Financial Services Law

California Court Upholds CFPB’s Constitutionality, Request for CID

By Charles E. Washburn Jr., Partner, Financial Services

Taking the opposite approach from recent decisions of the U.S. Court of Appeals for the D.C. Circuit, a California federal court upheld the constitutionality of the Consumer Financial Protection Bureau while also ordering the defendant to comply with a civil investigative demand issued by the Bureau.

What happened

In November 2016, the CFPB served a CID on a company—already the subject of several investigations by state regulators in California, Iowa, Massachusetts, New York, North Carolina and Washington, as well as a lawsuit filed by the city of Los Angeles—that purchases and sells income streams.

The CFPB explained that the purpose of its investigation was “to determine whether financial-services companies or other persons have engaged or are engaging in unlawful acts and practices in connection with offering or providing extensions of credit or financial advisory services related to transactions involving pensions, annuities, settlements, or other future-income streams in violation of Sections 1031 and 1036 of the Consumer Financial Protection Act of 2010 or any other Federal consumer-financial law. The purpose of this investigation is also to determine whether Bureau action to obtain legal or equitable relief would be in the public interest.”

In total, the Bureau subjected the company to nine interrogatories, two requests for written reports, and ten requests for documents seeking information regarding its structure, investors, marketing, business relationships, bank accounts, collection efforts, financial records, involvement in other government investigations and income-stream-advance transactions.

After the company’s petition to set aside the CID was denied by the CFPB, it filed suit in D.C. federal court to enjoin the Bureau from taking any adverse action against it. The CFPB responded with its own action, asking a California federal court to enforce the CID. The company offered three reasons not to enforce the CID: it sought information outside the Bureau’s jurisdiction, it was overbroad and the CFPB is structurally unconstitutional.

U.S. District Court Judge Josephine L. Staton rejected each argument in turn.

First tackling the limits of the Bureau’s jurisdiction, the court said future-income-stream products could fall within its borders. The company contended that future income streams are not a consumer financial product or service, but “this argument really invites a fact-intensive inquiry into whether the company’s products qualify as loans under the Truth in Lending Act,” the court wrote. Because this “challenge concerns the ‘coverage’ of the applicable consumer financial statutes and the company’s compliance with the law, it cannot raise this issue to prevent enforcement of the CFPB’s administrative subpoena.”

The court also noted that “at least six state regulators and the City of Los Angeles” have found that the products at issue “do constitute loans,” which provides “some ‘plausible’ ground for jurisdiction” over the company’s income-stream-advance transactions.

Turning to the scope of the CID, Judge Staton disagreed with the company that it was overbroad or imposed an undue burden. Nor did the Bureau’s request require the company to provide information outside its possession, custody or control, the court said.

While the CID broadly defined “Company,” “you” and “your,” it also contained an instruction stating: “[t]his CID covers materials and information in your possession, custody, or control, including but not limited to documents in the possession, custody, or control of your attorneys, accountants, other agents or consultants, directors, officers and employees.”

This instruction properly limited the CID, the court said, and yet left the definition broad enough to cover the “complex web of legal entities” through which the defendant operates. “The CFPB convincingly argues that, to avoid [the company] potentially evading compliance with the CID through this network of legal entities, the administrative subpoena must sweep broadly to include information held by the persons and entities identified in the CID’s definition of ‘Company,’ ‘you,’ or ‘your,’ insofar as that information is within [the company’s] possession, custody, or control.”

The CID was neither temporally overbroad nor did it seek irrelevant information, the judge determined. Both challenged requests—a written report and an interrogatory requesting financial data relating to income-stream-advance transactions and bank accounts “held in the name of or for the benefit of the Company”—are “highly relevant to whether it or other entities have engaged in illegal practices,” the court wrote.

Any argument that the CID imposed an undue burden failed for lack of evidence, Judge Staton added. Although the company highlighted the CFPB’s request for “all” of certain types of documents, “crucially absent from [the company’s] opposition is any evidence showing that the administrative subpoena imposes an undue burden, such as a declaration specifying the estimated cost of compliance, the effect of compliance on [the company’s] operations, the number of responsive documents, or some other indication of the burden of complying. [The company’s] bald assertions that compliance would result in ‘significant business consequences’ do not establish an undue burden.”

