The CFPB’s Summer 2023 Supervisory Highlights

Financial Services Law

The Consumer Financial Protection Bureau’s (CFPB or Bureau) Summer 2023 Supervisory Highlights, which discusses key examination findings between July 2022 and March 2023, underscores the Bureau’s continuing aggressive interpretations of its authority. In addition to using its “dormant” authority to supervise nonbanks it determines pose “risks to consumers,” the Bureau continues to exercise its ever-expansive unfair, deceptive, or abusive acts and practices (UDAAP) authority to enter areas where it traditionally does not have jurisdiction, most recently including regulation of auto dealers, cybersecurity practices, and Telephone Consumer Protection Act (TCPA) provisions approved by multiple circuit courts of appeals.

Expanded Supervisory Reach Against “Risky” Nonbanks

Last April, the Bureau announced it would begin to use its previously unexercised “dormant” supervisory authority under Dodd-Frank to examine nonbanks that it determined “pose risks to consumers.” In its report, the Bureau noted that several nonbanks, across various markets, had voluntarily consented to the CFPB’s supervisory authority. Companies should take note that refusing to consent to the CFPB’s “voluntary request” risks the Bureau’s publicly releasing its risk determination as part of its process of imposing its supervisory authority.

Auto Lending and Servicing

The Bureau continues to act outside its authority to indirectly regulate the auto dealer market. Its actions follow a January 2023 lawsuit against a large indirect auto lender for, among other things, sales practices undertaken by dealers. In the latest edition of Supervisory Highlights, servicers were cited for unfair and abusive acts and practices for allegedly failing to obtain refunds for vehicle options that were not included when the consumer purchased the vehicle, a practice known as “powerbooking.” When institutions purchase retail installment contracts (RICs) from auto dealers, dealers provide a list of options included with the vehicle. According to the Bureau, in some cases, dealers list options that are not present in the vehicle (e.g., vehicle undercoating), which artificially inflates the car’s price. When consumers identified the discrepancies, servicers obtained refunds from the dealers for overpaying for the RICs, but they failed to reduce the amounts owed by consumers on their loans and continued to charge interest for the allegedly inflated loan amounts.

The Bureau also found that institutions engaged in unfair acts or practices by suspending recurring ACH payments prior to a consumer’s final payment without sufficiently notifying consumers that the final payment must be made manually. The servicers’ ACH enrollment form contained a disclosure that servicers would not automatically withdraw the final payment, but the Bureau found that because the form had been authorized years before, customers should have been notified again, prior to their last payment. Servicers also were cited for unfair and abusive acts and practices in connection with cross-collateralization clauses in vehicle financing contracts. After repossession, servicers accelerated the amount due on the vehicle and on other amounts owed by the debtor on unrelated debts, such as credit cards, and required payment from consumers on all debts before consumers could reclaim their repossessed vehicles.

Finally, the Bureau found that institutions engaged in the deceptive marketing of auto loans when they used advertisements that pictured cars that were significantly larger, more expensive and newer than the vehicles the advertised loan offers were good for.

Payday Lending

The Bureau’s actions in the short-term, small-dollar market show how aggressively it will use its ever-expansive UDAAP authority to attempt to enforce laws it does not have the authority to enforce, and consequently limit the ability of companies to defend against frivolous lawsuits. In the Bureau’s report, payday lenders were cited for abusive and deceptive acts and practices for including in their loan agreements language permitting lenders to contact consumers about their loans, establishing consent that was not unilaterally revocable. The provision stated that consumers “cannot revoke this consent to call, text, or email about your existing loan.” The Bureau’s actions run contrary to the decisions in Reyes v. Lincoln Auto. Fin. Servs., 861 F.3d 51 (2d Cir. 2017), and Medley v. Dish Network, LLC, 958 F.3d 1063 (11th Cir. 2020), which held that such provisions are enforceable and could be a defense in litigation brought under the TCPA, a statute the Bureau has no authority to enforce.

The report also cited lenders for making false collection threats related to litigation, garnishment, and late fees. In addition, the Bureau cited lenders for unfair acts and practices with respect to consumers who signed voluntary wage deduction agreements. The lenders sent demand notices to consumers’ employers incorrectly conveying that the employer was required to remit the full amount of the consumer’s loan balance from the consumer’s wages when, in fact, the consumer had only agreed to a wage deduction in the amount of the individual scheduled payment due.

Lenders were also cited for engaging in deceptive acts and practices by misrepresenting to borrowers the impact that their nonpayment of debts would have on their credit reports.

