Alston & Bird Consumer Finance Blog

UDAAP

UDAAP Update: New York’s FAIR Act Signed Into Law

By

What Happened?

On December 19, 2025, New York Governor Kathy Hochul signed into law Senate Bill 8416, the Fostering Affordability and Integrity through Reasonable (FAIR) Business Practices Act, (the “FAIR Act”), which updates Section 349 of New York’s General Business Law (GBL). In our prior post we explained that following the law’s passage by the legislature, the FAIR Act expands the state’s consumer protection statute beyond just deceptive practices to also prohibit “unfair” and “abusive” business acts or practices, marking a major broadening of the New York Attorney General’s enforcement powers. Notably, the final law clarifies that only the Attorney General (“NYAG”) can bring claims for unfair or abusive practices, while private lawsuits remain limited to deceptive acts. The FAIR Act will take effect 60 days after signing, on February 17, 2026.

Why Does It Matter?

The FAIR Act represents a sweeping update to New York’s consumer protection law. Previously, New York law only prohibited deceptive acts and practices. The FAIR Act amends Section 349 of the GBL to also prohibit “unfair” and “abusive” acts or practices in the conduct of any business, trade, or commerce. In practical terms, this aligns New York with the consumer protection laws of almost every other state (47 of which already outlaw unfair practices) and with federal UDAAP standards. Key elements of the new law include:

Expanded Definitions

The statute now defines an “unfair” act as one that “causes or is likely to cause substantial injury” to consumers which is not reasonably avoidable and not outweighed by countervailing benefits. This definition is modeled on the Federal Trade Commission’s standard (15 U.S.C. § 45(n)). An “abusive” act is defined in line with the federal Consumer Financial Protection Act standard (12 U.S.C. § 5531(d)), i.e., something that materially interferes with a person’s understanding of a product or takes unreasonable advantage of someone’s lack of understanding or inability to protect their interests. These broad definitions mean practices that might not be outright deceptive could still be illegal if they unjustifiably harm consumers or exploit imbalances in knowledge or power.

Attorney General Enforcement & Private Rights

Importantly, the law limits enforcement of the new “unfair” and “abusive” provisions to the NYAG. Private plaintiffs can continue to sue under Section 349 only for “deceptive” acts, just as before – there is no new private right of action for unfair or abusive practices. This was a critical concession to avoid opening floodgates of litigation. However, the AG can now bring enforcement actions against businesses for unfair or abusive conduct, seeking injunctions, restitution, and civil penalties. We can expect the NYAG (which has been actively advocating for this law) to launch investigations and actions under the expanded provisions once the law is effective.

“Consumer-Oriented” Standard Preserved (for Now)

A contentious aspect of the FAIR Act was whether it would eliminate the judicially-created requirement that Section 349 cases be “consumer-oriented” (i.e. directed at the public at large, not private contract disputes). The version initially passed by the legislature removed the consumer-oriented limitation entirely, which would have meant the AG (and possibly private plaintiffs) could pursue claims even for one-off transactions or business-to-business dealings. However, in approving the law, Governor Hochul noted an agreement with legislators to ensure the act “does not override” existing case law on the consumer-oriented standard. In effect, this signals that commercial transactions and purely private disputes will not suddenly all become actionable under Section 349. The statute text still says an act can be unlawful “regardless of whether or not it is consumer-oriented” in an AG enforcement, but this may be revisited by a chapter amendment. For now, compliance should assume that private lawsuits still require a consumer-facing element (as before), while the NYAG might test the boundaries of targeting misconduct affecting small businesses or other non-consumer victims in the public interest.

What Do You Need to Do?

For banks, lenders, and other financial services companies operating in New York, the FAIR Act demands a thorough compliance review beyond the traditional focus on deception/fraud. Even though private litigation risk remains mostly unchanged (as it remains limited to deception claims), the NYAG can now act as a mini-CFPB, bringing the full range of UDAAP claims at the state level. Financial services companies must proactively ensure their products and practices meet these standards and should stay aware of any further regulatory guidance issued by the NYAG.

CFPB’s War on Mortgage Fees Continues

By ,

What Happened?

