Alston & Bird Consumer Finance Blog

Consumer Financial Protection Bureau (CFPB)

CFPB’s “Overdraft Lending” Rule Faces Immediate Legal Challenge

What Happened?

On December 12, 2024, the Consumer Financial Protection Bureau (CFPB) issued its final “overdraft lending” rule aimed at curbing overdraft fees charged by banks and credit unions with more than $10 billion in assets, also known as very large financial institutions (VLFIs). The CFPB characterized the rule as closing “an outdated overdraft loophole that exempted overdraft loans from lending laws.” This is the most recent development in the CFPB’s effort to address so-called junk fees.

That same day, a group of banks and financial trade associations—including the Mississippi Bankers Association, the Consumer Bankers Association, the American Bankers Association, and America’s Credit Unions—filed a lawsuit against the CFPB challenging the rule and seeking an injunction.

Why Does It Matter?

Key Provisions

Under the final rule, Regulation Z will apply to overdraft credit provided by VLFIs unless the VLFI provides such overdraft credit at or below costs and losses. As a result, VLFIs will have to choose one of the following options in connection with fees for overdraft credit: (1) capping fees for overdraft credit at the greater of $5 or at an amount that covers their costs and losses; or (2) disclosing the terms of overdraft credit in accordance with the Truth in Lending Act (TILA) and its implementing regulation, Regulation Z.

The CFPB’s final rule amends the definition and exemptions related to “Finance Charges” under Regulation Z and establishes new definitions related to “Overdraft Credit.” Currently, most overdraft fees are generally excluded from the definition of “Finance Charge,” and, therefore, overdraft services are not covered by TILA and Regulation Z. The final rule amends this exclusion by creating a new defined term, “Above Breakeven Overdraft Credit,” and excludes such overdraft credit from the exemption for “charges imposed by a financial institution for paying items that overdraw an account.”

“Above Breakeven Overdraft Credit” is defined as “overdraft credit extended by a very large financial institution to pay a transaction on which, as an incident to or a condition of the overdraft credit, the very large financial institution imposes a charge or combination of charges exceeding the average of its costs and charge-off losses for providing non-covered overdraft credit.” The charges will be deemed to exceed the average costs and charge-off losses if they exceed the greater of: (1) the pro rata share of the very large financial institution’s total direct costs and charge-off losses for providing non-covered overdraft credit in the previous year; or (2) $5. A charge that exceeds this amount will be considered a finance charge and, therefore, imposing such a charge on overdraft credit will result in the overdraft credit being considered “Covered Overdraft Credit.”

VLFIs should prepare to comply with this new rule by its effective date of October 1, 2025.

The Challenge to the Rule

A group of financial trade associations and banks filed suit in the Southern District of Mississippi challenging the final rule as improperly imposing an expansive and complex new regulatory regime on overdraft services offered by VLFIs, replete with de facto price caps and significant restrictions on the terms under which overdraft services can be offered.

The plaintiffs bring four challenges to the rule under the Administrative Procedure Act (APA), TILA, and the Consumer Financial Protection Act (CFPA).

First, they allege that the CFPB exceeded its statutory authority under TILA by interpreting “Credit” as encompassing overdraft services, and amending “Finance Charge” to include “Above Breakeven Overdraft Credit.” This, they argue, implicates the major questions doctrine—which bars agencies from making major policy decisions without clear congressional authorization—because the final rule will likely impact millions of Americans and billions of dollars of transactions.

Second, the plaintiffs allege the CFPB exceeded its statutory authority under TILA by imposing substantive credit restrictions when TILA is merely a disclosure statute. They argue this, too, implicates the major questions doctrine.

Third, the plaintiffs allege that the CFPB exceeded its statutory authority under the CFPA by imposing an unlawful fee cap on discretionary overdraft services because the CFPA itself expressly prohibits this kind of fee cap: the CFPB is prohibited from “establish[ing] a usury limit applicable to an extension of credit offered or made by a covered person to a consumer.”

Finally, the plaintiffs allege that the rule is arbitrary and capricious in violation of the APA because, among other things, it: (1) contains an inadequate cost-benefit analysis; (2) does not explain the change in the CFPB’s interpretation of TILA—namely, the CFPB’s reinterpretation of the definition of “Credit” as encompassing overdraft services; and (3) targets large institutions by imposing a $10 billion asset threshold, but ignores smaller financial institutions that similarly charge overdraft fees.

