Federal Reserve Proposes Modifications to Its Supervisory Appeals Process and Ombudsman Policy

On Tuesday, February 27, 2018, the Federal Reserve proposed to modify its guidelines and processes that institutions may rely upon to appeal an adverse material supervisory determination. The proposal also seeks to modify the Federal Reserve’s policy for its Ombudsman. Comments regarding the proposals will be accepted through April 30, 2018.

Federal Reserve Proposes Modifications to Its Supervisory Appeals Process and Ombudsman PolicyAppeals Process

The Federal Reserve’s proposal is “designed to improve and expedite the appeals process.” Specifically, the proposal would remove one of the existing three levels of appeal. The proposed two-tiered framework would require that an initial review panel first consider an entity’s appeal request, and, if the entity continues to have concerns, a final review could be requested.

The initial review panel would be comprised of three Reserve Bank employees and an attorney that would advise the panel on its responsibilities. Those four individuals (1) must not have been substantively involved in any matter at issue in the appeal, (2) cannot report directly or indirectly to anyone who made the initial supervisory determination, (3) must not be employed by the Reserve Bank that made the initial supervisory determination, and (4) must have experience relevant to the issue at hand in the review. The initial review panel would be required to approach the review as if no determination had previously been made, and would be permitted to consider any relevant materials submitted by the institution and the Federal Reserve staff.

The final review panel would be comprised primarily of Federal Reserve Board staff. It would include at least two Federal Reserve Board employees, at least one of whom must be an associate director or hold a higher position. The Federal Reserve Board’s general counsel would also appoint an attorney to advise the panel on its responsibilities. The four individuals (1) must not be employed by the Reserve Bank that made the initial supervisory determination, (2) cannot report directly or indirectly to anyone who made the initial supervisory determination, (3) must not have been members of the initial review panel, and (4) must not have been personally consulted on the issue being appealed or provided guidance on how the issue should be resolved during a prior review. The final review panel would consider whether the initial review panel’s determination was “reasonable and supported by a preponderance of the evidence in the record,” and would not be permitted to review new information that was not in the record. The final review panel’s decision would be made public “[i]n order to maximize transparency.”

The Federal Reserve notes that it welcomes comments on all aspects of the proposal related to the appeals process, but specifically notes that it is seeking comments on:

  • The proposed standards of review for the initial and final review panels;
  • The nature and composition of the initial and final review panels;
  • The record that each of the review panels may consider during an appeal; and
  • The proposed appeal timelines.

Ombudsman Policy

The Federal Reserve’s release notes that the Ombudsman currently “is the initial recipient of all complaints pertaining to the supervisory process, which may include an appeal request.” The proposal would formalize that and would also allow the Ombudsman to attend an appeal hearing or deliberation if requested by the appealing institution or the Federal Reserve staff. The Ombudsman’s role at a hearing or deliberation would be as an observer.

The Federal Reserve is also proposing to make the Ombudsman the decision-maker with respect to claims of retaliation resulting from a supervisory appeal. Finally, the proposal would emphasize within the Ombudsman policy that the Ombudsman is available to facilitate the informal resolution of concerns related to supervisory determinations so as to avoid having to utilize the formal appeals process.

The Federal Reserve is seeking comment on all aspects of the proposed Ombudsman policy modifications.

Five Privacy Practices Every Company Should Address in the Wake of the FTC’s Enforcement Action against PayPal

Five Privacy Practices Every Company Should Address in the Wake of the FTC’s Enforcement Action against PayPalPrivacy is serious business. This was made clear in the Federal Trade Commission’s (FTC) recent announcement that it had settled its complaint against Venmo, PayPal’s peer-to-peer payment service, for misrepresentations to consumers regarding privacy and security settings. Although the terms of the settlement do not become final until approval by the FTC on or about March 29 (after the conclusion of a public comment period), there are at least five important lessons and practices that every company should take stock of now.

