On August 25, the CFPB announced another enforcement action based on the marketing and sales of credit card add-on products. According to this Consent Order, against First National Bank of Omaha, the bank stopped offering these products in the second half of 2012. While it took the CFPB four years to finally issue this Consent Order, this action is simply a continuation of the CFPB’s enforcement actions against banks for practices relating to add-on products that began almost as soon as the CFPB was formed. In fact, the CFPB’s first published enforcement action ever, against Capital One, related to the marketing and sales of credit card add-on products.
Despite these enforcement actions, many banks still market and sell credit card add-on products, including debt cancellation protection and credit monitoring services. There is nothing inherently wrong with that and many of these products provide real consumer benefits. The trick is in doing it in a way that is acceptable to the CFPB. Based on this recent enforcement action and others before it, here are some approaches to consider:
Avoid “stealth” marketing. This is a hard one for a sensible businessman to swallow, but the CFPB really doesn’t like it when companies hide the fact that they are trying to sell a product. In the Bank of Omaha Consent Order the CFPB alleged that the bank misrepresented the nature of the solicitations by stating that the call was to notify the customer of “an important account feature,” or that the offer was the bank’s “way of saying thanks,” when the purpose of the call was really to sell an optional product for a fee. Along the same lines, the CFPB alleged that the bank would “force” customers to listen to a sales pitch by implying that customers had to stay on the phone while their card was being activated, when the activation process was actually nearly instantaneous. It seems to me that any of us can tell very quickly when we are being marketed to, so what’s the point in hiding the ball when the CFPB is objecting?
Be sure consumers get the full benefit of purchased products. In some of the add-on product enforcement actions, the CFPB alleged that consumers were charged for products when the consumers, due to their personal characteristics, were unable to enjoy the full benefit of the product. For example, in some cases consumers without credit files at the major bureaus could not receive full credit monitoring services but were allegedly billed for the services nevertheless. It might be useful to consider more careful application processes to ensure that consumers are actually eligible for the benefits being sold and post-sale processes to ensure that consumers get what they pay for.
Clearly disclose the costs of the product. It should be obvious, but it’s important that consumers understand that they will have to pay for the product or service and what that will cost. CFPB enforcement actions often suggest that consumers thought that the product was free or that they might be able to cancel the purchase without incurring any costs when at least one fee was unavoidable.
Obtain the consumer’s express consent for the product purchase. CFPB enforcement actions relating to add-on products and other products and services frequently allege that consumers really didn’t understand that they were accepting a product for which a fee would be charged. For example, the Bank of Omaha Consent Order alleges that the bank obtained consumers’ consent by telling cardholders that to “verify … approval to enroll” the cardholder needed to provide their city of birth, and that the bank then used the consumers’ confirmation of city of birth as consent to the purchase. Just get the consumer to say, “yes, I want to make the purchase” or “yes, I want to enroll” – after being clear on the costs of the product or service.
Be honest about free options. The CFPB is well aware that some of the products or services offered by banks and other companies for a fee can be obtained by the consumer without charge through other avenues. For example, any consumer can get a free credit report every 12 months from the major bureaus. It should be fine to include credit reports as part of a bigger package of services, or even to sell a service that consists only of one credit report per month, for example, but it might be a good idea to remind consumers that they also can get a free report each year directly from the bureaus. More generally, if all or a portion of your products or services are available to any consumer without charge, make sure the consumer is getting something extra and valuable for the fees.
Be very cautious about success-based compensation programs. In both the Capital One enforcement action and this recent Bank of Omaha action the CFPB alleged that employees were evaluated based on their ability to persuade consumers not to cancel products, referred to as "saves," and received bonuses based on high save percentages. The CFPB considered the resulting aggressive sales practices to be unfair, deceptive or abusive.
Overall, just be careful. We might be nearing the end of the CFPB’s enforcement in this specific area, but their views of what is unfair, deceptive or abusive have a way of creeping into many areas of enforcement.
The CFPB's Monthly Complaint Report for July 2016 focuses on credit card complaints. To the extent these Complaint Reports have any value it is in alerting the industry to consumers’ concerns and the likely focus of the CFPB in future examinations and enforcement actions. This Report is a bit of a mixed bag, but highlights some areas in which credit card issuers might be able to improve customer service and disclosures and thereby reduce consumer complaints and enforcement risks.
“Billing disputes” leads the list for the most frequent category of complaint. Although the CFPB provides no details as to the nature of these complaints, and many of the complaints might only reflect a consumer tendency to complain about bills, the volume of billing dispute complaints suggests that the industry could use improvements in customer service.