The court then turned to the question of the CFPB’s constitutionality. The CFPB’s for-cause removal protection does not run afoul of the Constitution because it does not interfere with the President’s exercise of the executive power and appointed duty to take care that the laws be faithfully executed, the court said.

Judge Staton was not persuaded that the single-director structure of the Bureau was any less valid than an agency headed by a commission. There are at least three other active government agencies that share the CFPB’s structure (the Social Security Administration, the Office of Special Counsel and the Federal Housing Financial Agency, with the Office of the Comptroller of the Currency a likely fourth) and the distinction between multimember boards and directors is “overly simplistic,” she wrote.

Congress devised many tools to ensure the Bureau remains accountable, the court added, including annual audits by the Government Accountability Office, a capped budget from the Federal Reserve System, and the power of the Financial Stability Oversight Council to stay or override its rules.

“At bottom, whether to structure an independent agency as a multimember or director-led body depends on the proper weighing of the advantages and drawbacks of each structure,” Judge Staton wrote. “But neither the text of the Constitution nor any Supreme Court precedent supports drawing a constitutional distinction between multimember and director-led independent agencies, so the question is properly reserved for the political branches and the democratic process.”

Even if the CFPB director’s for-cause removal protection were unconstitutional, the CID should still be enforced, the court found. Congress has granted every director-run independent agency the power to issue administrative subpoenas, and a “finding that the CFPB cannot exercise the subpoena power would logically preclude these other agencies from exercising their statutory authority as well,” the court said.

Granting the CFPB’s petition to enforce the CID, Judge Staton ordered the defendant to comply within 15 days.

To read the order, click here.

Why it matters

The California court’s order stands in stark contrast to an opinion from the D.C. Circuit decided in April. In that case, the panel refused to enforce a CID issued by the Bureau to a nonprofit organization that accredits for-profit colleges in the United States and reminded the agency of the limits of its enforcement powers. The panel further described the CID’s Notification of Purpose as “perfunctory” at best and said the Bureau failed to provide the defendant with sufficient notice as to the nature of the conduct and the alleged violation under investigation. Given the range of court reactions to enforcement of CFPB CIDs, entities should carefully consider their response.

This decision also differs from that in the October 2016 decision by a three-judge panel of the D.C. Court of Appeals in PHH Corp. v CFPB, D.C. Cir., Case No. 15-cv-01177, which held that the structure of the CFPB was indeed unconstitutional. That decision is now being reconsidered by the D.C. Court of Appeals en banc, and oral arguments were heard on May 24.

back to top

CSBS Looks Forward With Vision 2020

By Craig D. Miller, Partner, Financial Services

Seeking to modernize the state regulation of nonbanks—and perhaps in response to the Office of the Comptroller of the Currency’s decision to grant fintech charters—the Conference of State Bank Supervisors announced its plans for Vision 2020.

What happened

Vision’s 2020’s series of initiatives “to modernize state regulation of non-banks, including financial technology firms,” hopes to yield a more efficient regulatory system that will better support startups and enable national scale, while protecting consumers and the financial system, the group explained.

Describing its efforts, the CSBS approved a policy statement: “CSBS, the states and territories will create consistent and data-driven solutions that support innovation by minimizing friction in the state regulatory system. By 2020, state regulators will adopt an integrated, 50-state licensing and supervisory system, leveraging technology and smart regulatory policy to transform the interaction between industry, regulators and consumers.”

The initial set of actions set forth by the CSBS and state regulators includes an update of the Nationwide Multistate Licensing System. This technological effort will redesign and expand NMLS, using data and analytics to provide a more automated licensing process for new applicants. It will also allow for more streamlined multistate regulation and shift state resources to higher risk cases, the CSBS said, as well as ensure transparency through NMLS Consumer Access.

Vision 2020 also involves the creation of working groups to establish model approaches to key aspects of nonbank supervision. The state regulators hope to harmonize multistate supervision by having the groups enhance uniformity in examinations, facilitate best practices, and capture and report nonbank violations at the national level. As part of the process, CSBS plans to create a common technology platform for state examinations.

To address the fintech industry, an advisory panel will be formed to identify “points of friction” in licensing and multistate regulation with an eye toward providing feedback to state efforts to modernize regulatory regimes. CSBS said the panel will focus on lending and money transmission, with a wide range of solutions on the table for discussion.

