Alston & Bird Consumer Finance Blog

Federal Trade Commission (FTC)

Strike Force on Unfair and Illegal Pricing Holds First Public Meeting: CFPB Director Highlights Work on Junk Fees

What Happened?

As reported by Alston & Bird’s Antitrust Group, the Federal Trade Commission and the Department of Justice hosted the first public meeting of the Strike Force on Unfair and Illegal Pricing (the “Strike Force”).  President Biden announced the Strike Force’s formation in March 2024 to strengthen interagency efforts to root out and stop illegal corporate behavior that burdens American families through anticompetitive, unfair, deceptive, or fraudulent practices.  Officials from several agencies, including the CFPB, highlighted their work to lower prices across multiple industries for Americans.

Why Does it Matter?

With regard to the CFPB, Director Chopra highlighted some of its work on cracking down on so-called “junk fees,” many of which we have previously covered on this blog.

The CFPB has been prolific on its junk fee initiative, issuing 14 press releases, 10 blog posts, and three enforcement actions, promulgating rules, commissioning eight reports, and issuing Advisory Opinions, Circulars and videos. In its prepared remarks at the Strike Force meeting, the CFPB Director outlined the Bureau’s work on junk fees imposed by companies that process payments, in this case for children’s school lunches. In his recent remarks, Director Chopra made clear that the agency is not stopping, and forecast that:

  • The CFPB is looking at the costs for credit reports and credit scores and using existing laws to ensure that fees for such credit products are “fair and reasonable.”
  • The Bureau is “closely scrutinizing all aspects of the credit card market.”
  • The CFPB is “investigating the role of not just individual executives, but also the investors, like private equity funds, that call the shots.” According to Director Chopra, such a controlling investor or other investment vehicle could be subject to direct liability if it is “calling the shots.”

What Do I Need to Do?

Companies subject to CFPB supervision should consult with consumer protection and antitrust counsel to make sure they are not inadvertently engaging in anticompetitive, deceptive, unfair or fraudulent practices when setting pricing or when imposing, adding, or changing fees.

Companies should also evaluate their pricing and fee practices to ensure they are making independent decisions for setting prices.

When changing pricing or adding fees, companies should look closely at the CFPB’s priorities, which are wide and deep and include fees in mortgage origination, mortgage servicing, credit cards, and payment processing, among others.

CFPB and FTC Amicus Brief Signals Stance on “Pay-to-Pay” Fees under FDCPA

What Happened?

On February 27, the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) filed an amicus brief in the 11th Circuit case Glover and Booze v. Ocwen Loan Servicing, LLC arguing that certain convenience fees charged by mortgage servicer debt collectors are prohibited by the Fair Debt Collection Practices Act (FDCPA).  This brief comes on the heels of an amicus brief Alston & Bird LLP filed on behalf of the Mortgage Bankers Association (MBA).  In its brief, the MBA urged the 11th Circuit to uphold the legality of the fees at issue.

While litigation surrounding convenience fees has spiked in recent years, there is no consensus on whether convenience fees violate the FDCPA.  Federal courts are split on the issue, there is little guidance at the circuit court level, and the issue before the 11th Circuit is one of first impression.  Consequently, the 11th Circuit’s ruling could significantly affect what fees a debt collector is permitted to charge, both within that circuit and nationwide.

Why is it Important?

Convenience fees or what the agencies refer to as “pay-to-pay” fees are the fees charged by servicers to borrowers for the use of expedited payment methods like paying online or over the phone.  Borrowers have free alternative payment methods available (e.g., mailing a check) but choose to pay for the convenience of a faster payment method.

Section 1692f(1) of the FDCPA provides that a “debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt,” including the “collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.”  The CFPB and FTC argue that Section 1692f(1)’s prohibition extends to the collection of pay-to-pay fees by debt collectors unless such fees are expressly authorized by the agreement creating the debt or affirmatively authorized by law.

First, the agencies contend that pay-to-pay fees fit squarely within the provision’s prohibition on collecting “any amount” in connection with a debt and that charging this fee constitutes a “collection” under the FDCPA.  Specifically, the agencies attempt to counter Ocwen’s argument that the fees in question are not “amounts” covered by Section 1692f(1) because the provision is limited to amounts “incidental to” the underlying debt. They argue that fees need not be “incidental to” the debt in order to fall within the scope of Section 1692f(1). In making this point, the agencies claim that the term “including,” as used in the provision’s parenthetical, signals that the list of examples is not an exhaustive list of all the “amounts” covered by the provision.  Further, the agencies attempt to counter Ocwen’s argument that a “collection” under the FDCPA refers only to the demand for payment of an amount owed (i.e., a debt). They argue that Ocwen’s understanding of “collects” is contrary to the plain meaning of the word; rather, the scope of Section 1692f(1) is much broader and encompasses collection of any amount, not just those which are owed.

Next, focusing on the FDCPA’s exception for fees “permitted by law,” the agencies contend that a fee is not “permitted by law” merely because it is authorized by a valid contract (i.e., because state common law enforces the contract and thus implicitly authorizes the fee). The agencies suggest that if such fees could be authorized by any valid agreement, the first category of collectable fees defined by Section 1692f(1)—those “expressly authorized by the agreement creating the debt”—would be superfluous. Lastly, the agencies argue that neither the Electronic Fund Transfer Act nor the Truth in Lending Act – the two federal laws Ocwen relies on in its argument – affirmatively authorizes pay-to-pay fees.

What Do You Need to Do?

Stay tuned. The 11th Circuit has jurisdiction over federal cases originating in Alabama, Florida, and Georgia. Its ruling is likely to have a significant impact on whether debt collectors may charge convenience fees to borrowers in those states, and it could be cited as persuasive precedent in courts nationwide.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” in which customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the Amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions within the FTC’s Safeguards Rule jurisdiction include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors, and collection agencies, among others.  The FTC made clear that one primary reason for adopting these new breach notification requirements is so that the FTC can monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication that the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement, but not an individual notification requirement, in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines, which apply to banking financial institutions, and in the SEC’s proposed rules, which would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines, which define “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one, to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual.  This divergence between FTC notifications and state law sets the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state attorneys general under most state data breach notification laws (either explicitly or implicitly), but differs from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security.  Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”
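As an added illustration (not part of the original post and not FTC tooling), the following Python sketch encodes the trigger, discovery-date and timing rules described in this section as an incident-response triage check that a non-banking financial institution could drop into its runbook. Two points are assumptions not stated in the text above and are flagged as such in the code: that encrypted customer information whose encryption key was also taken is treated as unencrypted, and that the law-enforcement delay of public posting is counted from the notification deadline. The sample incidents are constructed for the example.

```python
"""Triage helper for the FTC Safeguards Rule "Notification Event" described above.

Added example, not the FTC's own tooling. Encodes: the 500-consumer threshold,
the unencrypted-information requirement, the presumption that unauthorized
access equals acquisition unless evidence rebuts it, the discovery-date rule
(first day known to any employee/officer/agent other than the perpetrator),
the 30-day notification deadline, and the 30 + 60 day law-enforcement delay
of public posting (anchor of that delay is an assumption, see below)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

FTC_CONSUMER_THRESHOLD = 500   # Notification Event involves at least 500 consumers
FTC_NOTIFY_WITHIN_DAYS = 30    # as soon as possible, no later than 30 days after discovery
LE_DELAY_DAYS = 30             # initial law-enforcement delay of public posting by the FTC
LE_EXTENSION_DAYS = 60         # one further extension the Commission may grant


@dataclass
class KnowledgeRecord:
    """When a given person first learned of the event."""
    person: str
    learned_on: date
    is_perpetrator: bool = False   # the person committing the breach does not start the clock
    is_agent: bool = True          # employee, officer or other agent of the institution


@dataclass
class Incident:
    affected_consumers: int
    customer_info_encrypted: bool
    encryption_key_compromised: bool   # ASSUMPTION: key compromise treated as "unencrypted"
    unauthorized_access_shown: bool    # forensic evidence of unauthorized access to customer info
    acquisition_ruled_out: bool        # evidence the party accessed but did NOT acquire the data
    knowledge: List[KnowledgeRecord] = field(default_factory=list)
    le_written_determination: bool = False   # written determination under item (vi) of the form
    le_extension_granted: bool = False


@dataclass
class Triage:
    notification_required: bool
    reason: str
    discovered_on: Optional[date] = None
    notify_ftc_by: Optional[date] = None
    public_posting_not_before: Optional[date] = None


def discovery_date(knowledge: List[KnowledgeRecord]) -> Optional[date]:
    """First day the event was known to any employee, officer or other agent
    of the institution other than the person committing the breach."""
    candidates = [k.learned_on for k in knowledge if k.is_agent and not k.is_perpetrator]
    return min(candidates) if candidates else None


def triage(incident: Incident) -> Triage:
    """Decide whether the incident is a Notification Event and compute the deadlines."""
    effectively_unencrypted = (not incident.customer_info_encrypted) or incident.encryption_key_compromised
    if not effectively_unencrypted:
        return Triage(False, "customer information was encrypted and the key was not compromised")
    if incident.affected_consumers < FTC_CONSUMER_THRESHOLD:
        return Triage(False, f"fewer than {FTC_CONSUMER_THRESHOLD} consumers involved")
    if not incident.unauthorized_access_shown:
        return Triage(False, "no evidence of unauthorized access or acquisition")
    if incident.acquisition_ruled_out:
        # The rule presumes acquisition from access; only affirmative evidence rebuts it.
        return Triage(False, "presumption rebutted: access shown but acquisition ruled out by evidence")

    discovered = discovery_date(incident.knowledge)
    if discovered is None:
        return Triage(True, "Notification Event; discovery date not yet established")
    notify_by = discovered + timedelta(days=FTC_NOTIFY_WITHIN_DAYS)

    posting: Optional[date] = None
    if incident.le_written_determination:
        # ASSUMPTION: delay counted from the notification deadline; the delay does
        # not excuse timely notification to the FTC itself.
        posting = notify_by + timedelta(days=LE_DELAY_DAYS)
        if incident.le_extension_granted:
            posting += timedelta(days=LE_EXTENSION_DAYS)
    return Triage(True, "Notification Event: unencrypted customer information, >= 500 consumers, "
                        "acquisition presumed from access", discovered, notify_by, posting)


if __name__ == "__main__":
    # Constructed sample: insider learns first but is the perpetrator, so the SOC analyst's date governs.
    sample = Incident(
        affected_consumers=1200, customer_info_encrypted=False, encryption_key_compromised=False,
        unauthorized_access_shown=True, acquisition_ruled_out=False,
        knowledge=[KnowledgeRecord("insider", date(2024, 3, 1), is_perpetrator=True),
                   KnowledgeRecord("soc-analyst", date(2024, 3, 4)),
                   KnowledgeRecord("ciso", date(2024, 3, 6))],
        le_written_determination=True)
    print(triage(sample))
```

The ordering of the checks matters in practice: encryption status and headcount are usually known early, while rebutting the acquisition presumption requires forensic evidence that may not exist, so the function defaults to "required" once access is shown.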

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

A&B ABstract

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely to request during examinations, to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger, more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs. the Enhanced Program is not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details of the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response planning.  The examination questions, where relevant, cite the FTC Safeguards Rule, as amended (16 CFR § 314), which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.

Takeaway

Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.

Joint Trade Associations Reject the CFPB’s “Discrimination-Unfairness” Theory

In a June 28 letter to Director Chopra and accompanying White Paper and press release, the ABA, CBA, ICBA, and the U.S. Chamber of Commerce have called on the Consumer Financial Protection Bureau (CFPB or Bureau) to rescind recent revisions made to its UDAAP examination manual that had effectuated the CFPB’s controversial theory that alleged discriminatory conduct occurring outside the offering or provision of credit could be addressed using “unfairness” authority. The White Paper characterized the primary legal flaws in the CFPB’s action as follows:

  • The CFPB’s conflation of unfairness and discrimination ignores the text, structure, and legislative history of the Dodd-Frank Act. For example, the Dodd-Frank Act discusses “unfairness” and “discrimination” as two separate concepts and defines “unfairness” without mentioning discrimination. The Act’s legislative history refers to the Bureau’s antidiscrimination authority in the context of ECOA and HMDA, while referring to the Bureau’s UDAAP authority separately.
  • The CFPB’s view of “unfairness” is inconsistent with decades of understanding and usage of that term in the Federal Trade Commission Act and with the enactment of ECOA. Congress gave the CFPB the same “unfairness” authority that it gave to the Federal Trade Commission in 1938, which has never included discrimination. It makes no sense that Congress would have enacted ECOA in 1974 to address discrimination in credit transactions if it had already prohibited discrimination through the FTC’s unfairness authority. For the same reason, Congress could not have intended in 1938 for unfairness to “fill gaps” in civil rights laws that did not exist.
  • The CFPB’s view is contrary to Supreme Court precedent regarding disparate impact liability. The CFPB’s actions and statements indicate it conflates unfairness with disparate impact, or unintentional discrimination. The Supreme Court has recognized disparate impact as a theory of liability only when Congress uses certain “results-oriented” language in antidiscrimination laws, e.g., the Fair Housing Act. The Dodd Frank Act neither contains the requisite language, nor is it an antidiscrimination law.
  • The CFPB’s action is subject to review by courts because it constitutes final agency action – a legislative rule – that is invalid, both substantively and procedurally. The CFPB’s action carries the force and effect of law and imposes new substantive duties on supervised institutions. However, the Bureau did not follow Administrative Procedure Act requirements for notice-and-comment rulemaking. Additionally, the CFPB’s interpretation is not in accordance with law and exceeds the CFPB’s statutory authority. The CFPB’s action should be held unlawful and set aside.
  • The CFPB’s action is subject to Congressional disapproval under the Congressional Review Act. A Member of Congress can request a GAO opinion on whether the CFPB’s actions are a rule, which can ultimately trigger Congressional review using the procedures established in the Congressional Review Act.

The White Paper concludes:

“Such sweeping changes that alter the legal duties of so many are the proper province of Congress, not of independent regulatory agencies, and the CFPB cannot ignore the requirements of the Administrative Procedures Act and Congressional Review Act. The CFPB may well wish to ‘fill gaps’ it perceives in federal antidiscrimination law. But Congress has simply not authorized the CFPB to fill those gaps. If the CFPB believes it requires additional authority to address alleged discriminatory conduct, it must obtain that authority from Congress, not take the law into its own hands. The associations and our members stand ready to work with Congress and the CFPB to ensure the just administration of the law.”

Take-away:

The position taken in the White Paper that the CFPB’s actions were contrary to law may be an indication that the trade groups intend to mount an APA legal challenge. Alternatively, the arguments made could in theory form a defense to any CFPB supervisory or enforcement action premised upon its new “discrimination-unfairness” theory. Financial institutions subject to CFPB examination would be well-advised to consider the arguments raised by the groups.