Alston & Bird Consumer Finance Blog

#BigTech

Is the CFPB using its market monitoring orders to build enforcement cases?

By

As we previously noted, on October 21, the CFPB issued orders to six large technology firms seeking information about their payment product business plans (the “October 21 Orders”). According to the Bureau, the purpose of orders was to “shed light on the business practices of the largest technology companies in the world.” The CFPB’s use of its market monitoring authority under Section 1022(c)(4) of the Dodd-Frank Act for this amorphous purpose was a break from established precedent. Historically, the CFPB issued 1022(c)(4) orders to support its efforts to issue specific rulemakings or Congressionally-mandated research reports. (See, e.g., Appendix B of the CFPB’s 2018 Sources and Uses of Data report).

On December 16, the CFPB again broke with historic precedent when it issued a new set of 1022(c)(4) orders, this time to five Buy Now, Pay Later (“BNPL”) providers (the “December 16 Orders”). Much has already been written about the information demanded by the CFPB in the orders, and about the institutions subject to the orders. However, less attention has been paid to what the CFPB might do with the information it receives.

Traditionally, the CFPB has maintained a firewall between its market monitoring function and its enforcement function, in recognition of the distinction established by Congress in the Dodd-Frank Act. Section 1022(c)(4) of the Dodd-Frank Act authorizes the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, including developments in markets for such products or services. Congress specified that information obtained by the CFPB using this general power may only be made public (if at all) through aggregated reports or other formats designed to protect the confidentiality of the information. Accordingly, Congress provided few procedural safeguards to financial institutions subject to such collections. Section 1052 of the Dodd-Frank Act establishes the specific enforcement powers of the CFPB and provides that the CFPB may collect information by means of civil investigative demands (CIDs) for the purpose of ascertaining whether a financial institution has violated Federal consumer financial law. Congress provided several procedural safeguards for the targets of CFPB enforcement investigations, including requirements for the service and contents of CIDs, the collection of oral testimony, and the receipt of petitions to modify or set aside the CIDs.

In announcing its October 21 Orders, the CFPB publicly released a sample order representing the actual orders sent to the six technology firms. The language used in the sample order maintained the firewall between its market monitoring and enforcement activities, stating in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order …, nor is it being issued under section 1052 of the Dodd-Frank Act.

By contrast, the sample order released in connection with CFPB’s announcement of the December 16 Orders to the five BNPL providers lacks the language acknowledging that the order is not being issued under Section 1052, and only states in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order.

Also, the December 16 sample order contains new language not present in the October 21 sample order, stating:

The Bureau reserves the right to use the information for any purpose permitted by law.

Read together, these two changes suggest that the CFPB intends to remove the firewall between its market monitoring and enforcement functions and could use the information collected from the BNPL providers pursuant to the December 16 Orders to build enforcement cases. If so, this development could be considered an attempted end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act. The CFPB can, if it wishes, provide express procedural safeguards within the orders that are equivalent to the types provided in Section 1052 or by agencies like the FTC in similar circumstances, but it has elected not to do so at this time. Recipients of future 1022(c)(4) orders should be mindful of this development in their responses to the CFPB.

Did the CFPB follow PRA requirements in issuing its Big Tech orders?

By

On October 21, the CFPB issued a series of orders to “collect information on the business practices of large technology companies operating payments systems in the United States.”

The CFPB sent the orders to six companies: Amazon, Apple, Facebook, Google, PayPal, and Square. In a statement accompanying the press release announcing the orders, Director Chopra described the CFPB’s action as an “inquiry into big tech payment platforms” and stated that he had ordered “six technology platforms offering payment services” to turn over information about their products, plans and practices. Responses from the companies to the CFPB orders are due by December 15.

The CFPB issued the orders pursuant to Section 1022(c)(4) of the Consumer Financial Protection Act (CFPA), its so-called market monitoring authority. See 12 U.S.C. 5512(c). This authority permits the CFPB to collect information regarding the activities of “covered persons” (a defined term) for the purpose of monitoring markets for risks to consumers in the offering or provision of “consumer financial products or services” (another defined term). This jurisdictional limitation is important – the CFPB cannot issue these orders to any company in the country; the orders may only be sent to companies that are engaged in offering or providing financial services (or that are service providers to those companies). Hence the CFPB’s necessary and intentional focus on large technology companies operating payments systems in the United States, rather than all technology companies.

