In December 2013, the Consumer Financial Protection Bureau (CFPB) announced its first settlement in the indirect auto lending industry. The target company was Ally Financial Inc. and Ally Bank (Ally). The CFPB alleged that Ally had engaged in discriminatory pricing by charging minority consumers higher dealer markups for their auto loans. Ally was ordered to pay $80 million in damages to 235,000 minority borrowers and $18 million in penalties.

Last week, the Republican Staff of the U.S. House of Representatives Committee on Financial Services released its second report in two months criticizing the CFPB’s handling of the Ally matter. The two congressional reports punctuate the increasing tension regarding whether and the extent to which “dealer discretion” to increase interest rates gives rise to liability for auto finance companies under fair lending law. The following discusses the genesis of this tension and the regulatory landscape after Ally.

CFPB 2013 Auto Finance Bulletin

In March 2013, the CFPB issued a bulletin on indirect auto lenders’ compliance with the Equal Credit Opportunity Act (ECOA) and its implementing regulation, Regulation B. In pertinent part, the bulletin states that an indirect auto lender’s markup and compensation policies may “alone be sufficient to trigger liability” under ECOA under a disparate impact, or “effects test,” theory of liability. It then outlines steps indirect auto lenders may take to reduce their fair lending risk, such as imposing controls on dealer markup and compensation policies. In the alternative, the CFPB suggests that lenders eliminate dealer discretion to mark up buy rates altogether, and instead move to a flat fee per transaction.

The bulletin has proven controversial. Members of the House introduced a bill in April 2015 seeking to nullify the March 2013 bulletin. The bill, entitled the Reforming CFPB Indirect Auto Financing Guidance Act (HR 1737 (F. Guinta, R-NH)), passed the House on November 18, 2015, by a vote of 332-96. Immediately following the bill’s passage in the House, the Republican Staff of the Committee of Financial Services of the U.S. House of Representatives published two related congressional reports.  The reports pose certain threshold legal questions: for example, whether disparate impact claims are cognizable under ECOA jurisprudence. The reports then suggest that even if such claims were cognizable, it would be difficult to make a prima facie disparate impact auto lending claim due to the challenges with accurately predicting the race and ethnicity of borrowers. The reports were critical of the CFPB’s reliance in Ally on a proxy method that uses a consumer’s last name and address to generate probabilities that the consumer belonged to one or more racial or ethnic groups. According to a November 2014 study commissioned by the American Financial Services Association, this proxy method is subject to “significant bias and estimation error.” The congressional reports suggest that, given the complexities surrounding indirect auto financing, only a direct apples-to-apples comparison – by comparing consumers with similar creditworthiness financing a similar amount at the same dealer at around the same time – would enable one to draw a meaningful conclusion about whether a person was “overcharged” for purposes of ECOA liability.

Regulatory Landscape After Ally

Notwithstanding the challenges presented above, the CFPB will continue its aggressive enforcement against indirect auto lenders. In June 2015, the CFPB extended its supervisory authority over “larger participants” of nonbank auto finance companies. The “larger participants” are approximately 34 entities that make, acquire, or refinance 10,000 or more loans or leases in a year. This expansion of authority enables the Bureau to oversee all activity by these companies to ensure compliance with federal consumer financial laws, including ECOA, the Truth in Lending Act, the Consumer Leasing Act, and Dodd-Frank’s prohibition on unfair, deceptive, or abusive acts or practices. Given the heightened and expanded regulatory scrutiny, auto lenders should consider reducing their risk profile by implementing a robust compliance management system (CMS). In particular, a fair lending compliance program to monitor for fair lending risk may be advisable. The adoption by lenders of a strong CMS with written policies and procedures, including a clear and conspicuous fair lending policy statement, would demonstrate the lenders’ commitment to fair lending practices, and may reduce their risk of exposure.

Retailer superstore Meijer Inc. is on the hook for allegedly distributing recalled consumer products. In a press release dated September 17, 2014, the Consumer Product Safety Commission (“CPSC”) announced the hypermarket operating 24-hour stores and gas stations in various Midwestern states has agreed to settle charges that it knowingly sold and distributed recalled consumer products. Meijer has agreed to pay a $2 million civil penalty and to implement an enhanced “reverse logistics” compliance program. This settlement signals heightened scrutiny and new channels of enforcement for retailers.

Between April 2010 and April 2011, Meijer allegedly distributed at least twelve separate recalled consumer products, totaling approximately 1,692 individual units of recalled products. The recalled products consisted of various household items and children’s products, including oscillating ceramic heaters, toddler tricycles, vacuum cleaners, and baby rattles. According to the settlement agreement, Meijer claimed the sale and distribution of the recalled items was inadvertent and occurred without Meijer’s knowledge. Meijer had outsourced the disposition of recalled products to a reverse logistics system operated by a third party, and believed that adequate safeguard had been in place to prevent recalled products from being distributed into commerce.