Consumers also complained of difficulties in receiving the promised benefits of rewards programs, and the benefits of travel insurance, warranty extensions, price protection and similar products provided through card programs. Again, improvements in customer service might reduce complaints and risks in this area.
The CFPB also cites consumer complaints about misleading or unclear offers and terms for rewards programs, and unclear terms for deferred interest programs. The industry might be able to reduce these complaints – and the risks of CFPB enforcement – by reviewing and editing their advertisements and program agreements. While maybe counter-intuitive, it can be useful to have these materials reviewed by someone with no prior knowledge of the product. Those persons are less likely to mentally fill in disclosure gaps based on an existing understanding of product terms and can be more likely to identify ambiguities or unfair terms.
One of the more dubious complaints cited in the Report was about the imposition of late charges when an automatic payment failed or the billing statement did not arrive in a timely manner. Automatic payment plans don’t just fail, or very rarely do. It’s much more likely that the consumer simply had insufficient deposited funds to make the payment. Mailed billing statements can be lost or delayed, but I believe that also to be a very rare occurrence. If the consumer does not receive the statement on time, it seems more likely that the consumer was traveling or had moved without notifying the bank. In neither of these cases is it reasonable to expect the bank to waive late charges.
Finally, in the give-me-a-break category, consumers complained about how payments were applied to promotional or deferred interest balances with limited terms. Presumably these consumers wanted their payments applied to lower-rate promotional or deferred interest balances before being applied to other balances. However, Regulation Z sensibly requires card issuers to apply payments to higher-rate balances before other balances, except during the last two months of the term of a deferred interest program. It’s hardly fair of the CFPB to even mention these complaints when the card issuer is doing exactly what is required by law.
The CFPB proposed extensive regulations governing payday, auto title and certain other higher cost loans on June 2, 2016. The first question for every lender, and particularly banks and other main-stream lenders that don’t believe that they make “payday loans,” is which of their current loan products would be subject to the rules. This article outlines the types of loans that would be covered by the rules and the conditions for partial exemptions for otherwise covered loans. This article assumes that you have already read general outlines of what the rules will require for covered loans, but, if you are just beginning to face this issue, a summary of the basic requirements is available at BankBryanCave.com.
Specifically Excluded Products
Regardless of the loan term to maturity, interest rates, fees, or payment mechanisms, the proposal would not apply to the following loans or lines of credit:
- Credit for the sole and express purpose of financing the consumer’s initial purchase of an automobile or other good when the credit is secured by that property. The amount financed cannot exceed the cost of acquiring the goods to qualify for this exemption.
- Credit secured by real property or by personal property expected to be used as a dwelling. This exclusion would apply to home equity lines of credit, closed-end mortgages, and mobile home loans so long as the mobile home is expected to be used as a dwelling, provided that the lender takes a security interest in the real property or dwelling.
- Credit card accounts as defined by Regulation Z.
- Student loans pursuant to a program authorized by subchapter IV of the Higher Education Act, or private education loans as defined in Regulation Z.
- Non-recourse pawn loans where the lender has sole physical possession of the pawned property for the loan term, so long as the lender’s sole recourse for nonpayment is retention of the property. (While these loan would not be subject to the rules, they would need to be considered for purposes of certain limits on the frequency of covered loans.)
- Overdraft services as defined in Regulation E and overdraft lines of credit governed by Regulation Z.
Covered Short-Term Loans
These are either closed-end, single advance loans that require the consumer to repay substantially the entire amount of the loan within 45 days of consummation, or all other loans (open or closed-end) that require the consumer to repay substantially the entire amount of the advance within 45 days of the advance. Multiple advance loans can be closed-end or open-end, the key difference being that, for open-end credit, the consumer may use the plan, repay, and then reuse the plan.
The Partial Exemption for Short-Term Loans
For short-term loans, interest rates and fees do not determine whether the product is covered by the rules.
The only exemption specific to covered short-term loans is that the ability-to-repay (ATR) requirements, the limits on making loans that are presumed to be unaffordable, and the cooling-off rules do not apply to loans that satisfy specified principal amount limitations and other conditions. The principal amount limits depend on whether the loan is the first, second, or third such loan in the “loan sequence.” The first loan in the sequence can be for no more than $500, and the principal amount of the second and third loans in the sequence cannot exceed a specified percentage of the first loan.
There also are limits on the number of outstanding and recent covered loans, the new loan cannot be structured as open-end credit, the lender would be required to deliver specified disclosures, and the lender could not take an interest in the consumer’s motor vehicle.
Finally, the loan must completely amortize during its term, and the lender must allocate the consumer’s payment to the principal and interest and fees as they accrue by applying a fixed periodic rate of interest to the outstanding balance of the loan principal every scheduled repayment period.
Covered Longer-Term Loans
Loans with terms longer than 45 days are covered if the “total cost of credit” exceeds 36 percent per annum and either the lender obtains vehicle security or a “leveraged payment mechanism.”
- “Total cost of credit” is broadly defined to include, among other things, all interest and other finance charges, certain credit insurance charges and charges for credit-related ancillary products or services, application fees, and participation fees.
- “Leveraged payment mechanisms” would include the right to initiate a transfer of money through any means from a consumer’s “account” to repay the loan, other than a one-time electronic fund transfer initiated immediately after the consumer authorizes the transfer. It would also include the contractual right to obtain payment directly from the consumer’s employer or other source of income, and any requirement that the consumer repay the loan through payroll deduction or deduction from another source of income.
So there are two ways to avoid making a covered longer-term loan: keep the rates and fees low, or don’t take vehicle security and allow the borrower to retain control of making payments.
If these options will not work for your products, it is still possible to qualify for exemptions from the ATR requirements, the cooling-off rule, the prohibition on making loans that are presumed to be unaffordable, and the requirement to provide advance notice before initiating a payment from the consumer’s account. The standards for these partial exemptions are relatively complicated, however, and depend on the loan term to maturity.
Partial Exemption for Closed-End Loans of Six Months or Less
The first partial exemption applies to closed-end loans of not more than six months. The loan amount must be between $200 and $1,000, and it must be repayable in two or more substantially equal payments that are due no less frequently than monthly. As for the exception applicable to short-term loans, the loan must completely amortize during its term and the lender must allocate the consumer’s payment to the principal and interest and fees as they accrue by applying a fixed periodic rate of interest to the outstanding balance of the loan principal every scheduled repayment period.
In addition, the total cost of credit to qualify for this exemption cannot be more than the cost permissible for Federal credit unions to charge on “payday alternative loans.” The NCUA periodically adjusts this rate cap, but the current cap is an APR of 28 percent.
Remember that it was possible to avoid the rules entirely for longer-term loans by either limiting rates to 36 percent or not taking vehicle security and not providing for a leveraged payment mechanism. If you are making title loans or decide you must have a leveraged payment mechanism, then this rule would further limit your rates to 28 percent if you want the loan to qualify for this partial exemption to the rules.
Additional conditions for the exemption include:
- The borrower can have no more than three outstanding loans made under this exception from the lender or its affiliates within 180 days.
- The lender must maintain policies for documenting proof of the borrower’s recurring income.
- The lender may not impose a prepayment penalty.
- If the lender holds funds on deposit in the consumer’s name, the lender may not, in response to an actual or expected delinquency or default, sweep the account to a negative balance, exercise a right of set-off, place a hold on the account funds, or close the account.
Partial Exemption for Closed-End Loans of 24 Months or Less
The second partial exemption applies to closed-end loans with terms of up to 24 months, and is even more complicated, but there are no specific limits on the loan amount.
The more straight-forward conditions for this exemption are the same as for loans of up to six months:
- The loan must be repayable in two or more substantially equal payments that are due no less frequently than monthly.
- The loan must completely amortize during its term and interest must be calculated by applying a fixed periodic rate of interest to the outstanding balance of the loan principal every scheduled repayment period.
- The borrower can have no more than two outstanding loans made under this exception from the lender or its affiliates within 180 days. This limit is different from the one for loans of up to six months, which allows up to three outstanding loans in 180 days.
- The lender may not impose a prepayment penalty.
- If the lender holds funds on deposit in the consumer’s name, the lender may not, in response to an actual or expected delinquency or default, sweep the account to a negative balance, exercise a right of set-off, place a hold on the account funds, or close the account.
The remaining conditions are more involved. First, the “modified total cost of credit” must be less than or equal to an annual rate of 36 percent. The modified total cost of credit is generally the same as the “total cost of credit” except that the lender may exclude a single origination fee from the calculation so long as that origination fee either does not exceed $50, which is a safe harbor, or the fee represents “a reasonable proportion of the lender’s cost of underwriting loan” made under this exception. Unfortunately, the proposed rules are less than clear on what a “reasonable proportion” would be, other than to state in the proposed Commentary that the origination fee “must reflect costs that the lender incurs as part of the process of underwriting” these loans.
Perhaps the most difficult of the conditions for this exemption is that the lender must maintain policies and procedures for effectuating an underwriting method designed to result in a “portfolio default rate” of less than or equal to 5 percent per year. The lender would be required calculate its portfolio default rate every 12 months and, if the rate exceeds 5 percent in a year, the lender would be required to refund to each borrower any origination fee imposed on the borrower during that year.