Education programs to help states become more effective in supervising both banks and nonbanks will be provided by CSBS as part of Vision 2020, with updated standards and analytics to help states determine where new expertise is most needed, identify and address weaknesses, update supervisory processes, and compare themselves with and learn from other state departments. “These higher standards will be validated through an enhanced CSBS accreditation program,” the group said.

Also on the agenda: making it easier for banks to provide services to nonbanks and supervision more efficient for third parties. CSBS intends to step up its efforts to address derisking “by increasing industry awareness that strong regulatory regimes exist for compliance with laws for money laundering, the Bank Secrecy Act, and cybersecurity.” In addition, the group supports federal legislation that would allow state and federal regulators to better coordinate supervision of bank third-party service providers.

“Together, these and other initiatives will help advance the vision for a more streamlined state regulatory system that supports business innovation, local and national economic growth, and essential protections for consumers and taxpayers,” the CSBS said.

To read the CSBS announcement, click here.

Why it matters

Further efforts by the CSBS to streamline the state licensing and regulatory process are ultimately designed to make state regulation just as attractive, if not more attractive, than OCC regulation for financial technology firms. This follows on the CSBS’ own challenge in D.C. federal court accusing the OCC of going “far beyond” the authority granted to it by Congress. “We are committed to a multi-state experience that is as seamless as possible,” CSBS Chairman and Texas Commissioner of Banking Charles G. Cooper said in a statement. “Through Vision 2020, state regulators will transform the licensing process, harmonize supervision, engage fintech companies, assist state banking departments, make it easier for banks to provide services to non-banks, and make supervision more efficient for third parties.”

back to top

State AGs Again Target Abuses Against Student Borrowers, Military

By Richard E. Gottlieb, Partner, Financial Services

Demonstrating the continuing enforcement activity by state attorneys general with respect to student lending and active servicemembers, the AGs in Massachusetts and New York recently obtained consent orders from, respectively, a student loan debt relief company and a residential leasing company.

What happened

In Massachusetts, Attorney General Maura Healey charged yet another student loan “debt relief” company with misleading consumers, this time with respect to the claim it was affiliated with the federal government as well as for charging illegal upfront fees.

This was the fourth in a series of enforcement actions brought against such companies in the commonwealth. The AG alleged that the company “conveyed a false association” with the U.S. Department of Education and its main loan program, known as the “Direct” loan program, by operating an entity dubbed “U.S. Direct Student Loan Services.”

This particular settlement was small: To settle the charges, the company agreed to refund 18 borrowers a total of $6,500, discontinue providing student loan services to Massachusetts residents, and refrain from selling or disseminating the information of loan customers in the state. That said, the deal brings the AG’s total recovery in her efforts against student loan debt relief companies to more than $260,000. Previous cases involved a company that was required to reform its business practices and refund $160,000 to more than 400 customers in September 2016 as well as a pair of lenders that settled with the AG in November 2015 for $96,000 over allegedly unfair and deceptive practices.

“In the middle of this student loan debt crisis, a host of fly-by-night ‘debt relief’ companies have cropped up to exploit struggling borrowers,” AG Healey said in a statement. “These companies falsely imply that they work for the federal government or that fees are required to enroll in a more affordable repayment plan or get out of default. We want to make sure that federal student loan borrowers realize that they can apply for income-driven repayment plans and get out of default on their own for free. We also hope these cases serve as a warning to this industry that it can no longer take advantage of student loan borrowers in Massachusetts.”

In New York, Attorney General Eric T. Schneiderman announced his enforcement effort, an agreement with a Virginia-based mortgage lender that allegedly violated the Servicemembers Civil Relief Act (SCRA) by charging illegal fees.

The company operates a community of 150 duplex-style townhomes near Fort Drum, NY, that “actively markets” its housing to servicemembers and their families. After an investigation into the company’s business practices, the AG said it charged unlawful fees to servicemembers and used a lease agreement with “numerous” unconscionable provisions in violation of state law.

Pursuant to the SCRA, servicemembers and their families may terminate a residential lease early without penalty when they are deployed, when they receive orders for a permanent change of station or upon honorable termination of military service. But the AG alleged the company “routinely bypassed” this protection by charging servicemembers a “lease processing fee” of $200 to $300 when they exercised their rights and, in some cases, denied early termination rights to servicemembers.