The CPSC thought otherwise. In addition to the $2 million civil penalty, the CPSC is requiring that Meijer implement an enhanced reverse logistics compliance program with the following components:

  • Written standards, policies, and procedures for the appropriate disposition of recalled goods;
  • Mechanisms to communicate product safety policies and procedures to employees;
  • Management oversight of the program, including a mechanism for confidential reporting to a Meijer official;
  • A policy to retain reverse logistics records related to recalled product collection and disposition for at least 5 years after the recall date; and
  • Availability of such records to the CPSC upon request.

This settlement follows the CPSC’s announcement last July of recalled products that were continuing to be sold or resold by Best Buy and certain affiliated entities. The CPSC did not impose a civil penalty against Best Buy or require an enhanced compliance program. In light of these two announcements, retailers should carefully review their compliance protocols to ensure recalled products are not reentering the stream of commerce.

Yesterday, the Senate unanimously confirmed Joshua D. Wright to replace J. Thomas Rosch as a Republican commissioner of the Federal Trade Commission (FTC). According to various sources, Wright is widely regarded as the top antitrust scholar of his generation. He is the author of more than 50 scholarly articles and book chapters and co-editor of three books on topics ranging from Competition Policy and Intellectual Property Law to the Intellectual History of Law and Economics. He will be only the fourth economist to serve as FTC Commissioner and the first to hold both a JD and PhD. Click here for more information on Wright’s credentials.

Wright faced tough questioning from Democrats at his confirmation hearing last month, which is available via webcast here. The inquiry stemmed from Wright’s industry-funded academic writings that were critical of the FTC and the Consumer Financial Protection Bureau. Committee members also expressed concern that Wright’s academic research was funded in part by Google, and Wright pledged at the hearing to recuse himself from FTC cases involving Google for two years to avoid any perceived conflict of interest.

Wright leaves his tenure as law professor at the George Mason University School of Law for a seven-year term with the FTC.

On October 1, 2012, Washington-based think tank the Future of Privacy Forum (FPF) announced the first privacy seal program for companies processing consumer energy usage data (CEUD) made available through smart meters. The seal will be powered by TRUSTe, a data privacy management company. To create the program, FPF and TRUSTe worked with a number of utilities, utility regulators, and private firms, including AT&T, Comcast, IBM, Motorola, and Verizon. The program will include an advisory committee comprising Edison Electric Institute, the Gridwise Alliance, and consumer advocates.

Given the nascence of grid modernization efforts, the CEUD made available through smart meters does not fall within the scope of existing federal privacy statutes. While a number of states – namely, California and Colorado – are taking an aggressive role in developing privacy policies for smart meter data, many states have not even started to take up the issue. In the absence of comprehensive and consistent state and federal regulation, numerous industry guidelines and best practices have emerged. The FPF’s privacy seal program is a self-regulatory approach that has been hailed by industry members as a “landmark consumer privacy initiative”. It covers two types of CEUD: data collected directly from consumers by smart devices (i.e., smart appliances), and data collected by third parties (i) directly from a smart meter, (ii) provided by the utility, or (c) provided by the consumer. The FPF believes that this program is critical to vet the privacy policies of third parties and to provide assurances to utilities, regulators, and consumers that companies are in compliance with responsible standards. In addition, it will provide consumers with an avenue for complaint resolution and will supplement regulators’ efforts to ensure consumers are protected. Click here for a model short consent form for a hypothetical Smart Water Heater.

Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, applauds the FPF’s new initiative. “The seal is a reflection of Privacy by Design which requires that a proactive approach be taken. FPF recognizes that privacy is best assured when it is strategically interwoven into operational processes and business practices.” This program is the first of likely many self-regulatory programs in the energy context to ensure that participating companies commit to responsible privacy and data security practices.

On August 2, 2012, the Consumer Financial Protection Bureau (CFPB) issued its second Semi-Annual Report to Congress. The report provides an update on the CFPB’s activities since its first report in January 2012 as required under the Dodd-Frank Wall Street Reform and Consumer Protection Act. Many of the agency’s initiatives have been previously discussed, such as the implementation of statutory protections for consumers using financial products and services, and the launch of programs for supervising large banks and other financial companies. However, this report releases new analytics on consumer complaints related to certain financial products and services that provide valuable insight into the CFPB’s likely enforcement strategy.

