In January 2019 the Consumer Financial Protection Bureau (“Bureau”) published its 271-page report assessing its Ability to Repay-Qualified Mortgage rule.  This Bureau must conduct this assessment under section 1022(d) of the Dodd-Frank Act, which mandates that the agency publish a report of its assessment within five years of the effective date of the rule.   You can find the report, which is entitled the “Ability-to-Repay and Qualified Mortgage Rule Assessment Report” (the “Report”), here.  We previously wrote about here.   This report finds that the market has not adopted “non-QM” lending to the extent it expected.  We believe that because of the planned sunset of a temporary safe harbor in the rule for loans approved for sale to the GSEs, the industry may need to begin looking at how to safely conduct non-QM lending. 



Recall that in July 2010, the Dodd-Frank Act amended to the federal Truth in Lending Act (“TILA”) to require lenders to make a good faith determination that borrowers have the ability to repay the loan before a loan is made, create a safe harbor for “qualified mortgages,” and require the Bureau to issue rules implementing this requirement. In response, on January 30, 2013 the Bureau published the Final Rule implementing the Ability to Repay requirements in the Federal Register (“ATR Rule”), which became effective almost one year later on January 10, 2014.

The stated purpose of the Dodd-Frank Act’s ability-to-repay requirement was to ensure “consumers are offered and receive residential mortgage loans on terms that reasonably reflect their ability to repay the loans, the loans are understandable and not unfair, deceptive or abusive.”  But Congress also stated an interest in ensuring that and consumers still had access to “responsible, affordable” credit.

To that end, the ATR Rule required mortgage lenders to ensure that all borrowers had the ability to repay their loans by considering eight specific elements:

1.      The borrower’s current or reasonably expected income or assets, other than the value of the dwelling;

2.      The borrower’s employment status;

3.      The monthly payment on the loan;

4.      The monthly payment on any simultaneous loan(s) that the creditor knows or has reason to know will be made;

5.      The monthly payment for mortgage-related obligations;

6.      The borrowers’ current debt obligations, alimony, and child support;

7.      The overall monthly debt-to-income ratio or residual income; and

8.      The borrower’s credit history.


The ATR Rule established the Qualified Mortgage loan which, by application of the ATR Rule, results in three classes of mortgage loans: The Safe Harbor Qualified Mortgage loan (“Safe Harbor Loan”), the Rebuttable Presumption Qualified Mortgage Loan (“Rebuttable Presumption Loan”)(collectively, these two are “QM Loans”), and the Non-Qualified Mortgage Loan (“Non-QM Loans”).

Safe Harbor Qualified Mortgage: Generally, a Safe Harbor Loan  is one in which the borrower has limited-to-no opportunity to  challenge the lender’s determination that the borrower had the ability to repay the loan at time of origination, provided the lender determined the borrower’s the Debt-to-Income Ratio (“DTI”) did not exceed 43% as calculated by Appendix Q to Regulation Z, and the points and fees do not exceed 3% of the total loan amount.  Here, the lender is afforded strongprotection from a claim by a borrower that the lender failed to establish the borrower’s ability to repay at the time of the loan was made.

Importantly, in the ATR Rule, the Bureau deemed any loan underwritten pursuant to Fannie Mae or Freddie Mac’s guidelines as a Safe Harbor Loan, even if the DTI exceeded 43% or the points and fees exceeded 3% of the total loan amount. This temporary QM exemption, commonly referred to as the “GSE patch”, expires by operation of rule on January 10, 2021, or whenever the GSEs come out of conservatorship, whichever comes first. Additionally, the Federal Housing Authority, the Veterans Administration, the United States Department of Agriculture and the Rural Housing Service all issued regulations pursuant to their respective regulatory authority to deem any loans insured by any of those agencies as a Safe Harbor QM Loan.

Rebuttable Presumption Qualified Mortgage: Generally, a Rebuttable Presumption Loan  is a QM loan that is “higher priced.”  For these loans, the lender is presumed to have complied with the ATR Rule, but the borrower is permitted to challenge or “rebut” that presumption by showing, for example, he lender’s underwriting practices were unsafe or unsound. The loans falling into this category are those in which the DTI did not exceed 43%, the points and fees did not exceed 3% of the total loan amount, and the loan is a Higher Priced Mortgage Loan as defined in Regulation Z (i.e., where the APR is greater than the Freddie Mac Average Prime Offer Rate plus 1.5% for first mortgages and 3.5% for second mortgages). Here, a borrower must first meet a certain legal burden of proof before the lender could be exposed to liability in such a lawsuit for failing to comply with the ATR Rule.  