1. Review Your Security Safeguards

The FTC focused on representations made by Venmo that it utilized “bank grade security systems and data encryption” to protect transactions and safeguard against unauthorized access to financial information. To highlight how far Venmo’s security was from “bank grade,” the FTC singled out specific safeguards that Venmo did not undertake. For example, the FTC cited Venmo’s failure to provide consumers with security notifications regarding changes to account settings (i.e. changes to password or email address or addition of new device), Venmo’s failure to maintain adequate customer support capabilities, and Venmo’s lack of urgency in responding to reports of unauthorized transactions.

It is clear that the FTC considers notifications to consumers when there is a change to their account settings or potential unauthorized access a basic security measure. As a result, companies would be well suited to review their privacy practices to ensure that these notifications are included as part of their security program safeguards. Additionally, companies should consider reviewing their customer support capabilities and employee training to appropriately respond to consumer inquiries and timely escalate reports of unauthorized transactions or access to information.

2. Fully Compliant Privacy Notices Are Mandatory

The FTC also found that Venmo was in violation of the Gramm-Leach-Bliley Act (GLBA) by failing to implement safeguards to protect consumer data and failing to deliver adequate privacy notices. The FTC focused on Venmo’s failure to adequately disclose the steps required to make a transaction private (rather than publicly available on Venmo’s news feed), failure to notify users of security changes to customer accounts resulting in fraudulent activity being missed as explained above, a failure to have a written information security program prior to August 2014, and failure to implement safeguards to protect the security, confidentiality, and integrity of consumer data until March 2015. In settling with the FTC, PayPal has consented to incurring the cost of biennial third-party assessments of Venmo for the next 10 years to ensure that Venmo is no longer misrepresenting, and is, in fact, affirmatively disclosing its privacy and security settings to consumers.

The FTC expects companies to be privacy compliant and transparent with customers. Even where companies have basic GBLA notices, if the form of the notice is less than clear, the notice is inadequate. For example, the FTC cited Venmo for failing to have a “clear and conspicuous” initial privacy notice because Venmo used “grey text on a light grey background.” Likewise, the FTC alleged that Venmo failed to deliver the initial privacy notice because Venmo did not require customers to acknowledge receipt of an initial privacy notice as a necessary step to obtaining a particular financial product or service. These costly issues could be avoided by a privacy-focused “best practices” review.

3. Privacy and Security Practices Must Address Reasonably Foreseeable Risks

Another takeaway from the Venmo settlement is a recent list of consumer tips issued by the FTC that relates to the overlap between consumer expectation and regulator focus. Consumers expect transactions in the digital age to be both instant and private. As companies jockey to meet these expectations and beat their competitors out for business and market share, regulators are watching closely to make sure companies are not cutting corners. The rise of social network advertising and the development of new ways to provide services can be beneficial to profits and open the market up to new types of consumers and transactions. However, in the race to innovatively meet consumer service expectations, companies should not lose sight of how terms of use and privacy and security settings are portrayed. Consumers truly want it all, and omissions and misrepresentations by companies won’t be tolerated.

Not only did the FTC broadly condemn Venmo for failing to comply with GLBA, but it raised specific examples of non-compliance that make clear that the FTC expects companies to have a thoughtful and well-reasoned privacy notice. The FTC cited Venmo for failing to “assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of consumer information.” It is clear from the FTC’s complaint against, and settlement with, Venmo that companies must thoroughly assess their security practices, strategize reasonably foreseeable risks, implement appropriate security measures, and be transparent with consumers on security practices and processes. As a result, it is prudent that companies conduct an assessment of their privacy and security practices, identify gaps, and create corrective action plans to comply with regulatory obligations and expectations.

4. Privacy Settings and Opt-Out Options Must Be Clearly Disclosed to Consumers

In line with its focus on enforcing consumer expectations, the FTC further targeted Venmo over its confusing opt-out settings. In its complaint, the FTC alleges that Venmo required consumers change not one but two default settings under two different menus in order to keep information private. Even if the consumer set one setting to the highest level of privacy, failure to change both settings would ‘override’ the consumer’s clear request to keep information private, and the dual opt-out requirement was not made clear to consumers. The FTC took issue with Venmo’s failure to clearly inform consumers on the existence of these privacy settings, failure to provide clear instructions on how to use the settings, and Venmo’s policy relating to treatment of private information when the two settings had a discrepancy.

