Consumer Financial Services Law

The Last of Obama-Era CFPB Enforcement?

Making the most of its enforcement powers before the new administration takes over, and likely concerned that its days as a stand-alone bureau may be coming to an end, the Consumer Financial Protection Bureau (CFPB) took action against entities ranging from Virginia pawnbrokers to national lender Moneytree, Inc. to two of the nation's largest credit bureaus, while still finding time to launch a new tool to monitor developments in consumer lending.

What happened

In December, the CFPB filed four complaints in Virginia federal court against Spotsylvania Gold & Pawn, Inc., Fredericksburg Pawn, Inc., Pawn U.S.A., Inc., and A to Z Pawn, Inc. The CFPB claims that all four defendants violated the Truth in Lending Act as well as the Dodd-Frank Wall Street Reform and Consumer Protection Act's ban on unfair, deceptive, or abusive acts or practices by misstating the charges associated with pawn loans.

The defendants, say the CFPB, disclosed only a low annual percentage rate (APR) that did not reflect a host of other fees added on to the loans, such as "appraisal," "interest," "storage," or "setup," in some cases understating the true annual percentage by half of the actual cost.

Each of the suits requests a halt to the allegedly illegal practices as well as penalties and restitution for the thousands of impacted consumers.

"When consumers take out a loan, they are entitled to know the actual cost," CFPB Director Richard Cordray said in a statement. "We are taking action … against pawnbrokers that deceived consumers about these costs, and we will work to make sure they stop violating the law and provide relief for consumers who were wronged."

In another enforcement action, the CFPB filed an administrative complaint against Moneytree, Inc., a Washington-based financial services company offering payday loans and check cashing, among other services, challenging the company's online advertisements and collection letters as deceptive. Advertisements for the company's check-cashing services tricked consumers about the true cost, the CFPB asserted, with an ad in early 2015 offering to cash consumers' tax refund checks for "1.99." The actual fee was 1.99 percent of the amount of the check cashed, not $1.99, despite what the ad implied, the Bureau said.

The CFPB alleges that consumers were also misled by letters sent from late 2014 through early 2015 indicating that their vehicles could be repossessed if they failed to make past-due payments on their installment loans—even though none of the consumers had loans secured by the vehicles. Moneytree further allegedly violated federal law by making unauthorized electronic transfers from consumers' bank accounts more than 700 times.

The complaint was supposedly triggered by multiple supervisory examinations during which the CFPB identified what it characterized as "significant weaknesses" in the company's compliance-management systems with regard to lending, marketing, and collections activities.

The CFPB ordered Moneytree to pay $255,000 in redress to consumers who allegedly: (1) paid more than the company advertised for its check-cashing service, (2) received one or more of the deceptive collection letters, or (3) were charged fees by financial institutions when Moneytree withdrew electronic fund payments without proper authorization.

In addition, the company must cease its deceptive practices and obtain proper authorization for any electronic fund transfers, as well as pay a $250,000 civil penalty.

A third CFPB action resulted from a three-year investigation into allegations that two of the three major credit bureaus duped consumers about the usefulness and actual cost of credit scores. The CFPB claims that both companies likewise made false promises about credit-related products to enroll consumers in recurring monthly fees. The credit bureaus will pay $23.5 million to settle the charges.

As our readers know, credit reporting agencies collect credit information (including a borrower's debt load, payment history, and maximum credit limits) to generate credit reports and scores. The companies also market, sell, and provide credit-related products directly to consumers, such as credit monitoring.

One of these companies utilized a scoring model from a third party vendor while the other sold consumers scores based on its proprietary model. But, says the CFPB, neither score was typically used for credit decisions even though both companies allegedly marketed them as serving that purpose. The CFPB claims that the two companies ran afoul of Dodd-Frank by falsely representing that the credit scores marketed and sold to consumers were in fact the same scores lenders used to make credit decisions.

In addition, both companies allegedly tricked consumers by claiming that their credit scores and credit-related products were free or nearly free. But while consumers received a free trial lasting seven or 30 days, they were then enrolled, says the CFPB, in a subscription plan that included a recurring monthly fee. The CFPB alleges that the use of the negative option billing structure was not clearly and conspicuously disclosed to consumers.

Pursuant to consent orders, the credit bureaus must pay a total of $17.6 million in restitution to consumers, with one entity contributing $13.9 million and the other on the hook for about $3.8 million. Civil penalties will cost a total of $5.5 million.

Going forward, the CFPB has ordered both companies to represent more accurately the usefulness of the credit scores they sell, obtain the express informed consent of consumers before enrolling them in any credit-related product with a negative option feature, and provide consumers with a simple, easy-to-understand way to cancel the purchase of credit-related products.