Non-Qualified Mortgage:  A loan that is defined as neither a Safe Harbor Loan or a Rebuttable Presumption Loan is generally defined as a Non-QM loan. This is a loan where the lender is not afforded any legal protections regarding the quality of their underwriting and their assessment of the borrower’s ability to repay the loan. This applies to loans that did not meet the QM standard because the DTI ratio exceeded 43%, or the requirements in Appendix Q were not used to determine ability to repay, the loan contained certain attributes that disqualify it from being a QM loan, or points and fees exceeded 3% of the total loan amount. Here, the borrower need only allege – without proof - that the lender maintained unsafe and unsound underwriting practices triggering an ATR Rule violation, shifting the legal burden to the lender to prove otherwise.

The Report

Currently, there exists no single data set for the Bureau to assess the impact of the ATR Rule. To achieve its objective, the Bureau turned to different industry sources to generate the Report, including FHFA’s National Mortgage Database, Black Knight’s “McDash” data set, CoreLogic’s Loan-Level Market Analytics data, Home Mortgage Disclosure Act data, Desktop Underwriter and Loan Prospector Automated Underwriting data, the Mortgage Bankers Association’s Annual Mortgage Bankers Performance Reports, the Conference of State Bank Supervisors Public Survey data, Application data from nine unnamed lenders who provided information to the Bureau specifically for this assessment, the responses of 190 lenders who responded  to a lender survey the Bureau commissioned for this assessment, and other industry data and reports.

Armed with this data, the Bureau was able to draw conclusions about multiple facets of the ATR Rule in the Report, including the effects it had on loan performance, the impact the GSE Patch had on the intended effects of the ATR Rule, and how Non-QM loans fared during this period.

As it relates to the last – Non-QM loans – the Bureau reported that it had expected a greater presence of Non-QM loans since the ATR Rule went into effect. Between the GSE Patch and legal uncertainty associated with Non-QM loan, the Bureau postulates that this could have chilled the enthusiasm for lenders to make Non-QM loans. Based on the following statements in the Report, we gain a sense of the Bureau’s impressions of Non-QM.

·        In 2005-2007, approximately 24 to 25 percent of loans originated had DTIs exceeding 45%. After the ATR Rule came into effect, only 5 to 8 percent of conventional loans for home purchase had DTIs exceeding 45%. (Pages 9 and 82).

·        The ATR Rule displaced between 63 and 70 percent of approved applications for home purchase among Non-QM high-DTI borrowers during the period of 2014 – 2016. According to the data sources, this translates into a reduction of between 1.5 and 2.0 percent of all loans for home purchase. (Pages 10 and 117).

·        At the time the ATR Rule went into effect the Bureau expected that there would be a “robust and sizable market” for non-QM loans beyond the 43 percent threshold and structured the ATR Rule to try to ensure that this market would develop. The Bureau appears surprised this did not happen. (Page 26).

·        The extra risk associated with Non-QM loans is one of the factors that has had a chilling effect on the mass adoption of Non-QM loans; and thus, is affecting access to credit to some degree. (Pages 116 and 118).

·        The ATR Rule had at least some chilling effect on the submissions or approvals of Non-QM loans, though the Bureau was not sure if the result was an intended or unintended consequence. (Page 149).

·        The Bureau estimates that non-QM loans primarily consists of loans that are not eligible for purchase by GSEs, with DTI ratios exceeding 43 percent. Borrowers may include those with irregular income, certain self-employed borrowers, and those with little or no credit history. (Page 116)

·        Forty percent of loan applications for self-employed borrowers experienced issues in complying  with Appendix Q for income qualification (Table 22, Page 155).

·        Lack of broader adoption of Non-QM by the industry may occur because of the higher inherent risk associated with self-employed borrowers and the difficulties in complying with the income documentation requirements in Appendix Q. (Page 154).