What Do I Need To Do?

VLFIs should consider what changes they need to make to their overdraft services to comply with the new rule by October 1, 2025, assuming that the new rule survives legal challenge.

That said, the legal challenge here has a meaningful chance of success. Recently, courts have been more willing to strike down rules under the major questions doctrine. It is also unclear how much genuine resistance the CFPB will put up in response to this challenge given the forthcoming change in administration. Assuming the new administration does not support this rule, it would likely be more efficient for the CFPB to allow the rule to be challenged and struck down than for it to attempt to repeal the rule, which will require a formal notice-and-comment rulemaking.

CFPB Proposes to Include Coerced Debt in the Definition of “Identity Theft”

What Happened?

On December 9, the Consumer Financial Protection Bureau (“CFPB”) issued an advance notice of proposed rulemaking (“ANPR”), seeking stakeholder input regarding amending the definitions of “identity theft” and “identity theft report” in Regulation V, which implements the Fair Credit Reporting Act (“FCRA”).

Specifically, the CFPB is proposing to expand the definition of “identity theft” to include actions taken “without effective consent,” which would prevent credit reporting agencies from refusing to block any type of debt obtained through coercion (such as through domestic abuse or elder abuse) from credit reports.

Why Does It Matter?

This proposed rulemaking started as a petition submitted to the CFPB by the National Consumer Law Center and the Center for Survivor Agency and Justice through the CFPB’s public petition procedures. In requesting the rulemaking, the petitioners cited relevant research and statistics to support their request, including that:

  • between 94 and 99 percent of domestic violence survivors experienced economic abuse; and
  • a majority of domestic violence survivors remained in abusive relationships in part because of the coerced debt.

Based on public responses to this petition, the CFPB determined that the issue of “coerced debt” warrants rulemaking activity with the expectation that abuse survivors will experience significant increases to their credit scores. According to the CFPB’s blog post accompanying the ANPR, one study found that one third of survivors of abuse who managed to remove coerced debt from their credit report saw their credit score improve at least 20 points.

Specifically, the CFPB is soliciting feedback on the following questions:

  1. What information exists regarding the prevalence and extent of harms to victims of economic abuse, particularly coerced debt? How does the consumer reporting system, including provisions relating to identity theft, currently contribute to or reduce those harms?
  2. To what extent do protections under the FCRA or other Federal or State laws exist for victims of economic abuse with respect to consumer reporting information? What barriers exist that may prevent survivors of economic abuse from availing themselves of existing protections?
  3. Does coerced debt reflect the survivor’s credit risk independent of the abuser? Why or why not? Is there any data addressing the relevance of coerced debt to the survivor’s credit risk independent of the abuser?
  4. What are the costs and benefits of the proposed amendment outlined by the petition for rulemaking?
  5. The petition defines “coerced debt” as “all non-consensual, credit-related transactions that occur in a relationship where one person uses coercive control to dominate the other person.” What alternatives to that language should the CFPB consider?
  6. Comments to the petition identify survivors of intimate partner violence, domestic abuse, and gender-based violence as groups that would benefit from explicit inclusion of coerced debt as a form of identity theft. Commenters noted specific vulnerabilities for older Americans, children in foster care, and survivors of color.
    1. What barriers do these groups face as a result of coerced debt?
    2. How would the proposed amendments outlined in the petition for rulemaking reduce those barriers?
    3. Are there other populations who experience problems with coerced debt and whose experiences should be considered in the proposed rulemaking?
    4. How would the proposed amendments outlined in the petition for rulemaking address the needs of these other populations?
  7. Should the CFPB propose the amendments outlined by the petition for rulemaking? What alternatives should the CFPB consider? For instance:
    1. What documentation should a person be required to produce to show that their debt was coerced?
    2. What self-attestation mechanisms could be considered for meeting the standard for an identity theft report?
    3. Are there circumstances that should give rise to a presumption of coercion?
    4. Should the CFPB propose general protections related to coerced debt, specific protections for survivors of domestic or intimate partner violence, or a combination?

What Do I Need To Do?

Any party that would like to submit a comment may do so until March 7, 2025. Any interested party should identify comments by Docket No. CFPB-2024-0057, and should submit them through the Federal eRulemaking Portal, via email at ANPR-Coerced-Debt@cfpb.gov, or through the mail sent to the CFPB’s Legal Division.