Given the FTC’s focus on clear disclosures and consumer education, companies should consider reviewing their practices to ensure that the least sophisticated consumer can (1) easily determine how to protect his personal information and (2) still meaningfully utilize the requisite technology to receive the desired product or service.

5. Technology Can Increase Privacy, but Its Use Comes with an Obligation to Inform the Consumer of the Benefits and Risks of the Technology Used

Increasing privacy protections by incorporating multi-factor authentication, fingerprint recognition, and the ability to opt-out of and modify data sharing is one step in the right direction of increasing privacy. Nonetheless, one of the easiest ways a company can run afoul of regulators is by failing to understand or acknowledge not only the benefits of innovative services and technology, but most importantly, the areas which are still developing. Only by informing themselves can companies adequately inform consumers.

The FTC clearly advises companies: “Customers appreciate choices, but they need to understand what they are choosing. If you provide privacy options, make it straightforward for consumers to select options that best match their privacy preferences—and then honor their choices.”

In seeking to avoid similar regulatory actions, and increasingly common data privacy litigation, companies should take a clear look at these five privacy areas and implement appropriate compliance measures.

Supreme Court Narrowly Interprets “Whistleblower” under Dodd-Frank, Foreclosing Protections for Those Who Fail to Report Issues to SEC

Supreme Court Narrowly Interprets “Whistleblower” under Dodd-Frank, Foreclosing Protections for Those Who Fail to Report Issues to SECThe Supreme Court has resolved a circuit split on whether Dodd-Frank’s whistleblower protections apply only to employees who report their concerns to the Securities and Exchange Commission (SEC). On Wednesday, in Digital Realty Trust, Inc. v. Somers, the Supreme Court ruled 9-0 in favor of limiting the Dodd-Frank Act’s definition of whistleblower to those who report their allegations to the SEC, thus excluding from whistleblower protection individuals who report their complaints internally. The issue before the Supreme Court was the language of Dodd-Frank, which defines “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established . . . by the Commission” (15 U.S.C. § 78u-6(a)(6)).

The refrain of the opinion is that a would-be whistleblower must “tell the SEC” in order to benefit from Dodd-Frank’s anti-retaliation provision. It’s always notable when all nine justices agree, and here the Supreme Court relied on the unambiguous, clear, and conclusive language of the statute to hold that anti-retaliation protection does not apply unless and until the SEC is notified of alleged securities law violations. Despite urging from the Solicitor General to expand the whistleblower definition for anti-retaliation purposes, the Supreme Court held that anti-retaliation protection does not extend to an individual who has not reported a violation of securities law to the SEC. The decision reversed the Ninth Circuit and resolved a circuit split. The Fifth Circuit had previously held that employees are required to provide information to the SEC to take advantage of Dodd-Frank’s anti-retaliation safeguard, while the Second and Ninth Circuits extended Dodd-Frank remedies to employees who reported alleged wrongdoing only to their employers.

The Supreme Court emphasized that the holding is consistent with the purpose of Dodd-Frank, the “core objective” of which is to motivate people to tell the SEC about violations of securities laws. The Supreme Court acknowledged that giving the statute its plain-text reading “shields fewer individuals from retaliation than the alternative,” but again emphasized that Dodd-Frank’s main goal is to incentivize reporting alleged violations to the SEC.

Time will tell whether the Supreme Court’s ruling will affect the number of whistleblower actions. The decision is limited to the Dodd-Frank whistleblower statute involving securities laws and does not affect the numerous other whistleblower protection statutes. As an illustration, the Supreme Court distinguished actions under the Consumer Financial Protection Bureau’s (CFPB) jurisdiction and noted that the CFPB whistleblower-protection statute permits a covered employee to provide information to an employer, the CFPB, or a local, state, or federal government authority or law enforcement agency.  Accordingly, in the CFPB context, whistleblower protection still applies when a covered employee reports alleged misconduct solely to their employer.

