Financial Services Law

Industry Groups Respond on Consumer Access to Financial Records

Financial industry groups responded to the Consumer Financial Protection Bureau's (CFPB) request for information on consumer access to their financial records.

What happened

Last November, the Bureau released a Request for Information (RFI), announcing its intent to take a closer look at "the challenges consumers face in accessing, using, and securely sharing their financial records." The RFI asked how much choice consumers are being given about the use of their records, how secure it is for them to share their records, and to what extent consumers have control over their records.

Industry groups have responded. The American Bankers Association (ABA) noted the timeliness of the CFPB's RFI, given that technology "has facilitated the creation of an unprecedented amount of consumer financial data." While the ABA "fully supports the customer's ability to access and share their financial data in a secure, transparent manner that gives them control," the group identified regulatory gaps and suggested steps to facilitate consumer access.

Three core principles should set the framework for how consumer data is treated, the ABA wrote: security (bank-level protection should be consistent for all consumer financial information, whether the data is at a bank or a third party); transparency (consumers should know how their data is being used); and control (consumers should have control over the access and use of their data, including what information is shared).

To effectuate these principles, the ABA recommended that the Bureau use existing regulatory authority and not promulgate new rules. For example, the CFPB should clarify that data aggregators are "financial institutions" subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) and take steps to ensure such entities are subject to the same standards as depository institutions for safeguarding financial data and notifying customers about security breaches. Data aggregators should also be designated as "service providers" under the Electronic Fund Transfer Act (EFTA), and "larger participants" in the market for consumer financial data should be identified and subject to supervision by the CFPB, the ABA recommended.

In its comments, the Financial Services Roundtable (FSR) set forth "five core elements" that should be considered by the Bureau to determine its role in the evolving ecosystem: security and privacy; data access and use transparency (with the group stating that customers should be required to provide express consent permitting a financial institution to share their account data with a third party); clarity of liability, particularly with regard to data aggregators under Regulation E; customer choice and control; and technology neutrality.

The FSR also urged the CFPB to exercise "caution in pursuing any rulemakings that would certainly hamper these consumer-focused agreements, and likely stifle innovation."

While the Independent Community Bankers of America (ICBA) threw its support behind consumer access to financial information, the group expressed "profound concerns" that non-bank entities "do not take the same care in protecting consumer privacy and data that community banks do." Community banks are highly regulated but "protecting consumers' account data at banks is of limited value if it remains under protected or exposed by other users," the group told the Bureau.

"At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer's information to third parties," ICBA wrote.

The group also shared its worries that the Bureau would develop rules dictating how community banks share information with third parties, with the banks shouldering both financial and reputational risks, emphasizing that community banks should not have to bear the cost and risk of ensuring safe third party access.

Finally, Financial Innovation Now (FIN), an alliance of technology leaders, weighed in, similarly taking the position that regulation by the CFPB is unnecessary. "We are concerned that regulation would run the risk of creating a framework that likely would restrict market developments or innovations and not easily adapt to the pace of technological innovation and consumer expectations," the group wrote.

Instead, FIN said that consumers' interest would most effectively be promoted by empowering them to permission access to financial account data "securely and easily, using whatever secure application or technology they wish," according to industry-developed standards that are regularly reviewed and updated and do not mandate a specific type of technology.

To read the ABA's comment, click here.

To read the FSR's comment, click here.

To read the ICBA comment, click here.

To read the FIN comment, click here.

Why it matters

Industry groups were united in their stance that no new regulation is required from the CFPB in order to ensure consumer access to financial records. While the comments provided different suggestions as to how the Bureau should address the safety and security of consumer financial data, the core principles of consumer choice and data security remained consistent for all the groups.


Home Depot Settles Data Breach Suit for $25M

As a result of a $25 million settlement reached with the remaining banks and credit unions, the litigation against Home Depot stemming from its 2014 data breach will finally end.

What happened

In September 2014, Home Depot announced that its payment data systems had been breached. An investigation revealed that hackers placed malware on the self-checkout kiosks in stores nationwide, allowing the theft of customers' personal financial information, including names, payment card numbers, expiration dates, and security codes. The stolen information—estimated in the range of 56 million credit and debit card numbers—was then sold over the Internet.

As a result, financial institutions cancelled accounts and reissued the compromised payment cards, reimbursed their customers for fraudulent transactions, and incurred other expenses. More than 25 class action lawsuits were filed against Home Depot by financial institutions alleging that the company's failure to institute adequate data security measures caused their losses.

The litigation was consolidated and after some motions and discovery, the parties managed to reach a deal.

