Alston & Bird Consumer Finance Blog


CFPB and FTC Amicus Brief Signals Stance on “Pay-to-Pay” Fees under FDCPA

What Happened?

On February 27, the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) filed an amicus brief in the 11th Circuit case Glover and Booze v. Ocwen Loan Servicing, LLC arguing that certain convenience fees charged by mortgage servicer debt collectors are prohibited by the Fair Debt Collection Practices Act (FDCPA). This brief comes on the heels of an amicus brief Alston & Bird LLP filed on behalf of the Mortgage Bankers Association (MBA). In its brief, the MBA urged the 11th Circuit to uphold the legality of the fees at issue.

While litigation surrounding convenience fees has spiked in recent years, there is no consensus on whether convenience fees violate the FDCPA.  Federal courts split on the issue, as there is little guidance at the circuit court level, and the issue before the 11th Circuit is one of first impression.  Consequently, the 11th Circuit’s ruling could significantly impact what fees a debt collector is permitted to charge, both within that circuit and nationwide.

Why is it Important?

Convenience fees, or what the agencies refer to as “pay-to-pay” fees, are the fees charged by servicers to borrowers for the use of expedited payment methods like paying online or over the phone. Borrowers have free alternative payment methods available (e.g., mailing a check) but choose to pay for the convenience of a faster payment method.

Section 1692f(1) of the FDCPA provides that a “debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt,” including the “collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.” The CFPB and FTC argue that Section 1692f(1)’s prohibition extends to the collection of pay-to-pay fees by debt collectors unless such fees are expressly authorized by the agreement creating the debt or affirmatively authorized by law.

First, the agencies contend that pay-to-pay fees fit squarely within the provision’s prohibition on collecting “any amount” in connection with a debt and that charging this fee constitutes a “collection” under the FDCPA. Specifically, the agencies attempt to counter Ocwen’s argument that the fees in question are not “amounts” covered by Section 1692f(1) because the provision is limited to amounts “incidental to” the underlying debt. They argue that fees need not be “incidental to” the debt in order to fall within the scope of Section 1692f(1). In making this point, the agencies claim the term “including” as used in the provision’s parenthetical suggests that the list of examples is not an exhaustive list of all the “amounts” covered by the provision. Further, the agencies attempt to counter Ocwen’s argument that a “collection” under the FDCPA refers only to the demand for payment of an amount owed (i.e., a debt). They argue that Ocwen’s understanding of “collects” is contrary to the plain meaning of the word; rather, the scope of Section 1692f(1) is much broader and encompasses collection of any amount, not just those which are owed.

Next, focusing on the FDCPA’s exception for fees “permitted by law,” the agencies contend that a fee is not “permitted by law” merely because it is authorized by a valid contract (one that implicitly authorizes the fee as a matter of state common law). The agencies suggest that if such fees could be authorized by any valid agreement, the first category of collectable fees defined by Section 1692f(1)—those “expressly authorized by the agreement creating the debt”—would be superfluous. Lastly, the agencies argue that neither the Electronic Fund Transfer Act nor the Truth in Lending Act – the two federal laws Ocwen relies on in its argument – affirmatively authorizes pay-to-pay fees.

What Do You Need to Do?

Stay tuned. The 11th Circuit has jurisdiction over federal cases originating in Alabama, Florida, and Georgia. Its ruling is likely to have a significant impact on whether debt collectors may charge convenience fees to borrowers in those states, and it could be cited as persuasive precedent in courts nationwide.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition. The Amendment becomes effective 180 days after publication in the Federal Register. Importantly, the Amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions within the FTC’s jurisdiction under the Safeguards Rule include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors, and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines, which apply to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines, which define “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. Accordingly, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorneys General under most state data breach notification laws (either explicitly or implicitly), but is a key difference from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website, and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”

Misrepresentation and Deception: Government Enforcement Agencies Ready to Litigate

A&B ABstract: The COVID-19 pandemic appears to be drawing the attention of consumer protection regulators to products that were active after the 2008 recession.

In the midst of the global pandemic, with unemployment rates surging to unprecedented levels, consumer protection regulators appear focused on areas where cash-strapped consumers may turn, such as credit repair, payday loans, and mortgage and other debt relief.

Notably, these are the same areas that consumer protection regulators were active in during the post-2008 recession. For example, on May 22, 2020, the Consumer Financial Protection Bureau (CFPB) and Commonwealth of Massachusetts filed a lawsuit alleging that defendants misrepresented that they can offer solutions that will or likely will substantially increase consumers’ credit scores despite not achieving those results.

