Alston & Bird Consumer Finance Blog

Unfair, Deceptive and Abusive Acts or Practices (UDAAP)

CFPB Expands its Reach with Final Rule Establishing Nonbank Registry of Public Settlements, Consent Orders and Enforcement Actions

What Happened?

On June 3, 2024, the Consumer Financial Protection Bureau (CFPB or Bureau) issued its Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders Final Rule (the Final Rule), a 486-page rule imposing new obligations on nonbank entities that offer or provide a consumer financial product or service. At a high level, the Final Rule contains three primary requirements.

First, the Final Rule requires certain nonbank entities (Covered Nonbanks) to register with the CFPB’s new nonbank registry (NBR) and provide information about the nonbank and certain public Federal, State, or local written orders imposing obligations on the nonbank based on violations of certain consumer protection laws.

Second, for those Covered Nonbanks subject to the Bureau’s supervisory authority under section 1024(a) of the Consumer Financial Protection Act of 2010 (CFPA), the Final Rule will require such supervised registered entities to annually identify the executive(s) responsible for and knowledgeable of the nonbank’s efforts to comply with the orders identified in the NBR and submit an annual written statement and attestation.

Third, the Final Rule describes the registration information that the Bureau may make public.

The Final Rule takes effect on September 16, 2024 (the Effective Date) but establishes different implementation dates for different categories of Covered Nonbanks. Covered Nonbanks will be required comply with the Final Rule by as early as October 16, 2024.

Why Does it Matter?

The Final Rule represents yet another novel interpretation by the Bureau of its authority under the Dodd-Frank Act. As stated by the Bureau, “the registry will accomplish a number of goals, with a particular focus on monitoring for risks to consumers related to repeat offenders of consumer protection law.” As set forth below, the scope and requirements of the Final Rule are broad and complex, and failing to comply with these new requirements can perpetuate a “repeat offender” label.

The Final Rule Applies to Covered Nonbanks

With certain exceptions, the Final Rule will apply to covered persons as defined in the CFPA, including persons that engage in offering or providing a consumer financial product or service, as defined in the CFPA. Under the CFPA, a “covered person” is (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of such person if such affiliate acts as a service provider to such person. Among others, consumer financial products and services generally include the following, to the extent they are offered or provided for use by consumers primarily for personal, family, or household purposes:

  • Extending credit and servicing loans;
  • Extending or brokering certain leases of personal or real property;
  • Providing real estate settlement services;
  • Engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds;
  • Selling, providing, or issuing stored value or payment instruments;
  • Providing check cashing, check collection, or check guaranty services;
  • Providing payments or other financial data processing products or services to a consumer by any technological means;
  • Providing financial advisory services;
  • Collecting, analyzing, maintaining, or providing consumer report information or certain other account information; and
  • Collecting debt related to any consumer financial product or service.

The Final Rule does not apply to:

  • An insured depository institution or insured credit union (e.g., an FDIC-insured bank);
  • A person who is a covered person solely due to being a “related person,” as provided in the Dodd-Frank Act (e.g., controlling shareholders, consultants, and independent contractors, if the person is a covered person only because the person is a “related person” and not a covered person for another reason);
  • A State, including federally recognized Indian tribes;
  • A natural person;
  • Certain motor vehicle dealers;
  • A person that qualifies as a covered person under the Dodd-Frank Act only because of conduct excluded from the CFPB’s rulemaking authority, such as certain activities related to charitable contributions.

All other covered persons are covered by the Final Rule and are considered “Covered Nonbanks” for purposes of the Final Rule.

Orders Covered by the Final Rule

The Final Rule applies to “Covered Orders.” A Covered Order is a final public order issued by an agency or court (whether or not issued by settlement or consent) that:

  • Identifies a Covered Nonbank by name as a party subject to the order;
  • Was issued at least in part in any action or proceeding brough by any Federal Agency, State Agency, or Local Agency;
  • Contains public provisions that impose obligations on the Covered Nonbank to take certain actions or to refrain from taking certain actions;
  • Imposes such obligations on the Covered Nonbank “based on” an alleged violation of a “Covered Law”; and
  • Has an effective date on or later than January 1, 2017.

A “Covered Law” means one of the following laws, to the extent that the violation of law found or alleged “arises out of conduct in connection with the offering or provision of a consumer financial product or service”:

  • A Federal consumer financial law;
  • Any other law as to which the Bureau may exercise enforcement authority;
  • The prohibition on UDAPs under section 5 of the FTC Act or rules or orders issued thereunder;
  • A State law prohibiting UDAPs/UDAAPs as identified in Appendix A to the Final Rule;
  • A State law amending or otherwise succeeding a law identified in Appendix A to the Final Rule, to the extent the law is materially similar to its predecessor; or
  • A rule or order issued by a State agency for the purpose of implementing a State law referenced in the two preceding bullet points.

