The Consumer Financial Protection Bureau - The New Sheriff in Town
Title X of the Dodd-Frank Act created the Consumer Financial Protection Bureau (“Bureau” or “CFPB”). This Bureau is focused solely on consumer financial protection. The Bureau has six primary functions,1 including the authority and responsibility to supervise covered persons for compliance with Federal consumer financial law2 and take appropriate enforcement action to address violations of same. The Bureau does not supervise covered persons for safety and soundness the way bank regulators do; rather, its sole stated interest is the protection of financial consumers in particular.
One year old on July 21, 2012, this Bureau has spent its first year aggressively pursuing its mandate: to implement and enforce Federal consumer financial law. It has been actively issuing proposed and final regulations and guidance, as well as filing amicus briefs in various court proceedings. The Bureau has also been conducting and participating in exams of covered parties. Further, it has been gathering and analyzing consumer complaints. Notably, the Bureau’s collection of consumer complaints — which began in July 2011 and was first limited to credit cards — was expanded to handle mortgage complaints in December 2011, and expanded again in March 2012 to complaints concerning bank products and services, private student loans and other consumer loans.3 The Bureau expects to begin addressing complaints about other covered non-depository institutions by the end of 2012.4
To date the Bureau has collected and processed a staggering 45,000 complaints,5 over 37,000 of which have been forwarded to the target company for review and response. Some of these complaints have been referred by the Consumer Response Section of the Bureau to the Bureau’s Division of Supervision, Enforcement and Fair Lending and Equal Opportunity for further action.6 The Bureau recently acknowledged that it is currently conducting private investigations into alleged violations of the Federal consumer financial laws, and regulators have publically indicated that the Bureau will soon initiate enforcement actions.7
The issues that the Bureau is currently investigating are questions that management, compliance officers and Boards of Directors should be asking themselves now in order to begin to address potential issues before the Bureau enforcement begins. With enforcement risk looming, now is the time to pay attention and ensure compliance with the Bureau’s regulation and guidance, assess risks and establish best practices in areas of consumer protection compliance and consumer complaint management.8
Who Falls Under the Bureau’s Reach?
The Bureau’s consumer financial protection functions extend farther and wider than those of its transferor agencies.9 The Bureau’s regulatory authority and enforcement arm (including the power to require reports and conduct investigations) apply to large banks, large credit unions and their affiliates,10 and non-bank entities that engage in offering or providing consumer financial products or services. Section 1024 of Title X authorized for the first time federal supervision over non-banks engaging in financial transactions, such as: mortgage brokers, originators and mortgage servicers, payday lenders, private education lenders, and credit card companies. In addition, the Bureau’s supervisory and enforcement authority applies to any “service provider”11 of the large banks or large non-banks that provides a “material service” in connection with the offering or provision of a consumer financial product or service.12 Thus, a whole new body of direct and indirect financial services providers are now subject to examination over, and compliance with laws that they never before had to be concerned with, in particular, Title X’s prohibition of unfair, deceptive and abusive acts or practices, the impact of which can have significant financial and reputational consequences for the service providers, banks and non-banks.
In recent guidance,13 the Bureau advised that it intends to exercise to the fullest extent its regulatory authority over service providers, including its authority to examine them for compliance with Title X’s prohibition of unfair, deceptive, or abusive acts or practices. Significantly, that guidance warned that depending on circumstances, “legal responsibility may lie with the supervised bank or nonbank as well as with the supervised service provider.” The message being conveyed is that a bank or non-bank cannot delegate its responsibility of complying with Federal consumer financial law by engaging a service provider for certain services. Accordingly, it will be important to have effective processes in place to manage the new risks of the service provider relationship created by the Bureau.14
What is on the Enforcement Horizon?
In addition to the authority to enforce “enumerated consumer laws,” the Bureau also has the authority to prohibit “unfair, deceptive, or abusive acts or practices.” As noted above, the Bureau is looking not only at covered banks and non-banks for their compliance but also their service providers to ensure that these prohibited acts and practices are not taking place.15 While the industry has been guided for years on what is unfair or deceptive by the FTC and Federal banking agencies,16 “abusive” is a new standard upon which compliance and enforcement risk hinges. The Bureau’s Supervision and Examination Manual (“Manual”), dated October 2011, provides guidance on what an “abusive” act or practice may look like.17 The description, however, of what is “abusive” is broad and leaves much to be interpreted. Moreover, a covered party may be in technical compliance with all other applicable Federal consumer protection laws, and still be in violation of UDAAP.18 Where will the Bureau be looking for possible violations of UDAAP? Recent guidance advises that “the presence of complaints alleging that consumers did not understand the terms of a product or service may be a red flag [of a UDAAP] indicating that examiners should conduct a detailed review of the relevant practice.”19 The Manual and related guidance further instructs the examiners that “every complaint does not indicate violation of law. When consumers repeatedly complain about an institution’s product or service, however, examiners should flag the issue for possible further review.”20 It goes on to note that even a “single substantive complaint” may be enough to raise serious concerns that warrant further review.21 At bottom, consumer complaints are considered an “essential source”22 for identifying potential violations of UDAAP.