So a lender relying on this exemption would not have to make the standard ability-to-repay determination, but would have to maintain underwriting procedures designed to minimize default rates and refund origination fees if the lender’s procedures did not result in low default rates. An interesting trade-off that might not be very attractive to some lenders.
As the length of this summary suggests, the proposal is extraordinarily detailed. There are of course fine points that are not addressed here, and I expect that we all will discover new and troubling implications every time we read the proposal again.
On June 2, 2016, the CFPB released its long-awaited regulatory proposal for payday loans, vehicle title and certain high-cost installment loans. This is the CFPB’s most ambitious regulatory proposal so far, and this time they might have over-stepped their authority. For an organization that is constantly threatened by extermination or neutering, one might think that they’d approach at least one issue with some degree of moderation. But it’s full speed ahead for Director Cordray.
Under the proposed rules, lenders would be required to perform an ability-to-repay (ATR) analysis before making a covered loan. Presumptions of unaffordability would arise when the consumer already has an outstanding loan, from any lender, and for 30 days thereafter. For shorter-term loans (45 days or less), a lender could not make the loan if it would be the fourth in a sequence of loans during a period in which the borrower never had more than 30 days without an outstanding covered loan from at least one lender.
Complying with these rules would of course require a mechanism to allow lenders to know about the consumer’s other loans. Because the CFPB recognized that lenders do not consistently report borrower information to the major credit bureaus, their solution was the formation of an entirely new credit reporting system to which all lenders would be required to submit their covered loan data. The CFPB would determine which entities were qualified to be these reporting systems, and would require them to register with the CFPB, and the CFPB would have the authority to suspend or revoke the registration of those entities that failed to perform to regulatory standards.
Given the importance of full credit information to this whole regulatory scheme, one might ask why the CFPB didn’t simply require all lenders to report loan information to the credit agencies under the Fair Credit Reporting Act. That, however, is where the CFPB’s authority falters. The FCRA itself states that lenders are not required to report negative information to the agencies. Lenders that do furnish information to the agencies must comply with certain accuracy and integrity rules, but there is no general requirement in the FCRA for lenders to report information to the credit agencies.
Because only Congress can amend the FCRA, the CFPB apparently decided to use its broad authority under the UDAAP provisions of the Dodd-Frank Act to regulate credit reporting indirectly. Although this new credit reporting system is clearly the centerpiece of the whole regulatory proposal, the CFPB’s press release and fact sheet for the proposed rules refer to it only in passing. It’s almost as if they didn’t want to draw attention to it. No wonder.
A more detailed summary of the proposal is available at BankBryanCave.com.
On May 11, 2016, the CFPB filed a Complaint in federal court against All American Check Cashing and its owner, alleging unfair, deceptive and abusive acts in connection with All American’s check cashing and payday loan business. We all know of a few financial services companies that are less careful than they should be, and we know some companies that get a little close to the regulatory lines. But the alleged actions of All American are simply outrageous.
According to the Complaint, employees were prohibited from disclosing check cashing fees, even when directly asked by the consumer. The company produced training materials, that it unwisely did not burn immediately following each training program, instructing employees to “NEVER TELL THE CUSTOMER THE FEE.” The company instructed employees to count money out over the receipt so as to block the consumer’s view of the fee, to distract consumers from finding out the fee by engaging in small talk, and to provide constant information to consumers (unrelated to the fees) so as to overwhelm the consumer with info. To ensure that all employees strictly adhered to these policies, the company devoted “substantial resources” to conducting regular audits of employee conduct. I don’t think that’s what the CFPB means when they encourage companies to perform compliance audits.
Based on the CFPB's allegations, All American’s payday loan business was equally predatory (I know, it’s an over-used word, but sometimes it’s the right word). For consumers who were paid monthly, instead of offering the consumer a 30-day loan where the payment due date would sensibly coincide with their payday, the company allegedly pressured consumers into taking three or more two-week loans. Each loan would be used to pay off the prior loan, and separate fees would be charged for each loan. The result would be almost 40 percent more in fees for the same total amount borrowed. The company internally referred to this scheme as a “huge income booster.” The company apparently thought this was such a jolly idea that one supervisor sent an email to all stores with a cartoon depicting an employing pressuring a consumer to accept the loan program by gunpoint.
As shown in the Complaint:
While reading these allegations, I’m shocked that this company actually has employees that would participate in the alleged activities. Given their line of business, I imagine their employees are not well paid and I expect that most of them are one pay check away from being in the same miserable position as their customers. How can anyone be this devoid of empathy? It sometimes takes an enforcement action like this to appreciate consumer protection laws.