According to the Bureau, “an obligation is ‘based’ on alleged violation where the order identifies the covered law in question, asserts or otherwise indicates that the covered nonbank has violated it, and imposes the obligation on the covered nonbank at least in part as a result of the alleged violation, even where the order contains provisions clearly stating that the entity does not concede or admit liability.” While the Bureau clarifies the meaning of “based on,” the Bureau declines to provide clarity “for determining the circumstances under which violations of covered laws arise out of conduct ‘in connection with the offering or provision of a consumer financial product or service.’”

It is also noteworthy, that the CFPB declined to narrow the definition of Covered Orders to those involving consumer harm. As a result, even orders of a clerical, technical, or administrative nature could be in scope.

Initial Registration Requirements

During each implementation submission period (discussed below), for all Covered Orders that (1) have an effective date from January 1, 2017, through the start of the Covered Nonbank’s submission period, and (2) for Covered Orders issued prior to September 16, 2024, remains effective as of September 16, 2024, each Covered Nonbank that is identified as a party to such Covered Order must register with the NBR and provide the following information, in the format provided by the Bureau (such filing instructions have not yet been released) within 90 days from the applicable implementation date or after the effective date of the applicable Covered Order:

  • A fully executed, accurate and complete copy of the Covered Order (except nonpublic portions may be omitted);
  • The name of the agency(ies) and court(s) that issued or obtained the Covered Order, as applicable;
  • The effective date of the Covered Order;
  • The expiration date of the Covered Order, if any;
  • All Covered Laws found to have been violation, or for orders issued upon the parties’ consent, alleged to have been violated;
  • Any docket, case, tracking, or similar identifying number(s) assigned to the Covered Order by the applicable agency(ies) or court(s); and
  • The name and title of the attesting executive with respect to the Covered Order, if the registered entity is a supervised registered entity.

Annual Supervisory Reports for Supervised Registered Entities

Supervised Registered Entity

The annual reporting requirements apply to an “supervised registered entity” defined to mean a registered entity that is subject to supervision and examination by the Bureau. The definition includes:

  • An entity that qualifies as a larger market participant for consumer financial products or services, as defined in the CFPA;
  • An entity subject to an order by the Bureau exercising supervisory authority over certain nonbanks based on a risk determination in accordance with the CFPA; and
  • An affiliate of an insured depository institution and insured credit unions with more than $10 billion in total assets.

The definition excludes:

  • A service provider that is subject to Bureau examination and supervision solely in its capacity as a service provider and that is not otherwise subject to Bureau supervision and examination;
  • A motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, with limited exception;
  • Persons with less than $5 million in annual receipts resulting from offering or providing all consumer financial products or services;
  • A person that qualifies as a covered person based solely on conduct that is the subject of, and that is not otherwise exempted from, an exclusion from the Bureau’s supervisory authority under the CFPA; and
  • An affiliate of an insured depository institutions and insured credit unions with less than $10 billion in total assets.

Designation of Attesting Executive

A supervised registered entity subject to a Covered Order is required to annually designate one attesting executive for each Covered Order and all submissions related to that order who is “its highest-ranking duly-appointed senior executive officer (or, if the supervised registered entity does not have any duly appointed officers, the highest-ranking individual charged with managerial or oversight responsibility for the supervised registered entity) whose assigned duties include ensuring the supervised registered entity’s compliance with Federal consumer financial law, who has knowledge of the entity’s systems and procedures for ensuing compliance with the covered order, and who has control over the entity’s efforts to comply with the covered order.”

While the Bureau expects that under most circumstances the supervised registered entity would designate one single individual as its attesting executive for all of the Covered Orders to which it is subject, the Final Rule does not include such a requirement as the Bureau recognizes that there may be situations where there is no one executive with the requisite knowledge for all Covered Orders.

The entity must authorize the attesting executive to perform the duties of an attesting executive on behalf of the supervised registered entity with respect the Covered Order, including providing prompt access to all documents and information related to the supervised registered entity’s compliance with all applicable Covered Orders to make the required annual statement, as described below.

Annual Statement

The Annual Statement requirement applies prospectively to Covered Orders with an effective date after the Nonbank Registry Implementation Date. The Bureau states that it will treat the written statement submitted by the supervised registered entity as confidential supervisory information but does intend to publish the name and title of the attesting executive as it believes that publication of the executive’s name “will provide an incentive to pay more attention to covered orders.”

