SEC Encourages Advisors to Self-Report Fiduciary Violations by June 12, 2018

The SEC announced a self-reporting initiative for investment advisors who admit violations of the federal securities laws relating to certain mutual fund share class election issues while promptly returning money to harmed investors. The initiative is entitled the “Share Class Selection Disclosure Initiative” and is focused on those advisors who have put clients into high-fee mutual fund classes when a less expensive share class for the same fund was available and appropriate. If the advisor self-reports and returns money to the harmed investor, the SEC’s enforcement division will not recommend civil penalties against the advisor.

The initiative highlights the SEC’s focus on the conflict of interest that is created when an advisor receives compensation for selecting a more expensive fund share class when a less expensive share class for the same fund is available. The SEC notes this conflict of interest must be disclosed to the investor. To be eligible for the self-reporting initiative, investment advisors must notify the division of enforcement of their intent to self-report no later than June 12, 2018.

Small Lenders May Get Relief from New Home Mortgage Disclosure Act Reporting Requirements

On January 18, 2018, the House gave small lenders a late Christmas present when it passed H.R. 2954 known as the Home Mortgage Disclosure Adjustment Act. The act amends the existing Home Mortgage Disclosure Act (HMDA) by easing the regulatory burden on small lenders. By way of background, HMDA imposes additional reporting requirements on regulated entities that became effective this month. More specifically, HMDA requires banks and credit unions to collect 48 additional data fields on any mortgage loan they originate and to report that data to the CFPB. This additional regulatory burden will increase transaction costs and processing time for obtaining a home mortgage and impose unique burdens on small lenders that lack the existing infrastructure and processes to effectively capture and communicate the additional data sets.

The Home Mortgage Disclosure Adjustment Act attempts to ameliorate this disproportionate impact by exempting (a) small lenders, such as community banks and credit unions, which originate fewer than 500 closed-end mortgage loans in each of the two preceding calendar years, and (b) those that originate fewer than 500 open-end lines of credit in each of the two preceding calendar years. Bradley will continue to monitor the progress of the act as it moves through the Senate.

In Case You Missed It: Justice Department Banks on False Claims Act Enforcement Again in 2017

The Justice Department and a veritable army of whistleblowers’ counsel continue to use the False Claims Act (FCA) to bring suits against banks and mortgage companies. In 2017 alone, the Department of Justice obtained $543 million in FCA settlements and judgments from the financial services industry.

To keep you informed on the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the 2017 FCA Year in Review, our annual review of significant FCA cases, developments, and trends. Longtime readers of our Year in Review will notice that it has a new look and improved functionality, making it an easy-to-read, printable resource, as well as a convenient and searchable digital tool.

Five Years Later: Five Takeaways From the Bulletin That Rocked the Auto Finance Industry

In 2013, the Consumer Financial Protection Bureau (CFPB) issued a bulletin on indirect auto lending that took the industry by storm. As we approach the five-year anniversary of the memo’s issuance, it’s valuable to reflect on how the bulletin was received, how the auto finance industry has changed since the bulletin and subsequent CFPB actions, and how the industry and regulators can learn from the experience to improve their efforts to remove discrimination from the car buying experience.

CFPB Bulletin 2013-02, Indirect Auto Lending and Compliance With the Equal Credit Opportunity Act, was the CFPB’s first public foray into regulating the auto finance industry. In the bulletin, the CFPB articulated the agency’s concerns over dealer markup incentives that could result in auto finance companies participating in discriminatory lending practices that violated ECOA.

The bulletin included allegations of discriminatory practices at the lender and dealership level and suggested a number of potential compliance solutions that auto finance companies could implement to reduce the risk of violating ECOA. Since that time, the CFPB has added nonbank auto finance companies to its list of regulated larger market participants, auto finance companies have reached settlements with the CFPB related to fair lending practices, and the U.S. Government Accountability Office (GAO) has concluded that the bulletin was a rulemaking that should have been subject to the Congressional Review Act.

Below are five takeaways that have emerged since the bulletin was issued.

1. Reaction from the auto industry was swift – many participants were stunned and irate.

The industry felt blindsided when the CFPB issued the bulletin without much warning. Many nonbank auto finance companies had not historically had relationships with federal regulators and thought the auto industry was going to largely get a pass from the CFPB after auto dealers had specifically been exempted from the CFPB’s oversight in the Dodd-Frank Act. Worst of all, many industry participants interpreted the bulletin as the CFPB accusing them of either having race-based lending policies or associating with auto dealers who profit by exploiting borrowers’ race or ethnicity.

