Alston & Bird Consumer Finance Blog

#CFPB

CFPB’s SBREFA Outline on Automated Valuation Models Rekindles Debate over Disparate Impact Liability under the ECOA

By ,

Section 1473(q) of the Dodd-Frank Act (now codified at 12 U.S.C. § 3354(q)) amended the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (“FIRREA”) to instruct the CFPB, Fed, OCC, FDIC, NCUA, and FHFA (collectively, the “agencies”) to jointly develop regulations for quality control standards for automated valuation models (“AVMs”), defined as “any computerized model used by mortgage originators and secondary market issuers to determine the collateral worth of a mortgage secured by a consumer’s principal dwelling.” As part of the rulemaking process, the Small Business Regulatory Enforcement Fairness Act of 1996 (“SBREFA”) requires the CFPB to convene a Small Business Review Panel to consider whether the rule could have a significant economic impact on a substantial number of small entities. Accordingly, on February 23, 2022, the CFPB released an outline of proposals and alternatives under consideration by the agencies to seek informed feedback and recommendations from small businesses likely to be subject to the rule.

As amended, subparts (1) – (4) of FIRREA Section 1125(a) mandate that the agencies establish four specific quality control standards for AVMs. FIRREA Section 1125(a)(5) also affords the agencies discretion to adopt standards designed to “account for any other such factor that the agencies…determine to be appropriate.” As such, the CFPB’s SBREFA outline proposes creating a fifth such discretionary quality control standard “designed to protect against unlawful discrimination.”

In support of its proposal, the CFPB asserts that algorithmic systems such as AVMs are subject to Federal nondiscrimination laws, including the Equal Credit Opportunity Act (“ECOA”), because a lender evaluating an applicant’s collateral could use an AVM “in a way that would treat an applicant differently on a prohibited basis or result in unlawful discrimination against an applicant on a prohibited basis.” The CFPB then notes that it recognizes three different methods of proving discrimination under the ECOA and its implementing regulation (“Regulation B”): (1) overt discrimination; (2) disparate treatment; and (3) disparate impact. It is worth mentioning that overt discrimination has been viewed by federal regulators such as DOJ and the FDIC as a blatant type of disparate treatment that does not require an inference or presumption based on circumstantial evidence. However, it appears that the CFPB considers these theories to be distinct from one another.

The third method of proving discrimination articulated by the CFPB, disparate impact, has been a controversial theory of liability because it imposes liability on a creditor even where the creditor had no intent to discriminate against an applicant. Rather, the theory presumes that the creditor has treated applicants fairly and consistently in accordance with some facially neutral policy or procedure of the creditor. Of course, the disparate impact theory gained traction in the subprime lending cases post-2008 and then loomed large in the CFPB’s enforcement actions against indirect auto lenders, the latter of which were scrutinized by Congress in its decision to rescind the CFPB’s indirect auto lending guidance using the Congressional Review Act. In fact, it remains a legal question whether disparate impact claims are cognizable under the ECOA since the United States Supreme Court (“Supreme Court”) has never considered the issue, though civil rights advocates point to the Supreme Court’s willingness in the 2015 Inclusive Communities case to recognize the theory for discrimination claims brought under the Fair Housing Act (“FHA”).

Thus, should the agencies adopt a final rule that relies upon disparate impact under the ECOA as a legal basis to justify imposing a quality control standard on AVMs (or muddies the waters by relying upon both the ECOA and the FHA without distinction), it is possible that the rule could be challenged under the Administrative Procedures Act as not in accordance with the law. Alternatively, if the CFPB were to bring an enforcement action against a creditor for allegedly violating either the final rule’s quality control standard or ECOA itself on the basis of disparate impact, the creditor could defend itself by arguing among other things that disparate impact claims are not cognizable under the ECOA. Indeed, the ECOA lacks any “results-oriented” language like the “otherwise make available” language of the FHA or the “otherwise adversely affect” language of the Age Discrimination in Employment Act, which the Supreme Court, in decisions issued a decade apart, relied on in recognizing disparate impact liability.