In addition, on May 19, 2020, the Federal Trade Commission (FTC) was granted a temporary restraining order and asset freeze against a payday lending operation alleging that it deceptively overcharged consumers millions of dollars and withdrew money repeatedly from consumers’ bank accounts without their permission.

These lawsuits are just two of many efforts that government enforcement agencies have undertaken recently to combat fraud and protect consumers. Businesses should be aware that agencies are actively pursuing litigation as a means to remedy potential consumer harm.

CFPB and Commonwealth of Massachusetts v. Commonwealth Equity Group d/b/a Key Credit Repair and Nikitas Tsoukales

The CFPB and Massachusetts allege that Commonwealth Equity Group d/b/a Key Credit Repair (KCR) and its president, Nikitas Tsoukales, violated §§ 1031 and 1036 of the Consumer Financial Protection Act (CFPA), the Telemarketing Sales Rule’s (TSR) prohibition on deceptive and abusive telemarketing acts or practices, and the Massachusetts Credit Services Organization Law. 16 C.F.R. §§ 310.3 & 310.4; M.G.L. c. 93, §§ 68A-E (MA-CSO). KCR markets to consumers a service for supposedly removing harmful information from the consumer’s credit history, credit record, or credit scores or ratings. Since 2011, KCR has collected at least $23 million in fees from tens of thousands of consumers through its telemarketing services.

The Complaint

According to the complaint, consumers pay KCR a “first work fee” upon enrolling with the company and are then charged an additional monthly fee. KCR allegedly collects these fees from consumers before performing any service. KCR markets to consumers that “on average it can raise a person’s credit score by 90 points in 90 days” and that clients start “seeing removals of bad credit history in 45 days.” However, “consumers did not see credit scores with an average 90-point increase in 90 days,” nor did they see “removals on their credit reports within 45 days” of enrolling with KCR in many instances.

The Complaint alleges that this scheme constitutes an abusive telemarketing act because it is an improper advance fee to remove derogatory information from, or improve, a person’s credit history, credit record, or credit rating.

Further, the Complaint alleges that KCR’s conduct violates the CFPA because KCR allegedly misrepresented the material aspects of its services. Therefore, the CFPB and Massachusetts are seeking injunctive and monetary relief as well as civil monetary penalties.

FTC v. Lead Express, Inc., et al.

On May 11, 2020, the FTC filed an ex parte emergency motion for a temporary restraining order and sought other relief including an asset freeze against 11 payday lenders operating as a common enterprise through websites and telemarketing. The FTC alleged that the entities were engaging in deceptive, unfair, and unlawful marketing tactics in violation of the FTC Act, the TSR, the Truth in Lending Act (TILA), and the Electronic Fund Transfer Act (EFTA).

The Complaint

According to the FTC’s complaint, despite claiming that consumers’ loans would be repaid after a fixed number of payments, the defendants typically initiated repeated finance-charge-only withdrawals without crediting the withdrawals to the consumers’ principal balances. Thus, consumers allegedly paid significantly more than what they were told they would pay. These misrepresentations violate Section 5(a) of the FTC Act (15 U.S.C. § 45(a)) as well as the TSR (16 C.F.R. § 310.3(a)(2)(iii)).  Additionally, the defendants allegedly made recurring withdrawals from consumers’ bank accounts without proper authorization which violates Section 907(a) of EFTA (15 U.S.C. § 1693e(a)) and illegally used remotely created checks, which under the TSR (16 C.F.R. § 310.4(a)(9)) are a prohibited form of payment in telemarketing.

The complaint also alleges that the defendants often failed to make required credit transaction disclosures in violation of Sections 121 and 128 of TILA (15 U.S.C. §§ 1631 and 1638), and Sections 1026.17 and 1026.18 of Regulation Z (12 C.F.R. §§ 1026.17 and 1026.18).

The Court Order

On May 22, 2020, the District Court of Nevada granted an emergency motion for temporary restraining order against all eleven defendants. The order restrains the defendants from: (1) engaging in prohibited business activities in connection with advertising, marketing, promoting, or offering any loan or extension of credit, (2) releasing or using customer information, and (3) destroying, erasing, or falsifying documents relating to the business. Furthermore, the defendants’ assets are frozen pending the show-cause hearing, which will take place via videoconferencing on June 2, 2020, or further court order.


With these two cases, government enforcement agencies support their statements that as the global pandemic continues, they are watching for deceptive or fraudulent practices in the financial services industry. Businesses should remain vigilant in their compliance with existing and new laws and regulations.