Fourth Circuit Asked to Rule on Whether Mortgage Retroactively Incorporates Federal Servicing Requirements

Fourth Circuit Asked to Rule on Whether Mortgage Retroactively Incorporates Federal Servicing RequirementsA recent appeal to the Fourth Circuit may shed light on whether Virginia borrowers can assert federal mortgage servicing requirements as a defense to foreclosure when the mortgage instrument pre-dates the federal requirement. In Stansbury v. Federal National Mortgage Association, borrower Hollie Stansbury argues that a 2011 consent order between her mortgage servicer and the Office of the Comptroller of Currency was incorporated into the mortgage contract as a condition precedent to foreclosure. The lender has contested this claim in part by arguing that because the 2006 deed of trust predates the consent order, the parties to the mortgage could not have intended to incorporate the consent order’s requirements as a limitation to foreclosure. A decision on these competing arguments may bring clarity to the effect of a 2016 decision by the Virginia Supreme Court addressing the potential for incorporation arguments similar to Stansbury’s.

In Parrish v. Federal National Mortgage Association, the Virginia Supreme Court held that the trial court lacked jurisdiction to hear a post-foreclosure eviction action where the borrower raised a bona fide dispute as to the validity of the foreclosure. The borrowers in Parrish alleged that their deed of trust incorporated federal loss mitigation rules as a condition precedent to foreclosure and asserted that the loan servicer violated those regulations. Without addressing the merits of these allegations, the Supreme Court found that they were sufficient to raise a bona fide question as to the lender’s title to the foreclosed property.

After Parrish, some borrowers have argued that federal servicing standards are incorporated as a condition precedent to foreclosure through provisions in many deeds of trust stating that the parties’ rights are subject to federal law. In Stansbury, the U.S. District Court rejected the borrower’s claim that a 2011 consent order was so incorporated. In its August 31, 2017, ruling, the District Court held that the deed of trust’s governing law provision applied only to laws in existence at the time of the contract and did not incorporate a future consent order. The borrower has appealed the case to the Fourth Circuit.

The Stansbury appeal places the issue of retroactive incorporation before the Fourth Circuit. In her brief, Stansbury argues that the governing law provision must be applied to the law in existence at the time of foreclosure. In contrast, the lender’s brief argues that the provision applies only to the laws contemplated by the parties at the time they entered the mortgage contract. Because a substantial number of foreclosures involve deeds of trust executed prior to Dodd-Frank and other significant regulatory changes, lenders and servicers may be expected to keep a close watch on the outcome.

Two Opportunities for Student Loan Companies to Speak Up

Two Opportunities for Student Loan Companies to Speak UpTwo recent requests from lawmakers have provided student loan servicers and originators the opportunity to comment on hot-button issues for the industry:

  • The CFPB issued a Request for Information last week, seeking comments and information “to assist in assessing the overall efficiency and effectiveness of its supervision program and whether any changes to the program would be appropriate.” The comment period will open when the RFI is published in the Federal Register, expected February 20. In light of the supervision program’s past involvement with the industry, student loan servicers and industry groups should consider taking this opportunity to speak up.

    This RFI is the most recent in a series of RFIs from the Bureau, with more to come in the next couple of months. Stay tuned for RFIs related to complaint reporting, rulemaking processes, consumer inquiries, and more.

  • Also last week, Chairman Lamar Alexander and Ranking Member Patty Murray of the Senate Health, Education, Labor, and Pensions (HELP) Committee requested comments and suggestions on the Committee’s reauthorization of the Higher Education Act (HEA). While it is by no means certain that we will see an HEA reauthorization passed this year, HELP Committee leadership remains focused on the issue. Senator Alexander released a white paper on his vision for the HEA earlier this month, expressing concern about taxpayer exposure to defaults on federal student loans. The HEA reauthorization will have a potentially huge effect on the student loan industry. Comments to the Committee may be submitted to HigherEducation2018@help.senate.gov by Friday, February 23.