Even if the plain language of the ECOA could not support a disparate impact claim, the CFPB might argue that the statute’s anti-discrimination provision is ambiguous (by asserting, for instance, that the word “discriminate” could be interpreted to encompass both intent-based and effects-based actions), in which case the CFPB may expect the reviewing court to grant its interpretation Chevron deference. See Chevron, U.S.A. v. Natural Resources Defense Council, Inc. 476 U.S. 837 (1984). But this argument also might prove difficult because Chevron deference is appropriate only when it appears that Congress has “delegated authority to the agency generally to make rules carrying the force of law, and … the agency interpretation claiming deference was promulgated in the exercise of such authority.” See Public Citizen, Inc. v. U.S. Dept. of Health and Human Services, 332 F.3d 654, 659 (D.C. Cir. 2003) (quoting U.S. v. Mead Corp., 533 U.S. 218 (2001)). In examining Regulation B, which was originally issued by the Fed and subsequently readopted by the CFPB, the only references to the concept of disparate impact appear in 12 C.F.R. § 1002.6(a) and Official Interpretation 6(a)-2. However, these provisions merely summarize the ECOA’s legislative history and Supreme Court precedent under Title VII of the Civil Rights Act, and even then, acknowledge only that the ECOA “may” prohibit acts that are discriminatory in effect. The CFPB has articulated its belief that disparate impact is cognizable under the ECOA elsewhere, including in a compliance bulletin and its examination manual, but those materials carry no force of law under the CFPB’s own recently-adopted rule. Thus, a reviewing court could conclude that the mere recitation of legislative history and of a judicial doctrine developed under an unrelated statute was not an actual exercise of rulemaking authority under the ECOA, and therefore that the agencies’ interpretation of the ECOA as expressed in Regulation B is not entitled to Chevron deference. In that circumstance, the reviewing court would be free to resolve any purported ambiguity in the ECOA according to its own construction, affording respect to the agencies’ position only to the extent it is persuasive. And should either of these issues – disparate impact under the ECOA or the availability of Chevron deference – ultimately be appealed to the Supreme Court, there may well be four justices willing to grant certiorari to consider them.

The uncertain outcome of any challenge to the CFPB’s use of disparate impact in a rulemaking or in enforcing the ECOA, given the stakes involved, suggests that the CFPB may seek to resolve matters via settlement rather than risking litigation in federal court. However, only time will tell whether the CFPB is spoiling for a fight.

Update regarding the BrightSpeed payment processor case

By

On January 18, after approximately fourteen months of settlement negotiations, the CFPB announced that it secured a settlement agreement with BrightSpeed Solutions, Inc., a third-party payment processor that had ceased operations nearly three years ago. As we reported in greater detail in a prior post, the CFPB asserted jurisdiction to bring its complaint against BrightSpeed by alleging that the company was a “covered person.” Under the Dodd-Frank, a covered person must offer or provide a “consumer financial product or service.” In the context of payment processing, the Dodd-Frank Act requires that such services be provided “to a consumer.” BrightSpeed, however, provided payment processing services only to merchants, not to consumers (the merchants were not alleged by the CFPB to be covered persons, meaning BrightSpeed was not a “service provider” for purposes of CFPB jurisdiction). In its answer to the CFPB’s complaint, BrightSpeed argued that the CFPB exceeded its statutory authority, its claims were barred by the statute of limitations, and it was using BrightSpeed’s financial distress as leverage against the company’s position.

If unnamed merchants defrauded consumers into purchasing unnecessary software in tech-support scams, as the CFPB alleged in its complaint, the merchants should be held to account by the FTC or state attorneys general (the CFPB, for instance, instructs consumers to report tech-support scams directly to the FTC). However, the CFPB’s claimed jurisdiction in this case would establish the precedent that it can bring enforcement actions against any payment processor for providing services to merchants, whether or not those merchants are providing financial products or services (its two prior attempts to establish such a precedent in the Intercept and Universal Debt Solutions cases failed). Moreover, such actions could be used to indirectly regulate merchant and retailer activity in a way specifically prohibited by Congress in the Dodd-Frank Act, similar to the way in which the CFPB once used enforcement actions against indirect auto lenders as a means of regulating dealer compensation practices.

The proposed stipulated judgment and order filed jointly by the CFPB and BrightSpeed with U.S. District Court for the Northern District of Illinois specifically requests that Judge John J. Tharp Jr. find that the CFPB’s “[c]omplaint alleges claims upon which relief may be granted” and “[e]ntry of this order is in the public interest.” The parties separately noticed that they will present their proposed order to Judge Tharp on the morning of Thursday, January 20, at 9:00 a.m.

Update Regarding the CFPB’s Buy Now, Pay Later Orders

By

In a prior post, we reported that the language used in orders recently issued by the CFPB to leading Buy Now, Pay Later (“BNPL”) providers suggested that the CFPB intends to use the information it collects to build enforcement cases rather than monitor market developments. We also reported that if this is the case, it is a departure from historic precedent and can be considered an end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act to ensure that due process is afforded to financial institutions that become the target of CFPB enforcement investigations.