·        [S]elf-employed borrowers who do not qualify for a loan that is eligible for purchase or guarantee by one of the GSEs or federal agencies need to qualify under the general QM standard in order to obtain a QM loan. Lenders who responded to the Bureau’s survey in preparation of the Report indicated that lenders may find it difficult to comply with Appendix Q relating to the documentation and calculation of income and debt for self-employed borrowers. (Page 11)

·        Non-QM loans are now making the way to market in greater numbers than the initial years following the effective date of the Final ATR Rule, largely targeting self-employed borrowers. (Page 197).

·        The application data show a far greater decline in high-DTI lending in the non-GSE space compared to loans purchased or guaranteed by the GSEs.. Although the Bureau expected that loans with DTI above the 43 percent threshold would increasingly be originated outside the GSE Patch(i.e., as non-QM loans), the available data suggests that the opposite is happening. (Page 191)

·        One of the reasons lenders tended to flock to Fannie and Freddie is because the underwriting guidelines are far more established than those set forth in Appendix Q, which has some perceived lack of clarity. The Bureau discovered that lenders found the information contained in Appendix Q confusing and unworkable, and is ambiguous and leads to uncertainty. (Page 192).

·        Approximately 29 percent of loans sold to Fannie Mae and 21 percent of loans sold to Freddie Mac have DTIs over 43%. (Page 195). This is greater than the Bureau had anticipated when the ATR Rule went into effect.


What This Means

The following conclusions could be drawn from this:

·        Even though Non-QM loans, particularly those made to self-employed borrowers, perform well, lenders still have limited Non-QM loan offerings.

·        Lenders seemed to favor making  Safe Harbor loans, especially those intended to be sold to the GSEs where the DTI can exceed 43%.

·        By applying the requirements of Appendix Q, self-employed borrowers have greater challenges in securing a loan approval from a lender than, for example, borrowers who evidence income via a W2. Safe Harbor Loan

·        Fannie and Freddie appear to adjust to market conditions, by adjusting their guidelines to market demands, whereas the Bureau’s Appendix Q does not offer such adjustments and has room for improvement

·        There is no evidence in the Report suggesting that the additional controls and legal impacts of the Non-QM provisions reasonably mitigates the risk to the consumer.

This means there is still opportunity to improve the ATR Rule with more clarity and adjustments to the legal impact of some of its provision, while still achieving its primary objective of ensuring consumers are offered loans that reasonably reflect their ability to repay.  Trade associations, including both the Mortgage Bankers Association and the American Bankers Association, and other stakeholders have expressed interest in working with the Bureau to discuss possible amendments to the ATR Rule.  Among other things, we expect these efforts will include discussions concerning some adjustments to Appendix Q, the GSE Patch, and the perceived risk associated with Non-QM loans.


Of primary concern for the industry should be the potential expiration of the GSE patch.  As it is evident that, because of the availability of the GSE patch, lenders have been avoiding the Non-QM space for high-DTI borrowers (and perhaps for other loan types as well) , the upcoming expiration in 2021 would have a great impact of lenders’ compliance programs and risk profiles.  The CFPB may extend the patch, or revise the ATR rule to address this issue, but the CFPB could also let the patch expire taking no further action.  It may be prudent for lenders to start considering how to safely take part in the non-QM market. 


Please contact us if you would like any assistance with your organization’s non-QM program or other issues under the ATR rule.

Consumer Financial Protection Bureau Issues ANPR for PACE Financing

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) amended the Truth in Lending Act to require the Consumer Financial Protection Bureau (CFPB) to prescribe ability to repay related regulations, and associated penalties for violations, with respect to “Property Assessed Clean Energy” (PACE) financing.  The regulations are required to account for the unique nature of such financing.  The CFPB, on March 5, 2019, issued an Advance Notice of Proposed Rulemaking for this rulemaking.  The deadline for comments is 60 days from publication in the Federal Register.

The statute defined “Property Assessed Clean Energy financing” relatively broadly as financing to cover the costs of home improvements that result in a tax assessment on the real property of the consumer.  The 2018 provisions authorized the CFPB to collect information and data deemed necessary, and required consultation with state and local governments and bond-issuing authorities. 