SEC Encourages Advisors to Self-Report Fiduciary Violations by June 12, 2018

SEC Encourages Advisors to Self-Report Fiduciary Violations by June 12, 2018The SEC announced a self-reporting initiative for investment advisors who admit violations of the federal securities laws relating to certain mutual fund share class election issues while promptly returning money to harmed investors. The initiative is entitled the “Share Class Selection Disclosure Initiative” and is focused on those advisors who have put clients into high-fee mutual fund classes when a less expensive share class for the same fund was available and appropriate. If the advisor self-reports and returns money to the harmed investor, the SEC’s enforcement division will not recommend civil penalties against the advisor.

The initiative highlights the SEC’s focus on the conflict of interest that is created when an advisor receives compensation for selecting a more expensive fund share class when a less expensive share class for the same fund is available. The SEC notes this conflict of interest must be disclosed to the investor. To be eligible for the self-reporting initiative, investment advisors must notify the division of enforcement of their intent to self-report no later than June 12, 2018.

Small Lenders May Get Relief from New Home Mortgage Disclosure Act Reporting Requirements

Small Lenders May Get Relief from New Home Mortgage Disclosure Act Reporting Requirements

On January 18, 2018, the House gave small lenders a late Christmas present when it passed H.R. 2954 known as the Home Mortgage Disclosure Adjustment Act. The act amends the existing Home Mortgage Disclosure Act (HMDA) by easing the regulatory burden on small lenders. By way of background, HMDA imposes additional reporting requirements on regulated entities that became effective this month. More specifically, HMDA requires banks and credit unions to collect 48 additional data fields on any mortgage loan they originate and to report that data to the CFPB. This additional regulatory burden will increase transaction costs and processing time for obtaining a home mortgage and impose unique burdens on small lenders that lack the existing infrastructure and processes to effectively capture and communicate the additional data sets.

The Home Mortgage Disclosure Adjustment Act attempts to ameliorate this disproportionate impact by exempting (a) small lenders, such as community banks and credit unions, which originate less than 500 closed-end mortgage loans in each of the two preceding calendar years, and (b) those that originate less than 500 open-end lines of credit in each of the two preceding calendar years. Bradley will continue to monitor the progress of the act as it moves through the Senate.

In Case You Missed It: Justice Department Banks on False Claims Act Enforcement Again in 2017

In Case You Missed It: Justice Department Banks on False Claims Act Enforcement Again in 2017The Justice Department and a veritable army of whistleblowers’ counsel continue to use the False Claims Act (FCA) to bring suits against banks and mortgage companies. In 2017 alone, the Department of Justice obtained $543 million in FCA settlements and judgments from the financial services industry.

To keep you informed on the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the 2017 FCA Year in Review, our annual review of significant FCA cases, developments, and trends. Longtime readers of our Year in Review will notice that it has a new look and improved functionality, making it an easy-to-read, printable resource, as well as a convenient and searchable digital tool.

Five Years Later: Five Takeaways From the Bulletin That Rocked the Auto Finance Industry

Five Years Later: Five Takeaways From the Bulletin That Rocked the Auto Finance IndustryIn 2013, the Consumer Financial Protection Bureau (CFPB) issued a bulletin on indirect auto lending that took the industry by storm. As we approach the five-year anniversary of the memo’s issuance, it’s valuable to reflect on how the bulletin was received, how the auto finance industry has changed since the bulletin and subsequent CFPB actions, and how the industry and regulators can learn from the experience to improve their efforts to remove discrimination from the car buying experience.

CFPB Bulletin 2013-02, Indirect Auto Lending and Compliance With the Equal Credit Opportunity Act, was the CFPB’s first public foray into regulating the auto finance industry. In the bulletin, the CFPB articulated the agency’s concerns over dealer markup incentives that could result in auto finance companies participating in discriminatory lending practices that violated ECOA.

The bulletin included allegations of discriminatory practices at the lender and dealership level and suggested a number of potential compliance solutions that auto finance companies could implement to reduce the risk of violating ECOA. Since that time, the CFPB has added nonbank auto finance companies to its list of regulated larger market participants, auto finance companies have reached settlements with the CFPB related to fair lending practices, and the U.S. Government Accountability Office (GAO) has concluded that the bulletin was a rulemaking that should have been subject to the Congressional Review Act.