Immediately following President Biden’s State of the Union Address announcing plans to lower homebuyer and refinancing costs, the CFPB issued a blog post seeking public input on how mortgage closing costs impact consumers. The CFPB also announced that it will work to monitor closing costs and, “as necessary, issue rules and guidance to improve competition, choice and affordability.” Significantly, the CFPB also signaled that it will continue to use its supervision and enforcement tools for companies that fail to comply with the law.

Why Is It Important?

The CFPB is putting companies on notice that the Bureau will be taking a close look at the total loans costs for originating a residential mortgage loan, including origination fees, appraisal fees, credit report fees, title insurance, discount points, and other fees. In particular, the CFPB is paying “significant attention to the recent rise in discount points,” and seems concerned with the lack of competition in connection with certain fees, such as lender’s title insurance and credit reports. The CFPB also has expressed concerns with how companies may charge lender credits and fees that are financed into the loan amount (through higher interest rates or mortgage insurance payments).

While the CFPB’s blog post does not identify any specific laws, it does provide some clues. First, the Bureau is concerned that some closing costs are high and increasing due to lack of competition. According to the Bureau, “[b]orrowers are required to pay for many of the costs associated with closing a home loan but cannot pick the provider and do not benefit from the service.” Taking unreasonable advantage of the inability of a consumer to protect their interests in selecting or using a consumer financial product or service could be construed as abusive under the Dodd-Frank Act’s UDAAP statute.

Because certain fees are fixed and don’t fluctuate with the loan size or interest rate, the Bureau is concerned that such fees could disproportionately impact borrowers with smaller loans, such as low-income borrowers, first-time borrowers, or Black or Hispanic borrowers.  This could present a fair lending problem under the Equal Credit Opportunity Act. Indeed, the CFPB already has announced that, pursuant to its authority to prevent unfair, deceptive, and abusive acts or practices (“UDAAPs”), the Bureau will begin examining institutions for alleged discriminatory conduct that the Bureau deems to be unfair.

Of course, Congress passed the Dodd-Frank Act to address many of the above concerns, and the TRID Rule already attempts to ensure that consumers are provided with greater and more timely information on the nature and costs of the residential real estate settlement process and are protected from unnecessarily high settlement charges.

What Do I Need to Do?

The CFPB is sending a strong message to the industry that closing fees will be receiving scrutiny from the CFPB.  And knowing that the CFPB has been on a hiring spree in its enforcement division, now is a good time to take a close look at the fees being charged from both a UDAAP and fair lending perspective.  The team at Alston & Bird has deep knowledge on mortgage fees and is happy to assist with such a review.

A Friendly Reminder of the Importance of Robust Consumer Complaint Handling Processes

By ,

What Happened?

On February 27, 2024, the California Department of Financial Protection and Innovation (the Department) entered into a public consent order with a company that provides consumer financial services to California residents. The consent order alleges that between January 2020 and September 2022, the Department received complaints from consumers raising concerns about their accounts and customer service interactions with the company, which the Department forwarded to the company for investigation and response. The Department also investigated the company’s handling of those consumer complaints.

The Department found that the company’s complaint handling was deficient in that “occasional mistakes” that occurred in the Company’s responsiveness to consumer complaints were substantial enough to have violated the California Consumer Financial Protection Law (CCFPL). The Department alleged that as between the company and the consumer, the company was in the better position to accurately evaluate the available information in most cases and to respond to consumers’ complaints in a timely manner and while the number of mistakes during the Department’s investigation period was relatively small in comparison to the overall number of consumer complaints received, the Department concluded that the mistakes were important to the affected consumers.

To resolve these allegations, the company agreed to (1) desist and refrain from violating the CCFPL through its complaint handling processes, (2) pay a penalty of $ 2.5 million, (3) enhance existing customer service procedures or processes, (4) establish, implement, enhance, and maintain testing policies, procedures, and standards reasonably designed to, at a minimum, ensure compliance with the law, and (5) report to the Department annually for two years on these standards. These standards require the company to:

  • Ensure customer service support 24 hours a day, seven days a week;
  • Ensure sufficient customer service support staffing;
  • Ensure sufficient customer service support training; and
  • Investigate and implement policies and procedures to maintain the accurate, prompt and proper handling of consumer complaints.

Why is it Important?