Well, they’ve done it, though it’s not much of a surprise. On May 5, 2016, the CFPB issued proposed rules to prohibit pre-dispute arbitration agreements in connection with consumer financial products or services if those agreements would prevent class actions. Of all of the CFPB’s actions that the financial services industry has complained about – qualified mortgages, aggressive UDAAP enforcement, proposed rules that could effectively ban short term loans in connection with prepaid cards, this might be the one action that will really harm the industry. But it’s party time for the plaintiffs’ bar.
The proposed rules would apply to virtually any consumer financial product or service, including loans, deposit accounts, funds transfers, check cashing and guaranty services, debt management or settlement, debt collection, and automobile leases. Merchants extending credit for the purchase of their products are exempted in limited circumstances, as are securities broker-dealers if they are already subject to SEC rules prohibiting anti-class action arbitration clauses.
There are really only two meaningful exemptions, and one of those is for a limited time only. First there is a small company exemption. Companies are exempt from the rule if they, together with their affiliates, provide a consumer product or service to no more than 25 consumers in each of the current and preceding year. Apparently the CFPB’s compelling reasons to preserve class actions weren’t so compelling for small groups of consumers (or maybe the CFPB is just throwing a bone to their opponents who complain about regulations killing small businesses).
The short-term exemption is for providers of general-purpose reloadable prepaid cards that sell their cards through retailers. If the consumer acquires the card in person at the retailer, the arbitration agreement was included in the card packaging, and the agreement was packaged prior to the compliance date for the rule, the provider would not be required to pull the packages and amend the arbitration agreement. However, if the provider can contact the consumer in writing, the provider would be required to notify the consumer in writing and amend the arbitration agreement to comply with the proposed rule. It’s not clear if the ability to contact the consumer “in writing” would include by email, but, if that is the CFPB’s intent, they might want to specify that the amended arbitration agreement can be provided electronically without the need to follow the cumbersome E-Sign and related consumer consent rules.
While the proposed rule is distressing on many levels, perhaps the most troubling aspect is the implication that the CFPB will not stop here. For those companies that continue to require arbitration of non-class action claims, the proposal would require the companies to provide the CFPB with detailed records regarding any arbitration that does take place. Those records would include a description of the consumer’s claim and any counterclaim, the arbitrator’s judgment or award, any communication from an arbitrator to the provider regarding the arbitrator’s dismissal of a claim due to the provider’s failure to pay applicable arbitration fees, and any communication from the arbitrator that the arbitration agreement does not comply with the arbitrator’s “fairness principles” or similar requirements.
Director Cordray’s prepared remarks suggest that one purpose of this requirement is so that the CFPB will have sufficient data about individual arbitrations to determine whether they also should be restricting them. If even individual arbitrations offend their sense of fairness, we can expect further restrictions on pre-dispute arbitration agreements.
And worst of all, his comments suggest that they might override an arbitrator’s judgment and impose bigger penalties on the financial services provider. He states that the data would “enable further review of the substantive allegations raised in these arbitration processes to see if they warrant action by the Bureau.” Maybe they’d allow the individual arbitration decision to stand, but it appears that they wouldn’t hesitate to bring their own enforcement action, whether that is to collect civil money penalties or to require restitution to those consumers who haven’t yet sought arbitration.
And in the interest of “transparency,” the CFPB is considering publishing all of these arbitration records on its website. I guess that’s to ensure that every other consumer knows to bring a claim and the class action bar has its bite at the apple.
The CFPB justifies all of the proposed rules based in large part on the idea that consumers who have lost only “small amounts of money” or experienced only “small amounts of harm” have no prospects for meaningful relief if class actions are unavailable to them. In his prepared remarks, Director Cordray stated that certain corporate practices can be “lucrative to businesses” but harm individuals “only on a minor basis,” and that arbitration clauses banning class actions give these companies “less reason to ensure that their conduct complies with law.” I suppose the Director believes that bank executives across the country are calculating how much they can steal from consumers without getting caught. In my experience, consumer over-charges usually are the result of honest errors.
Look, I understand the value of consumer class actions. I’ve seen Erin Brokovich. But enough already. If the CFPB continues down this path, even our dysfunctional Congress will eventually limit class action awards, and then the class actions that really matter will be limited because the CFPB wanted to ensure that consumers could easily recover their small amounts from supposedly unscrupulous bankers.