On or before March 31st of each calendar year, the supervised registered entity must submit to the NBR a written statement for each Covered Order signed by the attesting executive. Such statement must include:

  • A general description of the steps that the attesting individual has undertaken to review and oversee the supervised registered entity’s activities applicable to the Covered Order for the preceding calendar year; and
  • Attest whether to the attesting executive’s knowledge, the supervised registered entity during the preceding calendar year identified any violations or instances of noncompliance with any public provisions of the Covered Order.

The Bureau does not establish any minimum procedures or steps the attesting executive must take in order to review and oversee the entity’s activities. With that said, the Bureau declined “to impose a reasonableness, good faith or other standards regarding the steps that the attesting executive has undertaken to review and oversee the supervised registered entity’s activities subject to the applicable covered order.” The Bureau also declined to impose materiality requirements as to the types of violations that must be declared – even minor ones are important to the Bureau.


Supervised registered entities are required to maintain documents and other records to provide reasonable support for its written statement for 5 years after its submission is required.

Optional One-Time Registration of NMLS-Published Covered Orders

In lieu of requiring compliance with the registration and annual reporting requirements, a Covered Nonbank that is identified by name with respect to an NMLS-published Covered Order may elect to comply with a one-time registration option. The CFPB will specify what information the Covered Nonbank must provide to the NBR for purposes of identifying the NMLS-published Covered Order and for coordinating with the NMLS. Upon supplying this information, the Covered Nonbank will have no further reporting obligations with respect to that Covered Order. A Covered Nonbank may avail itself of this one-time registration for all or some of its NMLS-published orders, which are those orders published on the NMLS Consumer Access website. However, “no covered order issued or obtained at least in part by the Bureau shall be an NMLS-published covered order.” Thus, if the applicable Covered Order was issued either by a court or the Bureau itself, or brought at least in part by the Bureau, this optional one-time registration is not available to such order. That is because the Bureau is requiring such orders to be included in the NBR so that the CFPB can monitor and enforce its own orders as well as obtaining the annual written statement regarding CFPB orders.

Termination of Registration Requirements

Covered Orders are subject to ongoing registration requirements until it is deemed to expire under the Final Rule, or all relevant provisions are fully terminated by an agency or court or under its own terms on a date expressly provided for in the Covered Order.

The Final Rule provides that a Covered Order that does not expressly provide for a termination date and is not otherwise terminated earlier is deemed to expire 10 years after its effective date. Alternatively, if a Covered Order provides for a termination date that is longer than 10 years, the Covered Order is not deemed to have terminated until the longer period provided for in the order.

The Final Rule requires that Covered Nonbanks notify the Bureau within 90 days from the date any Covered Order is modified, terminated, or abrogated.

If a Covered Order expires, is terminated, or is otherwise modified such that it is no longer a Covered Order, then the Covered Nonbank is relieved of ongoing registration and written statement obligations with respect to such order after the Covered Nonbank files a final notice with the Bureau. That is not to say, however, that the Covered Order would be removed from the CFPB’s registry. Subject to the Bureau’s discretion, the CFPB may maintain information on Covered Orders and the Covered Nonbanks subject to them on the NBR indefinitely.

Publication and Correction of Submissions to the NBR

Publication of NBR Information

The Final Rule provides that the CFPB may publish certain information about registered Covered Nonbanks and Covered Orders on its website. However, the written statement will be treated as confidential supervisory information. In addition, at its discretion, the CFPB may also publish aggregations or summary reports using the information submitted to the CFPB’s NBR.

Corrections of Submissions

If any information submitted to the NBR was inaccurate when submitted and remains inaccurate, a Covered Nonbank must file a corrected report in the form and manner specified by the Bureau within 30 days after the date on which the Covered Nonbank becomes aware or has reason to know of the inaccuracy. In addition, the Bureau may at any time and in its discretion direct a Covered Nonbank to correct errors or other non-compliant submissions to the NBR.

Implementation Submission Periods and Ongoing Registration

Implementation Submission Periods

The Final Rule provides for phased implementation dates that vary depending on the type of Covered Nonbank. As reflected in the below table, the Final Rule provides the following 90-day registration window for each category of Covered Nonbank to register all Covered Orders with effective dates from January 1, 2017, until the start of that implementation submission period:

Covered Nonbank Type

Registration Submission Period*

Registration Deadline*

Larger Participant CFPB-Supervised Covered Nonbanks

Covered Nonbanks that are larger participants of a market for consumer financial products or services described under 12 U.S.C. 5514(a)(1)(B) as defined by one or more rules issued by the Bureau

October 16, 2024 through January 14, 2025 January 14, 2025
Other CFPB-Supervised Covered Nonbanks

Covered Nonbanks described under any other provision of 12 U.S.C. 5514(a)(1)

January 14, 2025 through April 14, 2025 April 14, 2025
All other Covered Nonbanks April 14, 2025 through July 14, 2025

July 14, 2025

* The Final Rule requires any dates that fall on a Saturday, Sunday, or Federal holiday be converted to the next day that is not a Saturday, Sunday, or Federal holiday. The Bureau has adjusted the above implementation submission period dates accordingly.