In its ANPR, the CFPB requested information regarding the following:

·       written materials associated with PACE financing transactions;

·       descriptions of current standards and practices in the PACE financing origination process;

·       information relating to civil liability under TILA for violations of the ATR requirements in connection with PACE financing, as well as rescission and borrower delinquency and default;

·       information about what features of PACE financing make it unique and how the Bureau should address those unique features; and

·       views concerning the potential implications of regulating PACE financing under TILA.

In issuing the request, CFPB Director Kathleen Kraninger indicated in the Press Release that the agency will use the information to develop a later Notice of Proposed Rulemaking, and that the:

information solicited will enable the Bureau to better understand the market and unique nature of PACE financing . . . [and] help the Bureau formulate proposed regulations that not only would achieve statutory objectives but also would reflect a careful consideration of costs and benefits. 

The statutory text can be found here:

A copy of the CFPB’s ANPR can be found here:

The related press release can be found here:

Please let us know if you would like assistance with drafting a comment letter, or would like to discuss any issues related to PACE financing.    

Does Your Organization Need to Comply with the California Consumer Privacy Act of 2018?

·        The California Consumer Privacy Act of 2018 is a comprehensive new law that stands to become the most significant and far-reaching data privacy law in the nation.

·        Most businesses, including businesses located in other states, that have or use personal information of California residents must comply with substantial new requirements or face potential civil liability from Attorney General enforcement and aggrieved California residents.

·        Companies, including mortgage originators, servicers and some vendors, doing business in California may need to update their policies, procedures, training and audit functions to comply.


The California Consumer Privacy Act (“CCPA”), (AB-375 (2018), as amended by SB-1121 (2018) (codified at Cal. Civ. Code § 1798.100 et. seq.) is a groundbreaking new law to protect California residents from the potential misuse of personal information.

The CCPA, signed by Governor Jerry Brown on June 28, 2018, becomes effective on January 1, 2020 and gives California residents new rights with respect to the collection of their personal information. Under the CCPA, a consumer can require businesses to disclose what information they collect about the consumer, where they collected the information from, and with whom they have shared the information. California residents may also require businesses to delete their personal information and can opt-out of the sale of their personal information to third parties. To prevent retaliation, businesses are prohibited from discriminating against California residents for exercising their rights under the CCPA. The CCPA provides for a private right of action with attention-grabbing statutory damages for each violation, as well as for enforcement by the state’s Attorney General.

The CCPA, as enacted and subsequently amended, represents a compromise between a grass-roots coalition consisting of privacy advocates that gained influence in the wake of several high-profile incidents (such as the Facebook scandal) and competing business interests that pushed for more business-friendly provisions. This far reaching legislation has much in common with the European Union’s General Data Protection Regulation (“GDPR”) that went into effect in 2018, and could serve as bellwether for other states to follow in the years to come.

Key CCPA Exemptions

It should be noted that not all businesses will be subject to the CCPA. Many, including small businesses, non-profits, consumer reporting agencies subject to the Fair Credit Reporting Act, and health care providers regulated by the Health Insurance Portability and Accountability Act, will be partially or completely exempt from the requirements of the CCPA.

Significantly, amendments to the CCPA clarified, among other things, that certain provisions of the CCPA do not apply to information that is already protected under the Graham-Leach-Bliley Act (GLBA). These exclusions-and the provisions of the CCPA they do not apply to-are very important for the financial services industry to understand. Below we discuss the scope of the law in more detail.

Delayed Enforcement and Other Limitations

The aforementioned amendments also delayed enforcement of the CCPA by the state’s Attorney General to the earlier of six months after publication of the final implementing regulations or July 1, 2020, and limited the private right of action to situations in which data breaches involved unredacted or unencrypted personal information and the breach was caused by a failure to maintain reasonable security measures.

Implementing Regulations

The California Attorney General is not required to publish final rules until July 1, 2020. The Office of the AG has begun holding public forums in January and February, 2019 as part of the CCPA rulemaking process (see: For those of you who are based in California and potentially subject to the CCPA, I would urge you to attend and be proactive on this important new law.

Scope of the CCPA

The CCPA applies to covered “businesses”, which includes any business that collects personal information from California residents and: (1) has gross revenues exceeding $25 million annually; (2) buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling personal information. It also includes entities that are controlled by or control such businesses if they share common branding.