Pursuant to the settlement, Home Depot promised to pay $25 million into a non-reversionary fund to be distributed to class members, which included banks and credit unions in the United States that issued any payment card identified as having been at risk as a result of the data breach and that did not release their claims. Class members that file a valid claim will receive a "fixed payment award" estimated to be $2 per compromised card, without having to prove their losses and regardless of the amount of compensation they already have received from another source.

Those class members that submit proof of their losses and the compensation they already received, if any, are eligible for an additional "documented damages award" from the fund of up to 60 percent of their uncompensated losses from the data breach.

Home Depot previously obtained releases from some MasterCard and Visa issuers, paying out $14.5 million in premiums on top of more than $140 million in payments to the larger issuers under the card brand recovery processes.

A separate $2.25 million will be provided by Home Depot to sponsored entities whose claims were released by their sponsor in connection with MasterCard's Account Data Compromise program. Eligible entities will be entitled to $2 per compromised card.

In addition to the monetary payment, Home Depot agreed to implement new data security measures. For a period of at least two years, the company will "design and implement reasonable safeguards to manage the risks identified through its data security risk assessments," tracking and managing its assessments utilizing a risk exception process involving Home Depot leadership and reviewed on a periodic basis.

The company will implement an appropriate industry recognized security control framework and develop and use reasonable steps to select and retain information technology vendors capable of maintaining appropriate security, conducting assessments to ensure that vendors with access to payment card information comply with Home Depot's security practices.

Home Depot also accepted responsibility for the costs of settlement administration and class counsel fees separate from the settlement fund.

Arguing in support of granting preliminary approval of the deal, the plaintiffs said the terms were within reason and compared favorably with settlements in similar data breach cases.

To read the memorandum of law in support of the plaintiffs' unopposed motion for preliminary approval of class action settlement in In re: The Home Depot, Inc., Customer Data Security Breach Litigation, click here.

U.S. District Court Judge Thomas W. Thrash granted preliminary approval to the deal. A final hearing on the settlement is set for September.

Why it matters

Aside from the settlement confirming a consistent level of potential financial recoveries for banks refusing to accept the amounts recoverable through the Card Networks, the obligation to implement new security measures—while not unexpected after a breach—also establishes a precedent as to commitments that may be expected of merchants in future cases.


CFPB Proposes Delay for Prepaid Rule

In Consumer Financial Protection Bureau (CFPB) news that even opponents praised, the Bureau proposed a six-month delay in the effective date of the final prepaid accounts rule.

What happened

In October 2016, the CFPB finalized the Prepaid Rule, which imposed significant new requirements for prepaid accounts under Regulation E issued under the Electronic Fund Transfer Act as well as Regulation Z implementing the Truth in Lending Act. Initially proposed in November 2014, the Prepaid Rule was intended to "fill key gaps" for consumers with regard to prepaid products.

Pursuant to the Rule, providers of prepaid products—broadly defined to include payroll card accounts, government benefit accounts, student financial aid disbursement cards and tax refund cards, among others—must protect consumers against fraud and theft, with liability limited to $50 where a consumer promptly notifies the institution of theft.

In addition, providers must give consumers free and easy access to product information (by phone, online, or in writing upon request), work with consumers to investigate any errors on covered products (with provisional credit for the dispute during the course of the investigation), and add "Know Before You Owe" prepaid disclosures to highlight key costs associated with the product prior to use, including periodic fees, balance inquiry fees, or fees for inactivity.

Prepaid cards must also adopt certain protections provided to credit cards such as monthly account statements, consideration of whether a consumer has the ability to repay the debt before offering credit, and limits on late fees, to achieve compliance with the new Rule.

As it currently stands, the Prepaid Rule is set to take effect on October 1, 2017. While the CFPB has taken steps toward enforcement—releasing guidance for participants in the prepaid card space—the Rule has also been the subject of challenges by critics, with legislators filing joint resolutions to initiate the process to nullify the Prepaid Rule via the Congressional Review Act.

With the joint resolutions pending, the CFPB proposed a six-month delay of the effective date for the Rule until April 1, 2018. Some industry participants have expressed concern about difficulties complying with certain provisions of the Prepaid Rule in time for the original date, the Bureau said, seeking comment on the proposed extension.

Through efforts to support industry implementation, the Bureau said it learned that some industry participants feel the need to pull and replace non-compliant packaging to ensure compliance at both the state and federal level and are uncertain about the production capacity of packaging manufacturers and other supply chain limitations due to increased demand leading up to October 1.

Other industry members have shared with the CFPB "unanticipated complexities arising from the interaction of certain aspects of the Rule with certain business models and practices" that were not fully addressed during the comment period.

In response to the industry's concerns, the CFPB proposed to extend the effective date for an additional six months. "In particular, a six-month extension would both allow more time for package printing and allow pull-and-replace processes at retail locations to occur after the winter holiday season, which is a particularly busy time for retailers," the Bureau noted.

