policies and procedures to give a false impression the debt collectors complied with federal law.

Notably, the CFPB named Hochstein individually in the Consent Order due to his “managerial responsibility for NCA” and “direction and oversight” of NCA’s debt collection activities.

As a result, NCA and Hochstein are barred from certain collection practices, and Hochstein is permanently barred from working in any business that collects, buys, or sells consumer debt.

You can find the CFPB’s announcement here: https://www.consumerfinance.gov/about-us/newsroom/bureau-settles-national-credit-adjusters-llc-and-bradley-hochstein/

Settlement with Individual Defendant in Hydra Group Lawsuit

Also, on July 23, in a lawsuit the CFPB filed back in 2014 involving alleged violations by an online payday lender, the CFPB entered a stipulated final judgment and order against one of the individual defendants in the case with a civil money penalty of $1.  While that may sound small, there was also a five-year broadly worded ban from the industry, and requirements for full cooperation with the CFPB in its continuing investigation against the other defendants, and ongoing reporting for five years covering the individual’s compliance and other business activities.

Conclusion

The CFPB continues enforcement actions under Acting Director Mulvaney.  While, these enforcement actions likely involved investigations that began under former Director Cordray, Acting Director Mulvaney apparently approved these particular actions moving forward.  Moreover, these actions include orders against individuals that included civil money penalties and bans from business. 

Only time will tell whether and at what pace the CFPB will initiate new investigations.  It also remains to be seen how a new permanent Director, including, if confirmed, the President’s recent nominee, Kathy Kraninger (current Associate Director at the Office of Management and Budget), will place on enforcement.  In the meantime, however, lenders should continue to proceed with caution and take compliance seriously.

CFPB’s Statement about Partial HMDA Exemptions Added by S.2155

The Bureau of Consumer Financial Protection (CFPB) on July 5, 2018 issued a statement on the new “partial” exemptions from HMDA that were added by section 104 of S.2155, the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”), which was signed into law on May 24, 2018.  The CFPB’s statement briefly described the scope of the exemptions, and stated it will provide further guidance on the applicability of the Act to HMDA data collected in 2018 later this summer. 

The Act’s partial exemptions from HMDA apply to insured depository institutions and insured credit unions as follows: (1) to closed-end mortgage loans, if the institution originated fewer than 500 closed-end loans in each of the two preceding calendar years; and (2) to open-end lines of credit, if the institution originated fewer than 500 open-end lines of credit in each of the two preceding calendar years. 

The Act exempts such institutions from the “requirements of [HMDA section 304(b)(5) and (6), 12 U.S.C. § 2803(b)(5) and (6)]” for such transactions.  These are the new statutory provisions the Dodd-Frank Act added to HMDA that mandate the new data points that are required by the CFPB’s 2015 HMDA rule.  Institutions subject to the exemption are not required to collect or report the new data points, such as the ULI, credit score and model, rate spread, and the AUS.  But note that such institutions would remain otherwise subject to HMDA reporting.  The CFPB acknowledged in its statement that, “for these transactions, those institutions are exempt from the collection, recording, and reporting requirements for some, but not all, of the data points specified in current Regulation C.” 

Interestingly, these new Dodd-Frank Act statutory provisions give the CFPB discretionary authority to require other information not expressly mandated by HMDA, which the CFPB used to modify the requirements for certain former data points, such as the loan purpose, lien status, and denial reason.  It will be interesting to see whether and how this “partial exemption” will be applied by the CFPB to these data points that it modified using this discretionary authority. 

Also note that in December 2017, the CFPB issued a statement that it intended to issue a proposed rule to “reconsider” the “rule's discretionary data points.”  The CFPB’s Spring 2018 regulatory agenda has a proposed rule under HMDA scheduled for January 2019.  It is possible that the CFPB could roll back the new and modified data points that it added under its discretionary authority.

The CFPB also noted that the format and submission of LARs would not be impacted by the exemptions. Institutions filing HMDA data collected in 2018 will report under the previously-released 2018 Filing Instructions Guide (“FIG”).  But the CFPB plans to release a revised FIG later this summer with exemption codes that institutions subject to the partial HMDA exemptions would use for exempt data points. A beta version of the HMDA Platform for 2018 data will be available later this year so filers can test the submission of data collected in 2018.

You can access the CFPB’s statement here: https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-issues-statement-implementation-economic-growth-regulatory-relief-and-consumer-protection-act-amendments-home-mortgage-disclosure-act/.  Also note that federal banking agencies have issued similar statements as well.

Please let me know if you have any questions or would like to discuss.