Financial Services Advisory: CFPB Finalizes Open Banking Rule on Consumer Financial Data Rights

Executive Summary

Our Financial Services Group unpacks the Consumer Financial Protection Bureau’s final rule on consumer financial data rights under Section 1033 of the Dodd–Frank Act.

  • The rule requires “data providers” to provide consumers and authorized third parties, upon request, with access to certain consumer financial data
  • “Data providers” include Regulation E banks and credit unions, Regulation Z card issuers, payment facilitators, and digital-wallet providers
  • Compliance deadlines are staggered based on institution size, with an exclusion for financial institutions with less than $850 million in assets


On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rule on personal financial data rights under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act. Known as the “open banking rule,” it permits consumers to access, control, and share their financial data with authorized third parties. The rule creates a significant shift in control over consumer data in the United States, and it is intended to provide consumers with greater control over financial data, foster competition, and stimulate innovation across the financial services industry. The rule applies broadly to banks, credit unions, and nonbank financial institutions, all of which must make consumer financial data available upon authorized request.

Key Provisions

The rule requires a “data provider” to make available, without charge, “covered data” about consumer financial products and services to consumers and certain “authorized third parties,” in electronic form, upon request by the consumer. The rule requires the provision of such data in standardized, machine-readable formats to promote consistency between financial institutions and third parties. The CFPB will name standard-setting bodies to develop consensus standards to assess compliance with the rule.

Who is a “data provider”?

The CFPB has said its definition of “data provider” will continue to evolve, but it has prioritized financial institutions and card issuers. The rule defines a “data provider” as:

  • A financial institution – that is, a bank or credit union – as defined in Regulation E, 12 CFR 1005.2(i), excluding those with less than $850 million in assets.
  • A card issuer as defined in Regulation Z, 12 CFR 1026.2(a)(7), including buy now/pay later providers.
  • Any other person that “controls or possesses information concerning a covered consumer financial product or service that the consumer obtained” from that person, including providers offering payment facilitation products and services such as digital-wallet providers.

What is “covered data”?

The rule defines “covered data” as essential consumer financial information, including:

  • At least 24 months of transaction information in the control or possession of the data provider.
  • Account balance information.
  • Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider, including an account and routing number that can be used to initiate an Automated Clearing House transaction.
  • Terms and conditions, or agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, including pricing information such as APRs and other pricing terms.
  • Upcoming bill payment information.
  • Basic information needed for account verification, limited to name, address, email address, and phone number associated with the covered consumer financial product or service.

Data providers will not have to provide confidential commercial information, including proprietary algorithms that might be used to derive credit or risk scores and information that is used solely for the purpose of fraud detection, money laundering, or other unlawful behavior.

Who is an “authorized third party”?

Fintech apps and data aggregators that offer services to consumers using their data are included as third parties. Authorized sharing with these entities must be based on informed consent that is to be renewed annually.

  • A “third party” means any person that is not the consumer to whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.
  • To access a consumer’s data, the third party must (1) provide the consumer with an authorization disclosure containing key terms of the data access; (2) provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to obligations set forth in the final rule; and (3) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • Third parties are limited in the collection, use, and retention of covered data to what is “reasonably necessary” to provide a product or service to a consumer. Use of the data for targeted advertising, cross-selling of other products or services, or the sale of covered data is prohibited.

Stakeholder Perspectives and Compliance Considerations

Reactions to the final rule have been split. Consumer advocates have voiced support for the rule and the empowerment of consumers to control how and where their data can be used, as well as the ability to switch banks more easily. Just hours after the final rule was released, however, the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a community bank in Kentucky, filed a joint lawsuit in the Eastern District of Kentucky requesting injunctive relief. The plaintiffs allege that the CFPB overstepped its statutory authority (in that Section 1033 relates to a consumer’s right to access their own information and does not speak to access by authorized third parties) and will expose banks to unreasonable liability risk. Forcing banks to share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so, they allege, will increase fraud and the misuse of customer data.

Some of this concern stems from the allocation of responsibility for data security and accountability in the rule. It allows that data providers can deny access to data, but only if the denial is (1) directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and nondiscriminatory manner. Data providers must keep a record of when a consumer or third-party request is refused. In the event of a security breach, data providers must notify affected consumers and the CFPB promptly. Notably, the rule requires data providers to verify that third parties uphold data privacy and security standards, but it places limited regulatory obligations on third parties themselves, leaving accountability for data security largely with the data providers. Data providers argue that the rule essentially forces them to subsidize third-party access to consumer data without sharing the cost burden.