Between July 21, 2011 and June 20, 2012, the CFPB received approximately 55,300 consumer complaints. The largest category of complaints (43%) related to mortgages, of which transactions involving consumers’ inability to pay (i.e., loan modifications, collection, and foreclosure) were among the most common complaints. The report notes that consumer confusion persists around the process and requirements for obtaining loan modifications and refinancing, especially regarding document submission time frames, payment trial periods, allocations of payments, treatment of income in eligibility calculations, and credit bureau reporting during the evaluation period. These widespread consumer concerns were the likely impetus behind the CFPB’s first enforcement action filed on July 18, 2012, against a law firm offering mortgage assistance relief services. According to the complaint, the firm engaged in an ongoing, unlawful mortgage relief scheme that falsely promised financially distressed homeowners a loan modification in exchange for an advance fee. This is likely the first of many enforcement actions involving loan modifications and foreclosure relief services.

Other possible enforcement targets are credit card companies and banking services engaging in unlawful financial practices. The agency reports that the second largest category of complaints (34%) related to credit cards, of which consumer billing disputes was the most common type of complaint (14%). Consumers are confused and frustrated by the process and limits to challenging inaccuracies on their monthly billing statements. The third largest category of complaints addressed bank account and service complaints (15%), of which the most common type of complaint related to the opening, closing, or managing of accounts. These complaints in particular addressed issues such as confusing marketing, denial, fees, statements, and joint accounts.

The CFPB’s enforcement priorities are those violations of law that cause the greatest harm to consumers. It warns that investigations "currently underway span the full breadth of the Bureau’s enforcement jurisdiction." However, companies implicated by consumer complaints are in large part reacting in a timely and sufficient manner. The report indicates that 90% of companies reported having closed 85% of the complaints submitted against them. Consequently, companies seeking to avoid becoming an enforcement target are advised to immediately address consumer complaints directed to them by the CFPB and to look for opportunities to mitigate consumer confusion in the processing and billing of financial products and services.
 

On July 16, 2012, the Consumer Financial Protection Bureau (CFPB) issued a final rule granting it supervisory authority over leading credit reporting agencies. Those firms newly subject to the CFPB’s oversight include the big three consumer reporting agencies, Equifax, Experian, and TransUnion, as well as nonbank entities engaging in consumer reporting activities with more than $7 million in annual revenue. This is the first in a series of rules to be issued by the CFPB to define "larger participants" of certain consumer markets for purposes of establishing the scope of the CFPB’s nonbank supervision program under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

Director Richard Cordray announced the issuance of this final rule at a credit reporting field hearing in Detroit, Michigan. Given the critically important role credit reporting agencies play in ensuring consumers’ financial stability, Director Cordray explained the need for federal supervision of a market that up to this point has been subject to limited regulation. According to various federal reports cited by the CFPB, each of the big three consumer reporting agencies is estimated to maintain credit files on more than 200 million customers. Approximately three billion consumer reports are issued every year, and 36 billion updates are made yearly to consumer files at consumer reporting agencies. In light of this activity, the CFPB believes that supervising this market will further its mission to ensure consumer access to fair, transparent, and competitive markets for financial products and services.

Among the more significant provisions, the final rule defines the "consumer reporting market" to include the following entities: consumer reporting agencies selling consumer reports; consumer report resellers, which are typically those entities that purchase consumer information from agencies and then resell the reports to lenders and other users; analyzers of consumer reports and other account information, for example, those entities that develop and sell credit scoring services and products; and specialty consumer reporting agencies, such as those that focus on payday loans and checking accounts. The final rule establishes the following test to assess whether a nonbank covered person is a "larger participant" of the credit reporting market: more than $7 million in annual receipts resulting from relevant consumer reporting activities. Covered persons meeting the test are accordingly subject to the CFPB’s supervision authority under the Dodd-Frank Act.

This final rule has an effective date of September 20, 2012. All affected entities are strongly encouraged to review their consumer reporting practices in light of the CFPB’s new supervisory authority.
 

The Federal Trade Commission (FTC) recently held a public workshop entitled “In Short: Advertising & Privacy Disclosures in a Digital World” exploring effective advertising and privacy disclosures in social media and on mobile devices. Our full summary of the workshop is covered here. Panelists addressed key challenges in creating effective mobile privacy disclosures, including spatial limitations of small screens, overly technical language, and complex layouts of privacy policies and terms and conditions.

To overcome these challenges, panelists advised that companies consider consumer behavior before creating and implementing mobile privacy disclosures. The following tips, based on the panelists’ viewpoints, are designed to help mobile advertisers convey privacy information and disclosures in a consumer-friendly way.