Earlier this month I wrote on the CFPB’s recent action against the two co-founders and co-owners of T3 Leads for aiding and abetting in the alleged unfair and abusive practices of T3. The CFPB’s actions were based on the claim that both individuals had substantial control over T3’s business policies, practices and operations and both thereby provided “substantial assistance” in T3’s alleged UDAAP violations. This post provides more detail on T3’s alleged actions.
According to the Complaints brought against the founders, T3 is in the business of receiving consumer-loan applications from lead generators and selling those applications to small-dollar lenders. It was the characteristics of these lead generators and lenders that ultimately led to the CFPB’s claims against T3 and its founders, but at the core it was T3’s alleged failure to “vet and monitor” these parties. The CFPB’s allegations include the following:
- T3 would sell applications to those purchasers that were willing to pay T3 the highest price, “without regard for the practices of lead generators or purchasers.”
- “T3 does not continuously monitor lead generator websites to check for misleading or inaccurate statements to consumers.”
- T3 “regularly” accepts applications from lead generators whose websites includes misrepresentations to consumers.
- T3 accepts applications from lead generators that have incorrectly represented themselves as lenders, and from lead generators that have “falsely suggested” that they would help consumers find the best rates or lowest fees.
- T3 makes no attempt to match consumers with the best loan terms for their needs, as consumers are led to believe by some lead generators.
- T3 has reason to believe or knows that the applications it sells are likely to result in usurious interest rates, and sells to these purchases “based on its own financial interests, without regard to representations to and expectations of consumers.”
The fact that the CFPB brought its actions against the company and its founders in federal court rather than pursuing consent orders might suggest that the CFPB was seeking to make a big splash. CFPB Director Cordray has previously said that it would be “compliance malpractice” for financial institution executives “not to take careful bearings from the contents of [the CFPB’s] orders about how to comply with the law and treat consumers fairly.” These T3 actions illustrate the need for all consumer financial services providers to protect consumers from the misdeeds of their business partners. At least vet and monitor.
On April 21, 2016, the CFPB filed actions in federal court against the co-founders and co-owners of T3 Leads for aiding and abetting in the alleged unfair and abusive practices of T3. These actions follow CFPB’s action against T3 itself, filed in federal court on December 17, 2015.
The Complaints outline in detail T3’s alleged unfair and abusive practices. The basis for the aiding and abetting claims against the individuals is that they both had substantial control over T3’s business policies, practices and operations and both thereby provided “substantial assistance” in T3’s alleged UDAAP violations.
I’ll outline T3’s alleged actions in greater detail in a post later this week, but the allegations are generally that T3 purchased consumer loan applications from dubious lead aggregators, sold those applications to dubious lenders, and made no attempt to “vet or monitor” whether any of these companies were honest or complied with consumer protection laws.
It probably didn't help T3’s case that “many” of T3’s lenders were organized by Indian tribes or operated offshore under the laws of foreign jurisdictions, but I think it would be a mistake for other companies to take much comfort from that fact. While it might be that the CFPB focused on T3 because of its dubious lenders and because it was difficult for the CFPB to bring enforcement actions against those lenders directly, I would suggest that these actions have much broader implications: the CFPB will hold any company accountable if it profits from exposing consumers to third parties that fail to comply with UDAAP or other consumer protection laws.
This is hardly the first example of the CFPB punishing a company for failing to monitor or control its vendors or business partners that marketed and sold products or services to the company’s customers. Major phone companies paid millions in fines when they “allowed third parties to ‘cram’ unauthorized charges on customers’ mobile-phone accounts and ignored complaints about the charges.” Banks have been fined millions of dollars for failing to monitor and control the marketing and sales of credit card add-on products by their vendors. In each of these cases, the company in question benefited financially from the activities of the third parties.
The T3 actions again remind us that the CFPB will judge an organization by the company it keeps. If the organization has the ability to minimize consumer harm, profits from the arrangement, and does not take appropriate steps to protect consumers, the CFPB is quick to bring an enforcement action. The difficult question is what the “appropriate steps” should be, but pretending it is the third party’s problem clearly isn’t enough.
New and existing money services businesses frequently ask when or if the CFPB will “examine” them. All consumer financial services businesses naturally worry about the CFPB’s reach and want to be prepared. This article outlines the factors that could lead to CFPB examination of an MSB.
It's important first to understand the distinction between “supervisory” authority and enforcement authority. The former relates to whether the CFPB can conduct a formal examination of the company, while the latter relates to when the CFPB can bring an enforcement action.
The CFPB’s enforcement authority is extremely broad. The CFPB can bring an enforcement action under any of the "Federal consumer financial laws," including UDAAP and eighteen other enumerated consumer laws. UDAAP alone will give the CFPB very broad authority to bring an enforcement action against an MSB for its acts and practices involving consumers.