During the rule comment period, a range of commentators raised concerns about potential overlaps and compliance complexities with other existing consumer financial laws, and the CFPB has attempted to address those issues in the final rule. Many comments focused on the need for clarity on how the rule interacts with laws such as the Electronic Fund Transfer Act (EFTA), Fair Credit Reporting Act (FCRA), and Gramm–Leach–Bliley Act (GLBA).

  • In comments before the final rule, data providers requested that the CFPB extend the Regulation E error resolution requirements to third parties such as data aggregators. The CFPB reasoned, however, that consumers should address these concerns with their primary financial institution, in line with statutory error resolution rights under the EFTA. Furthermore, data providers and third parties that are Regulation E financial institutions will continue to have error resolution obligations in the event of data breaches.
  • During the comment period to the final rule, there was concern that it would expand FCRA compliance. In the final rule, the CFPB clarified that data providers sharing information at the consumer’s request “does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations” and would not “alter the types of data, parties, or permissible purposes covered by the FCRA.”
  • Some commenters asked how the rule’s data limitations align with GLBA permissions. The CFPB states that Section 1033’s data sharing requirements coexist with GLBA but do not override or replace its mandates, maintaining distinct protections under each law.

Compliance Tiers and Timeline

The rule provides compliance deadlines that are staggered based on institution size:

  • First Tier: Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
  • Second Tier: Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
  • Third Tier: Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
  • Fourth Tier: Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
  • Fifth Tier: Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.

Conclusion: Prioritizing Readiness

The CFPB’s Section 1033 rule represents a transformative shift in the U.S. financial regulatory landscape, centering consumer control over data rights and driving the industry to an open banking model. Fintech advocates view it as an essential step towards consumer empowerment, while banks and credit unions warn of risks to data security and have liability concerns. Even as the CFPB begins assessing applications for standard-setting bodies, legal and compliance teams from institutions and fintech companies alike should begin to look ahead, with a focus on data security, potential contractual updates with third parties, and regulatory alignment.


Originally published November 22, 2024.



CFPB Releases Chart to Help Determine if Nonbank Registration is Required

What Happened?

On October 3, 2024, the CFPB released a Nonbank Registration: Orders Rule Coverage Chart (the “Chart”) that summarizes how an entity that is subject to an order may determine if it must register that order under the CFPB’s recently issued Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders Final Rule (the “Final Rule”).

Why Is It Important?

The Final Rule was issued earlier this year in June and requires certain nonbank entities to register with the CFPB’s Nonbank Registry (“NBR”) and provide information about certain Federal, State, or local orders imposing obligations on the nonbank entity based on violations of certain consumer protection laws. In general, an entity that is subject to an order must register that order with the NBR if the order is a “covered order” and the entity is a “covered nonbank,” as those terms are defined in the Final Rule. In addition, a covered nonbank that meets the definition of a “supervised registered entity” must also annually identify the executive(s) responsible for, and knowledgeable of, the entity’s efforts to comply with the orders identified in the NBR and submit an annual written statement and attestation. We covered the Final Rule in more detail in a previous blog post.

Chart Summary

The Chart first considers whether an order is a “covered order” under the Final Rule. A covered order must meet all of the following criteria:

  • It is an order, i.e., any written order or judgment issued by an agency or court in an investigation, matter, or proceeding;
  • It is a final, public order issued by an agency or court;
  • It identifies a covered nonbank by name as a party subject to the order;
  • It was issued, at least in part, in any action or proceeding brought by any Federal, State, or local agency;
  • It contains public provisions that impose obligations on the covered nonbank to take certain actions or to refrain from taking certain actions;
  • It imposes obligations on the covered nonbank based on certain alleged violations of a covered law (e.g., Federal consumer financial laws, any other laws enforced by the CFPB, and certain unfair, deceptive, or abusive acts or practices laws at both Federal and State levels); and
  • It has an effective date on or after January 1, 2017.

Under the Final Rule, an order is not a “covered order” if it is:

  • An order with an effective date prior to September 16, 2024, that did not remain in effect as of September 16, 2024; or
  • An order issued to a motor vehicle dealer that is predominantly engaged in the sale, leasing, and servicing of motor vehicles within the meaning of the Dodd-Frank Act 12 USC § 5519(a).