“Personal Information” includes a person’s name, Social Security number, driver’s license number, account numbers, medical and health insurance information, browsing or search history data, biometric data and geolocation data. The definition also includes any algorithmic or other “inferences” about a consumer that are based upon the personal information. Note that information that is lawfully made available to the general public from federal, state, or local government records falls outside of this otherwise broad definition.

Significantly, the CCPA excludes “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act”, which could mean that entities subject to the GLBA will not need to comply with the CCPA for much of the consumer information they collect. But note that the CCPA states that the exemption does not apply to a new private right of action for data breaches of “nonencrypted or nonredacted personal information” that result from an entity’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”.

It would be prudent to analyze the extent to which this exemption applies to your organization, considering that your organization may engage in activity that is not subject to the GLBA.

New Powers for California Residents

As previously mentioned, California residents will gain broad new powers that are designed to safeguard their personal information under the CCPA. Examples of the new powers include the rights to:

·        Request that a business disclose the categories and specific pieces of personal information the business has collected, and the purposes for which it shall be used;

·        Request disclosure of certain information;

·        Have personal information deleted;

·        Prohibit a third party from selling personal information that has been sold to it unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out; and

·        Direct a business that sells personal information about the consumer to third parties not to sell that information.

In addition, minors must consent to the sale of their personal information before a business can sell it.

Anti-Discrimination Requirement

Covered businesses will be saddled with numerous requirements, including providing certain disclosures in their online privacy policy. A provision of note is the CCPA’s anti-discrimination requirement - businesses may not discriminate against a consumer because the consumer exercised their rights under the bill. Examples include denying goods or services, charging different prices (including through the use of discounts unless the difference is reasonably related to the value provided to the consumer), or providing a different level or quality of services. However, businesses may offer financial incentives and a different price, rate, level, or quality of goods or services to the consumer if it is directly related to the value provided to the consumer by the consumer’s data, and so long as the business does not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Civil Actions and Attorney General Enforcement

The CCPA grants California residents the right to sue for violations and bestows prosecutorial powers in the state’s Attorney General. A consumer whose nonencrypted or nonredacted personal information is hacked as a result of a violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action to recover damages of $100 to $750 per occurrence or actual damages, whichever is greater. As noted above, this private right of action may apply to businesses that are subject to the GLBA exemption. The Attorney General may also seek civil penalties against violators.

Protections Afforded to Covered Businesses

Fortunately, the CCPA does provide limited carve-outs for what might be described as good-faith efforts to comply. The CCPA allows covered businesses to cure any alleged violation within 30 days if it has implemented and maintained reasonable security procedures and practices. Also note that it is possible that a failure to have such security protocols, standing alone, could give rise to violations.

Pay Attention to the CCPA

Although the CCPA provides an exemption for information subject to the GLBA, banks, mortgage lenders, mortgage brokers, mortgage servicers, and other businesses operating in the financial services industry that deal with California residents should take note of the CCPA and analyze whether any of their activities would be subject to it, including performing a comprehensive data assessment. They should compile an inventory of information that may be subject to the new law, and update their internal policies and procedures, training and audit functions to ensure compliance with any duties that are deemed not exempt. Although it is not required under the CCPA, businesses may consider creating a GDPR-like “data protection officer” position to help ensure that the mandates of the law are carried out.

Please contact us if you would like assistance with understanding or implementing your obligations under the CCPA.

The CFPB’s Proposed No Action Letter and Product Sandbox Policy: It’s Playtime!

The Consumer Financial Protection Bureau (CFPB or Bureau) on December 13, 2018 published a proposal to revise its No-Action Letters Policy issued in 2016 (2016 Policy), and also propose a new “Product Sandbox” (Proposal).  As you may know, many federal regulatory agencies, including the CFPB, the Securities and Exchange Commission, and the Commodity Futures Trading Commission, have a procedure to provide a no-action letter in response to a request from a person, in which the agency indicates it will not take a supervisory or enforcement action against the person based on a particular set of facts.  The Bureau said in the Proposal that the 2016 Policy’s application process and regulatory relief were insufficient, indicated by the fact that only one no-action letter has been issued under the policy.  The Bureau’s goal with the Proposal is to make the 2016 Policy more useful to the public.  