The CCFPL was enacted in September 2020 and grants the Department expanded authority over persons engaged in offering or providing a consumer financial product or service in California and their affiliated service providers. Notably, under the CCFPL, it is unlawful for a “covered person” or “service provider,” to do any of the following:

  • Engage, have engaged, or propose to engage in any unlawful, unfair, deceptive, or abusive act or practice (UDAAP) with respect to consumer financial products or services.
  • Offer or provide to a consumer any financial product or service not in conformity with any consumer financial law or otherwise commit any act or omission in violation of a consumer financial law.
  • Fail or refuse, as required by a consumer financial law or any rule or order issued by the Department thereunder, to do any of the following:
    • Permit the Department access to or copying of records.
    • Establish or maintain records.
    • Make reports or provide information to the Department.

The CCFPL defines a “covered person” to mean, to the extent not preempted by federal law, any of the following:

  • Any person that engages in offering or providing a consumer financial product or service to a resident of California.
  • Any affiliate of a person described above if the affiliate acts as a service provider to the person.
  • Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.

A “servicer provider” includes any person that provides a material service to a covered person in connection with the offering or provision by that covered person of a consumer financial product or service, including a person that either:

  • Participates in designing, operating, or maintaining the consumer financial product or service.
  • Processes transactions relating to the consumer financial product or service, other than unknowingly or incidentally transmitting or processing financial data in a manner that the data is undifferentiated from other types of data of the same form as the person transmits or processes.

The term “service provider” does not include a person solely by virtue of that person offering or providing to a covered person either a support service of a type provided to businesses generally or a similar ministerial service, or time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media.

Notwithstanding the broad definition of “covered person,” the CCFPL contains numerous exemptions, including for banks; licensed escrow agents; licensees under the California Financing Law; licensed broker-dealers or investment advisers; licensees under the Residential Mortgage Lending Act; licensed check sellers, bill payers, or proraters; and licensed money transmitters, among others.

The Department is authorized to impose civil money penalties for any violation of the CCFPL, rule or final order, or condition imposed in writing by the Department in an amount not to exceed the greater of $5,000 for each day during which a violation or failure to pay continues, or $2,500 for each act or omission. Reckless violations are subject to increased penalties not to exceed the greater of $25,000 for each day during which the violation continues, or $10,000 for each act or omission. For knowing violations, the Department is authorized to assess penalties not to exceed the lesser of one percent of the person’s total assets, $1 million for each day during which the violation continues, or $25,000 for each act or omission.

What Do You Need to Do?

It is always important to take consumer complaints seriously and to respond timely and accurately. Now is the time to review your company’s complaint management procedures to make sure they are robust. It is always important to mine your consumer complaints so that you can learn from them and correct errors timely to ensure mistakes don’t recur, and the Department’s latest settlement is a reminder that companies subject to the CCFPL also have a legal obligation to do so.

CFPB’s Proposed Insufficient Fund Fee Rule – Narrow in Scope with Potential for Greater Impact

By , ,

What Happened?

On January 24, 2024, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule that would prohibit covered financial institutions from imposing a nonsufficient funds (NSF) fee when consumers initiate transactions that are instantaneously or near instantaneously declined (the Proposed Rule). According to the CFPB, such fees are not based on the transaction amount or processing cost and take unreasonable advantage of a consumer’s lack of understanding of the material risk, costs or conditions of the product or service. In the Preamble to the Proposed Rule, the CFPB recognizes that “currently covered financial institutions rarely charge NSF fees on covered transactions” and, thus, the “CFPB is proposing this rule primarily as a preventive measure.” With that said, the Proposed Rule is significant in that the Bureau also clarifies its approach to assessing abusive practices.

Why is it Important?

Background

In January 2022, the CFPB launched an initiative to reduce certain fees charged by banks and other companies under its jurisdiction, by issuing a Request for Information (Fee RFI) seeking public comment regarding fees that are not “subject to competitive processes that ensure fair pricing.” The CFPB continues to focus on these so-called “junk fees,” which the Bureau described in its Fee RFI, in part, as “fees that far exceed the marginal cost of the service they purport to cover, implying that companies are not just shifting costs to consumers, but rather, taking advantage of a captive relationship with the consumers to drive excess profits.” The Bureau’s attention is now on NSF fees.