Covered parties need to be thinking today about how they are collecting, reviewing and responding to consumer complaints on financial products and services and alleged failures to comply with Federal consumer financial laws and regulations. After all, the Bureau has already looked at over 45,000 consumer complaints, and may be more aware than a covered party of possible violations occurring in its own institution. Publicly, the Bureau has also been actively looking at a broad spectrum of products and practices including reverse mortgages, debt collection, foreclosure related services, and forced place insurance products. Consequently, implementation of compliance with consumer protection laws and a consumer complaint management scheme before Bureau intervention will be key for the days ahead.
Are We in the Quiet Before the Storm?
Well-funded and headed by Richard Cordray, the former State Attorney General for Ohio, it is widely projected that his Bureau will be pro-active and aggressive in its enforcement of Federal consumer protection laws. Not surprisingly, Richard Cordray was recently quoted as stating that, “[T]here will be enforcement action this year.”23 Moreover, it is publically known that the Bureau is privately conducting investigations. Thus, it is not a question of if, but of when.
What Does the Bureau’s Enforcement Power Look Like?
The Bureau has the power to conduct joint investigations, issue subpoenas and civil investigative demands, bring cease and desist proceedings, injunction proceedings and conduct hearings. Pursuant to its civil investigative demand power, the Bureau can require the subject to produce documents, produce tangible things, file written reports or answers, give oral testimony or a combination of the aforementioned.24
In addition, the Bureau has the authority to commence civil proceedings in the U.S. District Courts, or in any court of competent jurisdiction of a state in a district where there defendant is located or resides or is doing business too seek relief, including civil penalties,25 for violations of Federal consumer financial laws.
The Court in a civil action and the Bureau in an adjudication proceeding, respectively, have been given the jurisdiction and authority to grant legal and equitable relief.26 Relief available includes monetary penalties that can pack a lot of punch — reaching up to $1 million per day for every day a covered party “knowingly” violates a Federal consumer protection law. The other relief available also includes the power to rescind or reform contracts, order refund of monies or return real property, restitution, disgorgement or compensation for unjust enrichment.
Is There Notice Before Enforcement?
In a bulletin released by the Bureau in November of 2011, the Bureau gave notice of some of the actions it may take, at its discretion, prior to commencing enforcement.27 Most notably, the Office of Enforcement, may, prior to recommending that the Bureau commence enforcement, “give the subject of such recommendation notice of the nature of the subject’s potential violations and may offer the subject the opportunity to submit a written statement in response.” The primary focus of this responsive statement, also referred to as a NORA letter, should be on legal and policy matters relevant to the potential proceeding. However, if factual assertions are relied upon, the response must be made under oath by a person with personal knowledge of the facts.28 A subject will have only 14 days from receipt of notice to respond. Understandably, notice by the Office of Enforcement may not always be appropriate, such as in instances of ongoing fraud or other situations that may require quick action.29
A word of caution for covered parties is that the NORA letter may be discoverable by third parties.30 The Bureau’s Rule on Confidential Treatment of Privileged Information, released on July 5, 2012, will become final on August 6, 2012.31 This Rule seeks to protect a covered entity’s submission of privileged information to the Bureau in response to a request for information during an examination. This Rule may not protect information voluntarily contained in a NORA.
What About the Federal Banking Agencies’ Enforcement Authority?
For all insured depository institutions and credit unions with assets in excess of $10 billion, or any affiliate thereof, the Bureau has primary enforcement authority with respect to compliance with federal consumer financial laws. The federal banking agencies that regulate such "large" institutions will continue to have enforcement authority under their long-standing enforcement powers under Section 8 of the Federal Deposit Insurance Act (the "FDI Act") for violations of law generally. However, with respect to violations of Federal consumer financial laws specifically by such "large" institutions, if a federal banking agency wishes to trigger enforcement, the agency must first recommend that the Bureau initiate an enforcement action. If the Bureau does not initiate an enforcement action within 120 days of receipt of the recommendation, then the federal banking agency may initiate an enforcement action under its FDI Act enforcement powers.
For depository institutions with assets under $10 billion, the Bureau has no enforcement authority with respect to compliance with Federal consumer financial law. This means that the federal banking agencies have exclusive enforcement authority over these smaller institutions with respect to compliance with Federal consumer financial law.