As noted above, during each of the above Registration Submission Periods, the Covered Nonbank must register all Covered Orders that: (1) have an effective date from January 1, 2017, through the start of the Covered Nonbank’s Registration Submission Period, and (2) for Covered Orders issued prior to September 16, 2024, the Covered Order remains effective as of September 16, 2024.

By way of example, assume an Other CFPB-Supervised Covered Nonbank has the following orders (that otherwise meet the definition of a Covered Order): (1) an order that took effect on January 1, 2016, and that expires on January 1, 2026, (2) an order that took effect on January 1, 2017, and that expires on October 30, 2025, and (3) an order that becomes effective on January 1, 2025, and that expires on January 1, 2031. During the applicable Registration Submission Period (noted above), the Other CFPB-Supervised Covered Nonbank:

  • Would not register the first order (effective January 1, 2016) because it took effect before January 1, 2017.
  • Must register the second order (effective January 1, 2017) because it took effect on or after January 1, 2017 (and prior to the start of the applicable submission period) and remained in effect as of September 16, 2024.
  • Must register the third order (effective January 1, 2025) because it took effect on or after September 16, 2024, and prior to the start of the applicable submission period.

Ongoing Registration

After the start of a Covered Nonbank’s implementation submission period, a Covered Nonbank must begin complying with the Final Rule’s ongoing registration timing requirements to register new Covered Orders and to submit changes or updates related to previously registered Covered Orders. Generally, a Covered Nonbank must return to the NBR and make a registration submission within the identified 90-day window for each of the following events:

  • Any updates or changes to the nonbank’s identifying information or administrative information, within 90 days after the date of that change.
  • Any amendments to previously registered Covered Orders, including changes to submitted order information, within 90 days after the date the amendments are made.
  • Any new Covered Orders applicable to the Covered Nonbank (with effective dates on or after the start of the applicable implementation period), within 90 days after the effective date of the new Covered Order.
  • A revised filing if there is any termination or expiration (as discussed above) of a previously registered Covered Order, within 90 days after the effective date of that termination or expiration.

Enforcement / Penalties for Noncompliance with Final Rule

General Enforcement

The Bureau declined to establish special rules or remedies for violation of the Final Rule. With that said, the Preamble to the Final Rule clearly states that the Final Rule is a Federal consumer financial law under the CFPA and that “[v]iolation of the [F]inal [R]ule would be an independent violation of Federal consumer financial law subject to enforcement as provided in the CFPA, and applicable remedies under law, including potential civil money penalties.”

Additional Enforcement Considerations for Supervised Registered Entities

With respect to supervised registered entities, the Final Rule clarifies that the obligation to designate an attesting executive or to submit a written statement when required to do so, belongs to the supervised registered entity, and not to any particular individual. Accordingly, the Bureau states that “[i]f a supervised registered entity failed to designate an attesting executive or to submit a written statement when required to do so, the supervised registered entity – not a particular individual – would potentially be subject to an enforcement action.”

Notwithstanding the foregoing, the Bureau stated its expectation that the requirement to designate a single attesting executive for a Covered Order will prompt the executive to focus greater attention on ensuring compliance, which in turn will increase the likelihood of compliance. The Bureau also indicated that it intends to use the information submitted under § 1092.204 to facilitate its efforts to assess compliance with any Covered Orders that may be enforced by the Bureau, and to make determinations regarding any potential Bureau supervisory or enforcement actions related to the Covered Order or any other identified risks to consumers. For example, “where information obtained under proposed 1092.204 indicates that a high-ranking executive has knowledge of (or has recklessly disregarded) violations of legal obligations falling within the scope of the Bureau’s jurisdiction, and has authority to control the violative conduct, the Bureau may use that information in assessing whether an enforcement action should be brought not only against the nonbank covered person, but also against the individual executive.” However, the Final Rule itself does not impose any legal obligation on the attesting executive to ensure compliance with any Covered Order.