As I describe below, I believe the Bureau’s proposed changes to its no-action letter policy would ease the process of obtaining a no-action letter, and broaden the situations to which such a letter would be an option.  In addition, I believe the proposed “Product Sandbox” could be very useful to the industry, both existing companies and new FinTech entrants to the marketplace, in the creation of new products and services that do not fit squarely in the existing federal consumer financial protection laws.  The comment deadline is February 11, 2019. 

1.  No-Action Letter Proposal

A.  Streamlined Application Process

The Bureau’s Proposal would revise the 2016 Policy to streamline the application process and expand the regulatory relief available.  To that end, the Proposal would remove some of the required elements of an application and indicate the Bureau’s intention to grant or deny an application within 60 days of notifying the applicant that the application is complete.  The 2016 Policy provided no time frame for a response from the Bureau.

In addition, the Proposal would remove the general expectations under the 2016 Policy of a data-sharing commitment and a time limitation for the NAL.  Specifically, the 2016 Policy provides that NALs will specify the time period limitation of the NAL and places an emphasis on the sharing of data about the product in question with the Bureau, requiring discussion of this topic in the application and consideration of this issue by the Bureau.  But the Proposal states that the “default assumption” would be that NALs have no time limit.  The Proposal would also state that the data-sharing expectations would be eliminated, because it was “unduly burdensome” and inconsistent with the no-action letter policies of other federal agencies.

Further, the Proposal would remove the complex set of 10 factors that the Bureau evaluates under the 2016 Policy.  Instead, the Proposal would provide that the Bureau will more simply evaluate the “quality and persuasiveness of the application” with an emphasis on the consumer benefits, consumer risks and how the applicant intends to mitigate them, and the particular legal uncertainty cited in the application.

B.  Greater Assurance of Regulatory Relief

The Proposal would also revise the 2016 Policy to increase the assurance of regulatory relief provided by a NAL.  Under the 2016 Policy, NALs are issued by Bureau staff and only provide a statement that staff will not recommend an enforcement or supervisory action.  The Proposal would provide that NALs are issued by Bureau officials, rather than the Bureau’s staff.  The NAL would still only provide a statement that the Bureau in its discretion will not seek a supervisory or enforcement action, rather than provide a regulatory safe harbor.  But the provision of such a letter by Bureau officials rather than staff would arguably make NALs more binding on the Bureau and perhaps give them greater weight with other regulatory agencies. 

In addition, in an apparent effort to provide even greater assurances to recipients of NALs, the Proposal would also remove several disclaimers that are included in NALs under the 2016 Policy, which serve to limit the certainty and assurance of a NAL issued under that policy.  Specifically, these disclaimers under the 2016 Policy are that: (1) the letter does not constitute “a determination by the Bureau or its staff,” an interpretation, or a waiver or safe harbor for any applicable law; (2) the letter is not an “official expression of the Bureau’s views;” (3) any explanatory discussion in the letter should not be interpreted as an interpretation, waiver, or safe harbor, and is not binding on the Bureau; (4) the staff is not necessarily in agreement with any analysis, interpretation of data, or any other matter in the request; and (5) the NAL is, “not intended to be honored or deferred to in any way by any court or any other government agency or person.”

Finally, the Bureau also stated in the Proposal its intention to coordinate with other federal and state regulatory agencies on the provision of “no-action” relief.  The Proposal would require an application to the Bureau to state whether coordination with other regulators is requested and to identify those regulators.  The Bureau also stated it is interested into entering into agreements with state regulators that provide “no-action” relief, which would provide another means of applying for and obtaining an NAL from the Bureau. 

C.  Broader Scope

The Proposal also appears to be intended to expand the reach of the 2016 Policy to a greater swath of the industry and regulatory uncertainties.  The 2016 Policy contains the statement that, “No-Action Letters are not intended for either well-established products or purely hypothetical products that are not close to being able to be offered.”  In addition, the 2016 Policy requires applications to show how the new product would be “likely to provide substantial benefit to consumers differently from the present marketplace.”  These statements indicate that the 2016 Policy is very much focused on new products.  But the Proposal would eliminate these statements from the policy, which appears intended to allow NALs with respect to well-established products that are presently in the marketplace, and even hypothetical products.