The CFPB’s intentions were apparently confirmed in a January 5 article in Axios about the BNPL orders, which quotes the CFPB’s small dollar, marketplace and installment lending program manager as saying:

It is certainly possible that we could as a result of the data collection take enforcement action.

Assuming this quote is accurate, recipients of CFPB 1022(c)(4) market monitoring orders should be well aware that any information provided to the agency may be used for enforcement purposes.

Is the CFPB using its market monitoring orders to build enforcement cases?

By

As we previously noted, on October 21, the CFPB issued orders to six large technology firms seeking information about their payment product business plans (the “October 21 Orders”). According to the Bureau, the purpose of orders was to “shed light on the business practices of the largest technology companies in the world.” The CFPB’s use of its market monitoring authority under Section 1022(c)(4) of the Dodd-Frank Act for this amorphous purpose was a break from established precedent. Historically, the CFPB issued 1022(c)(4) orders to support its efforts to issue specific rulemakings or Congressionally-mandated research reports. (See, e.g., Appendix B of the CFPB’s 2018 Sources and Uses of Data report).

On December 16, the CFPB again broke with historic precedent when it issued a new set of 1022(c)(4) orders, this time to five Buy Now, Pay Later (“BNPL”) providers (the “December 16 Orders”). Much has already been written about the information demanded by the CFPB in the orders, and about the institutions subject to the orders. However, less attention has been paid to what the CFPB might do with the information it receives.

Traditionally, the CFPB has maintained a firewall between its market monitoring function and its enforcement function, in recognition of the distinction established by Congress in the Dodd-Frank Act. Section 1022(c)(4) of the Dodd-Frank Act authorizes the CFPB to monitor for risks to consumers in the offering or provision of consumer financial products or services, including developments in markets for such products or services. Congress specified that information obtained by the CFPB using this general power may only be made public (if at all) through aggregated reports or other formats designed to protect the confidentiality of the information. Accordingly, Congress provided few procedural safeguards to financial institutions subject to such collections. Section 1052 of the Dodd-Frank Act establishes the specific enforcement powers of the CFPB and provides that the CFPB may collect information by means of civil investigative demands (CIDs) for the purpose of ascertaining whether a financial institution has violated Federal consumer financial law. Congress provided several procedural safeguards for the targets of CFPB enforcement investigations, including requirements for the service and contents of CIDs, the collection of oral testimony, and the receipt of petitions to modify or set aside the CIDs.

In announcing its October 21 Orders, the CFPB publicly released a sample order representing the actual orders sent to the six technology firms. The language used in the sample order maintained the firewall between its market monitoring and enforcement activities, stating in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order …, nor is it being issued under section 1052 of the Dodd-Frank Act.

By contrast, the sample order released in connection with CFPB’s announcement of the December 16 Orders to the five BNPL providers lacks the language acknowledging that the order is not being issued under Section 1052, and only states in relevant part:

This is a market-monitoring order issued under Section 1022(c)(1) & (4) of the Dodd-Frank Act… It is not a supervisory order.

Also, the December 16 sample order contains new language not present in the October 21 sample order, stating:

The Bureau reserves the right to use the information for any purpose permitted by law.

Read together, these two changes suggest that the CFPB intends to remove the firewall between its market monitoring and enforcement functions and could use the information collected from the BNPL providers pursuant to the December 16 Orders to build enforcement cases. If so, this development could be considered an attempted end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act. The CFPB can, if it wishes, provide express procedural safeguards within the orders that are equivalent to the types provided in Section 1052 or by agencies like the FTC in similar circumstances, but it has elected not to do so at this time. Recipients of future 1022(c)(4) orders should be mindful of this development in their responses to the CFPB.

Did the CFPB follow PRA requirements in issuing its Big Tech orders?

By

On October 21, the CFPB issued a series of orders to “collect information on the business practices of large technology companies operating payments systems in the United States.”

The CFPB sent the orders to six companies: Amazon, Apple, Facebook, Google, PayPal, and Square. In a statement accompanying the press release announcing the orders, Director Chopra described the CFPB’s action as an “inquiry into big tech payment platforms” and stated that he had ordered “six technology platforms offering payment services” to turn over information about their products, plans and practices. Responses from the companies to the CFPB orders are due by December 15.