The bulletin speculated about perceived problems in the industry and, unlike the CFPB’s Supervisory Highlights, did not point to hard examples of fair lending abuses occurring at dealerships or auto finance companies. For this reason, many industry participants felt that the CFPB was denouncing an entire industry without an adequate evidentiary basis.

While the CFPB initially had the authority to investigate nonbank auto finance companies through enforcement, it lacked supervisory authority over nonbank larger market participants until 2015. Thus, the CFPB relied on anecdotes, enforcement investigations and market research as the basis for the bulletin.

The bulletin served as the opening salvo between the CFPB and the auto finance industry. Rather than begin with an olive branch, this bulletin served as a shot across the bow.

2. Incentives that do not align with a consumer’s interest have and will continue to carry a high degree of regulatory risk.

If there is one theme that unifies post-financial crisis regulation, it is that regulators will heavily scrutinize any arrangement that results in a provider’s incentives not being aligned with consumers’ interest. In regulating the markets for retirement account counseling, securities trading, mortgage origination, depository account management and auto finance, regulators have adhered to the principle that companies should not be making greater profits by offering less favorable terms and services to consumers.

While the auto finance bulletin did not ban dealer reserve outright, the bulletin caused auto finance companies to reconsider how they structured dealer compensation programs. Even if future CFPB administrations do not enforce the auto finance bulletin, aggrieved consumers and their attorneys now have a roadmap for identifying discriminatory lending practices and bringing lawsuits to challenge them. Auto finance companies are more cognizant today about how their dealer compensation programs are structured, and that is unlikely to change regardless of the CFPB’s future regulatory direction.

3. Vendor management became a staple of auto finance companies’ compliance management systems.

Prior to the CFPB’s entry into auto finance regulation, auto finance companies were surely careful to consider dealers with whom they partnered based on traditional business metrics like profit margin, sales volume, geographic location and reputation. In the aftermath of the CFPB bulletin, however, auto finance companies added new criteria to evaluate dealers that wanted to join their lending network.

Auto finance companies have more closely scrutinized dealers’ compliance with fair lending laws as well as those dealers’ culture and cohesion with the auto finance company’s own policies and procedures. As a result, auto financiers have cut ties with certain dealers and other dealers have changed their markup practices to fall in line with the heightened expectations of auto finance companies and the CFPB.

While the CFPB bulletin did not result in widespread adoption of a flat fee compensation model for auto dealers, the bulletin’s lasting legacy may be that auto finance companies developed more stringent policies that dealers must follow to receive financing for consumers.

4. Statistical modeling is an imperfect solution to eliminating discrimination in auto financing.

The CFPB’s reliance on statistical modeling to identify discriminatory practices was perhaps the most frequently criticized element of its approach to regulating the auto finance industry. Since auto dealers are prohibited from collecting race and ethnicity data from consumers, the CFPB had to rely on statistical models based largely on surnames to identify occasions where credit decisions appeared to have been made based on illegal race-based criteria.

To the industry statisticians who understood the statistical model’s underpinnings, the model appeared to be flawed. And the many other industry participants who did not understand the underlying algorithms felt it fundamentally unfair to implicate a company for discriminatory lending practices based on a statistical model that the company did not have access to and did not use in underwriting decisions.

As the CFPB reached large settlements with lenders, the industry took note and lenders began to adopt statistical models to identify fair lending risks within their own institutions. While the CFPB may have relied too heavily on a statistical modeling approach, industry participants walked away with a compliance tool that allows them to identify potential fair lending abuses during compliance audits and dealership due diligence reviews.

5. Fair lending is a cause best served by industry and regulators working together.

It was perhaps the CFPB’s delivery, rather than the content itself, that caused the industry to recoil so emphatically against the bulletin. The CFPB did not hold a public forum on auto finance until eight months after issuing the bulletin.