  • Be concise. Distill privacy policies down to the elements relevant to the consumer. Layer text by providing a summary of key disclosures on top of a full policy. This practice makes disclosures more accessible. Alternatively, explore shortened formats such as the “short form” privacy policy used by Truste.
  • Be consistent. Take into account all elements of the disclosures, including the front-end and back-end layers. Front-end layers include the design, timing, and language of the disclosures. The back-end layers of disclosures should be reflected in the policies consumers read. Review data retention practices to make sure policies accurately reflect whether consumer data is shared, shed, or stored.
  • Be clear. With regard to third party data collections, tell consumers when third party data collections take place and what happens to their data once collected. Allow consumers the ability to choose how much of their data is accessed. Further, privacy disclosures should be clear and conspicuous, not coy. Clearly communicating an advertiser’s practices is not only good business, it helps build trust with consumers.
  • Be considerate. Consider when consumers are most likely to pay attention to privacy disclosures and provide them at the most relevant time. Many mobile applications provide privacy disclosures upon download, when consumers are unfamiliar with the application and may not pay attention. However, consumers may be more likely to pay attention prior to completing a mobile transaction or purchase. Consider how best to convey the information to maximize visibility.

Mobile technology is increasingly integrated into consumers’ lives. While some panelists advocated flexible standards to accommodate new technology and consumer uses, others countered that advertising must conform to the legal standards, not vice versa. All agreed that the basic advertising principles of clear communication of material terms apply regardless of format. The FTC welcomes comments on this and related web and mobile disclosure and privacy issues until July 11, 2012.

Written with assistance by Kristi Wolff.

On May 8, 2012, the Federal Trade Commission (FTC) announced its settlement with social networking service Myspace on charges that it misrepresented its protection of users’ personal information in violation of federal law. Like many of its social media counterparts who were recently the target of FTC enforcement actions, Myspace is charged with espousing strict privacy measures and then failing to do as promised.

The Myspace social network comprises millions of users who create and customize online profiles. Myspace assigns a persistent unique identifier, called a "Friend ID," to each profile created. Though users have the ability to upload extensive personal information to their profile, Myspace designates a subset of personal user data as "basic profile information," which include the user’s profile picture, Friend ID, location, gender, age, display name, and full name. According to the complaint, this basic profile information is publicly displayed by default and is outside the scope of the privacy settings. The only piece of basic information that users can hide from public view – provided that they change the default setting – is their full name. As of July 2010, only 16% of users had actually changed the default setting to hide their full name.

Under its privacy policy, Myspace promised that it would not share users’ personal information or use it in a way that was inconsistent with the purpose for which it was submitted without their consent. In addition, Myspace promised that customized ads would not individually identify users to third parties and would not share non-anonymized browsing activity. According to the complaint, Myspace in fact shared the Friend ID, age, and gender of users with third-party advertisers. Advertisers used the Friend ID to locate the user’s Myspace profiles to obtain personal information, including in most instances the user’s full name. Advertisers could also combine the user’s real name and other personal data with additional information to link broader web-browsing activity to a specific individual. In addition, Myspace certified in its privacy policy that it complied with the U.S.- EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. These statements of compliance were false, according to the FTC.

The proposed settlement order bars Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S -EU Safe Harbor Framework. The order also requires that Myspace establish a comprehensive privacy program designed to protect users’ information, and to obtain biennial assessments of its privacy program by independent, third-party auditors for twenty (20) years. This agreement will be subject to public comment for thirty (30) days through June 8th, after which the FTC will decide whether to make the proposed consent order final. Interested parties are strongly encourage to submit written comments prior to this date.
 

The Consumer Financial Protection Bureau (CFPB) continues to flex its regulatory muscles under the Dodd-Frank Act. Last week the CFPB divested the Federal Trade Commission of its rulemaking authority from various consumer protection laws, as discussed here. Today, the CFPB issued three additional interim final rules transferring “consumer financial protection functions” previously granted to other Federal agencies. Again, these rules duplicate existing regulations, making only technical and non-substantive changes, and do not impose any new substantive obligations on regulated entities.

Continue Reading CFPB Issues Three Interim Final Rules on Consumer Financial Protection Laws

On December 16, 2011, the Consumer Financial Protection Bureau (CFPB) issued three interim final rules modifying three separate consumer protection laws. This is the first of likely many waves of regulation in the exercise of the agency’s rulemaking authority granted at its inception on July 21, 2011, under the Dodd-Frank Act. The interim final rules published today transfer the rulemaking authority originally vested in the Federal Trade Commission to the CFPB and duplicate existing regulations, making only technical, formatting, and stylistic changes. None of the proposed regulations impose any new substantive obligations on regulated entities. The rules are briefly summarized below.

Continue Reading CFPB Issues Three Interim Final Rules on Consumer Protection Laws