Industry Tool—Finally, taking a break from enforcement efforts, the CFPB released a new tool that the agency says will allow both industry and consumers to monitor developments in consumer lending and forecast potential future risks.

The web-based Consumer Credit Trends currently covers the mortgage, credit card, auto loan, and student loan markets and will "help us identify and act on trends that warn of another crisis or show that credit is too constricted," Bureau Director Richard Cordray explained. The CFPB intends to add other consumer credit products and information on credit applications, delinquency rates, and consumer debt levels.

For example, the first release from the tool noted a "sharp uptick" in mortgage originations from August to October (up almost 50 percent over the same period in 2015) as well as growth in credit card lending to lower-income consumers (an increase of about 14.2 percent over the prior year), with a slowdown of new student loans (a reduction of 1.3 percent) and fewer auto loans to borrowers with lower credit scores (a decrease of 0.5 percent).

Information will be updated on a regular basis, the CFPB said, with analyses on "notable findings" as warranted and providing "a starting point for deeper analysis" by the CFPB and others.

To read the complaints against the Virginia pawnbrokers, click here.

To read the consent order in In the Matter of Moneytree, Inc., click here.

To read the consent orders in the actions against the credit bureaus, click here.

To access the Consumer Credit Trends tool, click here.

Why it matters

This could be the last we hear from the CFPB not related to its reinvention by the new administration and Congress. The CFPB wasted no time in the final weeks of the Obama presidency with several enforcement actions and the launch of its new Consumer Credit Trends tool.

back to top

Important Banking Development From California Courts

Courts in California delivered some important banking developments in two recent decisions, with a federal court finding a charge for failing to replenish an overdrawn account constituted interest while the state's highest court dealt a blow to tribal immunity for payday lenders.

What happened

In 2003, the California legislature enacted the California Deferred Deposit Transaction Law regulating payday lending, placing limits on the size of each loan and the fees that payday lenders may charge. In response, some payday lenders sought affiliation with federally recognized Indian tribes which are generally immune from suit on the basis of tribal sovereign immunity.

Three years later, the California Department of Business Oversight (DBO) (at the time known as the Department of Corporations) issued desist and refrain orders to various online deferred deposit lenders, including the Miami Nation Enterprises (MNE) Services and SFS, Inc., arms of two federally recognized tribes, the Miami Tribe of Oklahoma and the Santee Sioux Nation.

The Commissioner directed the recipients to cease "engaging in unlicensed deferred deposit transaction business." When the defendants did not heed the order, the Department filed suit in California state court seeking injunctive relief, restitution, and civil penalties. MNE Services and SFS moved to quash service of the complaints based on lack of jurisdiction, arguing that they were immune from suit.

After conducting discovery regarding the relationship among the tribes, their subsidiary business entities, and the online deferred deposit lenders to determine whether the lenders were sufficiently related to the tribes to benefit from the application of sovereign immunity, the trial court granted the motion to quash. An appellate court affirmed and the Commissioner appealed to the California Supreme Court.

The state's highest court first established the legal standard and burden of proof for determining arm-of-the-tribe immunity. An entity asserting immunity bears the burden of showing by a preponderance of the evidence that it is an "arm of the tribe" entitled to such immunity, the court said, and courts should apply a five-factor test that considers: "(1) the entity's method of creation, (2) whether the tribe intended the entity to share in its immunity, (3) the entity's purpose, (4) the tribe's control over the entity, and (5) the financial relationship between the tribe and the entity."

These factors incorporate the understanding that tribal immunity should extend to arms of the tribe when such immunity would further the federal policy of tribal self-governance as a practical matter, the court emphasized, cautioning that tribal immunity should not become "a doctrine of form over substance," and courts need to "carefully examine how such arrangements function as a practical matter."

Applying the standard to MNE Services and SFS, the court reversed the order to quash, finding the lower courts gave "inordinate weight" to the formal considerations and not enough consideration of the actual relationship between the tribes and the entities.

"The record reveals a nominally close relationship between SFS and the Santee Sioux, and between MNE Services and the Miami Tribe," the unanimous California Supreme Court wrote. "But it contains scant evidence that either tribe actually controls, oversees, or significantly benefits from the underlying business operations of the online lenders. On the record before us … we are unable to conclude that defendants have carried their burden of showing that a denial of immunity would appreciably impair either tribe's economic development, cultural autonomy, or self-governance."