In contrast, the CFPB's supervisory and examination authority is comparatively limited. MSBs that engage solely in MSB activities, and that do not provide services to a supervised bank or nonbank, usually will not be subject to CFPB examination. However, all MSBs can become subject to CFPB examination if they experience consumer compliance problems.
General Supervisory Authority
The authority for the CFPB to examine an institution is part of its statutory supervisory authority. The CFPB has this supervisory authority only over the following institutions:
- Banks, savings associations and credit unions with total assets of more than $10 billion.
- Essentially any consumer loan broker, originator, lender or servicer, and companies that provide loan modification or foreclosure relief services in connection with consumer loans.
- A “larger participant of a market for other consumer financial products or services,” as defined through rule-makings (“Larger Participants”).
- Companies that the CFPB has determined are engaging, or have engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services (“Risky Companies”).
- Certain service providers of supervised banks and nonbanks, which would include certain service providers to the first three categories of institution listed above.
Because banks, thrifts and credit unions are not MSBs, there really are 4 ways that the CFPB can reach an MSB for examination.
The CFPB can examine an MSB if it is directly engaged in consumer lending activities, including by providing loan modification or foreclosure relief services. The examination could focus only on those lending activities, but there's no guarantee that the CFPB would limit its examination to those activities once it has its foot in the door.
The CFPB can designate a company as being a Larger Participant and subject to examination only through a formal rule making. At this time, the only MSBs that are deemed to be Larger Participants are those that provided at least $1 million aggregate international money transfers during the preceding calendar year, which includes transfers made by the MSB through an agent.
The CFPB has, however, identified other Larger Participants that should be kept in mind by those MSBs that engage in activities in addition to MSB activities. Those other Larger Participants include, in broad terms:
- Participants in the consumer reporting market, with annual related receipts of more than $7 million.
- Participants in the consumer debt collection market, with annual related receipts of more than $10 million.
- Participants in the student loan servicing market, with an annual account volume of more than one million.
If you’re a Larger Participant you likely know it. In any case, at some point you will receive a written communication from the CFPB that they are initiating a supervisory activity. At that time you’ll have 45 days to respond to the CFPB if you want to dispute that you are a Larger Participant.
The Risky Company and service provider grounds for CFPB examination pose the greatest uncertainties for MSBs.
The Risky Company process begins when the CFPB issues a Notice of Reasonable Cause to the target, stating that the CFPB has reasonable cause to determine that the target is engaging, or has engaged, in conduct that poses risks to consumers relating to the offering or providing of consumer financial products or services. Alternatively, the CFPB can provide a notice and opportunity to respond in a notice of charges pursuant to adjudication proceedings.
The Notice of Reasonable Cause must be based on consumer complaints or “information from other sources.” These other source can include, among other things, court decisions or administrative decisions made by other regulators. Therefore, if your company is frequently named in the CFPB's Consumer Complaint Database, or recently lost an ugly consumer class action based on UDAP or other violations of consumer protection law, the CFPB might soon be knocking.
All of the various procedural requirements for responding or consenting to the CFPB's notice are outlined in 12 CFR Part 1091. If you receive a notice, whether directly or as part of a notice of charges, it will be important to review those rules immediately, and at least consider seeking the assistance of legal counsel.
CFPB Bulletin 2012-03 reminded banks and other supervised financial institutions that they may be held responsible for the actions of their service providers, and that those institutions should maintain an effective process for managing the risks of service providers. Of more importance to this article, the Bulletin states that the CFPB has supervisory and enforcement authority over “supervised service providers,” including the authority to examine the operations of such entities on site. It also notes that the CFPB will exercise “the full extent of its supervision authority” over these companies, including its authority to examine for compliance with UDAAP.
So the important question is who these “supervised service providers” are. They are “service providers” for supervised banks and nonbanks – the first two categories of supervised entity listed above, and service providers to “a substantial number” of small insured depository institutions and credit unions.
“Service providers” then include any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service. This includes companies that design, operate or maintain the product or service, and generally includes companies that process transactions relating to a consumer financial product or service. The term does not include companies providing ministerial services or general mass media advertising space.
It’s unclear where this line is going to be drawn over time. However, an MSB that processes consumer transactions for a bank could well be a service provider and subject to CFPB examination jurisdiction. Likewise, an MSB that provides material marketing services to a bank for consumer financial products could be a service provider and subject to CFPB examination. In at least one instance already, the CFPB’s examination of a bank led to the examination of a service provider that designed and marketed the bank’s car loan program. Although the bank was the actual lender, the service provider’s active role in marketing and selling the loans was enough for the CFPB to examine them for unfair and deceptive practices.
