Financial Services Law

CFPB Launches New Battle: Proposal to Ban Arbitration Clauses Blocking Group Action

Why it matters

The Consumer Financial Protection Bureau (CFPB) has picked its next battle: a proposal to limit the terms of mandatory pre-dispute arbitration agreements in contracts involving consumer financial products or services. Calling such provisions a "free pass" for companies, the Bureau said they allow entities to "sidestep the legal system, avoid big refunds, and continue to pursue profitable practices that may violate the law and harm countless consumers." The proposal would ban clauses that block class arbitrations in contracts for consumer financial products and services, including agreements for credit cards, checking and deposit accounts, and prepaid cards. In addition, the ban would require covered entities that elect to use arbitration agreements for individual claims to maintain records and submit data to the Bureau on claim filings and written awards, possibly for publication on the CFPB website. After the Bureau released a study earlier this year highlighting negative effects of arbitration on consumers, the proposal did not come as a shock to the industry. But that doesn't mean the proposal will face smooth sailing: it is already facing criticism from industry, and there is a strong likelihood that any rule promulgated by the CFPB will be challenged in court.

Detailed discussion

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 tasked the Consumer Financial Protection Bureau (CFPB) with taking a look at the use of arbitration provisions in consumer financial agreements. In March, the Bureau released the findings from its study.

The Bureau said that most arbitration agreements prohibit group action (such as class actions or collective actions) and that few consumers individually seek relief. More than 75 percent of the consumers surveyed were unaware of whether they were subject to an arbitration clause in a financial product contract, the CFPB said, while less than 7 percent knew the clause restricted their ability to file a lawsuit.

The CFPB's conclusions left little doubt that the Bureau would crack down on arbitration provisions in consumer contracts, and earlier this month the agency announced its intent to ban the use of arbitration clauses to block consumers from suing in groups to obtain relief. Characterizing such clauses as "free passes," the agency said its proposal "would give consumers their day in court and deter companies from wrongdoing." Banning clauses that prohibit group arbitrations likely will have the effect of eliminating arbitration clauses in these agreements entirely, since arbitration awards generally may not be appealed, and companies will not want to risk a non-appealable class award in an arbitration.

In preparation for convening a Small Business Review Panel to gather feedback, the CFPB published an outline of its proposals. The Bureau noted that the proposals would not ban arbitration altogether but "the clauses would have to say explicitly that they do not apply to cases filed as class actions unless and until the class certification is denied by the court or the class claims are dismissed in court."

The proposals would apply to the bulk of the consumer financial products and services overseen by the CFPB, including checking and deposit accounts, credit cards, prepaid cards, money transfer services, certain auto loans, auto title loans, small-dollar or payday loans, private student loans, and installment loans.

Congress and the courts developed class litigation procedures for a reason, the CFPB said, particularly where the harm to an individual consumer might be too small to make the pursuit of litigation practical. Group lawsuits provide consumers with "opportunities to obtain relief they otherwise might not get," the Bureau added.

The proposals will also incentivize companies to comply with the law and serve as a deterrent, the CFPB argued, as arbitration clauses "enable companies to avoid being held accountable for their conduct" and make them "more likely to engage in conduct that could violate consumer protection laws."

Companies that elect to continue using arbitration on an individual consumer basis would be subject to continuing CFPB oversight. Covered entities would need to submit information to the agency about arbitration claims filed and awards issued. "This will allow the Bureau to monitor consumer finance arbitrations to ensure that the process is fair for consumers," the CFPB said, adding that it is also considering publishing the data on its website.

The Bureau noted that it will seek input from the public, industry, consumer groups, and other stakeholders once proposed regulations are issued.

In response, the industry has asserted that consumers in fact receive greater relief in individual arbitration actions, in which the financial institution typically agrees to pay many of the consumer's costs, than in a class action in the courts, the primary beneficiaries of which are plaintiffs' attorneys.

To read the outline of the CFPB's arbitration proposals, click here.