While the tribes' subsidiary entities were created pursuant to tribal law and the tribes expressed their intent to extend tribal immunity to the entities, both companies relied heavily on outsiders to manage their online payday lending businesses since those businesses were founded, the court said.

For example, both SFS and MNE Services contracted with a company investigated by the Federal Trade Commission (FTC). The FTC found that the third party company signed every single check for the payday lending business, more than 10,000, with none signed by members of the tribe. In addition, the bulk of the operations were conducted in Kansas, outside the boundaries of either tribe. And most significant, "neither SFS nor MNE Services has stated with clarity the proportion of profits from the lending operations that flow to the tribes or the proportion of tribal revenue that those profits comprise," the court wrote. "Moreover, there is evidence to suggest that the economic benefit to the tribes of the various lending businesses is minimal."

Reversing the order to quash, the court remanded the case to the trial court.

In a second case, a California federal court judge added to banking law in the state by determining that the fees charged to consumers for failing to replenish an overdrawn account constituted interest.

Joanne Farrell wrote checks against insufficient funds in her checking account. Pursuant to the terms of the Deposit Agreement, the bank charged her a $35 fee for not having sufficient funds. The Agreement also provided the bank with discretion as to whether to honor an overdrawn check and in the event it does so, the deposit account holder is obligated to pay back the bank's advance and any fees incurred.

Failure to do so within five days triggers an extended charge, an amount levied as a percentage of the negative account balance. Farrell claimed that the extended charge exceeded the interest rate permitted by Section 85 of the National Banking Act (NBA) and filed a putative class action in California federal court. Her $35 extended balance charge for the $284.86 overdraft she did not restore for 13 days represented an annualized interest rate between 897 percent and 71,170 percent, she claimed.

The bank moved to dismiss, arguing that the extended charge was not interest but an authorized deposit account service charge.

The court had no trouble finding that the initial $35 charge did not constitute interest, as it involved no extension of credit and was charged by the bank regardless of whether or not it honored an overdraft check. "[T]he Initial Charge seems to be more of a 'fee that the bank charges for its deposit account services' than it is a fee in consideration for the extension of credit," U.S. District Court Judge M. James Lorenz wrote.

But the extended charge should be treated differently, he concluded, for four different reasons. First, substantive differences existed between the initial charge and the extended charge, as "the Bank levies the Extended Fee only if it did in fact advance funds to cover an overdraft," the court said. "This suggests that the Extended Fee, unlike the Initial Fee, is more of a charge in consideration for the time value of money."

Simply because the extended charge was a flat fee did not remove it from the definition of interest, the court added, and neither did the contingent nature of the extended charge. Although the bank argued that customers had "complete control" over whether to pay the overdrawn balance before triggering the extended charge and therefore the bank could not know whether the ultimate rate on any given account would exceed the interest ceiling provided by law, the court did not find this position persuasive.

In Smiley v. Citibank, the U.S. Supreme Court ruled that a $15 fee levied for failure to timely pay a credit card bill constituted interest under Section 85 of the NBA, Judge Lorenz noted, and he saw "no reason to distinguish between the contingent nature of the fee at issue in Smiley and the Extended Charge at issue here."

Finally, the court rejected a contention that a fee arising from a deposit agreement (rather than a more classical credit arrangement) was per se not interest. A transaction governed by a deposit agreement can still be a credit transaction, the judge wrote, because when the depositor's account stands at a negative value as the result of overdraft coverage, the deposit account holder is necessarily a debtor and the bank the creditor.

"As a matter of plain language, 'the provision of money, goods, or services with the expectation of future payment' amounts to an extension of credit," Judge Lorenz wrote, citing the Merriam-Webster Dictionary. "Here, the Bank provided money to cover Plaintiff's bad check and did so with the expectation that [s]he pay them back. It follows that this provision of money amounted to an 'extension of credit.'"

This interpretation found support in Regulation O, the court added, which provides that "an advance by means of an overdraft …" is an extension of credit.

"Plaintiff's complaint alleges that the purpose of the Extended Charges is to compensate the bank for this extension of credit," the court said. "Construing this allegation as true, the Court finds Plaintiff has adequately alleged that the Extended Charge constitutes 'interest' under [Section 85]. The Court therefore denies Defendant's Motion to Dismiss."

To read the decision in People v. Miami National Enterprises, click here.

To read the order in Farrell v. Bank of America, click here.