To settle the charges, the military housing facility developer must pay more than $59,000 to over 125 servicemembers, reform its business practices (in addition to compliance with the SCRA, the company must stop engaging in false advertising and maintain all security deposits in a New York bank, among other changes) and pay a $10,000 civil penalty.

“Service to our nation should not lead to victimization by predatory businesses,” AG Schneiderman said in a statement. “New York stands beside our servicemembers, and I will do what it takes to defend their rights as they bravely defend ours.”

To read the Massachusetts AG’s press release, click here.

To read the New York AG’s press release, click here.

Why it matters

Never mind that the CFPB is under attack. State regulation and enforcement will receive greater attention even if Congress unwinds one of Dodd-Frank’s largest enforcement weapons, and the recent actions by the attorneys general of Massachusetts and New York demonstrate the continuing enforcement efforts by state regulators.

back to top

Banks Settle Data Breach Suit for $5.2M

By Richard E. Gottlieb, Partner, Financial Services

In the latest settlement agreement reached in a lawsuit brought by banks following a retailer’s data breach, an Illinois federal court judge signed off on a $5.2 million deal involving a major U.S. retailer.

What happened

In late 2014, hackers allegedly compromised and stole the confidential financial and personal identifying information of a major retailer’s customers, including credit and debit card numbers, card expiration dates, card verification values, and other information belonging to those customers. A group of banks, credit unions and other financial institutions filed suit against the retailer in 2015, seeking payment for the cost of replacing credit and debit cards and reimbursing funds to customers who were allegedly victimized after a breach, which affected 8.1 million cards.

The plaintiffs argued that the company failed to adequately secure its customers’ personal identifying information on its data systems and that the breach could have been prevented if the retailer had heeded warnings about weaknesses in its data systems.

After the retailer filed a motion to dismiss, parties entered mediation and negotiated a settlement. Pursuant to the agreement, the retailer will establish a $5.2 million settlement fund to be distributed to class members as well as pay attorneys’ fees and expenses. The company also agreed to change several practices related to data security.

Among other things, the defendant will appoint and maintain an executive with responsibility for the company’s program(s) to protect the security of cardholder data; obtain an annual independent assessment of its compliance with the Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures; and develop and use reasonable steps to select and engage service providers that are capable of maintaining reasonable safeguards to protect cardholder data (including consideration of using two-factor authentication for all third-party vendors with access to such data).

The company will also develop and implement a program to educate and train appropriate members of its workforce on the importance of information security and the protection of cardholder data as well as undertake some enhanced security measures, including point-to-point encryption, a tokenization vault for retaining cardholder data and Europay, MasterCard and Visa chip card technology.

All eligible class members automatically received assessment payments of nearly $13.4 million. Further, two additional tiers of customers were entitled to file claims. Financial institutions were divided into two tiers, with the first consisting of banks that held Visa-branded cards that weren’t protected under a previous reimbursement agreement between the store and Visa. To date, 256 class members have submitted claims, resulting in a rather modest payout of $2.38 per card.

The second tier comprises the remaining class members, who will be reimbursed about $4.4 million for replacing cards or fraud, with an average recovery of approximately $26,000 per claimant. While the actual amount will vary, about 172 persons will receive this far more substantial award.

After granting preliminary approval of the deal in October, U.S. District Court Judge John Z. Lee gave his final sign-off in May—with a caveat. In a docket entry, the court said it intends to take another look at the final allocation plan for the settlement proceeds and will sign off on attorneys’ fees and costs of roughly $1.8 million as well as incentive fees ($10,000 for each of the five class representatives) after that review.

To read the memorandum in support of final approval of the settlement in Greater Chautauqua Federal Credit Union v. Kmart Corporation, click here.

To read the court’s docket entry of approval, pending review of the final allocation plan, click here.

Why it matters

While banks rarely serve as putative class representatives, this suit offers another great example of how class actions can result in large recoveries to the financial industry. While the deal is a fraction of the size of settlement agreements in other lawsuits filed by banks against retailers over data breaches—such as $25 million in the suit against Home Depot—the settlement demonstrates the potential for reimbursement to banks is particularly strong in the data breach arena.

back to top

manatt-black

ATTORNEY ADVERTISING

pursuant to New York DR 2-101(f)

© 2020 Manatt, Phelps & Phillips, LLP.

All rights reserved