Further, the Proposal’s preamble notes that the Bureau will not disfavor NALs based on UDAAP, whereas the 2016 Policy contained a warning against seeking a NAL for UDAAP issues.  Specifically, the 2016 Policy states that, “UDAAP-focused NALs will be particularly uncommon,” because of the greater level of analysis required under UDAAP and resource issues.  The Proposal would revise the policy to specify that UDAAP is one of the laws that a NAL would cover. 

In addition, the Proposal would eliminate the 2016 Policy’s requirement that an application for a NAL show a “substantial regulatory uncertainty hindering the development of the product,” and how the application of the particular laws is “substantially uncertain.”  Instead, the Proposal would only require that an applicant identify the “potential uncertainty, ambiguity, or barrier” the NAL would address.  This change would extend the availability of NALs to more general compliance uncertainties.

Finally, the Proposal would also allow for applications from trade associations, service providers, and other third parties, in addition to the actual company offering the product or service in question.  The Proposal expressly states that a trade association can apply on behalf of its members. 

2.  Product Sandbox Proposal

The Bureau’s Proposal would add an entirely new program titled a “Product Sandbox,” which is designed to give even greater regulatory relief than the proposed NAL policy.  The Product Sandbox would, in addition to the “no-action” relief provided by a NAL, provide a time-limited compliance safe harbor or exemption from certain statutory and regulatory provisions.  This would provide greater legal protection than a NAL’s discretionary protection against Bureau supervisory or enforcement actions, because it would make the recipient immune from legal actions by other regulatory agencies and private litigants.  This proposal directly addresses one of the main criticisms of the 2016 Policy, which is that it does not provide sufficient legal protection against enforcement actions or lawsuits by entities and individuals other than the Bureau.

A.  Regulatory Relief

The Bureau’s Product Sandbox would make available three different forms of regulatory relief that could be applied to the product or service accepted into the sandbox:  

1.  Safe Harbor.  A statement of Bureau approvals under three possible statutes: (i) 15 U.S.C. § 1640(f) (TILA); (ii) 15 U.S.C. § 1691e(e) (ECOA); or (iii) 15 U.S.C. § 1693m(d) (EFTA).  This approval would provide a “safe harbor” of compliance under the applicable statutes and make the recipient “immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties.”  Note that the safe harbor would only be available under these statutes.

2.  Exemption.  A Bureau order providing an exemption from certain statutory provisions that provide for such authority, and their implementing regulations, or based on the Bureau’s general regulatory authority.  The Proposal provides as examples of the statutory provisions: (i) 15 U.S.C. § 1691c-2(g)(2) (ECOA); (ii) 15 U.S.C. § 1639(p)(2) (HOEPA); and (iii) 12 U.S.C. § 1831t(d) (FDIA).  The Proposal provides as an example of the general regulatory authority the Bureau’s authority under 15 U.S.C. § 5512(b)(1), under which the Bureau can “prescribe rules and issue orders and guidance as may be necessary or appropriate to enable the Bureau to administer and carry out the purposes and objectives of the Federal consumer financial laws, and to prevent evasions thereof.” 

Like the approval described above, this relief would also make the recipient “immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties,” with respect to the applicable relevant statutory or regulatory provisions. 

3.  No Action Relief.  No action relief is essentially the same as that provided by a NAL issued under the proposed policy.  Like a NAL, this relief would not be time-limited, as would the safe harbor and exemption described above.

In addition, the Proposal indicates the Bureau’s intention to coordinate with other regulatory agencies, including entering into agreements with state sandboxes, which would provide for an alternative means of admission into the Bureau’s sandbox.  

B.  The “Catch” – Time Limitation, Data-Sharing Requirement, and Compensation

The Product Sandbox would have the important advantage of providing greater legal protection, but the protection would be time-limited.  This time period would generally be two years.  The Proposal states that the Bureau “expects that two years would be appropriate in most cases.”  But the Proposal would provide for a process to obtain extensions of this initial time-period.  The Proposal states that the Bureau intends to grant extensions, “where there is evidence of consumer benefit and an absence of consumer harm.” 