The Proposed Rule

The Proposed Rule may be narrow in scope, but much broader in potential impact. It would prohibit a “financial institution” from charging an NSF fee to a consumer who attempts to withdraw, debit, pay, or transfer funds from their “account” that is declined instantaneously or near instantaneously by the “financial institution.” For purposes of the Proposed Rule, the term “account” and “financial institution” are defined consistent with Regulation E. Thus, a financial institution includes a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services. An account is defined equally broad to include: (i) checking, savings, or other consumer asset account held by a financial institution (directly or indirectly), including certain club accounts, established primarily for personal, family or household purposes, and (ii) a prepaid account. An account would not include, among others, escrow accounts for real estate taxes or insurance or an occasional or incidental credit balance in a credit plan. It is also worth noting that, according to the CFPB, checks and ACH transactions are not covered by the rule unless they evolve in a way to be cleared instantaneously.

While the scope of the Proposed Rule is narrow, the Bureau’s interpretation of abusiveness as articulated in the Proposed Rule is not. By way of background, Section 1031 of the Consumer Financial Protection Act (CFPA) prohibits unfair, deceptive, or abusive acts or practices (UDAAPs) under Federal law in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service. The Proposed Rule finds that charging an NSF fee in instantaneously or near instantaneously declined transactions violates the “lack of understanding” prong of the abusiveness standard. Under the CFPB’s Policy Statement on Abusive Acts or Practices, the “lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service” concerns gaps in understanding affecting consumer decision making.

The Proposed Rule attempts to fine tune the “lack of understanding” analysis by distinguishing prior comments the Bureau made in its 2020 Payday Lending Rule, by clarifying that:

  • “[L]ack of understanding under the abusiveness standard of UDAAP is not synonymous with reasonable avoidability under the unfairness standard.”
  • Magnitude and risk of harm are distinct and should have no bearing on a “lack of understanding” analysis.
  • A consumer’s lack of understanding should not be characterized as general or specific as such framework is unhelpful in determining whether consumers understand the material risks, costs or conditions of a financial product or service.

Under the Proposed Rule, the Bureau has preliminarily determined that the charging of such fee is abusive under Section 1031(d) of the CFPA as it would take “unreasonable advantage of consumers’ lack [of] understanding of the material risks, costs, or conditions associated with their deposit accounts” and that “covered financial institutions that charge NSF fees on covered transactions would be benefiting from negative consumer outcomes that result from…a consumer’s lack of understanding.”

The Bureau summarily dismissed that such risks could be mitigated, as disclosure would be too costly, too unfeasible, and unlikely to eliminate the risk. Rather, “[d]rawing on its experience and expertise regarding consumer behavior, the CFPB believes that if a transaction entails material risks or costs and consumers derive minimum or no benefit from the transaction, it is generally reasonable to conclude that consumers who nonetheless went ahead with the transaction did not understand the material risks, costs or the conditions to those risks or costs.”

In other words, the CFPB appears to believe that no consumer would initiate a transaction knowing that they have insufficient funds and that a fee could be charged if their transaction is declined, despite the fact that (1) the vast majority of consumers have readily available access to their bank account balances, (2) such fees are generally disclosed to consumers, and (3) consumers contractually agree to pay such fees.

What Do You Need to Do?

While the Proposed Rule has limited application, the Bureau’s interpretation of the abusiveness standard could have far broader implications, as the Bureau could deem as abusive any fee which it determines provides little to no consumer benefit. For example, it is unclear what would stop the Bureau from prohibiting other fees as abusive, based on a determination that such fees provide little to no consumer benefit and that financial institutions are “benefiting from negative consumer outcomes that result from…a consumer’s lack of understanding,” given that the Bureau’s rationale appears to give little regard to consumer disclosures or contract law.

Therefore, given the potential downstream implications of the CFPB’s broad interpretation of abusiveness, companies subject to the CFPB’s jurisdiction should carefully review the Proposed Rule and consider submitting a comment letter, even if the Proposed Rule itself would not directly apply to the company. The Proposed Rule’s comment period expires on March 25, 2024.

 

CFPB Touts 2023 Greatest Hits and Casts a Line for Enforcement Hires

By , ,

What Happened?