Below are five takeaways that have emerged since the bulletin was issued.

1. Reaction from the auto industry was swift – many participants were stunned and irate.

The industry felt blindsided when the CFPB issued the bulletin without much warning. Many nonbank auto finance companies had not historically had relationships with federal regulators and thought the auto industry was going to largely get a pass from the CFPB after auto dealers had specifically been exempted from the CFPB’s oversight in the Dodd-Frank Act. Worst of all, many industry participants interpreted the bulletin as the CFPB accusing them of either having race-based lending policies or associating with auto dealers who profit by exploiting borrowers’ race or ethnicity.

The bulletin speculated about perceived problems in the industry and, unlike the CFPB’s Supervisory Highlights, did not point to hard examples of fair lending abuses occurring at dealerships or auto finance companies. For this reason, many industry participants felt that the CFPB was denouncing an entire industry without an adequate evidentiary basis.

While the CFPB initially had the authority to investigate nonbank auto finance companies through enforcement, it lacked supervisory authority over nonbank larger market participants until 2015. Thus, the CFPB relied on anecdotes, enforcement investigations and market research as the basis for the bulletin.

The bulletin served as the opening salvo between the CFPB and the auto finance industry. Rather than begin with an olive branch, this bulletin served as a shot across the bow.

2. Incentives that do not align with a consumer’s interest have and will continue to carry a high degree of regulatory risk.

If there is one theme that unifies post-financial crisis regulation, it is that regulators will heavily scrutinize any arrangement that results in a provider’s incentives not being aligned with consumers’ interest. In regulating the markets for retirement account counseling, securities trading, mortgage origination, depository account management and auto finance, regulators have adhered to the principle that companies should not be making greater profits by offering less favorable terms and services to consumers.

While the auto finance bulletin did not ban dealer reserve outright, the bulletin caused auto finance companies to reconsider how they structured dealer compensation programs. Even if future CFPB administrations do not enforce the auto finance bulletin, aggrieved consumers and their attorneys now have a roadmap for identifying discriminatory lending practices and bringing lawsuits to challenge them. Auto finance companies are more cognizant today about how their dealer compensation programs are structured, and that is unlikely to change regardless of the CFPB’s future regulatory direction.

3. Vendor management became a staple of auto finance companies’ compliance management systems.

Prior to the CFPB’s entry into auto finance regulation, auto finance companies were surely careful to consider dealers with whom they partnered based on traditional business metrics like profit margin, sales volume, geographic location and reputation. In the aftermath of the CFPB bulletin, however, auto finance companies added new criteria to evaluate dealers that wanted to join their lending network.

Auto finance companies have more closely scrutinized dealers’ compliance with fair lending laws as well as those dealers’ culture and cohesion with the auto finance company’s own policies and procedures. As a result, auto financiers have cut ties with certain dealers and other dealers have changed their markup practices to fall in line with the heightened expectations of auto finance companies and the CFPB.

While the CFPB bulletin did not result in widespread adoption of a flat fee compensation model for auto dealers, the bulletin’s lasting legacy may be that auto finance companies developed more stringent policies that dealers must follow to receive financing for consumers.

4. Statistical modeling is an imperfect solution to eliminating discrimination in auto financing.

The CFPB’s reliance on statistical modeling to identify discriminatory practices was perhaps the most frequently criticized element of its approach to regulating the auto finance industry. Since auto dealers are prohibited from collecting race and ethnicity data from consumers, the CFPB had to rely on statistical models based largely on surnames to identify occasions where credit decisions appeared to have been made based on illegal race-based criteria.

To the industry statisticians who understood the statistical model’s underpinnings, the model appeared to be flawed. And the many other industry participants who did not understand the underlying algorithms felt it fundamentally unfair to implicate a company for discriminatory lending practices based on a statistical model that the company did not have access to and did not use in underwriting decisions.

