Supreme Court Narrowly Interprets “Whistleblower” under Dodd-Frank, Foreclosing Protections for Those Who Fail to Report Issues to SEC

Supreme Court Narrowly Interprets “Whistleblower” under Dodd-Frank, Foreclosing Protections for Those Who Fail to Report Issues to SECThe Supreme Court has resolved a circuit split on whether Dodd-Frank’s whistleblower protections apply only to employees who report their concerns to the Securities and Exchange Commission (SEC). On Wednesday, in Digital Realty Trust, Inc. v. Somers, the Supreme Court ruled 9-0 in favor of limiting the Dodd-Frank Act’s definition of whistleblower to those who report their allegations to the SEC, thus excluding from whistleblower protection individuals who report their complaints internally. The issue before the Supreme Court was the language of Dodd-Frank, which defines “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established . . . by the Commission” (15 U.S.C. § 78u-6(a)(6)).

The refrain of the opinion is that a would-be whistleblower must “tell the SEC” in order to benefit from Dodd-Frank’s anti-retaliation provision. It’s always notable when all nine justices agree, and here the Supreme Court relied on the unambiguous, clear, and conclusive language of the statute to hold that anti-retaliation protection does not apply unless and until the SEC is notified of alleged securities law violations. Despite urging from the Solicitor General to expand the whistleblower definition for anti-retaliation purposes, the Supreme Court held that anti-retaliation protection does not extend to an individual who has not reported a violation of securities law to the SEC. The decision reversed the Ninth Circuit and resolved a circuit split. The Fifth Circuit had previously held that employees are required to provide information to the SEC to take advantage of Dodd-Frank’s anti-retaliation safeguard, while the Second and Ninth Circuits extended Dodd-Frank remedies to employees who reported alleged wrongdoing only to their employers.

The Supreme Court emphasized that the holding is consistent with the purpose of Dodd-Frank, the “core objective” of which is to motivate people to tell the SEC about violations of securities laws. The Supreme Court acknowledged that giving the statute its plain-text reading “shields fewer individuals from retaliation than the alternative,” but again emphasized that Dodd-Frank’s main goal is to incentivize reporting alleged violations to the SEC.

Time will tell whether the Supreme Court’s ruling will affect the number of whistleblower actions. The decision is limited to the Dodd-Frank whistleblower statute involving securities laws and does not affect the numerous other whistleblower protection statutes. As an illustration, the Supreme Court distinguished actions under the Consumer Financial Protection Bureau’s (CFPB) jurisdiction and noted that the CFPB whistleblower-protection statute permits a covered employee to provide information to an employer, the CFPB, or a local, state, or federal government authority or law enforcement agency.  Accordingly, in the CFPB context, whistleblower protection still applies when a covered employee reports alleged misconduct solely to their employer.

Fourth Circuit Asked to Rule on Whether Mortgage Retroactively Incorporates Federal Servicing Requirements

Fourth Circuit Asked to Rule on Whether Mortgage Retroactively Incorporates Federal Servicing RequirementsA recent appeal to the Fourth Circuit may shed light on whether Virginia borrowers can assert federal mortgage servicing requirements as a defense to foreclosure when the mortgage instrument pre-dates the federal requirement. In Stansbury v. Federal National Mortgage Association, borrower Hollie Stansbury argues that a 2011 consent order between her mortgage servicer and the Office of the Comptroller of Currency was incorporated into the mortgage contract as a condition precedent to foreclosure. The lender has contested this claim in part by arguing that because the 2006 deed of trust predates the consent order, the parties to the mortgage could not have intended to incorporate the consent order’s requirements as a limitation to foreclosure. A decision on these competing arguments may bring clarity to the effect of a 2016 decision by the Virginia Supreme Court addressing the potential for incorporation arguments similar to Stansbury’s.

In Parrish v. Federal National Mortgage Association, the Virginia Supreme Court held that the trial court lacked jurisdiction to hear a post-foreclosure eviction action where the borrower raised a bona fide dispute as to the validity of the foreclosure. The borrowers in Parrish alleged that their deed of trust incorporated federal loss mitigation rules as a condition precedent to foreclosure and asserted that the loan servicer violated those regulations. Without addressing the merits of these allegations, the Supreme Court found that they were sufficient to raise a bona fide question as to the lender’s title to the foreclosed property.

