On October 8, 2015, the CFPB announced new “Guidance About Marketing Services Agreements,” publishing a Compliance Bulletin on the subject of RESPA Compliance and Marketing Services Agreements.  The Bulletin is lacking in clear “guidance,” at least in the sense of outlining regulatory standards, but it does provide an unequivocal warning that marketing services agreements (MSAs) in the mortgage industry are much less likely to pass regulatory scrutiny than in the past.

The CFPB expresses “grave concerns” about the use of MSAs to evade the requirements of RESPA, and they note that certain mortgage industry participants have already stopped entering into MSAs given the RESPA compliance burdens.  To ensure that the industry is getting the message, they warn that careful consideration of the legal and compliance risks “would be in order” for all industry participants, especially in light of the increase in whistleblower complaints under RESPA.

Every MSA must comply with the RESPA Section 8 prohibition on the payment or receipt of any fee, kickback or other “thing of value” for the referral of mortgage loan or other “settlement services” business.  However, compensation for goods or facilities actually furnished or services actually performed is permissible under Section 8, at least so long as the compensation reflects the fair market value of the goods, facilities or services.  The industry has long attempted to rely on this exception for the payments for services actually performed as a means to avoid Section 8 violations.  This has usually worked in the past, but it’s going to be much harder to make this work in the future.

The CFPB has issued another enforcement action exceeding the half-billion dollar mark against a large bank for its add-on product offerings. Citibank and its subsidiaries were penalized for alleged deceptive marketing, unfair billing and deceptive debt collection involving its credit card add-on products and services. This marks the tenth public enforcement action that the CFPB has announced for practices associated with marketing or administering add-on products in its four-year history.

As part of the settlement Citi was ordered to pay $700 million in restitution to about 8.8 million consumers who were impacted by the add-on product offerings. The company also must pay the CFPB a $35 million civil penalty. Further, the Bank was required to end alleged unfair billing practices and submit a compliance plan to the CFPB before continuing to market any add-on products by telephone or point of sale, or attempting to retain add-on product customers by telephone.

In the 57-page order the CFPB refers to an add-on product as “any consumer financial product or service…offered to Cardholders as an optional addition to credit card accounts issued by [Citibank].” The CFPB put several of Citibank’s add-ons at issue, which were for consumer services such as such as debt cancellation or deferral products, credit monitoring or credit report retrieval services, and services to notify credit and debit card issuers when a consumer reports cards lost or stolen.

Digging a tunnel for a mile so that El Chapo could slip into the shaft through his shower and disappear from a high security Mexican prison is something you might expect a Hollywood screenwriter to come up with. Is it any more remarkable though than a cyber-criminal reaching all of the way around the world to try and slip into a bank’s or a customer of the bank’s computer system in order to initiate a wire transfer?

We live at a time when individuals and criminal gangs can reach across oceans and national boundaries to try and initiate unauthorized transfers of funds. Bankers understand that this is a hot topic and that the risk of cyber-fraud is what is currently keeping  regulators awake at night. While a great deal of attention is now being focused on how to keep cyber criminals out of the bank, recent attacks on various public and private institutions illustrates the complexity of denying malefactors access.

In such an environment, bankers look to various risk management strategies including insurance coverage in the event a breach occurs. The first question many banks raise is about their existing insurance coverage Are we already covered under any of the myriad of existing policies we are required to maintain? For example, what about our general liability coverage? While there may be some exceptions, the typical general liability insurance policy that banks have traditionally purchased oftentimes contains an exclusion for losses incurred by data breaches or intrusions to bank networks. If your existing policy does not currently contain such an exclusion it is highly likely that on your next renewal the exclusion will be included. Thus, it is important for bankers to not only understand what their existing policy does or does not cover but also where industry trends are headed.

Litigators often talk to clients about the power of judges and juries. The first Decision of Director issued by CFPB’s Richard Cordray should give counselors and clients alike pause. Pause first because of the ultimate outcome ($109 million disgorgement) and interpretations of RESPA offered. And pause second (perhaps more importantly) because of the focused perspectives announced by the Director and their potential to activate others. With all due respect to the Director and the administrative appeal process, the Director clearly is taking advantage of this opportunity to make known his beliefs. Like a jury or a judge he is meting out justice the way he sees fit. What is fascinating, just like polling a jury after the verdict, is looking for the perspectives which drove the result. The Decision presents yet another glimpse of the Director who now shapes not just CFPB supervision and examination, but also may shape going forward the theories asserted by the plaintiffs’ class action bar.

Many are digesting the Decision and Order (2014-CFPB-0002, June 4, 2015). Here, I will not quote chapter and verse, nor will I analyze the overarching regulatory construct of the administrative appeals process which enabled the Decision. Those whose legal work touches financial services institutions should review the Decision themselves. It is the first. It is public. And it has impact. Each of us can draw our own conclusions. Some will see a righteous vision of justice and others may see, at best, the unintended consequences of concentrated partisan power.

Food for thought: We all may want to consider the impact the Decision could have on how financial institutions ought to assess their business operations and how such institutions may be able to justify those operations and defend themselves in court or before an administrative tribunal.

In a recent press release, the CFPB announced a public inquiry into student loan servicing.  The CFPB is seeking information about: “industry practices that create repayment challenges, hurdles for distressed borrowers and economic incentives that may affect the quality of service.”  According to the CFPB, student loans account for the nation’s second largest consumer debt market.  The agency states there are more than 40 million federal and private student loan borrowers and those consumers owe more than $1.2 trillion.  About $240 billion in such loans are either in default or forebearance.