As the CFPB reached large settlements with lenders, the industry took note and lenders began to adopt statistical models to identify fair lending risks within their own institutions. While the CFPB may have relied too heavily on a statistical modeling approach, industry participants walked away with a compliance tool that allows them to identify potential fair lending abuses during compliance audits and dealership due diligence reviews.

5. Fair lending is a cause best served by industry and regulators working together.

It was perhaps the CFPB’s delivery, rather than the content itself, that caused the industry to recoil so emphatically against the bulletin. The CFPB did not hold a public forum on auto finance until eight months after issuing the bulletin.

Given the industry’s reaction to the bulletin, the CFPB would likely have been better off reversing the order of those events and gathering feedback from industry participants prior to issuing industry-altering guidance. At the same time, in the aftermath of the bulletin, the industry was best served by those companies and industry advocates that reacted to the bulletin by respectfully articulating to the CFPB the nature of the industry and how the overwhelming number of participants in the industry shared the CFPB’s goal of consumer protection and disdain for discriminatory practices.

The Next Five Years

Moving forward, auto finance companies that are directly or indirectly regulated by the CFPB will have the opportunity to engage with the Bureau to explain their business models and how compliance and fair lending are essential parts of their companies’ culture. The CFPB recently announced it will be issuing requests for information regarding numerous aspects of the agency’s approach to regulation. In light of this announcement, the time is right for the auto finance industry to collect its thoughts on the CFPB’s past five years of regulation and on how the industry wants this relationship to evolve.

The fate of the bulletin itself is not clear in the aftermath of the GAO’s conclusion that the bulletin constituted a rulemaking subject to the CRA. Whether the new CFPB administration or Congress will take action to amend or rescind the bulletin remains to be seen.

What is clear is that there is still a concern that fair lending abuses remain in the auto industry. A consumer advocacy group recently released a study that highlighted incidents of discrimination at the dealership level.

Whether the CFPB, emerging state-level actors or private practitioners are holding the handle, there will continue to be a magnifying glass on fair lending practices in the auto industry. Industry participants should continue to develop strong policies and procedures related to fair lending compliance, dealer incentives and service provider oversight to avoid becoming the subject of an enforcement action or consumer litigation and to ensure that all consumers are treated fairly when attempting to finance automobile purchases.

2017 in Review: Three State Enforcement Trends Impacting the Auto Finance Industry

2017 in Review: Three State Enforcement Trends Impacting the Auto Finance IndustryAuto lenders, like many private citizens, began 2017 curious as to what change the impending Trump administration would bring. In the landscape of government enforcement, however, the consensus amongst industry participants was that the Trump administration would bring loosened regulation for the consumer finance industry. Many industry insiders mused about the potential sea change that would result if CFPB Director Richard Cordray was terminated, with or without cause, by the incoming administration.

While the Trump administration’s first year has certainly changed the nature and extent of federal industry oversight, arguably even greater change took place at the state enforcement level for auto lenders in 2017. The industry saw state attorneys general begin to fill the void they anticipated would be left by an altered CFPB mission. The auto finance industry also saw the genesis of a new state UDAP theory based upon the need to account for a consumer’s ability to repay an installment contract at origination. In review, three trends have emerged from 2017 that portend an active 2018 for state enforcement actions directed towards the auto finance industry.

Filling the Perceived Void

Even before the start of 2017, leading state attorneys general reacted to the impending Trump administration by proclaiming their intent to protect consumers if the federal government failed to do so. New York Superintendent of Financial Services Maria T. Vullo reacted to the election results by declaring that her agency would not shirk from its responsibility of protecting its citizens. Likewise, New Mexico Attorney General Hector Balderas requested that his associates identify areas where prospective Trump administration policies could harm his state’s citizens.

Plans for an enforcement ramp-up did not end at state borders. Instead, much like after the mortgage crisis, state attorneys general networked together and openly discussed a desire to form a multistate task force to focus on the auto finance industry and, more specifically, the industry’s subprime segment. The cooperation between state attorneys general was seen throughout 2017 in various segments of the financial services industry. In the auto finance space, the most notable cooperative investigation resulted in one lender’s settlements with Massachusetts and Delaware for indirect origination practices underlying its subprime installment contracts.