After Parrish, some borrowers have argued that federal servicing standards are incorporated as a condition precedent to foreclosure through provisions in many deeds of trust stating that the parties’ rights are subject to federal law. In Stansbury, the U.S. District Court rejected the borrower’s claim that a 2011 consent order was so incorporated. In its August 31, 2017, ruling, the District Court held that the deed of trust’s governing law provision applied only to laws in existence at the time of the contract and did not incorporate a future consent order. The borrower has appealed the case to the Fourth Circuit.

The Stansbury appeal places the issue of retroactive incorporation before the Fourth Circuit. In her brief, Stansbury argues that the governing law provision must be applied to the law in existence at the time of foreclosure. In contrast, the lender’s brief argues that the provision applies only to the laws contemplated by the parties at the time they entered the mortgage contract. Because a substantial number of foreclosures involve deeds of trust executed prior to Dodd-Frank and other significant regulatory changes, lenders and servicers may be expected to keep a close watch on the outcome.

Two Opportunities for Student Loan Companies to Speak Up

Two Opportunities for Student Loan Companies to Speak UpTwo recent requests from lawmakers have provided student loan servicers and originators the opportunity to comment on hot-button issues for the industry:

  • The CFPB issued a Request for Information last week, seeking comments and information “to assist in assessing the overall efficiency and effectiveness of its supervision program and whether any changes to the program would be appropriate.” The comment period will open when the RFI is published in the Federal Register, expected February 20. In light of the supervision program’s past involvement with the industry, student loan servicers and industry groups should consider taking this opportunity to speak up.

    This RFI is the most recent in a series of RFIs from the Bureau, with more to come in the next couple of months. Stay tuned for RFIs related to complaint reporting, rulemaking processes, consumer inquiries, and more.

  • Also last week, Chairman Lamar Alexander and Ranking Member Patty Murray of the Senate Health, Education, Labor, and Pensions (HELP) Committee requested comments and suggestions on the Committee’s reauthorization of the Higher Education Act (HEA). While it is by no means certain that we will see an HEA reauthorization passed this year, HELP Committee leadership remains focused on the issue. Senator Alexander released a white paper on his vision for the HEA earlier this month, expressing concern about taxpayer exposure to defaults on federal student loans. The HEA reauthorization will have a potentially huge effect on the student loan industry. Comments to the Committee may be submitted to HigherEducation2018@help.senate.gov by Friday, February 23.

SEC Encourages Advisors to Self-Report Fiduciary Violations by June 12, 2018

SEC Encourages Advisors to Self-Report Fiduciary Violations by June 12, 2018The SEC announced a self-reporting initiative for investment advisors who admit violations of the federal securities laws relating to certain mutual fund share class election issues while promptly returning money to harmed investors. The initiative is entitled the “Share Class Selection Disclosure Initiative” and is focused on those advisors who have put clients into high-fee mutual fund classes when a less expensive share class for the same fund was available and appropriate. If the advisor self-reports and returns money to the harmed investor, the SEC’s enforcement division will not recommend civil penalties against the advisor.

The initiative highlights the SEC’s focus on the conflict of interest that is created when an advisor receives compensation for selecting a more expensive fund share class when a less expensive share class for the same fund is available. The SEC notes this conflict of interest must be disclosed to the investor. To be eligible for the self-reporting initiative, investment advisors must notify the division of enforcement of their intent to self-report no later than June 12, 2018.

Small Lenders May Get Relief from New Home Mortgage Disclosure Act Reporting Requirements

Small Lenders May Get Relief from New Home Mortgage Disclosure Act Reporting Requirements

On January 18, 2018, the House gave small lenders a late Christmas present when it passed H.R. 2954 known as the Home Mortgage Disclosure Adjustment Act. The act amends the existing Home Mortgage Disclosure Act (HMDA) by easing the regulatory burden on small lenders. By way of background, HMDA imposes additional reporting requirements on regulated entities that became effective this month. More specifically, HMDA requires banks and credit unions to collect 48 additional data fields on any mortgage loan they originate and to report that data to the CFPB. This additional regulatory burden will increase transaction costs and processing time for obtaining a home mortgage and impose unique burdens on small lenders that lack the existing infrastructure and processes to effectively capture and communicate the additional data sets.

The Home Mortgage Disclosure Adjustment Act attempts to ameliorate this disproportionate impact by exempting (a) small lenders, such as community banks and credit unions, which originate less than 500 closed-end mortgage loans in each of the two preceding calendar years, and (b) those that originate less than 500 open-end lines of credit in each of the two preceding calendar years. Bradley will continue to monitor the progress of the act as it moves through the Senate.

In Case You Missed It: Justice Department Banks on False Claims Act Enforcement Again in 2017

In Case You Missed It: Justice Department Banks on False Claims Act Enforcement Again in 2017The Justice Department and a veritable army of whistleblowers’ counsel continue to use the False Claims Act (FCA) to bring suits against banks and mortgage companies. In 2017 alone, the Department of Justice obtained $543 million in FCA settlements and judgments from the financial services industry.

To keep you informed on the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the 2017 FCA Year in Review, our annual review of significant FCA cases, developments, and trends. Longtime readers of our Year in Review will notice that it has a new look and improved functionality, making it an easy-to-read, printable resource, as well as a convenient and searchable digital tool.

Five Years Later: Five Takeaways From the Bulletin That Rocked the Auto Finance Industry

Five Years Later: Five Takeaways From the Bulletin That Rocked the Auto Finance IndustryIn 2013, the Consumer Financial Protection Bureau (CFPB) issued a bulletin on indirect auto lending that took the industry by storm. As we approach the five-year anniversary of the memo’s issuance, it’s valuable to reflect on how the bulletin was received, how the auto finance industry has changed since the bulletin and subsequent CFPB actions, and how the industry and regulators can learn from the experience to improve their efforts to remove discrimination from the car buying experience.

CFPB Bulletin 2013-02, Indirect Auto Lending and Compliance With the Equal Credit Opportunity Act, was the CFPB’s first public foray into regulating the auto finance industry. In the bulletin, the CFPB articulated the agency’s concerns over dealer markup incentives that could result in auto finance companies participating in discriminatory lending practices that violated ECOA.

The bulletin included allegations of discriminatory practices at the lender and dealership level and suggested a number of potential compliance solutions that auto finance companies could implement to reduce the risk of violating ECOA. Since that time, the CFPB has added nonbank auto finance companies to its list of regulated larger market participants, auto finance companies have reached settlements with the CFPB related to fair lending practices, and the U.S. Government Accountability Office (GAO) has concluded that the bulletin was a rulemaking that should have been subject to the Congressional Review Act.

Below are five takeaways that have emerged since the bulletin was issued.

1. Reaction from the auto industry was swift – many participants were stunned and irate.

The industry felt blindsided when the CFPB issued the bulletin without much warning. Many nonbank auto finance companies had not historically had relationships with federal regulators and thought the auto industry was going to largely get a pass from the CFPB after auto dealers had specifically been exempted from the CFPB’s oversight in the Dodd-Frank Act. Worst of all, many industry participants interpreted the bulletin as the CFPB accusing them of either having race-based lending policies or associating with auto dealers who profit by exploiting borrowers’ race or ethnicity.

The bulletin speculated about perceived problems in the industry and, unlike the CFPB’s Supervisory Highlights, did not point to hard examples of fair lending abuses occurring at dealerships or auto finance companies. For this reason, many industry participants felt that the CFPB was denouncing an entire industry without an adequate evidentiary basis.

While the CFPB initially had the authority to investigate nonbank auto finance companies through enforcement, it lacked supervisory authority over nonbank larger market participants until 2015. Thus, the CFPB relied on anecdotes, enforcement investigations and market research as the basis for the bulletin.

The bulletin served as the opening salvo between the CFPB and the auto finance industry. Rather than begin with an olive branch, this bulletin served as a shot across the bow.

2. Incentives that do not align with a consumer’s interest have and will continue to carry a high degree of regulatory risk.

If there is one theme that unifies post-financial crisis regulation, it is that regulators will heavily scrutinize any arrangement that results in a provider’s incentives not being aligned with consumers’ interest. In regulating the markets for retirement account counseling, securities trading, mortgage origination, depository account management and auto finance, regulators have adhered to the principle that companies should not be making greater profits by offering less favorable terms and services to consumers.

While the auto finance bulletin did not ban dealer reserve outright, the bulletin caused auto finance companies to reconsider how they structured dealer compensation programs. Even if future CFPB administrations do not enforce the auto finance bulletin, aggrieved consumers and their attorneys now have a roadmap for identifying discriminatory lending practices and bringing lawsuits to challenge them. Auto finance companies are more cognizant today about how their dealer compensation programs are structured, and that is unlikely to change regardless of the CFPB’s future regulatory direction.

3. Vendor management became a staple of auto finance companies’ compliance management systems.

Prior to the CFPB’s entry into auto finance regulation, auto finance companies were surely careful to consider dealers with whom they partnered based on traditional business metrics like profit margin, sales volume, geographic location and reputation. In the aftermath of the CFPB bulletin, however, auto finance companies added new criteria to evaluate dealers that wanted to join their lending network.

Auto finance companies have more closely scrutinized dealers’ compliance with fair lending laws as well as those dealers’ culture and cohesion with the auto finance company’s own policies and procedures. As a result, auto financiers have cut ties with certain dealers and other dealers have changed their markup practices to fall in line with the heightened expectations of auto finance companies and the CFPB.

While the CFPB bulletin did not result in widespread adoption of a flat fee compensation model for auto dealers, the bulletin’s lasting legacy may be that auto finance companies developed more stringent policies that dealers must follow to receive financing for consumers.

4. Statistical modeling is an imperfect solution to eliminating discrimination in auto financing.

The CFPB’s reliance on statistical modeling to identify discriminatory practices was perhaps the most frequently criticized element of its approach to regulating the auto finance industry. Since auto dealers are prohibited from collecting race and ethnicity data from consumers, the CFPB had to rely on statistical models based largely on surnames to identify occasions where credit decisions appeared to have been made based on illegal race-based criteria.

To the industry statisticians who understood the statistical model’s underpinnings, the model appeared to be flawed. And the many other industry participants who did not understand the underlying algorithms felt it fundamentally unfair to implicate a company for discriminatory lending practices based on a statistical model that the company did not have access to and did not use in underwriting decisions.

As the CFPB reached large settlements with lenders, the industry took note and lenders began to adopt statistical models to identify fair lending risks within their own institutions. While the CFPB may have relied too heavily on a statistical modeling approach, industry participants walked away with a compliance tool that allows them to identify potential fair lending abuses during compliance audits and dealership due diligence reviews.

5. Fair lending is a cause best served by industry and regulators working together.

It was perhaps the CFPB’s delivery, rather than the content itself, that caused the industry to recoil so emphatically against the bulletin. The CFPB did not hold a public forum on auto finance until eight months after issuing the bulletin.

Given the industry’s reaction to the bulletin, the CFPB would likely have been better off reversing the order of those events and gathering feedback from industry participants prior to issuing industry-altering guidance. At the same time, in the aftermath of the bulletin, the industry was best served by those companies and industry advocates that reacted to the bulletin by respectfully articulating to the CFPB the nature of the industry and how the overwhelming number of participants in the industry shared the CFPB’s goal of consumer protection and disdain for discriminatory practices.

The Next Five Years

Moving forward, auto finance companies that are directly or indirectly regulated by the CFPB will have the opportunity to engage with the Bureau to explain their business models and how compliance and fair lending are essential parts of their companies’ culture. The CFPB recently announced it will be issuing requests for information regarding numerous aspects of the agency’s approach to regulation. In light of this announcement, the time is right for the auto finance industry to collect its thoughts on the CFPB’s past five years of regulation and on how the industry wants this relationship to evolve.

The fate of the bulletin itself is not clear in the aftermath of the GAO’s conclusion that the bulletin constituted a rulemaking subject to the CRA. Whether the new CFPB administration or Congress will take action to amend or rescind the bulletin remains to be seen.

What is clear is that there is still a concern that fair lending abuses remain in the auto industry. A consumer advocacy group recently released a study that highlighted incidents of discrimination at the dealership level.

Whether the CFPB, emerging state-level actors or private practitioners are holding the handle, there will continue to be a magnifying glass on fair lending practices in the auto industry. Industry participants should continue to develop strong policies and procedures related to fair lending compliance, dealer incentives and service provider oversight to avoid becoming the subject of an enforcement action or consumer litigation and to ensure that all consumers are treated fairly when attempting to finance automobile purchases.

2017 in Review: Three State Enforcement Trends Impacting the Auto Finance Industry

2017 in Review: Three State Enforcement Trends Impacting the Auto Finance IndustryAuto lenders, like many private citizens, began 2017 curious as to what change the impending Trump administration would bring. In the landscape of government enforcement, however, the consensus amongst industry participants was that the Trump administration would bring loosened regulation for the consumer finance industry. Many industry insiders mused about the potential sea change that would result if CFPB Director Richard Cordray was terminated, with or without cause, by the incoming administration.

While the Trump administration’s first year has certainly changed the nature and extent of federal industry oversight, arguably even greater change took place at the state enforcement level for auto lenders in 2017. The industry saw state attorneys general begin to fill the void they anticipated would be left by an altered CFPB mission. The auto finance industry also saw the genesis of a new state UDAP theory based upon the need to account for a consumer’s ability to repay an installment contract at origination. In review, three trends have emerged from 2017 that portend an active 2018 for state enforcement actions directed towards the auto finance industry.

Filling the Perceived Void

Even before the start of 2017, leading state attorneys general reacted to the impending Trump administration by proclaiming their intent to protect consumers if the federal government failed to do so. New York Superintendent of Financial Services Maria T. Vullo reacted to the election results by declaring that her agency would not shirk from its responsibility of protecting its citizens. Likewise, New Mexico Attorney General Hector Balderas requested that his associates identify areas where prospective Trump administration policies could harm his state’s citizens.

Plans for an enforcement ramp-up did not end at state borders. Instead, much like after the mortgage crisis, state attorneys general networked together and openly discussed a desire to form a multistate task force to focus on the auto finance industry and, more specifically, the industry’s subprime segment. The cooperation between state attorneys general was seen throughout 2017 in various segments of the financial services industry. In the auto finance space, the most notable cooperative investigation resulted in one lender’s settlements with Massachusetts and Delaware for indirect origination practices underlying its subprime installment contracts.

A New Enforcement Theory

The collaboration between Massachusetts and Delaware brought a novel UDAP theory to the forefront of the auto finance industry. For the first time in 2017, state attorneys general successfully prosecuted claims that an indirect lender’s subprime installment contracts were unfair and deceptive because the lender failed to consider the borrowers’ ability to repay.

It was common belief, prior to 2017, that state regulatory regimes did not expressly require prospective indirect lenders to analyze a borrower’s ability to repay. Courts in a small number of jurisdictions (including the District of Columbia, New Jersey, and Massachusetts) had previously allowed UDAP or consumer protection claims to proceed based upon conduct resulting in a high likelihood of consumers being unable to repay their credit obligations. These cases, however, concerned other areas of consumer finance outside of the context of auto loans and were few and far between.

The Massachusetts and Delaware settlements represented the first time an indirect auto lender was penalized for its failure to analyze the borrowers’ ability to repay. Other states have indicated that they will now seek to expand application of this theory. For instance, Mississippi’s attorney general engaged outside counsel in 2017 to investigate an indirect subprime lender under this same UDAP theory.

One other enforcement theory also became more prevalent in 2017. Multiple state attorneys general consummated settlements with auto dealer groups based upon the deceptive practice of bundling aftermarket options into installment contracts. For instance, New Jersey entered into an August settlement and consent order based upon a dealership’s “jamming” of certain aftermarket options into installment contracts for subprime borrowers. Massachusetts entered into a similar settlement in September based upon a dealership’s sale of defective vehicles with high-cost subprime loans and bundled packages included in the amount financed. New York also entered into settlements and consent orders with two dealerships based upon illegal bundling of credit repair and identity theft protection services into installment contracts.

The Rise of the “Mini-CFPB”

Sensing the potential for an enforcement void in a Trump-influenced CFPB, some state attorneys general took even greater measures in 2017 in an effort to protect consumers. State attorneys general have been empowered since 2012, through Dodd-Frank Section 1042 (12 U.S.C. § 5552), to bring civil actions to enforce the Dodd-Frank Act and regulations promulgated under the act’s authority against entities within their jurisdiction. From a practical perspective, this power allows states to bring certain actions to enforce CFPB rulemaking if the CFPB fails to do so. States also have the authority to bring enforcement actions under specific federal consumer protection statutes, including TILA, RESPA, and the FCRA. State attorneys general, of course, also may enforce state laws – including state UDAP provisions.

The most novel related development in 2017 has been the emerging willingness of state attorneys general to explicitly seek a greater role in enforcement. Notably, Virginia’s attorney general created a Predatory Lending Unit in March. Pennsylvania created a Consumer Financial Protection Unit (labeled by some observers as a “mini-CFPB”) in July. Maryland followed suit by creating a Financial Consumer Protection Commission. Even where explicit structural changes were not made, other states ramped up their presence. For instance, Washington’s attorney general has increased staff from 11 attorneys to 27 attorneys over the past four years.

What Will 2018 Bring?

Building upon the trends set in 2017, we expect even more state attorneys general to continue to expand their auto finance enforcement activity in 2018. This trend appears to be even more likely in light of the appointment of Mick Mulvaney as acting director of the CFPB and the departure of Richard Cordray from the bureau. We expect to see more states pursue task forces or other “mini-CFPB” entities to fill any perceived enforcement void. We also expect to see the “ability to repay” UDAP theory gain traction in additional states in 2018.

Additionally, the recent GAO ruling that the CFPB’s 2013 Indirect Auto Lending Bulletin is subject to congressional override under the Congressional Review Act likely means that states take action in its place. It will be interesting to see whether state attorneys general will pursue enforcement of disparate impact assignee liability claims based upon dealer markup practices in 2018. It is very possible that some states will attempt to issue similar rulemakings to replace the CFPB’s Bulletin.

SPEAK UP! The CFPB Wants Your Feedback

SPEAK UP! The CFPB Wants Your FeedbackYesterday, the Consumer Financial Protection Bureau (CFPB) announced that it is seeking “evidence to ensure the Bureau is fulfilling its proper and appropriate functions to best protect consumers.” The CFPB is expected to publish a series of Requests for Information (RFIs) in the Federal Register seeking public comments on the following areas of concern: enforcement, supervision, rulemaking, market monitoring, and education activities.

The first RFI is expected to be published soon, and it will address Civil Investigative Demands (CIDs), which are issued during an enforcement investigation. After receiving and evaluating comments, the CFPB will determine what changes, if any, are warranted.

Although it is difficult to predict how much of an impact this initiative will ultimately have on the CFPB’s current practices, these RFIs should provide a significant opportunity for regulated entities to engage with the CFPB and provide recommendations for improving the current regulatory environment. Accordingly, if you have concerns about any of the CFPB’s current practices or policies, SPEAK UP.

We will add future posts as the CFPB publishes its series of RFIs in the Federal Register.

Will Congress Upend Credit Reporting Agencies’ Cybersecurity Regulation in Light of Recent Data Breach?

Will Congress Upend Credit Reporting Agencies’ Cybersecurity Regulation in Light of Recent Data Breach?Senators Elizabeth Warren (D-Mass.) and Mark Warner (D-Va.) introduced the Data Breach Prevention and Compensation Act on January 10, 2018 in an effort to increase accountability of large Credit Reporting Agencies (CRAs) for data breaches involving consumer data. The bill, drafted in response to the September 2017 Equifax data breach revelations, seeks to impose direct administrative supervision over data security at CRAs, mandatory penalties on CRAs for data breaches, and increased compensation to consumers for stolen data.

In a press release issued this morning, Senator Warner explained that “[t]his bill will ensure that companies like Equifax – which gather vast amounts of information on American consumers, often without their knowledge – are taking appropriate steps to secure data that’s central to Americans’ identity management and access to credit.”

The major impacts of this proposed bill are three-fold.

1. Strict Liability Penalties

Most notably, the proposed bill seeks to impose strict liability penalties for breaches involving consumer data at CRAs. The current regulatory landscape for CRAs does not mandate penalties for consumer data breaches and, instead, provides for discretionary penalties based upon culpable conduct. In a departure from the status quo, this proposed “strict liability” means a CRA would be subject to automatic penalties for a data breach, even if there is no allegation that the CRA acted negligently or was otherwise culpable for allowing such a breach to occur.

The proposed mandatory strict liability penalties are uniquely heavy-handed as well – starting with a base penalty of $100 per consumer with one piece of personal identifying information compromised. Any additional pieces of personal identifying information compromised per consumer will be subject to a $50 penalty, with a total penalty capped at 50 percent of the CRA’s gross revenue from the prior year.

The bill also proposes to double the automatic per-consumer penalties and increase the maximum penalty to 75 percent of the CRA’s gross revenue in cases where the offending CRA fails to comply with the Federal Trade Commission’s data security standards or fails to timely notify the agency of a breach. This final provision appears to be a direct response to allegations that Equifax delayed notifying consumers and government agencies after its breach occurred.

2. Distribution of Penalty Proceeds

The second major impact of the bill concerns the proposed distribution of penalty proceeds. Current law does not require governmental agencies to distribute penalty proceeds to the affected consumers. The proposed bill seeks to change this status quo, requiring the FTC to use 50 percent of any penalty to compensate consumers. The remainder is allocated to the FTC to conduct cybersecurity research and inspections.

3. Direct Supervision of CRAs’ Cybersecurity by FTC

Speaking of the FTC, the third major impact of the bill is the proposed vesting of the FTC with direct supervision of cybersecurity at CRAs. The FTC currently lacks the authority to oversee the credit reporting industry as a whole, and CRAs in particular.

The bill attempts to fill that perceived regulatory void by creating an Office of Cybersecurity at the FTC to conduct annual inspections and ongoing supervision of cybersecurity at CRAs. Senators Warren and Warner propose that a new career official, to be known as the Director of Cybersecurity, should be appointed and tasked with supervising this office. One additional feature of the bill is that it proposes to authorize this new FTC office to promulgate new regulations outlining effective data security standards for CRAs and require CRAs to implement such standards by seeking injunctive relief in federal courts.

What Should CRAs Expect?

Given these proposals, what should CRAs expect moving forward? For starters, the proposed scope of the bill is limited to CRAs generating more than $7 million in annual revenue from the sales of consumer reports – meaning that only the largest CRAs would be affected. For entities within the bill’s purview, however, a regulatory sea change would be expected if it became law. The strict liability standard, in particular, would entirely upend the current liability landscape for CRAs and would require covered CRAs to essentially act as insurers of the security of the consumer data they possess.

The FTC’s proposed abilities to impose harsh strict liability penalties without a finding of culpable conduct and to seek injunctive relief to require that CRAs implement security measures of its choosing would likely constitute a significant burden to CRAs beyond what is currently required by federal law.

Likelihood of Bill Becoming Law

From a purely political perspective, a treacherous road appears to be ahead for the bill to become law. Democrats, of course, do not currently control either chamber of Congress and would need to build bipartisan support to pass the bill. It appears unlikely that President Trump would sign the bill into law, given his disinclination to enact new regulations and his stated goal to deregulate various related industries.

The financial services industry should not entirely discount the bill, however, as the Equifax breach affected a significant portion of the nation’s population, including lawmakers, and appeared to anger lawmakers from both parties. Thus, if a significant quantum of grassroots and lawmaker anger remains after the Equifax breach, the political will to enact this law may exist after all.

LexBlog