The CFPB issued the orders pursuant to Section 1022(c)(4) of the Consumer Financial Protection Act (CFPA), its so-called market monitoring authority. See 12 U.S.C. 5512(c). This authority permits the CFPB to collect information regarding the activities of “covered persons” (a defined term) for the purpose of monitoring markets for risks to consumers in the offering or provision of “consumer financial products or services” (another defined term). This jurisdictional limitation is important – the CFPB cannot issue these orders to any company in the country; the orders may only be sent to companies that are engaged in offering or providing financial services (or that are service providers to those companies). Hence the CFPB’s necessary and intentional focus on large technology companies operating payments systems in the United States, rather than all technology companies.

Importantly, CFPB information collections under Section 1022(c)(4) of the CFPA are not exempt from the Paperwork Reduction Act (PRA) of 1995. See 44 U.S.C. 3501 et seq. PRA requires that agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public. See 5 C.F.R. 1320.5(a). As part of the general PRA review process, agencies must seek two rounds of public comment regarding a proposed information collection for a combined minimum of 90 days.

In reviewing an agency’s information collection request, OMB’s Office of Information and Regulatory Affairs (OIRA) will determine among other things whether the request is necessary for the proper performance of the agency’s functions, is not duplicative of information otherwise accessible to the agency, and has practical utility. See 5 C.F.R. 1320.5(d). If OIRA approves the agency’s information collection request, OMB will issue the agency a unique control number. An agency may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. See 5 C.F.R. 1320.5(b).

The PRA and OMB’s implementing regulation each define “collection of information” to mean obtaining answers to identical questions posed to “ten or more persons” within a twelve-month period. See 44 U.S.C. 3502(3) and 5 C.F.R  1320.3(c). This means that PRA requirements generally do not apply to information collected from nine or fewer institutions. However, OMB regulations further specify that “[a]ny collection of information addressed to all or a substantial majority of an industry is presumed to involve ten or more persons.” See 5 CFR 1320.3(c)(4)(ii). OMB guidance provides:

“All such collections require OMB review and approval. Agencies may have evidence showing that this presumption is incorrect in a specific situation. In such a case, the agency may proceed with the collection without seeking OMB approval. Upon OMB request, however, the agency needs to provide that evidence to OMB and needs to abide by OMB’s determination as to whether the collection of information requires OMB approval.” See OIRA, “The PRA of 1995: Implementing Guidance for OMB Review of Agency Information Collection,” Draft, Ch. II.C.3 (August 16, 1999).

The CFPB did not seek public comment on its proposed information collection before issuing its October 21st orders, and does not appear to have obtained OMB approval of its proposed information collection prior to issuing its October 21 orders. The reason it did not do so appears to be because it issued orders to only six companies, which are fewer than the ten institutions necessary for mandatory application of the PRA. However, the question remains whether the six institutions (which the CFPB described as “Tech Giants” in its press release) collectively represent a “substantial majority” of the industry identified by the CFPB (i.e., “large technology companies operating payments systems in the United States”).

While it is not clear from OMB regulations or guidance what proportion of an industry would constitute a “substantial majority” for PRA purposes, it is not inconceivable that the combined size and market share of Amazon, Apple, Facebook, Google, PayPal and Square might constitute a substantial majority of the “big tech payment platforms” industry. If this is the case, OMB rules create a presumption that the CFPB’s October 21st orders are subject to the PRA. Under normal circumstances, when considering a proposed information collection, CFPB staff are expected to consult with the agency’s OIRA desk officer as appropriate and the CFPB’s PRA officer will also offer CFPB leadership an independent opinion regarding the applicability of the PRA. Additionally, the CFPB may have prepared evidence for submission to OMB to rebut the presumption that its proposed information collection is subject to the PRA. However, nothing in the CFPB’s press release, sample order, Director’s statement or November 1 request for comment address the applicability of the PRA to the information sought from the six companies.

Take-Away: If the PRA applies to the CFPB’s October 21st orders, there are two significant consequences. First, without an OMB-approved control number attached to the orders, the recipients are under no legal obligation to respond to the CFPB. Second, contrary to the statutory purposes of the PRA articulated by Congress, the public will have been deprived of the meaningful opportunity to provide comment regarding the proposed orders in advance of their issuance. Such comments would foreseeably focus on important considerations raised by the proposal, including for instance the utility of the information being sought and the logical nexus between demands for internal memoranda relating to potential future business plans and the CFPB’s limited authority to monitor for present risks to consumers in the current offering or provision of consumer financial products and services. Such commentary, if sought and received by the CFPB, could only help it craft its orders in a way that achieves its goals while remaining faithful to the statutory purposes of the PRA. In as much as the CFPB’s novel use of its Section 1022(c)(4) authority creates a precedent for the future, additional transparency from the CFPB regarding the application of the PRA to its October 21st orders may be warranted, and would undoubtedly be welcome before December 15.