Given the industry’s reaction to the bulletin, the CFPB would likely have been better off reversing the order of those events and gathering feedback from industry participants prior to issuing industry-altering guidance. At the same time, in the aftermath of the bulletin, the industry was best served by those companies and industry advocates that reacted to the bulletin by respectfully articulating to the CFPB the nature of the industry and how the overwhelming number of participants in the industry shared the CFPB’s goal of consumer protection and disdain for discriminatory practices.

The Next Five Years

Moving forward, auto finance companies that are directly or indirectly regulated by the CFPB will have the opportunity to engage with the Bureau to explain their business models and how compliance and fair lending are essential parts of their companies’ culture. The CFPB recently announced it will be issuing requests for information regarding numerous aspects of the agency’s approach to regulation. In light of this announcement, the time is right for the auto finance industry to collect its thoughts on the CFPB’s past five years of regulation and on how the industry wants this relationship to evolve.

The fate of the bulletin itself is not clear in the aftermath of the GAO’s conclusion that the bulletin constituted a rulemaking subject to the CRA. Whether the new CFPB administration or Congress will take action to amend or rescind the bulletin remains to be seen.

What is clear is that there is still a concern that fair lending abuses remain in the auto industry. A consumer advocacy group recently released a study that highlighted incidents of discrimination at the dealership level.

Whether the CFPB, emerging state-level actors or private practitioners are holding the handle, there will continue to be a magnifying glass on fair lending practices in the auto industry. Industry participants should continue to develop strong policies and procedures related to fair lending compliance, dealer incentives and service provider oversight to avoid becoming the subject of an enforcement action or consumer litigation and to ensure that all consumers are treated fairly when attempting to finance automobile purchases.

2017 in Review: Three State Enforcement Trends Impacting the Auto Finance Industry

Auto lenders, like many private citizens, began 2017 curious as to what change the impending Trump administration would bring. In the landscape of government enforcement, however, the consensus amongst industry participants was that the Trump administration would bring loosened regulation for the consumer finance industry. Many industry insiders mused about the potential sea change that would result if CFPB Director Richard Cordray was terminated, with or without cause, by the incoming administration.

While the Trump administration’s first year has certainly changed the nature and extent of federal industry oversight, arguably even greater change took place at the state enforcement level for auto lenders in 2017. The industry saw state attorneys general begin to fill the void they anticipated would be left by an altered CFPB mission. The auto finance industry also saw the genesis of a new state UDAP theory based upon the need to account for a consumer’s ability to repay an installment contract at origination. In review, three trends have emerged from 2017 that portend an active 2018 for state enforcement actions directed towards the auto finance industry.

Filling the Perceived Void

Even before the start of 2017, leading state attorneys general reacted to the impending Trump administration by proclaiming their intent to protect consumers if the federal government failed to do so. New York Superintendent of Financial Services Maria T. Vullo reacted to the election results by declaring that her agency would not shirk from its responsibility of protecting its citizens. Likewise, New Mexico Attorney General Hector Balderas requested that his associates identify areas where prospective Trump administration policies could harm his state’s citizens.

Plans for an enforcement ramp-up did not end at state borders. Instead, much like after the mortgage crisis, state attorneys general networked together and openly discussed a desire to form a multistate task force to focus on the auto finance industry and, more specifically, the industry’s subprime segment. The cooperation between state attorneys general was seen throughout 2017 in various segments of the financial services industry. In the auto finance space, the most notable cooperative investigation resulted in one lender’s settlements with Massachusetts and Delaware for indirect origination practices underlying its subprime installment contracts.

A New Enforcement Theory

The collaboration between Massachusetts and Delaware brought a novel UDAP theory to the forefront of the auto finance industry. For the first time in 2017, state attorneys general successfully prosecuted claims that an indirect lender’s subprime installment contracts were unfair and deceptive because the lender failed to consider the borrowers’ ability to repay.

It was common belief, prior to 2017, that state regulatory regimes did not expressly require prospective indirect lenders to analyze a borrower’s ability to repay. Courts in a small number of jurisdictions (including the District of Columbia, New Jersey, and Massachusetts) had previously allowed UDAP or consumer protection claims to proceed based upon conduct resulting in a high likelihood of consumers being unable to repay their credit obligations. These cases, however, concerned other areas of consumer finance outside of the context of auto loans and were few and far between.

The Massachusetts and Delaware settlements represented the first time an indirect auto lender was penalized for its failure to analyze the borrowers’ ability to repay. Other states have indicated that they will now seek to expand application of this theory. For instance, Mississippi’s attorney general engaged outside counsel in 2017 to investigate an indirect subprime lender under this same UDAP theory.