California Updates Data Security Laws

Why it matters

The first state to enact data breach notification legislation, California has now updated Civil Code Section 1798.82 with three new bills signed into law by Governor Jerry Brown. Specifically, Senate Bill 570 added requirements to the existing data breach notification bill with rules about the format of a data breach notice, such as mandatory title and headings, a design to call attention to the "nature and significance" of the information contained, and text in at least 10-point type. The legislation included a model form that, if used, will be deemed compliant under the statute. Two other bills made definitional changes impacting the scope of data covered by the notification bill. Under existing law, a breach occurs only if the compromised personal information was not encrypted. Assembly Bill 964 defined "encrypted" while Senate Bill 34 expanded the scope of "personal information" to include information or data collected through the use or operation of an automated license plate recognition system. Businesses should prepare themselves for the new laws, which take effect January 1, 2016.

Detailed discussion

In 2002, California became the first state to enact legislation requiring that a company provide notice to affected consumers in the event of a data breach. Since then, 46 other states and the District of Columbia have followed suit, while dozens of bills attempting to establish a national standard have flamed out in Congress.

Continuing its focus on privacy and data security issues, the state has amended its legislation with three new bills signed into law by Governor Jerry Brown on October 6.

Under current law, the state mandates that the "plain language" notice provided to affected consumers include the name and contact information of the notifying entity; a list of the types of personal information subject to the breach; the date of the breach; whether notification was delayed because of a law enforcement investigation; the phone numbers and addresses of the major credit reporting agencies if the breach involved Social Security, driver's license, or California identification card numbers; and in cases where identity theft and mitigation services are being offered by the notifying entity, all necessary information to take advantage of that offer.

Senate Bill 570 added new notice requirements with respect to formatting. The notice must be titled "Notice of Data Breach" and the required content for the notice must be set forth under specific headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." If an entity wants to provide additional information, it may do so with a supplement to the notice.

The notice must be designed to call attention to the "nature and significance" of the information contained, with title and headings "clearly and conspicuously" displayed, using at least 10-point text. Entities that use a model security breach notification form included in the legislation will be deemed compliant.

Certain entities are permitted to provide substitute notice under Civil Code Section 1798.82, where the notification cost would exceed $250,000, more than 500,000 individuals are affected, or the business lacks sufficient contact information. S.B. 570 also tweaked the notice requirements in these circumstances.

Notice via a conspicuous website posting must be visible for at least 30 days, with "conspicuous" defined as "providing a link to the notice on the home page or first significant page after entering the web site, in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link."

If the breach affected usernames or e-mail addresses in combination with passwords or security questions and answers—with no other personal information impacted—an electronic notice directing consumers to change their password and security questions and answers will suffice. Notice via e-mail is not permitted, however, where the breach affected usernames or e-mail addresses for login credentials of an e-mail account provided by the entity. Instead, a different format must be utilized, such as written notice or "clear and conspicuous" notice delivered when the consumer is connected to the online account from an IP address or online location recognized by the entity.

A second measure, Assembly Bill 964, established a definition of the term "encrypted." A breach occurs under California law only if the compromised personal information was not encrypted, now defined as "rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security."

Finally, Senate Bill 34 amended the statutory definition of "personal information" to incorporate "information or data collected through the use or operation of an automated license plate recognition system." Under the new law, operators and end users of an automated license plate recognition (ALPR) system must maintain reasonable security procedures and practices (including operational, administrative, technical, and physical safeguards) intended to protect ALPR information. In addition, a usage and privacy policy—addressing the collection, use, maintenance, sharing, and dissemination of information—must be established.

The new law also permits individuals to bring a civil action against ALPR operators and end users for violations of the statute, with actual damages up to $2,500, plus punitive damages, attorneys' fees and costs, and equitable relief.

To read S.B. 570 and view the model form, click here.

To read A.B. 964, click here.

To read S.B. 34, click here.


Reporting for Duty: HMDA Regs Finalized

Why it matters

Reporting requirements for financial institutions under the Home Mortgage Disclosure Act (HMDA) regulations were finalized by the Consumer Financial Protection Bureau (CFPB), with most provisions of the final rule set to take effect January 1, 2018. Covered entities will be required to report to the Bureau several new data points, such as the term of the loan, the value of the property, and the duration of any teaser or introductory interest rates. In addition, information about loan underwriting and pricing (including the applicant's debt-to-income ratio and the interest rate of the loan) must be supplied to the CFPB. The final rule was tweaked somewhat based on comments received on a proposal issued by the Bureau in 2014, with the agency dropping some of the data points, but overall the new rules require that substantially more information be provided. The CFPB also said it is working with other federal agencies to streamline the reporting process in an attempt to ease the burden on financial institutions. The finalized rule will provide additional information about applications and loans that will be used to keep "a watchful eye" on trends and problem areas in the mortgage market, the CFPB noted, leaving industry concerned that the data could be used as the basis for fair lending enforcement actions as well as an increase in private litigation.

