Mulvaney Outlines “New Mission” for the CFPB in Email to Bureau Staff

Yesterday afternoon, Acting Director Mulvaney sent an email to the entire CFPB staff in which he drew a sharp contrast with the views of his predecessor, Director Richard Cordray, and outlined a new direction  for the Bureau.

In explaining how “things would be different” at the Bureau, Acting Director Mulvaney  criticized the agency’s aggressive approach under former CFPB Director Richard Cordray, citing a statement Mulvaney attributed to the former Director that “[p]ushing the envelope is a loaded phrase, but that’s absolutely what we did.” Acting Director Mulvaney explained “that entire governing philosophy of pushing the envelope frightens me a little.” Instead, he stated that the Bureau must work for everyone, including both consumers and providers of financial services.

With these considerations in mind, Acting Director Mulvaney explained that the Bureau will begin reviewing everything that it does, “from investigations to lawsuits and everything in between.” As part of this review:

  • Enforcement will focus on quantifiable and unavoidable harm, and the Bureau “won’t go looking for excuses to bring lawsuits.”
  • The Bureau will engage in formal rulemaking where appropriate but will avoid “regulation by enforcement.”
  • The Bureau will have new priorities. Acting Director Mulvaney noted that a third of complaints received by the Bureau relate to debt collection, while prepaid cards and payday lending – areas in which the Bureau has recently finalized regulations – account for relatively few complaints.
  • The Bureau will employ more quantitative analysis and consideration of measurable costs and benefits.

Acting Director Mulvaney closed by stating:

CFPB has a new “mission”: we will exercise, with humility and prudence, the almost unparalleled power given to us to faithfully enforce the law in furtherance of the mandate given to us by Congress. But we go no further. Simply put, the days of aggressively “pushing the envelope” of the law in the name of the “mission” are over.

This new approach will be hailed as welcome news by the consumer financial services providers that have found themselves in the Bureau’s crosshairs – and criticized by those consumer advocates who will see this as a retreat from Director Cordray’s aggressive approach.

CFPB Dismisses Suit Against Tribal Lenders

In a surprising turn of events, the CFPB on Thursday dismissed its ongoing litigation against Golden Valley Lending, Inc., Silver Cloud Financial, Inc., Mountain Summit Financial, Inc., and Majestic Lake Financial, Inc.  The Bureau’s case was predicated on a controversial theory that turned alleged violations of state law into alleged violations of the Dodd-Frank Act, and comes on the heels of the CFPB’s recent announcement that it intends to review processes and policies across the agency, including enforcement.  While the dismissal was without prejudice, this marks a significant event in the Mick Mulvaney-led CFPB, as it was the first such motion to dismiss ongoing litigation of which we are aware.  Whether this is an isolated event or the beginning of a series of similar dismissals remains to be seen.

CFPB Requests Public Comment on Bureau Activities

The Consumer Financial Protection Bureau announced today a planned series of Requests for Information on the Bureau’s activities and how those activities impact consumers and covered entities. According to the press release, the goal of issuing these Requests for Information is to “ensure the Bureau is fulfilling its proper and appropriate functions to best protect consumers.” These requests will be published in the Federal Register. The first such Request will seek public comment on the Bureau’s practices relating to the Civil Investigative Demands issued as part of an enforcement investigation. The Bureau’s announcement suggests that the year ahead will provide a series of opportunities for entities subject to the Bureau’s jurisdiction to participate in reform of its practices and policies.

CFPB Intends To Reconsider Payday Rule

Yesterday, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) announced that it “intends to engage in a rulemaking process so that the Bureau may reconsider the Payday Rule.” The Payday Rule, previously published last fall, became effective on January 16, 2018.

The announcement may be a first step toward substantially reversing or eliminating the Payday Rule. The CFPB’s announcement follows December’s introduction in the House of Representatives of a bi-partisan resolution to, in effect, repeal the rule under the Congressional Review Act—similar to the legislation introduced effectively nullifying the Bureau’s arbitration rule—and may precipitate a substantial scaling back of the rule by the Bureau itself. As a result, the CFPB’s announcement is sure to become an issue in confirmation hearings for the next CFPB Director, since the next Director will decide what changes, if any, to make to the Payday Rule.