Next, the Chart considers whether a nonbank is a “covered nonbank.” A covered nonbank is a covered person under the Dodd-Frank Act that is not exempt from coverage under the Final Rule. Under the Dodd-Frank Act, a “covered person” is (A) any person that engages in offering or providing a “consumer financial product or service”; and (B) any affiliate of such person if such affiliate acts as a service provider to such person. Among other things, consumer financial products and services generally include extending credit, servicing loans, brokering of certain leases of personal or real property, providing real estate settlement services, and collecting debt, to the extent that such products and services are offered or provided for use by consumers primarily for personal, family, or household purposes.

Under the Final Rule, a nonbank is not a “covered nonbank” if it is:

  • An insured depository institution or insured credit union (e.g., an FDIC-insured bank);
  • A “related person” under the Dodd-Frank Act (when that is the sole reason for qualifying as a covered person);
  • A State, including federally recognized Indian tribes;
  • A natural person;
  • Certain motor vehicle dealers; or
  • A person that qualifies as a covered person under the Dodd-Frank Act only because of conduct excluded from the CFPB’s rulemaking authority.

Implementation Submission Periods

The CFPB highlights the following key dates for the implementation submission periods on its website:

  • For Larger Participant CFPB-Supervised Covered Nonbanks, the registration submission period opens October 16, 2024, and the deadline to register is January 14, 2025.
  • For other CFPB-Supervised Covered Nonbanks, the registration period opens January 14, 2025, and the deadline to register is April 14, 2025.
  • For all other Covered Nonbanks, the registration period opens April 14, 2025, and the deadline to register is July 14, 2025.

What Do You Need to Do?

As of October 16, 2024, the registration submission period opened for Larger Participant CFPB-Supervised Covered Nonbanks, the first group of covered nonbank entities. The CFPB has issued rules identifying the criteria for “larger participants” in various consumer markets including automobile financing, student loan servicing, consumer reporting, consumer debt collection, and international money transfer markets. The requisite thresholds for covered nonbank entities in each market to be considered a “larger participant” are as follows:

  • Automobile Financing – At least 10,000 aggregate annual originations. 12 C.F.R. § 1090.108(b).
  • Student Loan Servicing – Account volume exceeds 1 million. 12 C.F.R. § 1090.106(b).
  • Consumer Reporting – Annual receipts resulting from consumer reporting are more than $7 million. 12 C.F.R. § 1090.104(b).
  • Consumer Debt Collection – Annual receipts resulting from consumer debt collection are more than $10 million. 12 C.F.R. § 1090.105(b).
  • International Money Transfer – At least 1 million aggregate annual international money transfers. 12 C.F.R. § 1090.107(b).

Covered nonbank entities should ensure that they comply with the registration requirements and be aware of the upcoming deadlines in the coming months. Moreover, as advised in our last blog post covering the Final Rule, companies should double down on compliance and be extra vigilant to avoid the designation of a “repeat offender.”

CFPB Submits Comment Letter on Use of AI in Financial Services

What Happened?

On August 12, the Consumer Financial Protection Bureau (CFPB) submitted a comment letter in response to a Treasury Department Request for Information on the use of AI in financial services.

Why Is It Important?

Reiterating that “there is no ‘fancy new technology’ carveout to existing consumer financial laws,” the CFPB has emphasized that products and services built with innovative technologies must conform with consumer protection laws and regulations, including the Equal Credit Opportunity Act (ECOA), and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), in both origination and servicing practices.

The CFPB’s comments underscore the sustained regulatory focus on the use of emerging technologies, and the goal of responsible innovation balanced with consumer protection. The CFPB has made clear that companies must comply with consumer financial protection laws when adopting emerging technology, stating, “[i]f firms cannot manage using a new technology in a lawful way, then they should not use the technology.”

The comment letter emphasizes the CFPB’s focus on the growing use of emerging and innovative technologies in consumer financial services, including machine learning, “traditional” forms of artificial intelligence, and generative artificial intelligence. As the CFPB balances support for innovation in the consumer space, it is clear that it has set its sights squarely on how those technologies are used, and what the consumer impact may be.

What To Do Now?

Companies using (or considering using) emerging technologies should have clear governance mechanisms to ensure alignment between business priorities and appropriate risk management practices, including where vendors are engaged to provide innovative technology solutions. There is no one-size-fits-all model, however, and the use case for the technology will drive the primary risk analysis. As use of emerging technologies continues to expand, ensuring stakeholder involvement and alignment should be a top priority.