One other enforcement theory also became more prevalent in 2017. Multiple state attorneys general consummated settlements with auto dealer groups based upon the deceptive practice of bundling aftermarket options into installment contracts. For instance, New Jersey entered into an August settlement and consent order based upon a dealership’s “jamming” of certain aftermarket options into installment contracts for subprime borrowers. Massachusetts entered into a similar settlement in September based upon a dealership’s sale of defective vehicles with high-cost subprime loans and bundled packages included in the amount financed. New York also entered into settlements and consent orders with two dealerships based upon illegal bundling of credit repair and identity theft protection services into installment contracts.

The Rise of the “Mini-CFPB”

Sensing the potential for an enforcement void in a Trump-influenced CFPB, some state attorneys general took even greater measures in 2017 in an effort to protect consumers. State attorneys general have been empowered since 2012, through Dodd-Frank Section 1042 (12 U.S.C. § 5552), to bring civil actions to enforce the Dodd-Frank Act and regulations promulgated under the act’s authority against entities within their jurisdiction. From a practical perspective, this power allows states to bring certain actions to enforce CFPB rulemaking if the CFPB fails to do so. States also have the authority to bring enforcement actions under specific federal consumer protection statutes, including TILA, RESPA, and the FCRA. State attorneys general, of course, also may enforce state laws – including state UDAP provisions.

The most novel related development in 2017 has been the emerging willingness of state attorneys general to explicitly seek a greater role in enforcement. Notably, Virginia’s attorney general created a Predatory Lending Unit in March. Pennsylvania created a Consumer Financial Protection Unit (labeled by some observers as a “mini-CFPB”) in July. Maryland followed suit by creating a Financial Consumer Protection Commission. Even where explicit structural changes were not made, other states ramped up their presence. For instance, Washington’s attorney general has increased staff from 11 attorneys to 27 attorneys over the past four years.

What Will 2018 Bring?

Building upon the trends set in 2017, we expect even more state attorneys general to continue to expand their auto finance enforcement activity in 2018. This trend appears to be even more likely in light of the appointment of Mick Mulvaney as acting director of the CFPB and the departure of Richard Cordray from the bureau. We expect to see more states pursue task forces or other “mini-CFPB” entities to fill any perceived enforcement void. We also expect to see the “ability to repay” UDAP theory gain traction in additional states in 2018.

Additionally, the recent GAO ruling that the CFPB’s 2013 Indirect Auto Lending Bulletin is subject to congressional override under the Congressional Review Act likely means that states will take action in its place. It will be interesting to see whether state attorneys general will pursue enforcement of disparate impact assignee liability claims based upon dealer markup practices in 2018. It is very possible that some states will attempt to issue similar rulemakings to replace the CFPB’s Bulletin.

SPEAK UP! The CFPB Wants Your Feedback

Yesterday, the Consumer Financial Protection Bureau (CFPB) announced that it is seeking “evidence to ensure the Bureau is fulfilling its proper and appropriate functions to best protect consumers.” The CFPB is expected to publish a series of Requests for Information (RFIs) in the Federal Register seeking public comments on the following areas of concern: enforcement, supervision, rulemaking, market monitoring, and education activities.

The first RFI is expected to be published soon, and it will address Civil Investigative Demands (CIDs), which are issued during an enforcement investigation. After receiving and evaluating comments, the CFPB will determine what changes, if any, are warranted.

Although it is difficult to predict how much of an impact this initiative will ultimately have on the CFPB’s current practices, these RFIs should provide a significant opportunity for regulated entities to engage with the CFPB and provide recommendations for improving the current regulatory environment. Accordingly, if you have concerns about any of the CFPB’s current practices or policies, SPEAK UP.

We will add future posts as the CFPB publishes its series of RFIs in the Federal Register.

Will Congress Upend Credit Reporting Agencies’ Cybersecurity Regulation in Light of Recent Data Breach?

Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced the Data Breach Prevention and Compensation Act on January 10, 2018 in an effort to increase accountability of large Credit Reporting Agencies (CRAs) for data breaches involving consumer data. The bill, drafted in response to the September 2017 Equifax data breach revelations, seeks to impose direct administrative supervision over data security at CRAs, mandatory penalties on CRAs for data breaches, and increased compensation to consumers for stolen data.

In a press release issued this morning, Senator Warner explained that “[t]his bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

The major impacts of this proposed bill are three-fold.

1. Strict Liability Penalties

Most notably, the proposed bill seeks to impose strict liability penalties for breaches involving consumer data at CRAs. The current regulatory landscape for CRAs does not mandate penalties for consumer data breaches and, instead, provides for discretionary penalties based upon culpable conduct. In a departure from the status quo, this proposed “strict liability” means a CRA would be subject to automatic penalties for a data breach, even if there is no allegation that the CRA acted negligently or was otherwise culpable for allowing such a breach to occur.

The proposed mandatory strict liability penalties are uniquely heavy-handed as well – starting with a base penalty of $100 per consumer with one piece of personal identifying information compromised. Any additional pieces of personal identifying information compromised per consumer will be subject to a $50 penalty, with a total penalty capped at 50 percent of the CRA’s gross revenue from the prior year.

The bill also proposes to double the automatic per-consumer penalties and increase the maximum penalty to 75 percent of the CRA’s gross revenue in cases where the offending CRA fails to comply with the Federal Trade Commission’s data security standards or fails to timely notify the agency of a breach. This final provision appears to be a direct response to allegations that Equifax delayed notifying consumers and government agencies after its breach occurred.

2. Distribution of Penalty Proceeds

The second major impact of the bill concerns the proposed distribution of penalty proceeds. Current law does not require governmental agencies to distribute penalty proceeds to the affected consumers. The proposed bill seeks to change this status quo, requiring the FTC to use 50 percent of any penalty to compensate consumers. The remainder is allocated to the FTC to conduct cybersecurity research and inspections.

3. Direct Supervision of CRAs’ Cybersecurity by FTC

Speaking of the FTC, the third major impact of the bill is the proposed vesting of the FTC with direct supervision of cybersecurity at CRAs. The FTC currently lacks the authority to oversee the credit reporting industry as a whole, and CRAs in particular.

The bill attempts to fill that perceived regulatory void by creating an Office of Cybersecurity at the FTC to conduct annual inspections and ongoing supervision of cybersecurity at CRAs. Senators Warren and Warner propose that a new career official, to be known as the Director of Cybersecurity, should be appointed and tasked with supervising this office. One additional feature of the bill is that it proposes to authorize this new FTC office to promulgate new regulations outlining effective data security standards for CRAs and require CRAs to implement such standards by seeking injunctive relief in federal courts.

What Should CRAs Expect?

Given these proposals, what should CRAs expect moving forward? For starters, the proposed scope of the bill is limited to CRAs generating more than $7 million in annual revenue from the sales of consumer reports – meaning that only the largest CRAs would be affected. For entities within the bill’s purview, however, a regulatory sea change would be expected if it became law. The strict liability standard, in particular, would entirely upend the current liability landscape for CRAs and would require covered CRAs to essentially act as insurers of the security of the consumer data they possess.

The FTC’s proposed abilities to impose harsh strict liability penalties without a finding of culpable conduct and to seek injunctive relief to require that CRAs implement security measures of its choosing would likely constitute a significant burden to CRAs beyond what is currently required by federal law.

Likelihood of Bill Becoming Law

From a purely political perspective, a treacherous road appears to be ahead for the bill to become law. Democrats, of course, do not currently control either chamber of Congress and would need to build bipartisan support to pass the bill. It appears unlikely that President Trump would sign the bill into law, given his disinclination to enact new regulations and his stated goal to deregulate various related industries.

The financial services industry should not entirely discount the bill, however, as the Equifax breach affected a significant portion of the nation’s population, including lawmakers, and appeared to anger lawmakers from both parties. Thus, if a significant quantum of grassroots and lawmaker anger remains after the Equifax breach, the political will to enact this law may exist after all.

Two Courts Clear the Way for Bankruptcy Trustees to Avoid Tuition Payments Made by Parents on Behalf of Children as Fraudulent Transfers

Two bankruptcy courts recently cleared the way for bankruptcy trustees to avoid college tuition payments made by debtor-parents on behalf of their children as fraudulent transfers, potentially affecting the college’s ability to keep such tuition payments. Following up on our prior coverage, these decisions set up a split among the bankruptcy courts as to whether a parent receives “reasonably equivalent value” as a result of their child’s college education such that those tuition payments should remain in the creditor university’s hands as opposed to being recovered for the benefit of the parent’s creditors. With these two decisions, a consensus opinion is emerging that such transfers may be recouped by the parent’s bankruptcy estate, absent tangible evidence of benefit to the debtor-parent.

In Boscarino v. Bd. of Trs. of Conn. State Univ. System (In re Knight), the bankruptcy court denied a motion for summary judgment filed by Central Connecticut State University. The Chapter 7 trustee sought to recover approximately $21,000 of tuition payments made by the debtor on behalf of her son. The facts of the case were undisputed, and the parties agreed that the tuition payments would qualify as constructively fraudulent transfers if the trustee could establish that the debtor received less than reasonably equivalent value in exchange.

To determine whether reasonably equivalent value was received, courts must first determine whether the debtor received any “value” at all in exchange for the transfer and then whether the value received was reasonably equivalent to the value the debtor gave up. The debtor offered testimony that she made the tuition payments because she wanted to reduce the amount of debt her son had at graduation and to fulfill her Expected Family Contribution, as calculated in federal determinations of financial aid. The debtor also believed that subsidizing her son’s college tuition would help him become financially self-sufficient, which would ultimately benefit her because he would be less likely to rely upon her for his living expenses and more likely to someday provide financial support to her, if necessary.

Although other bankruptcy courts have credited such concerns in the reasonably equivalent value analysis, the Knight court took a harder line, reasoning that moral or family obligations cannot be considered in the reasonably equivalent value analysis “for the obvious reason that the depletion of resources available to creditors cannot be offset by the satisfaction of moral obligations.” The court noted that to the extent courts have held otherwise, the benefit received by the parent-debtor has not been economic, concrete or quantifiable – the parent has not received “any legally cognizable value, much less reasonably equivalent value” in exchange for tuition payments.

It further opined that contrary rulings violated the separation of powers because the well-founded concerns of the judiciary about the wisdom of allowing trustees to claw back college tuition payments must yield to the clear intent of Congress, as articulated by the Bankruptcy Code’s fraudulent transfer provisions. The court likened the tuition clawbacks to the split in authority over whether tithes and donations to religious institutions were constructively fraudulent transfers, a question that was resolved when Congress passed the Religious Liberty and Charitable Donation Protection Act of 1998, which amended Bankruptcy Code section 548 to expressly shield charitable donations to qualifying institutions from a trustee’s avoidance powers.

The court also rejected arguments that a child’s promise to repay their parent’s tuition outlays could qualify as reasonably equivalent value because the mere expectation of economic benefit was not legitimate and reasonable such that it could confer “value” for purposes of a fraudulent transfer analysis.

Similarly in Slobodian v. Penn. State Univ. (In re Fisher), the Chapter 7 trustee filed an adversary proceeding alleging that within two years of filing for bankruptcy protection, the parent made tuition payments totaling approximately $5,800 on behalf of her son. Penn State moved to dismiss the adversary complaint on the grounds that it did not state a claim upon which relief could be granted. The bankruptcy court issued a report recommending that Penn State University’s motion to dismiss the adversary complaint be denied.

The bankruptcy court reviewed a handful of conflicting prior decisions and ultimately concluded that it lacked sufficient proof to overcome the allegation that the debtor received less than reasonably equivalent value. The bankruptcy court found that the debtor received “at least some intangible value” in exchange for the tuition payments in that she was “less worried about her son’s future economic prospects,” but without evidence of the son’s graduation, employment or financial status, the bankruptcy court could not determine whether the debtor received reasonably equivalent value in exchange for the tuition payments.

As in our prior coverage, the Fisher court distinguished a case where the tuition payments at issue had been made to the university from pre-petition loans the debtor obtained from the Department of Education (e.g., Parent PLUS loans). According to the Fisher court, the fact that the tuition payments were made to the university without passing through either the debtor or his children meant that the loan proceeds were never the debtor’s property and so could not be subject to the trustee’s recovery action.

The Knight and Fisher decisions signal a trend that likely dismays higher education institutions and makes it harder to track and service student loans. As bankruptcy courts increasingly demand tangible proof of reasonably equivalent value, it will be harder for colleges and universities to avoid these lawsuits on procedural grounds. The Knight court is likely correct that a legislative fix is the most efficient solution, but in the meantime, we can expect the unsettled state of the law to result in varied and often contradictory decisions regarding reasonably equivalent value.

DOJ’s FCPA Corporate Enforcement Policy Creates Greater Certainty for Companies

The Foreign Corrupt Practices Act of 1977 (FCPA) makes it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. On November 29, 2017, Deputy Attorney General Rod Rosenstein announced the addition of an FCPA Corporate Enforcement Policy to the U.S. Attorneys’ Manual, providing guidance to companies seeking cooperation credit for voluntarily self-disclosing FCPA-related misconduct, fully cooperating with the government’s investigation, and remediating. Notably, the policy creates a presumption that a self-disclosing company that is not a repeat offender will receive a declination from the Department of Justice (DOJ) “absent aggravating circumstances.” Although, as an internal operating policy, it creates no private rights and is not enforceable in court, the policy promotes consistency and predictability in DOJ’s treatment of corporate FCPA offenders.

This new policy largely mirrors the Pilot Program announced by DOJ on April 5, 2016. By making the Pilot Program permanent and incorporating it into the U.S. Attorneys’ Manual, and by modifying it to give even greater certainty to companies self-disclosing misconduct, DOJ has demonstrated its belief that incentivizing voluntary disclosure works. Indeed, Deputy Attorney General Rosenstein noted that during the period the Pilot Program was in effect, DOJ received 30 voluntary disclosures, compared to 18 during the previous 18-month period. Also, of the 17 criminal FCPA resolutions entered by DOJ during the Pilot Program, only two involved defendants who had voluntarily disclosed. Both of those were resolved through non-prosecution agreements that did not impose a compliance monitor. Over that same time period, seven additional matters came to the Department’s attention through voluntary disclosures and were resolved under the Pilot Program through declinations with payment of disgorgement. The new policy broadens and cements the incentives for companies to come forward of their own accord to report findings or suspicions of misconduct.

Most notably, while the Pilot Program provided for the possibility of a declination when a company voluntarily self-discloses misconduct, fully cooperates, and timely and appropriately remediates, the new policy creates a presumption that the company will receive a declination, unless there are aggravating circumstances related to the seriousness of the offense or if the disclosing company is a repeat offender. Even if aggravating circumstances exist, where the company is not a recidivist, DOJ will recommend a 50 percent reduction off the low end of the Sentencing Guidelines range. These modifications to the Pilot Program provide much greater certainty for a company considering making a voluntary disclosure.

Voluntary self-disclosure is evaluated by “assessment of the circumstances of the disclosure.” First, a company must make the disclosure prior to an imminent threat of disclosure or government investigation. Second, the company must demonstrate timeliness of the disclosure and show that it was made “within a reasonably prompt time after becoming aware of the offense.” And, third, the company must disclose all relevant facts known to it, including all relevant facts about all individuals involved in the violation of law.

The DOJ determines whether a company has fully cooperated based upon its Principles of Federal Prosecution of Business Organizations, as well as five other independent factors. These factors are timely disclosure of all relevant facts; proactive rather than reactive disclosure; preservation and collection of relevant documents; de-confliction of investigative steps; and making officers and employees available for interview by the department.

Finally, remediation credit is available when a company has performed a root cause analysis; implemented a compliance and ethics program; disciplined responsible employees; implemented an appropriate document retention policy; and taken any other steps to reduce future risks, accept responsibility, and demonstrate recognition of the seriousness of the misconduct. Although the 2016 Pilot Program indicated that remediation was “difficult to ascertain and highly case specific,” the new policy articulates additional factors to consider when evaluating remediation, such as the requirement of conducting a root cause analysis of the conduct.

It is worth noting that this policy applies only to FCPA matters and has no direct application to voluntary disclosures of wrongdoing in other contexts.

Parallel Universe or Coincidence: The CFPB’s New Data Consumer Protection Principles’ Relationship to GDPR

On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) outlined nine non-binding Consumer Protection Principles (the Principles) for the access and sharing of consumer information between third-party companies. The Principles focus on the consumer experience, specifically consumers’ enhanced control over their financial lives.