The announcement serves as a means of eliminating industry compliance uncertainty and maintaining the status quo while regulatory policy and agency leadership is in flux. Although the compliance date for most provisions is August 19, 2019, yesterday’s effective date also makes April 16, 2018, the deadline for submitting an application for preliminary approval to become a registered information system under the Payday Rule. In its announcement, the CFPB encouraged potential applicants for preliminary approval to become a registered information system under the Payday Rule to request a waiver of the April 16, 2018 deadline to submit applications. Another recent CFPB release addressed industry concerns about complying with the Prepaid Account Rule beginning in April 2018 while proposed amendments to the Prepaid Account Rule remain outstanding.

California Bill Would Mandate Expedient Software Updates for Credit Bureaus

Following the Equifax data breach in 2017, there has been heightened awareness surrounding how credit reporting agencies handle consumers’ personal information. At the same time, recent high-profile attacks, such as the “WannaCry” ransomware attacks, have focused media and regulatory attention on vulnerabilities associated with unpatched systems. In response to these two concerns, on January 10, a bill was introduced in the California legislature that would amend existing law regulating the cybersecurity practices of consumer credit reporting agencies (CRAs) specifically as they relate to vulnerability patching.

AB 1859 would add provisions requiring CRAs to update software vulnerabilities in certain circumstances.  Namely, if the CRA knows or reasonably should know that one of its computer systems is subject to a vulnerability and knows or reasonably should know that a software update is available to address that vulnerability, the CRA must apply the software update expediently, “in keeping with industry best practices,” but in any case within 10 days after becoming aware of the vulnerability and the available software update.

The bill would also create a private right of action for California residents whose personal information was acquired by a breach caused, in whole or in part, by a violation of the software update provisions described above.  Moreover, it would allow residents to recover civil penalties for “willful, intentional, or reckless” violations of the software update provisions.

At first blush, by mandating a particular security practice in one specific industry sector, the language of AB 1859 appears to be a departure from the traditional risk-based regulatory approach that encourages organizations to adopt “reasonable” security best practices tailored to their cyber risks without mandating more specific cybersecurity requirements. Notably, however, in 2016 the California Office of the Attorney General adopted a more prescriptive approach to regulating the cybersecurity practices of companies doing business in California. Specifically, in its 2016 Data Breach Report, the Attorney General stated that the list of twenty Critical Security Controls (“CSC”) developed by the Center for Internet Security (“CIS”) “define a minimum level of information security” that all organizations that collect or maintain personal information about California residents should meet.  Most importantly, in light of the requirement under California law to implement and maintain reasonable security practices, the report stated that a “failure to implement all the [c]ontrols that apply to an organization’s environment constitutes a lack of reasonable security.”  See 2016 Data Breach Report (emphasis added). Included among the CSC controls is Control 4, “Continuous Vulnerability Assessment and Remediation,” which requires regular scanning for vulnerabilities and the adoption of proactive patching processes. Moreover, California law already provides a private cause of action for damages by customers injured by a company’s failure to “implement and maintain reasonable security procedures and practices” in violation of California Civil Code Section 1798.81.5.

The bill is currently set for hearing in committee on February 10.

Federal Reserve Releases Regulatory Agenda

Today the Federal Reserve issued its semiannual regulatory flexibility agenda for fall 2017, which lists regulatory matters the agency anticipates having under consideration during the period from November 1, 2017 through April 30, 2018.

The agenda is notable in two respects.  First, the Federal Reserve anticipates issuing, together with the Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation, a proposed rule to implement the “source of strength” requirement of section 616(d) of the Dodd-Frank Act by September 2018.  Section 616(d) requires that any bank holding company or savings and loan holding company serve as a source of financial strength for any depository institution that it controls, and that any other company that controls an insured depository institution serve as a source of strength for such an institution.  Under section 616(d), the agencies were supposed to have issued an implementing rule no later than July 21, 2012.

Second, the agenda does not list a final rulemaking for the Net Stable Funding Ratio (“NSFR”) rule.  The federal banking agencies proposed the NSFR in May 2016, when the agencies were led by appointees of President Obama.  The NSFR’s absence on the Federal Reserve’s agenda suggests that the agencies – now led by appointees of President Trump in the case of the Federal Reserve and the OCC – may need additional time to determine how they intend to finalize the rule, if at all.

Senate Banking Committee Holds Hearing on Reform of Regulations Related to Money Laundering and Other Illicit Financing Activities

The Senate Banking Committee held its first hearing of 2018 earlier this week to discuss potential reform of the current U.S. regulatory framework for combating money laundering and other forms of illicit financing.  Current proposals for reform include raising the mandatory reporting thresholds for currency transactions and suspicious activity, requiring the collection of beneficial ownership information for U.S. companies at the time of incorporation, and allowing greater information sharing among financial institutions and the government.  The potential reforms are receiving initial bipartisan support on some key issues as legislators from both parties have voiced concerns over the need to update the current Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) regulatory regime.