The CFPB is acting because of numerous borrower complaints about their loan servicers.  Complaints include billing problems associated with payment posting, prepayments and partial payments.  Borrowers have stated that payments have been processed in ways that make their borrowing more expensive.  Servicers are also accused of losing records and slow response times to fix errors.  The CFPB thinks student loan servicers fail to provide adequate customer service because they are typically paid a flat fee for each loan so they have no incentive to maintain high standards of serving.

Unlike credit card and mortgage servicers, no comprehensive system for overseeing the student loan servicing industry currently exists, according to the CFPB.  Given the CFPB’s penchant for promulgating more and more regulations, we believe this heightened scrutiny by the CFPB will lead to numerous new regulations affecting the student loan servicing industry.

In two recent posts on BryanCavePayments.com, Bryan Cave attorneys have addressed new developments related to the CFPB’s efforts to regulate payday lenders through their banking relationships as well as statements from New York’s top banking regulators suggesting that bank executives should be held personally liable for anti-money laundering violations.

On April 1st (but unfortunately not part of any April Fools joke), John Reveal published a post on the CFPB’s efforts against payday lenders.

In May 2014, the Department of Justice (DOJ) and the FDIC were criticized by the U.S. House of Representatives’ Committee on Oversight and Government Reform in May 2014 Report for using the DOJ’s “Operation Choke Point” to force banks out of providing services to payday lenders and other “lawful and legitimate merchants”. The Committee’s report noted, among other things, that the DOJ was inappropriately demanding, without legal authority, that “bankers act as the moral arbiters and policemen of the commercial world”.

Now the CFPB has announced that it is considering rules that would end “payday debt traps”.  At least the CFPB is following standard regulatory processes in doing so rather than trying to regulate payday lenders by punishing their bankers.  The CFPB’s announcement, published March 26, 2015 (available here), outlines its proposals in preparation for convening a Small Business Review Panel to gather feedback from small lenders, which the CFPB refers to as “the next step in the rulemaking process”.

The CFPB’s proposal considers payday loans, deposit advance products, vehicle title loans, and certain other loans, and includes separate proposals for loans with maturities of 45 days or less, and for longer-term loans.  Broadly speaking, the CFPB is considering two different approaches – prevention and protection – that lenders could choose from.

You can read the rest of John’s post here.

You might have seen it this March in the New York Times: an article about American troops having their vehicles repossessed by auto lenders while on active duty, and the troops being unable to fight repossession in court because of mandatory arbitration clauses  in their lending contracts.

The poignant story on vets and car repossession is just one piece in the ongoing discussion about what actions the CFPB will take regarding provisions in consumer contracts limiting the consumer to arbitration in the event of a future dispute, referred to as “pre-dispute arbitration clauses.” Under Section 1028 of Dodd-Frank, the CFPB was required to conduct a study on use of arbitration clauses in connection with offering consumer financial products and services. If, through study, the CFPB finds that prohibiting or limiting the clauses in agreements between market participants it regulates and consumers “is in the public interest and for the protection of consumers,” it can impose regulations to that effect. Further, Section 1414 of Dodd-Frank already prohibits pre-dispute arbitration clauses in mortgage contracts.

With the CFPB recently releasing its final, 728-page arbitration study finding that arbitration agreements “limit relief for consumers,” indications are that the CFPB will conduct some rulemaking to curtail, or at least significantly limit, them in the consumer financial product market, and likely over industry objections. The study, which began in April 2012 and was followed by a preliminary report released in December 2013 before the final report was published, involved analysis of data from consumer contracts and the courts regarding the resolution of consumer disputes.

On January 27, 2015, the Consumer Financial Protection Bureau (“CFPB”) issued Compliance Bulletin 2015-01 as a “reminder” of certain confidentiality and disclosure requirements related to CFPB examinations and investigations.  Though the CFPB’s Bulletin did not cite examples of historic violations, those subject to the CFPB’s authority should assess their practices, particularly in litigation, with respect to the disclosure of information and be sensitive to the Bulletin’s message in doing so.

The Bulletin provides warnings of two types of potential violations.  One type arises out of a financial institution’s obligations with respect to “confidential supervisory information (CSI).” Examples of CSI include but are not limited to:

• CFPB examination reports and supervisory letters;
• All information contained in, derived from, or related to those documents, including an institution’s supervisory Compliance rating;
• Communications between the CFPB and the supervised financial institution related to the CFPB’s examination of the institution or other supervisory activities; and
• Other information created by the CFPB in the exercise of its supervisory authority.

Specifically, according to the Bulletin, a supervised entity may commit a violation if it discloses CSI or other “confidential information”  to a third party without CFPB consent.  This is true even if the supervised entity enters into a non-disclosure agreement with a third party.

On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year.  Some institutions are already taking advantage of this alternate delivery method.  There are conditions to this option, however, and some institutions might not be satisfying those conditions.  It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:

1. No Opt Outs.  The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).  This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.
2. Satisfy the FCRA Affiliate Sharing Rules.  You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA or you do so other than by delivery of the annual Regulation P privacy notice.  This provision seems to cause some confusion.  Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out.  The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice.  Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.
3. No Changes to the Notice.  The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information.  So, for example, if you previously shared information in a way that required that you to offer the consumer an opt-out right, you could stop such sharing.  This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.
4. Model Notice.  You must use the model form of privacy notice included in Regulation P.
5. Notify Consumers of the Posting.  You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone.  This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.
6. Post the Notice Continuously in a Public Location.  Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.
7. Mail Upon Request.  If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.

This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.

On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).  In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome.  The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:

1. The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
2. The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
3. The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
4. The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution disclosures or categories of third parties to whom the information is disclosed;
5. The financial institution uses the model form provided in Regulation P as its annual privacy notice;
6. The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version.  The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law.  The statement must include a specific URL that can be used to access the website;
7. The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
8. The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.

Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt-out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).