Earlier this week, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released a blog post touting its 2023 successes in safeguarding “household financial stability” through the levying of fines and filing of lawsuits. The Bureau highlighted seven enforcement cases:

  • Protecting Servicemembers from Illegal High-Interest Loans and False Advertising: In February 2023, the CFPB ordered an auto title loan lender and several affiliated entities to pay a total of $15 million in penalties and consumer redress to resolve allegations that the entities violated the Military Lending Act. That same month, the CFPB permanently banned a California-based mortgage lender from the mortgage lending industry and imposed a $1 million penalty on the lender for repeatedly violating a 2015 consent order by, among other things, allegedly continuing to send advertisements to military families that led recipients to believe the company was affiliated with the U.S. government.
  • Taking Action for Illegally Charging Junk Fees, Withholding Credit Card Rewards, and Operating Fake Bank Accounts: In July 2023, the CFPB ordered a national bank to pay a more than $190 million in penalties and consumer redress to resolve allegations that the bank double dipped on insufficient funds fees imposed on customers, withheld reward bonuses promised to credit card customers, and misappropriated sensitive personal information to open accounts without customer knowledge or authorization. The Office of the Comptroller of the Currency (“OCC”) also found that the bank’s double-dipping on insufficient funds fees was illegal and ordered the bank to pay $60 million in penalties.
  • Intentional Illegal Discrimination Against Armenian Americans: In November 2023, the CFPB ordered a national bank to pay $25.9 million in fines and consumer redress for allegedly “intentionally and illegally discriminating against credit card applicants the bank identified as Armenian American.” 
  • Taking Action to Stop Loan Churning: In August 2023, the CFPB sued a high-cost installment loan lender and several of its wholly owned, state-licensed subsidiaries, for allegedly violating the Consumer Financial Protection Act by “illegally churning loans to harvest hundreds of millions in loan costs and fees.”
  • Illegal Rental Background Check and Credit Reporting Practices: In October 2023, the CFPB and the Federal Trade Commission (“FTC”) sued a rental screening subsidiary of a national consumer credit reporting agency for allegedly violating the Fair Credit Reporting Act by failing to take steps to ensure the rental background checks that landlords use to decide who gets housing were accurate and withholding from renters the names of third parties that were providing the inaccurate information. The resulting court order required the company to pay $15 million in penalties and make significant improvements to how it reports evictions. Separately, the CFPB ordered the national consumer reporting agency to pay $8 million in consumer redress and penalties for failing to timely place or remove security freezes and locks on consumer credit reports and for falsely telling certain consumers that their requests were processed.
  • Stopping unlawful junk advance fees for credit repair services: In August 2023, the CFPB entered into a settlement with a credit repair service conglomerate that imposed a $2.7 billion judgment and banned the companies from telemarketing credit repair services for 10 years.

The CFPB touted that in 2023 it secured over $3.5 billion in total fines and compensation from financial services “lawbreakers” in 2023.  The CFPB largely attributed these cases to the creation of a “team of technologists” working on emerging technologies to “enforce the law when emerging technologies harm consumers.”

Why is this Important?

The CFPB filed 29 enforcement actions in 2023 but selected the seven highlighted above, possibly signaling that junk fees, fair lending, servicemember protections, and credit reporting, among others, remain on the Bureau’s radar. We do not expect the CFPB to issue any sort of accounting covering enforcement cases which it dropped in 2023.

Interestingly, the CFPB also used this post to recruit new “cross-disciplinary” employees (both attorneys and non-attorneys) for its Office of Enforcement and reiterated that the Bureau is “significantly expanding [its] enforcement capacity in 2024 to build on [its] achievements so far.” The roles are located in the Bureau’s Washington, D.C. headquarters and its regional offices in Atlanta, Chicago, New York and San Francisco.  The last of the associated employment information virtual sessions occurred on January 30, 2024.  Strangely, the CFPB only released this blog post the day before the last of these three sessions and it is not known how that late notice may impact application numbers.

What Do You Need to Do?

Given that the CFPB is telegraphing those issues that are top of mind for the Bureau as well as its emphasis on ramping up enforcement in 2024, now is a good time for companies to review their compliance management programs and make any necessary enhancements to policies, procedures, processes, and systems to ensure compliance with all applicable consumer financial laws and regulations. In particular, institutions should revisit their compliance monitoring programs to determine whether any updates are needed to minimize enforcement risk.