Finally, with respect to the attestation required to be submitted as part of the annual written statement, the Bureau notes that Final Rule “does not purport to interpret provisions of criminal law . . . or to identify particular circumstances under which an attesting executive would become criminally liable for false statements,” however the Bureau indicates that it “expects attesting executives to submit truthful statements under the Final Rule and believes that the existence of other laws like 18 USC 1001 provides incentives in that regard.” Notably, however, 18 USC 1001 makes it a crime to make any false statements in any matter within the jurisdiction of the executive, legislative, or judicial branch of the U.S. government. Therefore, the Bureau appears to suggest that making a false attestation under the Final Rule may also constitute a crime under 18 USC 1001 or other applicable law.

What Do I Need to Do?

The Final Rule is complicated – some might say unnecessarily so – with lots of opportunities for missteps. Between the Final Rule and the Bureau’s recent apparent strategy to issue consent orders with indefinite terms, companies will need to be extra vigilant to avoid the scarlet letter designation of a repeat offender.  Now is the time to double down on compliance. This also holds true for Covered Nonbanks that are not subject to CFPB supervision as the Final Rule also coincides with the CFPB’s increased use of its so-called “dormant authority,” which empowers the Bureau to designate nonbanks for supervision based on certain risks to consumers. Covered Nonbanks that are designated for CFPB supervision must also comply with the additional reporting and attestation requirements applicable to supervised registered entities.

While the Final Rule does not establish any minimum procedures nor otherwise specify the steps an entity must take to comply with the Final Rule, failure to implement steps in accordance with the CFPB’s expectations will not be viewed positively by the Bureau. As a result, now is the time for nonbanks to work with counsel to understand and implement the Final Rule, as applicable, into their compliance management systems once the filing instructions are released.


CFPB’s War on Mortgage Fees Continues

What Happened?

Immediately following President Biden’s State of the Union Address announcing plans to lower homebuyer and refinancing costs, the CFPB issued a blog post seeking public input on how mortgage closing costs impact consumers. The CFPB also announced that it will work to monitor closing costs and, “as necessary, issue rules and guidance to improve competition, choice and affordability.” Significantly, the CFPB also signaled that it will continue to use its supervision and enforcement tools for companies that fail to comply with the law.

Why Is It Important?

The CFPB is putting companies on notice that the Bureau will be taking a close look at the total loans costs for originating a residential mortgage loan, including origination fees, appraisal fees, credit report fees, title insurance, discount points, and other fees. In particular, the CFPB is paying “significant attention to the recent rise in discount points,” and seems concerned with the lack of competition in connection with certain fees, such as lender’s title insurance and credit reports. The CFPB also has expressed concerns with how companies may charge lender credits and fees that are financed into the loan amount (through higher interest rates or mortgage insurance payments).

While the CFPB’s blog post does not identify any specific laws, it does provide some clues. First, the Bureau is concerned that some closing costs are high and increasing due to lack of competition. According to the Bureau, “[b]orrowers are required to pay for many of the costs associated with closing a home loan but cannot pick the provider and do not benefit from the service.” Taking unreasonable advantage of the inability of a consumer to protect their interests in selecting or using a consumer financial product or service could be construed as abusive under the Dodd-Frank Act’s UDAAP statute.

Because certain fees are fixed and don’t fluctuate with the loan size or interest rate, the Bureau is concerned that such fees could disproportionately impact borrowers with smaller loans, such as low-income borrowers, first-time borrowers, or Black or Hispanic borrowers.  This could present a fair lending problem under the Equal Credit Opportunity Act. Indeed, the CFPB already has announced that, pursuant to its authority to prevent unfair, deceptive, and abusive acts or practices (“UDAAPs”), the Bureau will begin examining institutions for alleged discriminatory conduct that the Bureau deems to be unfair.

Of course, Congress passed the Dodd-Frank Act to address many of the above concerns, and the TRID Rule already attempts to ensure that consumers are provided with greater and more timely information on the nature and costs of the residential real estate settlement process and are protected from unnecessarily high settlement charges.

What Do I Need to Do?

The CFPB is sending a strong message to the industry that closing fees will be receiving scrutiny from the CFPB.  And knowing that the CFPB has been on a hiring spree in its enforcement division, now is a good time to take a close look at the fees being charged from both a UDAAP and fair lending perspective.  The team at Alston & Bird has deep knowledge on mortgage fees and is happy to assist with such a review.

A Friendly Reminder of the Importance of Robust Consumer Complaint Handling Processes

What Happened?

On February 27, 2024, the California Department of Financial Protection and Innovation (the Department) entered into a public consent order with a company that provides consumer financial services to California residents. The consent order alleges that between January 2020 and September 2022, the Department received complaints from consumers raising concerns about their accounts and customer service interactions with the company, which the Department forwarded to the company for investigation and response. The Department also investigated the company’s handling of those consumer complaints.