Detailed discussion

To "shed more light" on consumers' access to mortgage credit and keep "a watchful eye" on the mortgage industry, the Consumer Financial Protection Bureau (CFPB) has released its final rule under the Home Mortgage Disclosure Act (HMDA).

Originally enacted in 1975, the HMDA mandates that lenders report information about home loans, from applications to origination to purchase data. Regulators rely upon the data to monitor financial institutions for problems or trends. For example, in 2014, the CFPB said 7,062 financial institutions reported information about roughly 11.9 million mortgage applications, preapprovals, and loans. Despite this pile of data, the Bureau said the dataset failed to keep pace with changes in the mortgage market, noting that data was not collected on loan features that figured prominently in the mortgage crisis, such as adjustable-rate mortgages.

The 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act directed the CFPB to expand the HMDA dataset. In response, the Bureau convened a Small Business Panel and issued a proposed rule in July 2014. After making adjustments based on comments about the proposed rule, the CFPB said the final rule "will improve the quality and type of HMDA data."

Both depository and nondepository institutions are covered by the final rule if they originate at least 25 closed-end mortgage loans or at least 100 open-end lines of credit in each of the two preceding calendar years.

To get "better information" about the mortgage market, the final rule requires lenders to report additional data points. New information covers the property itself (including address, construction method, and property value) as well as information about borrowers, such as age, credit score, and debt-to-income ratio—data that can help identify discriminatory lending practices in the marketplace, the CFPB said.

Pursuant to the final rule, financial institutions will also be required to supply information about mortgage loan underwriting and pricing. The term and interest rate of the loan, the duration of any teaser or introductory rates, borrower-paid loan costs and origination charges, any prepayment penalty, and the discount points charged for the loan—as well as information about applications and loans secured by dwellings, such as reverse mortgages and open-end lines of credit—must all be reported to the CFPB so that the Bureau can monitor fair lending compliance and access to credit.

In addition to new requirements, the CFPB provided clarification on existing rules. All lenders must report the reasons for a loan denial and in some circumstances provide a written explanation, the Bureau said, and loan amounts may no longer be rounded to the nearest thousand dollars. Instead, the exact amount must be reported.

The CFPB said it also attempted to make life easier for financial institutions. Small banks and credit unions located outside a metropolitan statistical area are excluded from coverage under the final rule, which also established a new standardized reporting threshold so that small depository institutions with low loan volume will not be required to report HMDA data. "For small lenders with few staff members, this change could make a significant impact in easing compliance costs," the CFPB said. The Bureau estimated that the new threshold will reduce the overall number of financial institutions required to report HMDA data by 22 percent.

For covered lenders above the threshold, the Bureau also tried to streamline the reporting process. Because many of the financial institutions collect the HMDA data for other purposes (the pricing of loans or to facilitate the sale of loans on the secondary market, for example), the CFPB said the new rule aligns with "many well-established industry data standards," which "will mitigate the burden on many lenders, and improve the quality and the value of the information reported."

In addition, the Bureau will continue to work with the Department of Housing and Urban Development as well as other members of the Federal Financial Institutions Examination Council to modernize the reporting process. Industry feedback on a pilot program for a web-based data collection tool was "very positive," the Bureau said, with the hope that implementation of the technology will reduce compliance costs.

Some changes were made from the 2014 proposal. Based on comments, the Bureau removed several data points from collection (the risk-adjusted, pre-discounted interest rate, among others) and elected not to require reporting of all dwelling-secured transactions made for commercial purposes.

Most provisions of the final rule will take effect January 1, 2018, meaning lenders will collect information for that calendar year to report by March 1, 2019.

One issue still undecided: whether the information collected will be made public. The Bureau recognized that HMDA data contains sensitive, personal information and said it will solicit additional public input before determining the extent of disclosure.

Although not immediately effective, the new reporting requirements will require extensive changes to existing systems and additional training. Institutions should begin planning for the changes. Also, the expanded data points likely will feed more allegations of fair lending violations by both regulators and private litigants, and internal fair lending analysis should be enhanced in anticipation of the effective date of the reporting requirements.

To read the CFPB's 797-page final rule, click here.