Finally, the Bureau cited installment lenders for creating a risk of harm to borrowers protected by the Military Lending Act (MLA) by failing to confirm, prior to engaging in a loan transaction, that the borrowers were not covered persons under the MLA. These risks included potentially originating loans to covered borrowers at rates and terms impermissible under the MLA, not providing required disclosures, including in loan agreements’ prohibited mandatory arbitration clauses, and failing to limit certain types of repeat or extended borrowing. The Bureau’s actions under the MLA follow an enforcement action earlier this year for similar violations.


The Bureau found that financial institutions engaged in unfair acts or practices by assessing both a nonsufficient funds fee and a line of credit transfer fee on the same denied transaction for customers enrolled in a line of credit program designed to cover a customer’s bank account overdraft. The supervised institutions believed they had safeguards in place to prevent this double billing; however, their compliance safeguards were inadequate. The Bureau’s focus on fees is a hallmark of the Chopra administration, and its action against the practice of “double billing” follows an enforcement action it settled against a large national bank earlier this year.

Information Technology

Continuing the theme of using its UDAAP authority to expand its jurisdictional reach, the Bureau cited several institutions for unfair acts and practices by failing to implement adequate information technology security controls for consumer accounts (such as multifactor authentication), leading to cyberattacks and fraudulent withdrawals. This is the first time the Bureau has publicly cited companies for UDAAP violations for failing to implement cybersecurity measures, and its aggressive actions in this arena should put all institutions on notice.

Fair Lending

The report cited violations of the Equal Credit Opportunity Act (ECOA) and Regulation B by some mortgage lenders for discriminating in the granting of pricing exceptions. The Bureau observed that certain lenders permitted the granting of pricing exceptions for competitive offers but that lenders had statistically significant disparities in granting these exceptions, offering different rates for borrowers who were members of a protected class compared with other borrowers. The Bureau cited similar violations in the Fall 2021 issue of Supervisory Highlights.

The Bureau cited additional ECOA violations related to underwriting practices. After reviewing lender underwriting policies, the Bureau found that applicants with criminal records prompted enhanced underwriting review, but the lenders’ policies and procedures did not provide sufficient detail on how to conduct these reviews. Finally, the report cited violations of ECOA for lenders whose underwriting policies improperly excluded or imposed stricter standards on income derived from public assistance programs.

Consumer Reporting

The report noted violations of the Fair Credit Reporting Act (FCRA) and Regulation V by both consumer reporting companies (CRCs) and furnishers of consumer reports. The Bureau found that CRCs failed to maintain proper procedures to limit furnishing reports to only those individuals with permissible purposes, as required by the FCRA, creating a heightened risk of improper consumer disclosures. They also found that furnishers violated Regulation V by not reviewing and updating policies and procedures concerning the accuracy and integrity of furnished information. Finally, the Bureau found that furnishers violated Regulation V upon determining that a direct dispute was frivolous or irrelevant but failing to notify consumers of the reasons for such determination and identifying the information required to investigate the disputed charge.

Debt Collection

Debt collectors were cited for violating the Fair Debt Collection Practices Act by continuing to collect on work-related medical debt after receiving information that the debt was uncollectable under the state’s workers’ compensation law. In addition, the Bureau cited debt collectors for deceptive acts and practices by advising consumers that if they paid their balance in full by a certain date, any interest assessed on the debt would be reversed, when in fact, the collectors failed to credit the consumers’ accounts for the accrued interest.

Mortgage Origination and Servicing

Supervised institutions’ loss mitigation procedures were cited by the Bureau for violations of Regulation X. The Bureau cited servicers for (1) failing to evaluate loss mitigation applications within 30 days of receipt, (2) informing consumers that the institutions would evaluate their loss mitigation applications within 30 days but then moving to foreclosure without completing the evaluation, and (3) failing to include required loss mitigation language on Spanish-language application acknowledgment notices.

In addition, the Bureau found that certain institutions violated Regulation Z by varying the amount of loan originator compensation based on terms of the transaction.


The Bureau found that some remittance transfer providers failed to comply with Regulation E’s Remittance Rule in developing and maintaining written policies and procedures designed to ensure compliance with the error resolution requirements applicable to remittance transfers. Instead, companies used their anti-money-laundering compliance policy in lieu of a Remittance Rule-specific policy.

For more information about any of these topics, please contact any of the authors or the Manatt professional with whom you work.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved