Compliance Counsel Law Group

On May 16, 2024, the U.S. Supreme Court ruled 7-2 that the funding structure of the Consumer Financial Protection Bureau (CFPB) was consistent with the Constitution’s appropriations clause, reversing a decision of the U.S. Court of Appeals for the Fifth Circuit that had called into question the CFPB’s ability to continue operating without Congressional action. The Supreme Court recognized that the CFPB’s funding mechanism was unique because Congress had authorized the CFPB to draw from the Federal Reserve System instead of appropriating funds through the annual appropriations process. The Supreme Court found that the Bureau’s unique funding mechanism was still an “appropriation” made by law.

For years, companies and lobbyists have been attempting to defund the CFPB based on legal theories that challenged the constitutionality of the structure used to fund the CFPB.

U.S. Supreme Court Ruling https://www.supremecourt.gov/opinions/23pdf/22-448_o7jp.pdf

U.S. Federal consumer protection laws apply to rewards programs offered in connection with consumer financial products or services. Rewards programs that promise consumers financial incentives for spending are a central feature of most consumer credit cards and dominate many issuers’ marketing efforts. The Consumer Financial Protection Bureau (CFPB) has taken action against credit card issuers such as American Express and Bank of America for engaging in unfair, deceptive, or abusive acts or practices related to rewards programs. 

The CFPB issued a new report finding consumers encounter numerous problems with credit card rewards programs. The CFPB says they will continue to monitor credit card rewards programs and will take necessary action on these issues as appropriate.

CFPB Report: 

https://www.consumerfinance.gov/about-us/newsroom/cfpb-report-highlights-consumer-frustrations-with-credit-card-rewards-programs/

On August 14, 2024, the Federal Trade Commission (FTC) announced a final rule banning bogus consumer reviews and testimonials. The Rule allows the FTC to strengthen enforcement, seek civil penalties against violators and deter AI-generated fake reviews.

The FTC's new rule has been a long time coming. It aims to tackle the often untrustworthy online review system. Certain merchants, especially on Amazon, have been using fake and paid reviews. Amazon has been grappling with a massive fake review problem for some time and claimed to cease more than 200 million fake reviews in 2020. The rise of generative AI has made it easier than ever for bad actors to write fake reviews.

The Rule Prohibits: 

- Offering incentives to customers in exchange for writing positive or negative feedback. “Providing compensation in exchange for reviews that must reflect a particular sentiment is a deceptive practice.”

- Reviews and testimonials written by “insiders” at a company who fail to “clearly and conspicuously” disclose their affiliation with the business.

- Company-controlled review websites, which often advertise themselves as providing independent opinions on products they actually own.

- Threatening or intimidating customers into removing negative reviews.

- Buying or selling fake followers or views on social media.

The Rule will become effective 60 days after the date it’s published in the Federal Register.

FTC Final Rule: https://www.ftc.gov/system/files/ftc_gov/pdf/r311003consumerreviewstestimonialsfinalrulefrn.pdf

FTC Guidance: Endorsements, Influencers, and Reviews | Federal Trade Commission (ftc.gov)

The proposed rule would prohibit NSF fees on transactions that are declined instantaneously or near-instantaneously—that is, those declined with no significant perceptible delay after the consumer initiates the transaction. This prohibition would cover transactions involving the use of debit cards, ATMs, or certain person-to-person apps. The proposed rule would declare that charging such fees would constitute an abusive practice under the Consumer Financial Protection Act. 

Proposed rule:

https://www.consumerfinance.gov/rules-policy/rules-under-development/nonsufficient-funds-nsf-fees/?utm_source=newsletter&utm_medium=email&utm_campaign=general_updates&utm_term=1.26.24

The Consumer Financial Protection Bureau (CFPB) recently released two Issues for the Spring 2024 edition of its Supervisory Highlights . 

Issue 32 cites Auto Loan Furnishers for allegedly deficient credit reporting practices.

Issue 33 focuses on Mortgage Servicers engaged in UDAAPs and regulatory violations while processing payments. 

Supervisory Highlights, Issue 32, Spring 2024: 

https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-32_2024-04.pdf

Supervisory Highlights, Issue 33, Spring 2024: 

https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-33_2024-04.pdf

The Consumer Financial Protection Bureau issued its final rule to implement Section 1071 of the Dodd-Frank Act. Section 1071 amended the Equal Credit Opportunity Act to require financial institutions to collect and report certain data in connection with credit applications made by small businesses, including women- or minority-owned small businesses. The final rule was accompanied by a “Grace Period Policy Statement” and a “Statement on Enforcement and Supervisory Practices Relating to Small Business Lending Rule under the Equal Credit Opportunity Act and Regulation B.” 

Key provisions of the final rule include: 

“Covered Financial Institution” Definition. As defined in Section 1002.105(a), a “financial institution” is any entity that engages in financial activity and includes both depository institutions and non-depository institutions such as online lenders, platform lenders, lenders involved in equipment and vehicle financing (captive financing companies and independent financing companies), and commercial finance companies. Motor vehicle dealers are excluded. A “covered financial institution” is defined in Section 1002.105(b) as a financial institution that originated at least 100 covered credit transactions for small businesses in each of the two preceding calendar years.

“Small Business” Definition. Section 1002.106(b) defines a “small business” as having the same meaning as a “small business concern” in the Small Business Act and that had gross annual revenue in the prior year of $5 million or less. The gross revenues threshold is to be adjusted for inflation every five years.

“Covered Application” Definition. Section 1002.103(a) defines a “covered application” as “an oral or written request for a covered credit transaction that is made in accordance with procedures used by a financial institution for the type of credit requested.” A request from a small business for a refinancing, unless otherwise excluded by the final rule, is a “covered application” even if no additional credit is requested. Excluded from that definition pursuant to Section 1002.103(b) are (1) reevaluation, extension, or renewal requests on an existing business account, unless the request seeks additional credit, and (2) inquiries and prequalification requests. (However, even if a reevaluation, extension or renewal request on an existing business account includes a request for additional credit, the transaction is not counted for purposes of determining if the financial institution is a covered financial institution.)

“Covered Credit Transaction” Definition. Section 1002.104 defines a “covered credit transaction” as an extension of credit primarily for business or commercial (including agricultural) purposes, but excluding (1) trade credit, (2) transactions reportable under the Home Mortgage Disclosure Act (HMDA), (3) insurance premium financing, (4) public utilities credit, (5) securities credit, and (6) incidental credit. The exclusions for HMDA-reportable transactions and insurance premium financing were not included in the CFPB’s proposal. In addition to loans, lines of credit, and credit cards, “covered credit transactions” include merchant cash advances and other sales-based financing. Consistent with the CFPB’s proposal, “covered credit transactions” also do not include (1) factoring, (2) leases, (3) consumer-designated credit that is used for business or agricultural purposes, or (4) the purchase of an originated credit transaction, an interest in a pool of credit transactions, or a partial interest in a credit transaction such as through a loan participation agreement.

Data Points. The final rule, in Sections 1002.107 and 1002.108, requires a covered financial institution to collect and annually report to the CFPB data on covered applications from small businesses. The data that must be reported and collected consists of:

• Unique identifier, application date, application method, application recipient
• Credit product, guarantees, loan term, credit purp ose, amount applied for, amount approved or originated
• Action taken, action taken date, denial reasons
• Pricing information (interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, prepayment penalties
• Census tract, National American Industry Classification Code, number of workers, time in business
• Number of principal owners
• Minority-owned, women-owned and LGBTQI-owned business statuses
• Ethnicity, race, and sex of principal owners

With respect to the demographic information described in the last two bullet points, a financial institution cannot require an applicant to provide such information. If the applicant fails or declines to provide the information necessary to report a data point, the financial institution must report the failure or refusal to provide the information. However, financial institutions are not required or permitted to report these data points based on visual observation, surname, or any other basis, which differs from the approach under the Home Mortgage Disclosure Act (HMDA).

Compliance Dates; Special Transitional Rules. The final rule will be effective 90 days after it is published in the Federal Register. However, compliance with the rule will not be required as of that date. Pursuant to the final rule, a financial institution is a covered financial institution subject to the rule’s data collection and reporting requirements if it originated 100 or more covered transactions in each of the prior two calendar years. However, in Section 1002.114(b), the final rule contains staggered compliance dates that differ depending on the number of covered originations a covered financial institution originated in 2022 and 2023. These dates are as follows:

• A financial institution must begin collecting data and otherwise complying with the final rule on October 1, 2024 if it originated at least 2,500 covered originations in both 2022 and 2023.
• A financial institution must begin collecting data and otherwise complying with the final rule on April 1, 2025, if it:

· Originated at least 500 covered originations in both 2022 and 2023;

· Did not originate 2,500 or more covered originations in both 2022 and 2023 and;

· Originated at least 100 covered originations in 2024.

• A financial institution must begin collecting data and otherwise complying with the final rule on January 1,  2026, if it originated at least 100 covered originations in both 2024 and 2025.

The CFPB issued the following materials concurrently with the final rule: 

• Small business lending rule compliance dates info sheet
• Small business lending data points chart
• Filing instructions guide

On January 17, 2023, Kenneth Polite, Assistant Attorney General (AAG) for the Criminal Division of the U.S. Department of Justice (DOJ), announced that the DOJ had made “significant changes” to its FCPA (Foreign Corrupt Practices Act) Corporate Enforcement Policy (the “Policy” or the “CEP”). Most notably, the revised Policy increases the incentives for companies to voluntarily self-disclose misconduct, cooperate with DOJ investigations, and implement timely and appropriate remediation.