At the End of the Day, What Does This All Mean?
It is a new day and there is a new Sheriff in town. Risk assessment, risk management, complaint management and robust compliance are top priorities. As the Bureau evolves and the meaning of “abusive” morphs into a more concrete meaning, covered parties can best protect themselves by engaging in best practices that comply with the Bureau’s guidance.
1The Bureau’s Six Primary Functions include: 1) conducting financial education programs; 2) collecting, investigating, and responding to consumer complaints; 3) collecting, researching, monitoring, and publishing information relevant to the functioning of markets for consumer financial products and services to identify risks to consumers and the proper functioning of such markets; 4) supervising covered persons for compliance with the Federal consumer financial law, and taking appropriate enforcement action to address violations of Federal consumer financial law; 5) issuing rules, orders, and guidance implementing Federal consumer financial law; and 6) performing such support activities as many be necessary or useful to facilitate the other functions of the Bureau. See Sec. 1021 (c). up
2See generally Sec. 1021, of Subtitle B — General Powers of the Bureau. See also Sec. 1002(14). Under Title X, “Federal consumer financial law,” includes: 1) the provisions of Title X, such as Sec. 1031’s prohibition of unfair, deceptive or abusive acts or practices (“UDAAP”); 2) the enumerated laws found at Sec. 1002(12), which include the Alternative Mortgage Transaction Parity Act of 1982, the Consumer Leasing Act of 1976, the Electronic Fund Transfer Act, the Equal Credit Opportunity Act, the Fair Credit Billing Act, the Fair Credit Reporting Act, the Home Owners Protection Act of 1998, the Fair Debt Collection Practices Act, subsections (b) - (f) of section 43 of the Federal Deposit Insurance Act, sections 502 - 509 of the Gramm-Leach-Bliley Act, the Home Mortgage Disclosure Act of 1975, the Home Ownership and Equity Protection Act of 1994, the Real Estate Settlement Procedures Act of 1974, the S.A.F.E. Mortgage Licensing Act of 2008, the Truth in Lending Act, the Truth in Savings Act, section 626 of the Omnibus Appropriations Act, 2009, and the Interstate Land Sales Full Disclosure Act; 3) the laws for which authorities are transferred under Subtitles F and H; and 4) any rule or order prescribed by the Bureau under Title X, enumerated consumer law or authorities transferred under subtitles F & H. Federal consumer financial law does NOT include the Federal Trade Commission Act. Title X should be reviewed and consulted for other exceptions. up
3 See the CFPB’s Consumer Response Annual Report, dated March 31, 2012. up
4See Id. up
5 See Id., and the CFPB’s Consumer Response: A Snapshot of Complaints Received, dated June 19, 2012. up
6See the CFPB’s Consumer Response Annual Report, dated March 31, 2012. The complaint database, referred to in the report, is publicly viewable and is creating concerns by the consumer financial industry that it might result in making them a target of plaintiffs’ law firms or consumer protection groups which can utilize the public information for their own aims in unfair and deceptive practices actions. Under the process for complaint handling set-up by the Bureau, a company has 15 calendar days to respond to the complaint. The company can respond to the consumer via a secure portal; the consumer then has an opportunity to dispute the response. The Consumer Response section prioritizes for review and investigation those complaints where the consumer disputes the response or where the companies fail to timely respond. For more information on the CFPB’s complaint collection and processing see the report of the CFPB, on Consumer Response Annual Report, dated March 31, 2012 and CFPB’s Consumer Response: A Snapshot of Complaints Received, dated June 19, 2012. See also the Bureau’s proposed rule on Disclosure of Consumer Complaint Data, Federal Register, Vol. 77, No. 121, 6/22/12. up
7See New York Times article, “New Agency Plans to Make Over Mortgage Market,” by Wyatt, E., 7/5/12. See also the statements made by Richard Hackett, Assistant Director, Office of Installment & Liquidity Lending Markets Research, Markets & Regulations CFPB, at the PLI Program on 4/24/12, titled “Title X & XIV of the Dodd-Frank Act: The New Consumer Financial Protection Bureau” (his statements were made with the caveat that his statements are his own and not those of the Bureau); and the CFPB Annual Report 2012, Fair Debt Collections Practices Act (“FDCPA”), at pp. 17, wherein the Bureau stated that it is “currently conducting non-public investigations of debt collection practices to determine whether they violate FDCPA or the Dodd-Frank Act.” up
8Supervised entities are expected “to have an effective compliance management system adapted to it business strategy and operations.” See the Supervision and Examination Manual, CMR 1, dated October 2011. up
9Consumer financial protection functions previously held by the Board of Governors, the FDIC, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Department of Housing and Urban Development were transferred to the Bureau as annunciated in Section 1061 of Title X. The FTC and the Bureau have overlapping authority with regards to certain enumerated consumer laws; there is currently a Memorandum of Understanding in place between the two agencies with regards to the enforcement of the Fair Debt Collection Practices Act. See The CFPB Annual Report 2012, Fair Debt Collection Practices Act, at p. 21 and App. A. up