It should be said that whether the CFPB believes it can examine an MSB does not necessarily mean that it will do so tomorrow or this year. This is a risk based question. However, if your MSB engages in a significant number or dollar amount of transactions, has a high number of consumer complaints, or is otherwise actively involved in a bank's consumer financial services program that has attracted the CFPB's displeasure, the CFPB might choose to examine your company.
MSBs have historically focused on their anti-money laundering programs, for good reason. However, given the CFPB's potential examination scope, some MSBs might want to review their consumer compliance programs to reduce the risks of examination, or at least the risks of negative examination results.
On March 24, FinCEN issued a second set of Frequently Asked Questions regarding the prepaid access rule. Three of the five questions focused on the definition of “closed loop prepaid access” for purposes of excluding certain prepaid access from the rule’s coverage. A fourth question elaborated on the policies and procedures that are needed in order to have a program “reasonably adapted” to avoid the sales of more than $10,000 in prepaid access to one person in one day for purposes of another exclusion from the rules. Those questions are summarized in this Bryan Cave Payments article.
The fifth question clarifies that a provider of prepaid access is required to include in its MSB agent list an entity that sells the provider’s prepaid product only if that entity satisfies the definition of “seller of prepaid access.” This FAQ implies that such entities are not “agents” for MSB purposes, though it would have been helpful if FinCEN had stated that expressly.
I suspect FinCEN is simply providing a pragmatic answer. If a provider were to include on its agent list those sellers of the provider’s prepaid product that are not technically “sellers of prepaid access,” those sellers would then be included in the lists of MSBs to be examined by the IRS (the IRS examines non-bank MSBs for AML compliance). Every pharmacy, grocery store and gas station that sells prepaid cards in a capacity other than as a “seller of prepaid access” would be on the provider’s agent list and appear to the IRS as being an entity subject to an AML compliance exam. The IRS then would initiate an examination only to learn that the seller has no AML program at all because it is not a “seller of prepaid access” and therefore not required to maintain any such program. Moreover, because “agent” MSBs are required to maintain an AML program, including those sellers on the prepaid provider’s list might trigger AML program obligations for that seller when none otherwise would have applied, or being included on the agent list might at least leave the examiner uncertain of how to treat the seller.
So the FAQ is useful in that it limits the list of agents to those persons that are truly acting as sellers of prepaid access, avoids implying that such persons are MSB “agents” that are required to maintain AML programs, and clarifies for the IRS who it really should be examining.
There is, however, another similar problem relating to “providers of prepaid access” that FinCEN still needs to address. In a bank-centered program in which the bank exercises principal oversight and control over the prepaid program, no program manager or other participant in the program is required to register with FinCEN as a “provider of prepaid access.” Based on comments made I’ve heard from IRS examiners, this concept does not work out so well in practice.
The problem appears to be that some bank examiners are pressuring their banks to require their program managers to register with FinCEN as providers of prepaid access. When the IRS then tries to examine those persons, they learn that the company is registered as a provider only because its bank required it, and not because the company is actually controlling the prepaid program. IRS examiners then must decide whether to conduct a full exam of the company as a “provider of prepaid access” or if they can appropriately rely on the bank regulator to examine the bank for AML compliance given that the bank is actually exercising principal oversight and control for the program.
I suppose bank regulators are uneasy with the idea that some program managers might not be subject to routine AML examinations. By compelling banks to require their program managers to register as providers of prepaid access the bank regulator pushes the problem to the IRS. The IRS, in turn, probably wonders why it should be examining those companies when FinCEN’s rules clearly contemplate that those companies need not be examined for AML compliance when the bank controls all meaningful aspects of the program. This situation also then leads to potentially inconsistent examination results, with the bank regulator reaching one decision and the IRS concluding differently.
In what might have seemed reasonable at the time, the prepaid access rule provided for a flexible approach to allow the participants in a prepaid program to decide who should serve as the designated provider of prepaid access. No participant is required to register as the provider when a bank exercises principal oversight and control, but any participant other than the bank could voluntarily choose to register. This flexibility in the rule, instead of simplifying the process for examiners and program participants, allows bank examiners to second-guess program participants and establish competing examination regimes despite FinCEN’s better judgment that only one of the parties needs to be examined.
This might not be as big of a problem as I have been led to believe, but the solution seems easy enough. If providers were given an option to register as “bank-centered” providers, the IRS would at least know from the outset that less frequent or less rigorous examinations might be in order.