Importantly, CFPB information collections under Section 1022(c)(4) of the CFPA are not exempt from the Paperwork Reduction Act (PRA) of 1995. See 44 U.S.C. 3501 et seq. PRA requires that agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public. See 5 C.F.R. 1320.5(a). As part of the general PRA review process, agencies must seek two rounds of public comment regarding a proposed information collection for a combined minimum of 90 days.

In reviewing an agency’s information collection request, OMB’s Office of Information and Regulatory Affairs (OIRA) will determine among other things whether the request is necessary for the proper performance of the agency’s functions, is not duplicative of information otherwise accessible to the agency, and has practical utility. See 5 C.F.R. 1320.5(d). If OIRA approves the agency’s information collection request, OMB will issue the agency a unique control number. An agency may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. See 5 C.F.R. 1320.5(b).

The PRA and OMB’s implementing regulation each define “collection of information” to mean obtaining answers to identical questions posed to “ten or more persons” within a twelve-month period. See 44 U.S.C. 3502(3) and 5 C.F.R  1320.3(c). This means that PRA requirements generally do not apply to information collected from nine or fewer institutions. However, OMB regulations further specify that “[a]ny collection of information addressed to all or a substantial majority of an industry is presumed to involve ten or more persons.” See 5 CFR 1320.3(c)(4)(ii). OMB guidance provides:

“All such collections require OMB review and approval. Agencies may have evidence showing that this presumption is incorrect in a specific situation. In such a case, the agency may proceed with the collection without seeking OMB approval. Upon OMB request, however, the agency needs to provide that evidence to OMB and needs to abide by OMB’s determination as to whether the collection of information requires OMB approval.” See OIRA, “The PRA of 1995: Implementing Guidance for OMB Review of Agency Information Collection,” Draft, Ch. II.C.3 (August 16, 1999).

The CFPB did not seek public comment on its proposed information collection before issuing its October 21st orders, and does not appear to have obtained OMB approval of its proposed information collection prior to issuing its October 21 orders. The reason it did not do so appears to be because it issued orders to only six companies, which are fewer than the ten institutions necessary for mandatory application of the PRA. However, the question remains whether the six institutions (which the CFPB described as “Tech Giants” in its press release) collectively represent a “substantial majority” of the industry identified by the CFPB (i.e., “large technology companies operating payments systems in the United States”).

While it is not clear from OMB regulations or guidance what proportion of an industry would constitute a “substantial majority” for PRA purposes, it is not inconceivable that the combined size and market share of Amazon, Apple, Facebook, Google, PayPal and Square might constitute a substantial majority of the “big tech payment platforms” industry. If this is the case, OMB rules create a presumption that the CFPB’s October 21st orders are subject to the PRA. Under normal circumstances, when considering a proposed information collection, CFPB staff are expected to consult with the agency’s OIRA desk officer as appropriate and the CFPB’s PRA officer will also offer CFPB leadership an independent opinion regarding the applicability of the PRA. Additionally, the CFPB may have prepared evidence for submission to OMB to rebut the presumption that its proposed information collection is subject to the PRA. However, nothing in the CFPB’s press release, sample order, Director’s statement or November 1 request for comment address the applicability of the PRA to the information sought from the six companies.

Take-Away: If the PRA applies to the CFPB’s October 21st orders, there are two significant consequences. First, without an OMB-approved control number attached to the orders, the recipients are under no legal obligation to respond to the CFPB. Second, contrary to the statutory purposes of the PRA articulated by Congress, the public will have been deprived of the meaningful opportunity to provide comment regarding the proposed orders in advance of their issuance. Such comments would foreseeably focus on important considerations raised by the proposal, including for instance the utility of the information being sought and the logical nexus between demands for internal memoranda relating to potential future business plans and the CFPB’s limited authority to monitor for present risks to consumers in the current offering or provision of consumer financial products and services. Such commentary, if sought and received by the CFPB, could only help it craft its orders in a way that achieves its goals while remaining faithful to the statutory purposes of the PRA. In as much as the CFPB’s novel use of its Section 1022(c)(4) authority creates a precedent for the future, additional transparency from the CFPB regarding the application of the PRA to its October 21st orders may be warranted, and would undoubtedly be welcome before December 15.