10Section 1025 of Title X authorized the Bureau to supervise large insured depository institutions and credit unions with more than $10 billion in total assets. In addition, the Bureau has supervisory authority over all affiliates and service providers of a large bank and credit union. Section 1026 of Title X authorizes the Bureau to require reports from smaller insured depository institutions and to include its examiners at the prudential regulator’s examinations in order to assess compliance with the Federal consumer financial laws. up
11“Service Providers,” include any person who “provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that -- (i) participates in designing, operating, or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service (other than unknowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes).” Sec. 1002(26). Regarding examinations or requiring of reports by service providers, Sec. 1024(e) and 1025(d), state that the Bureau shall coordinate with the appropriate prudential regulator as applicable. Thus, under Title X, service providers are to be subject to the authority of the Bureau, “to the same extent as if such service provider were engaged in a service relationship with a bank, and the Bureau were an appropriate Federal banking agency under section 7 (c) of the Bank Service Company Act. up
12Presently, the Bureau is focusing on third party debt collectors/service providers hired by the large banks and non-banks. In addition, it is anticipated, that on the finalization of the Bureau’s proposed “larger participant” rule this summer, that larger non-bank debt collectors will fall under the Bureau’s supervisory and enforcement authority per Sec. 1024 (a)(1)(B). Last, under Section 1024(a)(1)(C), the Bureau’s authority may extend to others whom the Bureau has reasonable cause to determine has engaged or is engaging in conduct which poses risks to consumers with regard to the offering or provision of consumer financial products or services. up
13The CFPB Bulletin 2012-03, dated April 13, 2012, set forth guidance concerning service providers and the Bureau’s expectations with regards to banks and non-banks in managing the risks of the service provider relationships. Five specific steps that banks and non-banks should take to ensure their business arrangements do not pose “unwarranted risks to consumers,” include: 1) Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law; 2) Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contract or compliance responsibilities; 3) Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices; 4) Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; 5) Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate. up
14See Id. at p. 2. up
15See Secs. 1021(c)(4), 1031(a), 1036 of Title X; and The CFPB Annual Report 2012, Fair Debt Collections Practices Act, p. 11. up
16See FTC guidance under Sec. 5 of the Federal Trade Commission Act. up
17The Supervision and Examination Manual, dated October 2011, mirrors the language of the Sec. 1031(d), in describing an abusive act or practice as one that: “Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or takes unreasonable advantage of — a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.” up
18See CFPB, Guidance Documents, Supervision and Examination Manual, Version 1.0, Consumer Laws and Regulations: Unfair, Deceptive or Abusive Acts or Practices. up
20The Supervision and Examination Manual, dated October 2011 at UDAAP 10. up
21Id. at UDAAP 10. up
22CAP, Guidance Documents, Supervision and Examination Manual, Version 1.0, Consumer Laws and Regulations: Unfair, Deceptive or Abusive Acts or Practices. up
23See Richard Cordray’s, Director of the Bureau, statement, “[T]here will be enforcement action this year, and we have quite a bit of activity going on.” New York Times article, “New Agency Plans to Make Over Mortgage Market,” by Wyatt, E., 7/5/12. up
24See Sec. 1052(c). up
25See Sec. 1055(c), which provides that, “Any person that violates, through any act or omission, any provision of Federal consumer financial law shall forfeit and pay a civil penalty pursuant to this subsection.” Three tiers of penalties are identified, including: a) For any violation of law, rule, or final order or condition imposed in writing by the Bureau, a civil penalty may not exceed $5,000 for each day during which such violation or failure to pay continues. b) Notwithstanding paragraph (a), for any person that recklessly engages in a violation of a Federal consumer financial law, a civil penalty may not exceed $25,000 for each day during which such violation continues. c) Notwithstanding paragraphs (a) and (b), for any person that knowingly violations a Federal consumer financial law, a civil penalty may not exceed $1,000,000 for each day during which such violation continues. up
26See Sec. 1055 (a). up
27See CFPB Bulletin 2011-14 (Enforcement), Notice and Opportunity to Respond and Advise, dated November 7, 2011. up
28See Id. up
29See Id. up
30 See Id. up
31See Federal Register, Vol. 77, No. 129, 7/15/12, regarding 12 CFR Part 1070, Confidential Treatment of Privileged Information. up