A New Enforcement Theory

The collaboration between Massachusetts and Delaware brought a novel UDAP theory to the forefront of the auto finance industry. For the first time in 2017, state attorneys general successfully prosecuted claims that an indirect lender’s subprime installment contracts were unfair and deceptive because the lender failed to consider the borrowers’ ability to repay.

It was common belief, prior to 2017, that state regulatory regimes did not expressly require prospective indirect lenders to analyze a borrower’s ability to repay. Courts in a small number of jurisdictions (including the District of Columbia, New Jersey, and Massachusetts) had previously allowed UDAP or consumer protection claims to proceed based upon conduct resulting in a high likelihood of consumers being unable to repay their credit obligations. These cases, however, concerned other areas of consumer finance outside of the context of auto loans and were few and far between.

The Massachusetts and Delaware settlements represented the first time an indirect auto lender was penalized for its failure to analyze the borrowers’ ability to repay. Other states have indicated that they will now seek to expand application of this theory. For instance, Mississippi’s attorney general engaged outside counsel in 2017 to investigate an indirect subprime lender under this same UDAP theory.

One other enforcement theory also became more prevalent in 2017. Multiple state attorneys general consummated settlements with auto dealer groups based upon the deceptive practice of bundling aftermarket options into installment contracts. For instance, New Jersey entered into an August settlement and consent order based upon a dealership’s “jamming” of certain aftermarket options into installment contracts for subprime borrowers. Massachusetts entered into a similar settlement in September based upon a dealership’s sale of defective vehicles with high-cost subprime loans and bundled packages included in the amount financed. New York also entered into settlements and consent orders with two dealerships based upon illegal bundling of credit repair and identity theft protection services into installment contracts.

The Rise of the “Mini-CFPB”

Sensing the potential for an enforcement void in a Trump-influenced CFPB, some state attorneys general took even greater measures in 2017 in an effort to protect consumers. State attorneys general have been empowered since 2012, through Dodd-Frank Section 1042 (12 U.S.C. § 5552), to bring civil actions to enforce the Dodd-Frank Act and regulations promulgated under the act’s authority against entities within their jurisdiction. From a practical perspective, this power allows states to bring certain actions to enforce CFPB rulemaking if the CFPB fails to do so. States also have the authority to bring enforcement actions under specific federal consumer protection statutes, including TILA, RESPA, and the FCRA. State attorneys general, of course, also may enforce state laws – including state UDAP provisions.

The most novel related development in 2017 has been the emerging willingness of state attorneys general to explicitly seek a greater role in enforcement. Notably, Virginia’s attorney general created a Predatory Lending Unit in March. Pennsylvania created a Consumer Financial Protection Unit (labeled by some observers as a “mini-CFPB”) in July. Maryland followed suit by creating a Financial Consumer Protection Commission. Even where explicit structural changes were not made, other states ramped up their presence. For instance, Washington’s attorney general has increased staff from 11 attorneys to 27 attorneys over the past four years.

What Will 2018 Bring?

Building upon the trends set in 2017, we expect even more state attorneys general to continue to expand their auto finance enforcement activity in 2018. This trend appears to be even more likely in light of the appointment of Mick Mulvaney as acting director of the CFPB and the departure of Richard Cordray from the bureau. We expect to see more states pursue task forces or other “mini-CFPB” entities to fill any perceived enforcement void. We also expect to see the “ability to repay” UDAP theory gain traction in additional states in 2018.

Additionally, the recent GAO ruling that the CFPB’s 2013 Indirect Auto Lending Bulletin is subject to congressional override under the Congressional Review Act likely means that states take action in its place. It will be interesting to see whether state attorneys general will pursue enforcement of disparate impact assignee liability claims based upon dealer markup practices in 2018. It is very possible that some states will attempt to issue similar rulemakings to replace the CFPB’s Bulletin.