The Department found that the company’s complaint handling was deficient in that “occasional mistakes” that occurred in the Company’s responsiveness to consumer complaints were substantial enough to have violated the California Consumer Financial Protection Law (CCFPL). The Department alleged that as between the company and the consumer, the company was in the better position to accurately evaluate the available information in most cases and to respond to consumers’ complaints in a timely manner and while the number of mistakes during the Department’s investigation period was relatively small in comparison to the overall number of consumer complaints received, the Department concluded that the mistakes were important to the affected consumers.

To resolve these allegations, the company agreed to (1) desist and refrain from violating the CCFPL through its complaint handling processes, (2) pay a penalty of $ 2.5 million, (3) enhance existing customer service procedures or processes, (4) establish, implement, enhance, and maintain testing policies, procedures, and standards reasonably designed to, at a minimum, ensure compliance with the law, and (5) report to the Department annually for two years on these standards. These standards require the company to:

  • Ensure customer service support 24 hours a day, seven days a week;
  • Ensure sufficient customer service support staffing;
  • Ensure sufficient customer service support training; and
  • Investigate and implement policies and procedures to maintain the accurate, prompt and proper handling of consumer complaints.

Why is it Important?

The CCFPL was enacted in September 2020 and grants the Department expanded authority over persons engaged in offering or providing a consumer financial product or service in California and their affiliated service providers. Notably, under the CCFPL, it is unlawful for a “covered person” or “service provider,” to do any of the following:

  • Engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (UDAAP) with respect to consumer financial products or services.
  • Offer or provide to a consumer any financial product or service not in conformity with any consumer financial law or otherwise commit any act or omission in violation of a consumer financial law.
  • Fail or refuse, as required by a consumer financial law or any rule or order issued by the Department thereunder, to do any of the following:
    • Permit the Department access to or copying of records.
    • Establish or maintain records.
    • Make reports or provide information to the Department.

The CCFPL defines a “covered person” to mean, to the extent not preempted by federal law, any of the following:

  • Any person that engages in offering or providing a consumer financial product or service to a resident of California.
  • Any affiliate of a person described above if the affiliate acts as a service provider to the person.
  • Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.

A “servicer provider” includes any person that provides a material service to a covered person in connection with the offering or provision by that covered person of a consumer financial product or service, including a person that either:

  • Participates in designing, operating, or maintaining the consumer financial product or service.
  • Processes transactions relating to the consumer financial product or service, other than unknowingly or incidentally transmitting or processing financial data in a manner that the data is undifferentiated from other types of data of the same form as the person transmits or processes.

The term “service provider” does not include a person solely by virtue of that person offering or providing to a covered person either a support service of a type provided to businesses generally or a similar ministerial service, or time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.

Notwithstanding the broad definition of “covered person,” the CCFPL contains numerous exemptions, including for banks; licensed escrow agents; licensees under the California Financing Law; licensed broker-dealers or investment advisers; licensees under the Residential Mortgage Lending Act; licensed check sellers, bill payers, or proraters; and licensed money transmitters, among others.

The Department is authorized to impose civil money penalties for any violation of the CCFPL, rule or final order, or condition imposed in writing by the Department in an amount not to exceed the greater of $5,000 for each day during which a violation or failure to pay continues, or $2,500 for each act or omission. Reckless violations are subject to increased penalties not to exceed the greater of $25,000 for each day during which the violation continues, or $10,000 for each act or omission. For knowing violations, the Department is authorized to assess penalties not to exceed the lesser of one percent of the person’s total assets, $1 million for each day during which the violation continues, or $25,000 for each act or omission.

What Do You Need to Do?

It is always important to take consumer complaints seriously and to respond timely and accurately. Now is the time to review your company’s complaint management procedures to make sure they are robust. It is always important to mine your consumer complaints so that you can learn from them and correct errors timely to ensure mistakes don’t recur, and the Department’s latest settlement is a reminder that companies subject to the CCFPL also have a legal obligation to do so.

CFPB’s Proposed Insufficient Fund Fee Rule – Narrow in Scope with Potential for Greater Impact

What Happened?

On January 24, 2024, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule that would prohibit covered financial institutions from imposing a nonsufficient funds (NSF) fee when consumers initiate transactions that are instantaneously or near instantaneously declined (the Proposed Rule). According to the CFPB, such fees are not based on the transaction amount or processing cost and take unreasonable advantage of a consumer’s lack of understanding of the material risk, costs or conditions of the product or service. In the Preamble to the Proposed Rule, the CFPB recognizes that “currently covered financial institutions rarely charge NSF fees on covered transactions” and, thus, the “CFPB is proposing this rule primarily as a preventive measure.” With that said, the Proposed Rule is significant in that the Bureau also clarifies its approach to assessing abusive practices.