In addition to providing more time for compliance, delaying the date "will allow the Bureau to more closely evaluate concerns raised by industry participants regarding certain substantive aspects of the Prepaid Accounts Final Rule," the CFPB said. If the Bureau determines that amendments to the substantive portions of the Rule are warranted, it will do so through a separate rulemaking and provide an opportunity for comment.

To access the CFPB's proposal, click here.

Why it matters

"The Bureau continues to believe that the Prepaid Accounts Final Rule will provide significant benefits to consumers and that, therefore, expeditious implementation remains essential to provide comprehensive consumer protections to users of prepaid accounts," the CFPB wrote in its proposal for the extension. Not everyone agrees. While some critics praised the extension (Rep. Scott Tipton (R-Colo.) said he was "pleased" the Bureau considered the concerns raised by industry and legislators), others felt the extra time wasn't enough. "[T]he CFPB should scrap this rule altogether," Sen. David Perdue (R-Ga.), who introduced a joint resolution to nullify the Rule, said in a statement. "From its initial stages, this rule was shortsighted and so sweeping that it would have stifled innovation in a growing marketplace millions of consumers rely on."


Payday Lenders Can't Halt Operation Choke Point, Court Rules

A federal judge in the District of Columbia denied a request for injunctive relief sought by a group of payday lenders allegedly affected by the Department of Justice's (DOJ) controversial Operation Choke Point.

What happened

A payday lender filed suit against the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC), among others, accusing these defendants of violating its right to due process under the Fifth Amendment of the United States Constitution.

Joined by several other payday lenders, the suit alleged that the financial regulators participated in a campaign to force banks to terminate their business relationships with the plaintiffs. Known as Operation Choke Point, the campaign included regulatory guidance regarding reputation risk promulgated by the defendants, who later relied upon that guidance "as the fulcrum for a campaign of backroom regulatory pressure seeking to coerce banks to terminate longstanding, mutually beneficial relationships with all payday lenders," according to the plaintiffs' complaint.

The plaintiffs filed a motion for preliminary injunction to halt the financial regulators from harming the plaintiffs' reputation, applying informal pressure to banks to encourage them to terminate business relationships with the plaintiffs, seeking to deny the plaintiffs' access to financial services, and attempting to deprive plaintiffs of their ability to pursue their line of business.

Determining that the plaintiffs could not satisfy the necessary elements of their due process claim and thus demonstrate a likelihood of success on the merits, Judge Kessler denied plaintiffs' motion. According to the court, the plaintiffs were required to show that, in addition to reputational harm, the government has deprived them of some benefit to which they have a legal right or that the government-imposed stigma is so severe that it "broadly precludes" them from pursuing their chosen trade or business.

"Plaintiffs' submissions do not establish a likelihood of success on the merits—or even a 'serious legal question' on the merits," the court said.

First, the court held that plaintiffs could succeed on their claim by showing that the defendants deprived them of their right to hold a bank account. However, it was insufficient for the payday lenders to show that "merely some" bank accounts have been terminated, the court explained, as "in order to demonstrate a change in legal status, each Plaintiff must show that it has had so many bank accounts and banking relationships terminated it has effectively been cut off from the banking system."

According to the court, while the evidence submitted by the plaintiffs demonstrated that their relationships with some banks had been terminated, plaintiffs failed to demonstrate that any of them had been cut off from the banking system by effectively being denied a right to hold a bank account or access the banking system.

Second, the court held that the plaintiffs could succeed on their claims by showing that the continued loss of banking relationships, caused by Operation Choke Point, "may preclude them from pursuing their chosen line of business." However, again according to the court, the evidence submitted did not establish that plaintiffs had been put out of business.

For example, the payday lender told the court that it received termination notices from 21 banks since 2013. But the company did not indicate how many banks it continues to have accounts or business relationships with, leaving the court unable to conclude that it has been "cut off" from the system. "In sum, the fairest reading of Plaintiffs' submissions is that, presently, they do have a right to hold bank accounts and otherwise access the banking system," the court wrote.

The payday lender also did not submit financial statements or analyses showing that the terminations have harmed their bottom line and at oral argument, one plaintiff agreed that the company has been profitable in some years since 2013, the court concluded. "Plaintiffs remain in business and therefore cannot show that they have been broadly precluded from the payday lending industry."

Further, in response to plaintiffs' arguments that their due process rights will be violated in the near future if Operation Choke Point continues unabated, Judge Kessler held that plaintiffs' evidence was too "speculative and conclusory" to justify an injunction. "[T]he fact that some discrete number of banks refuse to transact with [the payday lender] tells us almost nothing about how many banks remain willing to transact with payday lenders," she said. What the submissions do make clear is that "there are some banks that are still willing to do business with payday lenders, including Plaintiffs."