Under the revised Corporate Enforcement Policy:

• Companies that voluntarily self-disclose misconduct will be eligible for declinations, even where aggravating circumstances that may ordinarily warrant criminal prosecution are present, provided specific conditions are met. 

• Companies that do not voluntarily self-disclose, but engage in extraordinary cooperation and remediation, will be eligible for a fine reduction of up to 50% from the low end of the U.S. Sentencing Guidelines (“Guidelines”) range. However, there will be no presumption of entitlement to such a reduction, and the most substantial reductions will be reserved for only the “most extraordinary levels” of cooperation and remediation. Recidivists will be eligible for a similar reduction, but generally not from the low end of the Guidelines range.

• For companies that voluntarily self-disclose misconduct, fully cooperate with an investigation, and timely and appropriately remediate, but do not receive a declination under the Corporate Enforcement Policy, DOJ will recommend a reduction in the company’s fine of 50% to 75% from the low end of the Guidelines range, provided the company is not a criminal recidivist. Recidivists will be eligible for a similar reduction, but generally not from the low end of the range.

The revised CEP is a positive development that illustrates the DOJ’s commitment to incentivize companies to detect and prevent corporate misconduct, and to cooperate with DOJ when they identify misconduct.

https://www.justice.gov/opa/speech/file/1562851

On June 4, 2024, the Consumer Financial Protection Bureau (CFPB” issued a Consumer Financial Protection Circular 2024-03 (CFPB Circular 2024-03 https://www.consumerfinance.gov/compliance/circulars/consumer-financial-protection-circular-2024-03/ ) warning that the use of unlawful or unenforceable contract terms and conditions for consumer financial products or services may violate the prohibition on deceptive acts or practices in the Consumer Financial Protection Act (CFPA).

Pursuant to the CFPA, a representation, omission, act or practice is deceptive when:

1. The representation, omission, act, or practice misleads or is likely to mislead the consumer;

2. The consumer’s interpretation of the representation, omission, act, or practice is reasonable under the circumstances; and

3. The misleading representation, omission, act, or practice is material. A representation is “material” if it involves information that is important to the consumer and, hence, likely to affect their choice of, or conduct regarding a product.

The CFPB also referenced compliance Bulletin 2022-05 (CFPB Bulletin 2022-05 https://www.consumerfinancemonitor.com/2022/03/24/cfpb-issues-compliance-bulletin-on-consumer-reviews/) regarding consumer reviews. The CFPB reminded covered persons that they could be liable under the CFPA if they deceive consumers using form contract restrictions on consumer reviews that are unenforceable. The CFPB explained that “including an unenforceable material term in a consumer contract is deceptive, because it misleads consumers into believing the contract term is enforceable,” and that “disclaimers in a contract such as ‘subject to applicable law’ do not cure the misrepresentation caused by the inclusion of an unenforceable contract term.”

Aggressive enforcement is on the horizon now that businesses have had more than two years to comply with California’s landmark California Privacy Rights Act (CPRA) amendments set to take effect on January 1, 2023, with a look-back period, extending its protections retroactively to January 1, 2022.

On August 24, 2022, California AG Rob Bonta announced a $1.2M enforcement action settlement with beauty retailer Sephora USA, Inc. to resolve claims that Sephora violated the California Consumer Privacy Act (CCPA). The California Attorney General’s Office alleged that Sephora did not notify consumers that the company was selling personal information and did not honor consumer requests to opt-out of those sales. 

Under the CCPA, a “sale” is broadly defined. In addition to covering direct sales of data, it can also include arrangements where data providers receive some benefit from permitting a third-party access to data covered under the CCPA. The allegation contains descriptions of Sephora’s privacy policy – both text of the policy, and how a user navigates the policy. The Sephora allegation signals that in addition to actual business practices, the California AG is also looking for CCPA noncompliance in a business’s privacy policy. 

California continues to lead the way in U.S. privacy law. It is critical that your privacy program practices and policy strictly comply with the substantive requirements of the CCPA to withstand regulatory scrutiny. 

On July 29, 2022, the Consumer Financial Protection Bureau (CFPB) and Department of Justice (DOJ) issued a joint letter to auto finance companies, reminding them of the protections afforded to servicemembers and their dependents under the Servicemembers Civil Relief Act (SCRA).

The SCRA covers both auto lending and leasing. The SCRA covers debts incurred before active duty. The CFPB is authorized to address unfair, deceptive, or abusive practices related to auto financing for all members of the public, including servicemembers, under the Consumer Financial Protection Act.

The DOJ and CFPB continue to focus on ensuring the rights of servicemembers under the SCRA. It is advisable for auto finance companies to review their SCRA policy, procedures and compliance program to ensure compliance with the SCRA. 

The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during its yearly registration, including: (i) if they collect the personal information of minors; (ii) if the data broker collects consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on its website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.

The Insights page is not intended as legal advice to any person or company but instead is provided for news information purposes only.