Why is it Important?


In January 2022, the CFPB launched an initiative to reduce certain fees charged by banks and other companies under its jurisdiction, by issuing a Request for Information (Fee RFI) seeking public comment regarding fees that are not “subject to competitive processes that ensure fair pricing.” The CFPB continues to focus on these so-called “junk fees,” which the Bureau described in its Fee RFI, in part, as “fees that far exceed the marginal cost of the service they purport to cover, implying that companies are not just shifting costs to consumers, but rather, taking advantage of a captive relationship with the consumers to drive excess profits.” The Bureau’s attention is now on NSF fees.

The Proposed Rule

The Proposed Rule may be narrow in scope, but much broader in potential impact. It would prohibit a “financial institution” from charging an NSF fee to a consumer who attempts to withdraw, debit, pay, or transfer funds from their “account” that is declined instantaneously or near instantaneously by the “financial institution.” For purposes of the Proposed Rule, the term “account” and “financial institution” are defined consistent with Regulation E. Thus, a financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services. An account is defined equally broad to include: (i) checking, savings, or other consumer asset account held by a financial institution (directly or indirectly), including certain club accounts, established primarily for personal, family or household purposes, and (ii) a prepaid account. An account would not include, among others, escrow accounts for real estate taxes or insurance or an occasional or incidental credit balance in a credit plan. It is also worth noting that, according to the CFPB, checks and ACH transactions are not covered by the rule unless they evolve in a way to be cleared instantaneously.

While the scope of the Proposed Rule is narrow, the Bureau’s interpretation of abusiveness as articulated in the Proposed Rule is not. By way of background, Section 1031 of the Consumer Financial Protection Act (CFPA) prohibits unfair, deceptive, or abusive acts or practices (UDAAPs) under Federal law in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service. The Proposed Rule finds that charging an NSF fee in instantaneously or near instantaneously declined transactions violates the “lack of understanding” prong of the abusiveness standard. Under the CFPB’s Policy Statement on Abusive Acts or Practices, the “lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service” concerns gaps in understanding affecting consumer decision making.

The Proposed Rule attempts to fine tune the “lack of understanding” analysis by distinguishing prior comments the Bureau made in its 2020 Payday Lending Rule, by clarifying that:

  • “[L]ack of understanding under the abusiveness standard of UDAAP is not synonymous with reasonable avoidability under the unfairness standard.”
  • Magnitude and risk of harm are distinct and should have no bearing on a “lack of understanding” analysis.
  • A consumer’s lack of understanding should not be characterized as general or specific as such framework is unhelpful in determining whether consumers understand the material risks, costs or conditions of a financial product or service.

Under the Proposed Rule, the Bureau has preliminarily determined that the charging of such fee is abusive under Section 1031(d) of the CFPA as it would take “unreasonable advantage of consumers’ lack [of] understanding of the material risks, costs, or conditions associated with their deposit accounts” and that “covered financial institutions that charge NSF fees on covered transactions would be benefiting from negative consumer outcomes that result from…a consumer’s lack of understanding.”

The Bureau summarily dismissed that such risks could be mitigated, as disclosure would be too costly, too unfeasible, and unlikely to eliminate the risk. Rather, “[d]rawing on its experience and expertise regarding consumer behavior, the CFPB believes that if a transaction entails material risks or costs and consumers derive minimum or no benefit from the transaction, it is generally reasonable to conclude that consumers who nonetheless went ahead with the transaction did not understand the material risks, costs or the conditions to those risks or costs.”

In other words, the CFPB appears to believe that no consumer would initiate a transaction knowing that they have insufficient funds and that a fee could be charged if their transaction is declined, despite the fact that (1) the vast majority of consumers have readily available access to their bank account balances, (2) such fees are generally disclosed to consumers, and (3) consumers contractually agree to pay such fees.

What Do You Need to Do?

While the Proposed Rule has limited application, the Bureau’s interpretation of the abusiveness standard could have far broader implications, as the Bureau could deem as abusive any fee which it determines provides little to no consumer benefit. For example, it is unclear what would stop the Bureau from prohibiting other fees as abusive, based on a determination that such fees provide little to no consumer benefit and that financial institutions are “benefiting from negative consumer outcomes that result from…a consumer’s lack of understanding,” given that the Bureau’s rationale appears to give little regard to consumer disclosures or contract law.

Therefore, given the potential downstream implications of the CFPB’s broad interpretation of abusiveness, companies subject to the CFPB’s jurisdiction should carefully review the Proposed Rule and consider submitting a comment letter, even if the Proposed Rule itself would not directly apply to the company. The Proposed Rule’s comment period expires on March 25, 2024.