Why it matters

The California Supreme Court's opinion establishes how arm-of-the-tribe sovereign immunity should be considered by the courts, taking a practical approach to focus on the day-to-day operations of entities affiliated with federally recognized tribes and relying less heavily on formal considerations. The ruling may affect entities attempting the "rent-a-tribe" strategy to circumvent regulatory authority, as noted by DBO Commissioner Jan Lynn Owen. "This ruling is an important win for California's payday loan consumers," she said in a statement about the decision. "It strengthens our ability to enforce laws prohibiting excessive fees and unlicensed activity by denying payday lenders' ability to inappropriately use tribes' sovereign immunity to avoid complying with state law." As for the Farrell case, the decision creates a split among district courts to consider the question. Three other federal courts (in Florida, Oklahoma, and South Carolina) have concluded extended charges do not constitute interest under Section 85, which split ultimately may be resolved at the appellate court level.

back to top

New York's DFS Tweaks Proposed Cybersecurity Regulations

The New York Department of Financial Services (DFS) rang in the New Year by releasing changes to the agency's proposed cybersecurity regulations.

What happened

On December 28, 2016, as the result of extensive feedback from stakeholders, the DFS issued a modified proposal for its first-in-the-nation cybersecurity regulations for banks, insurance companies, and other financial services institutions under its jurisdiction. The updated proposed regulations, titled "Cybersecurity Requirements for Financial Services Companies," is now set to take effect on March 1, 2017 rather than the previously targeted effective date of January 1, 2017.

In September, the DFS had proposed the regulations to address the continuing threats posed by cybercriminals.

The regulations required covered entities to assess their specific risk profile and design a program that is "designed to ensure the confidentiality, integrity and availability" of the entity's information systems and "nonpublic information," including any business-related information, information provided to a covered entity, healthcare information, and personally identifiable information.

Also mandated: a cybersecurity policy covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls and the designation of a Chief Information Security Officer (CISO), with that officer or another member of senior management obligated to file an annual certification with the DFS that confirms compliance with the regulation.

The regulation was due to take effect on January 1, 2017. But after receiving more than 150 comments on the initial proposal and listening to testimony at a hearing before the State Assembly (where witnesses expressed concern about reporting requirements, the cost of compliance, and the one-size-fits-all nature of the regulation), the DFS pushed back the effective date with staggered implementation of compliance requirements.

The regulator also published a modified proposal.

Changes to the initial proposal included the addition of a definition of a "Third-Party Service Provider" and a modification to the definition of "Nonpublic Information" to achieve consistency with the definition of "private information" found in New York's existing data breach notification law.

The regulator explained that several items included in the required cybersecurity policy (such as encryption requirements and the use of multi-factor authentication for employees accessing internal databases) were not black-and-white mandates, but should be based on the institution's risk assessment. The DFS noted that the risk assessment could not be used to justify a cost-benefit analysis of "acceptable losses" to cybersecurity risks, however. The frequency of risk assessment was also tweaked to have them performed periodically rather than annually.

The modified proposal also features clarifications about the CISO position. The officer does not have to be a new hire or an individual dedicated solely to CISO activities, DFS said, and can be employed by an affiliate of the covered entity or by a service provider.

The covered entity's obligation to maintain audit trails is now limited to cybersecurity events "that have a reasonable likelihood of materially harming any material part of the normal operations," and DFS amended the regulation to explain that the requirements placed on third-party service providers should be based on the covered entity's risk assessment, not a separate audit of the third party.

The regulator also attempted to establish limited exemptions. For example, the regulation would not cover "small" covered entities—defined as those with less than 10 employees and independent contractors, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets—as well as covered entities that do not "control, generate, or receive nonpublic information."

"New Yorkers must be confident that the banks, insurance companies and other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information," DFS Superintendent Maria T. Vullo said in a statement. "This updated proposal allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats."

Stakeholders and interested parties have 30 days to comment on the modified proposal. The regulations will then become final and take effect March 1, 2017. A 180-day period to achieve compliance will occur, with additional periods of 12, 18, or 24 months for compliance attached to specific provisions of the regulation.

Why it matters

The revised DFS regulation reflects the need for flexibility by relaxing some of the more stringent requirements found in the initial proposal, allowing covered entities to adopt a program and policy more attuned to their specific size and risk category. The adjustments remind observers that cybersecurity regulation in the U.S. remains an industry-specific and predominantly self-regulated enterprise. That being said, many covered entities will still need to take significant steps to comply with the new regulation. Cybersecurity should be a top-of-mind concern for financial institutions, as evidenced not only by the forthcoming DFS regulation but the efforts of other regulators as well, such as the $14.4 million in fines recently issued by the Financial Industry Regulatory Authority for data security failures (see story above for more details).

back to top



pursuant to New York DR 2-101(f)

© 2022 Manatt, Phelps & Phillips, LLP.

All rights reserved