Continue Reading

Ninth Circuit Strikes Down Ban on Retailers’ Credit Card Surcharges

On January 3, 2018, in Italian Colors Restaurant v. Becerra, No. 15-15873, a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit invalidated an application of a California law that would prohibit merchants from imposing a surcharge on credit card payments. The California law would allow offering discounts for payments by other means.

The case follows Expressions Hair Design v. Schneiderman, 137 S.Ct. 1144 (2017), in which the U.S. Supreme Court held 8-0 that a similar New York law regulated speech rather than the conduct of price-setting. In that case, the Court remanded to the Second Circuit to evaluate the New York law under the First Amendment. The Ninth Circuit reached that constitutional issue in Italian Colors and concluded that the California surcharge ban, as applied, violated the First Amendment.

The Ninth Circuit panel held that Expressions Hair “foreclose[d]” California Attorney General Xavier Becerra’s argument that the California surcharge ban regulates conduct rather than speech. The panel then held that, as a restriction on commercial speech, the ban required examination under First Amendment intermediate scrutiny under the Supreme Court’s Central Hudson test. See Cent. Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of New York, 447 U.S. 557 (1980).

Under that test, the First Amendment allows commercial speech restrictions that concern unlawful activities or misleading speech or that “directly” advance a substantial government interest without being “more extensive than necessary.” The Ninth Circuit panel quickly dealt with the first prongs of the Central Hudson test, holding that characterizing a (legally permissible) price differential as a surcharge rather than a discount would not concern illegal activity and would not be misleading, although it conceded that the alternate framing could have significant behavioral effects on consumers.

The panel appeared to find a substantial interest in the statute’s stated goal of “promot[ing] the effective operation of the free market and protect[ing] consumers from deceptive price increases.” However, Judge Sarah Vance of the Eastern District of Louisiana, sitting by designation, wrote for the panel, “[w]e fail to see how a law that keeps truthful price information from customers increases the accuracy of information in the marketplace.” Indeed, the panel suggested that characterizing the price differential as a surcharge would be more accurate given that the higher cost for credit card transactions is the result of credit card fees. The panel also expressed skepticism that the statute “directly advanced” the stated government interest when it had a “swath” of exemptions, including for municipalities, public utilities, and the state itself.

The Ninth Circuit panel also held that the statute was more extensive than necessary – indeed, that there was “no reasonable fit between the broad scope of [the statute] . . . and the asserted state interest.” The court explained that more tailored approaches might include banning deceptive or misleading surcharges, requiring retailers to disclose surcharges before and at the point of sale, or enforcing existing laws banning unfair business practices and misleading advertising.

Although the panel’s decision was limited to the law as applied to the specific plaintiffs’ desired pricing scheme, its reasoning suggests a wider effect. As this decision opens the door to surcharges for using credit cards, credit card companies may revisit the possibility of pursuing contractual prohibitions on surcharges – an approach that has been litigated extensively, and inconclusively, on antitrust grounds.

CFPB Releases Credit Card Report

On December 27, 2017, the CFPB released its biennial report on the state of the credit card market. The CFPB’s report found the market to be stable and growing steadily. In particular, the Bureau found that the cost of credit card credit to consumers remains stable overall, in terms of both total costs and the structure of those costs. Some trends noted in the report include the growing use of secured credit cards – which require a cash security deposit and are often used by consumers to build credit history – and the significant proportion of consumers who are interacting with their credit card accounts online and through mobile applications. The report does not make specific recommendations or signal any intent by the CFPB to pursue major regulatory initiatives with regard to credit cards.

Continue Reading

Whistleblower Retaliation: How Companies Should Prepare for the Supreme Court’s Upcoming Decision

For unprepared companies, whistleblowers can cause serious problems. Companies could be subject to burdensome investigations by law enforcement authorities or hit with substantial fines and other sanctions. Companies might even face exposure for alleged retaliation against a whistleblower if the situation is not handled carefully.

In this article for the New York Law Journal on the upcoming Supreme Court decision in Digital Realty Trust v. Somers, David Kornblau and Stephen Dee explain the right way for companies to ensure that their culture and process encourage whistleblowers to address issues internally rather than by reporting them to the government. The full article can be found here.