CFPB Touts 2023 Greatest Hits and Casts a Line for Enforcement Hires

What Happened?

Earlier this week, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released a blog post touting its 2023 successes in safeguarding “household financial stability” through the levying of fines and filing of lawsuits. The Bureau highlighted seven enforcement cases:

  • Protecting Servicemembers from Illegal High-Interest Loans and False Advertising: In February 2023, the CFPB ordered an auto title loan lender and several affiliated entities to pay a total of $15 million in penalties and consumer redress to resolve allegations that the entities violated the Military Lending Act. That same month, the CFPB permanently banned a California-based mortgage lender from the mortgage lending industry and imposed a $1 million penalty on the lender for repeatedly violating a 2015 consent order by, among other things, allegedly continuing to send advertisements to military families that led recipients to believe the company was affiliated with the U.S. government.
  • Taking Action for Illegally Charging Junk Fees, Withholding Credit Card Rewards, and Operating Fake Bank Accounts: In July 2023, the CFPB ordered a national bank to pay a more than $190 million in penalties and consumer redress to resolve allegations that the bank double dipped on insufficient funds fees imposed on customers, withheld reward bonuses promised to credit card customers, and misappropriated sensitive personal information to open accounts without customer knowledge or authorization. The Office of the Comptroller of the Currency (“OCC”) also found that the bank’s double-dipping on insufficient funds fees was illegal and ordered the bank to pay $60 million in penalties.
  • Intentional Illegal Discrimination Against Armenian Americans: In November 2023, the CFPB ordered a national bank to pay $25.9 million in fines and consumer redress for allegedly “intentionally and illegally discriminating against credit card applicants the bank identified as Armenian American.” 
  • Taking Action to Stop Loan Churning: In August 2023, the CFPB sued a high-cost installment loan lender and several of its wholly owned, state-licensed subsidiaries, for allegedly violating the Consumer Financial Protection Act by “illegally churning loans to harvest hundreds of millions in loan costs and fees.”
  • Illegal Rental Background Check and Credit Reporting Practices: In October 2023, the CFPB and the Federal Trade Commission (“FTC”) sued a rental screening subsidiary of a national consumer credit reporting agency for allegedly violating the Fair Credit Reporting Act by failing to take steps to ensure the rental background checks that landlords use to decide who gets housing were accurate and withholding from renters the names of third parties that were providing the inaccurate information. The resulting court order required the company to pay $15 million in penalties and make significant improvements to how it reports evictions. Separately, the CFPB ordered the national consumer reporting agency to pay $8 million in consumer redress and penalties for failing to timely place or remove security freezes and locks on consumer credit reports and for falsely telling certain consumers that their requests were processed.
  • Stopping unlawful junk advance fees for credit repair services: In August 2023, the CFPB entered into a settlement with a credit repair service conglomerate that imposed a $2.7 billion judgment and banned the companies from telemarketing credit repair services for 10 years.

The CFPB touted that in 2023 it secured over $3.5 billion in total fines and compensation from financial services “lawbreakers” in 2023.  The CFPB largely attributed these cases to the creation of a “team of technologists” working on emerging technologies to “enforce the law when emerging technologies harm consumers.”

Why is this Important?

The CFPB filed 29 enforcement actions in 2023 but selected the seven highlighted above, possibly signaling that junk fees, fair lending, servicemember protections, and credit reporting, among others, remain on the Bureau’s radar. We do not expect the CFPB to issue any sort of accounting covering enforcement cases which it dropped in 2023.

Interestingly, the CFPB also used this post to recruit new “cross-disciplinary” employees (both attorneys and non-attorneys) for its Office of Enforcement and reiterated that the Bureau is “significantly expanding [its] enforcement capacity in 2024 to build on [its] achievements so far.” The roles are located in the Bureau’s Washington, D.C. headquarters and its regional offices in Atlanta, Chicago, New York and San Francisco.  The last of the associated employment information virtual sessions occurred on January 30, 2024.  Strangely, the CFPB only released this blog post the day before the last of these three sessions and it is not known how that late notice may impact application numbers.

What Do You Need to Do?

Given that the CFPB is telegraphing those issues that are top of mind for the Bureau as well as its emphasis on ramping up enforcement in 2024, now is a good time for companies to review their compliance management programs and make any necessary enhancements to policies, procedures, processes, and systems to ensure compliance with all applicable consumer financial laws and regulations. In particular, institutions should revisit their compliance monitoring programs to determine whether any updates are needed to minimize enforcement risk.