The evidence submitted also demonstrated that many of the payday lenders have experienced similar terminations in the past but have still been able to find new banks willing to do business with them, the court noted, which "undercuts Plaintiffs' assertions that they will be unable to replace the accounts that are about to be terminated."

Next, while the court held that to succeed on the merits, plaintiffs must ultimately prove that the defendants made stigmatizing statements about them that "caused banks to terminate their business relationships with Plaintiffs," Plaintiffs had not demonstrated that they are likely to succeed in proving the "wide-ranging campaign of backroom strong-arming" by the defendants. Judge Kessler found that the plaintiffs introduced "only a few scattered statements in which Federal Defendants may have pressured a small number of banks to discontinue their relationships with specific payday lenders," but failed to link these statements to the terminations of bank relationships. Other evidence was hearsay—in some cases, "anonymous double hearsay"—which the court found of little persuasive value, or contradicted by sworn statements of defendants' employees.

Moreover, the one piece of direct, uncontroverted evidence of a regulator seeming to pressure a bank to terminate a relationship with a payday lender did not contain any impermissibly stigmatic statements, rather "appears based on FDIC's permissible concerns regarding a particular payday lender's business practices," the court added.

Although the court held that a violation of plaintiffs' right to due process is irreparable, plaintiffs' failure to carry their burden and demonstrate either a likelihood of success on the merits or that issuance of a preliminary injunction would be in the public interest warranted a denial of the injunction request.

To access the memorandum opinion in, click here.

Why it matters

The Court found the evidence submitted by the payday lenders lacking not just in its sufficiency but in context as well, writing that without information such as a baseline number of how many banks the plaintiffs continue to have a relationship with or financial statements to demonstrate a decrease in profits due to the relationship terminations, the payday lenders failed to carry their burden of proving the likelihood of success on the merits. Undeterred, the plaintiffs have already asked the U.S. Court of Appeals for the D.C. Circuit to review the case.


Mortgage Lender Hit With Record HMDA Penalty

In the Consumer Financial Protection Bureau's (CFPB) largest Home Mortgage Disclosure Act (HMDA) penalty to date, the Bureau hit a major mortgage servicer with a $1.75 million penalty for allegedly failing to report accurate data about mortgage transactions over a two-year period.

What happened

The mortgage servicer—a nonbank mortgage lender—has almost 3 million customers in the mortgage servicing and origination markets. It earns its fees through servicing, origination, and other real estate-based services.

According to the CFPB allegations, the company "consistently" failed to report accurate data about mortgage transactions from 2012 to 2014, in alleged violation of the HMDA. The 1975 statute requires that mortgage lenders collect data about their mortgage lending, report it to the appropriate federal agencies, and make it available to the public.

During its supervision process, however, the Bureau claims it found that the servicer's compliance systems were flawed and generated mortgage lending data with "significant, preventable errors." Because the company failed to consistently define data among its various lines of business, it produced discrepancies, the CFPB alleges.

These problems occurred after a history of HMDA non-compliance, the Bureau claimed. The same servicer reached a settlement with the Massachusetts Division of Banks in 2011 to address HMDA compliance deficiencies (a deal that included a $25,000 payment). Despite this, the CFPB alleged that samples showed "substantial" error rates in three consecutive reporting years after that settlement: 13 percent in 2012, 33 percent in 2013, and 21 percent in 2014.

To settle the CFPB's charges, the servicer agreed to a consent order requiring the company to pay a $1.75 million penalty—the largest the Bureau has ordered to date for violations of the HMDA—and change its practices.

Although the CFPB acknowledges that the company has already taken steps to further its compliance and increase accuracy since the Bureau's examination, the CFPB has nonetheless directed the servicer to develop and implement an effective HMDA compliance management system, undertaking any necessary improvement to prevent future violations. In addition, the servicer was directed to review, correct, and make available the corrected HMDA data for the applicable time period between 2012 and 2014.

To access the consent order, click here.

Why it matters

Once again, the CFPB is using enforcement actions as a substitute for legitimate rulemaking. Here, in a warning to others that may have more significant operations, the CFPB reached its record-setting HMDA civil penalty based on the servicer's market size, the alleged "substantial magnitude of its errors," and the company's alleged history of previous violations, the CFPB said. Despite little evidence that the servicer was a true recidivist, Director Cordray insisted that "[f]inancial institutions that violate the law repeatedly and substantially are not making serious enough efforts to report accurate information." The action "send[s] a strong reminder that HMDA serves important purposes for many stakeholders in the mortgage market, and those required to report this information must make more careful efforts to follow the law."