In addition, the Product Sandbox would require the sharing of data with the Bureau, unlike the NAL process.  An application must state a description of data it will share with the Bureau, which should be about the impact of the product or service on consumers, along with a proposed schedule for sharing this data with the Bureau.  Further, the Product Sandbox would require participants to report the effects of the product or service in question on “complaint patterns, default rates, or similar metrics” to enable the Bureau to determine if it is causing “material, tangible harm to consumers.” 

Finally, and significantly, the approval into the sandbox would require a commitment by the recipient to compensate consumers for, “material, quantifiable, economic harm” caused by the recipient’s product or service offered under the Product Sandbox.  The Proposal would require an application to indicate the “amount of resources available to provide restitution for material, quantifiable, economic harm to consumers.”

C.  Application Process

The Bureau’s Proposal, similar to the NAL policy, would allow for applications from the companies that offer the product or service, as well as from trade associations, service providers, and other third parties.  The Proposal expressly states that a trade association can apply on behalf of its members. 

The application requirements would be more extensive than for the proposed NAL, because the applicant would need to address the data-sharing requirement, the time limitation, and the type of relief sought.  In addition, the Bureau’s Proposal indicates an intent to coordinate with state regulators regarding the Product Sandbox and thus, the application must indicate if the applicant requests coordination with other regulators and identification of those regulators. 

The Proposal states that the Bureau intends to grant or deny an application within 60 days of notifying the applicant that the Bureau has deemed the application to be complete.  The Bureau would, similar to the NAL process, evaluate an application based on its “quality and persuasiveness,” with an emphasis on the consumer benefits, consumer risks and how the applicant intends to mitigate and compensate for them, and the particular laws and uncertainty cited in the application.

3.  Conclusion and Considerations

A.  NAL Proposal

The Proposal would greatly enhance the benefits of a NAL and expand the applicability of the policy.  It appears the Proposal would allow companies with existing products that face general compliance uncertainties to obtain NALs, unlike the current policy, which only applies to new products and “substantial” uncertainties.  There are many areas of federal consumer finance regulation that lack clarity and this NAL process could be very useful to reduce regulatory uncertainty.  The Proposal would also enhance the regulatory relief of a NAL, in part by providing that NALs would be issued by Bureau officials, rather than by staff as under the current policy.  

B.  Product Sandbox

The Proposal’s Product Sandbox could prove to be even more useful to companies, both existing companies and new FinTech entrants to the marketplace, that are developing new products and services, because of the greater legal protection afforded by the program.  Although it would have a limited time duration and require data-sharing with the Bureau, the benefits of being able to test a product in the marketplace with essentially no legal risk under certain consumer financial protection laws could greatly benefit a company in many ways, for example, in finding customers or business partners. 

C.  Issues to Consider

There are some issues to consider regarding these proposed policies and whether they may be beneficial to your organization.  For example, the extent to which a company’s participation and information provided to the Bureau may be made public.  This issue is discussed in the Proposal with respect to both the NAL and Product Sandbox policies.  Applicants can request confidential treatment of certain information, but companies should consider whether and how much information would become public before deciding to participate.  A related issue is the extent to which participation in these programs would enhance or diminish their competitive advantage in the marketplace.  This may depend on how much information may become public. 

Issues specifically with respect to the Product Sandbox include whether the cost of the resources needed to complete and submit an application, as well as to set-up and maintain the required data-sharing with the Bureau, would outweigh the benefits of the program.  In addition, the required agreement to compensate consumers in the event of harm could be problematic. 

Finally, without coordination with state or other federal regulatory agencies, the regulatory relief under the Bureau’s Proposal would be limited to federal consumer finance laws.  For this reason, these two programs may not be a panacea for all compliance concerns.  There are other FinTech programs that may be beneficial in filling in some of the gaps or provide sufficient protection without participation in the Bureau’s proposed programs, such as the Office of the Comptroller of the Currency’s new FinTech charter, which makes national bank charters available to FinTech companies.

As noted above, the comment deadline for the Bureau’s Proposal is February 11, 2019.You can find these proposed policies at: let us know if you would like assistance with submitting a comment letter, or discuss submitting an application under these programs.