The CFPB envisions a marketplace in which consumers are in the proverbial driver’s seat with regard to the use of their financial data. To that end, the CFPB announced the Principles in an attempt “to reiterate the importance of consumer interests to all stakeholders in the developing market for services based on the consumer-authorized use of financial data.” The Principles provide general guidance for the following:

  1. Access
  2. Data Scope and Usability
  3. Control and Informed Consent
  4. Authorizing Payments
  5. Security
  6. Access Transparency
  7. Accuracy
  8. Ability to Dispute and Resolve Unauthorized Access
  9. Efficient and Effective Accountability

Shifting the balance of power to consumers

Although each Principle sets forth a unique protection for consumers, when read as a whole, the Principles make it apparent that the CFPB seeks to shift the balance of power into consumers’ hands. For example, a boilerplate notice regarding data access and data sharing may no longer suffice in light of the Control and Informed Consent Principle. This Principle provides that “authorized terms of access, storage, use, and disposal are fully and effectively disclosed to the consumer, understood by the consumer, not overly broad, and consistent with the consumer’s reasonable expectations in light of the product(s) or service(s) selected by the consumer.”

As if to clarify any possible confusion, the CFPB specifies that consumers are not to be “coerced into granting third-party access.” Continuing on this theme of consumer control, the CFPB also pushes for “separate and distinct consumer authorizations” for payment authorization. Put simply, consumer authorization of data access does not equal consumer authorization for the initiation of payments.

Emphasizing security of data and credentials

Of particular importance in the aftermath of the Equifax security breach is the CFPB’s emphasis on the security of consumer data and access credentials. Although the CFPB does not specify a security standard, it nonetheless provides that “all parties that access, store, transmit, or dispose of data use strong protections and effective processes to mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud, and transmit data only to third parties that also have such protections and processes.”

Such practices are not meant to be static, as the CFPB envisions adaptable security practices in response to new and emerging threats. To that end, the Principles could be read as an impetus to encourage cooperation among market participants with regard to data/security standards. Data aggregators are in the best position to determine the scope of these evolving threats and determine criteria to protect consumer interests with minimal CFPB involvement.

Similarities to EU’s GDPR

Keen observers of the data privacy arena may note some resemblance to the rights enshrined in the European Union’s (EU) General Data Protection Regulation (GDPR), specifically the right to data portability. As envisioned, the GDPR’s right to data portability would allow a data subject to request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance.

The GDPR, like the CFPB’s Principles, allows the data owner, or consumer, to remain in control of his or her data. Unlike the GDPR, which will become an enforceable regulation on May 25, 2018, the Principles are, for the time being, aspirational tenets by which the CFPB seeks to enable consumer-friendly innovation in financial services. Under the Principles, financial institutions and third-party service providers will need to coordinate closely, which may require a heavy investment if they choose to fully implement the Principles.

The watchdog role

Even though the Principles do not alter, interpret, or otherwise provide guidance on applicable statutes and regulations, they provide a practicable, if generalized, framework with respect to data security, privacy, and unauthorized access. Through the Principles, the CFPB is further staking out its role as watchdog in the growing aggregation services market.

Exactly how bold the CFPB will be in enforcing consumer rights in this area remains unknown. What is known is that the CFPB will be embedding regulators with the three major credit reporting agencies in the wake of the Equifax data breach, indicating the CFPB’s heightened involvement in the day-to-day security operations of these companies.

What the future may hold

Looking ahead, the CFPB could further clarify existing regulations or take more drastic measures such as engaging in rulemaking under Section 1033 of the Dodd-Frank Act. The CFPB could also use its powers under the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) regulation to bring enforcement actions against companies that refuse to follow the Principles.

On the other hand, in the wake of CFPB Director Richard Cordray’s resignation, the CFPB could simply withdraw its oversight from this area, as a future director may look to reorient the CFPB’s mission. Until such time as the CFPB signals its intent with regard to data-sharing requirements, data aggregators and any financial service entity that collects consumer data should heed the Principles and ensure consumer protections for safe access to and controlled use of consumer financial data.

As data privacy threats continue to loom, so too will the increase in regulation and oversight. General data privacy principles continue to serve as the building blocks for many of the international standards in data privacy. As technology continues to shrink global differences, U.S. companies can expect general and globally accepted data privacy principles to cross borders and influence data privacy laws stateside.