Consumer Finance Newsletter - December 2012

December 1, 2012


CFPB’s Recent Activity Regarding Credit Reporting Suggests Heightened Scrutiny Is on the Horizon

Issue: Last week, the Consumer Financial Protection Bureau (CFPB) issued a white paper titled “Key Dimensions and Processes in the U.S. Credit Reporting System: A review of how the nation’s largest credit bureaus manage consumer data,” describing the credit-reporting processes used by Equifax, Experian, and TransUnion, the three largest nationwide specialty consumer reporting agencies (NSCRAs). Among other topics, the report focused on the critical impact of credit-card debt on consumers’ creditworthiness. The report, and the accompanying remarks by Richard Cordray issued on December 13, are just the latest from the CFPB revealing the import the bureau has placed on regulating credit reporting.

On November 29, 2012, the CFPB issued a bulletin identifying its expectations of NSCRAs with respect to their obligations under the Fair Credit Reporting Act (FCRA) and the Act’s implementing regulation (Regulation V) to provide a “streamlined process” for consumers to obtain credit reports. The bulletin identifies numerous requirements under Regulation V and reminds NSCRAs to ensure compliance therewith. The bulletin comes on the heels of warning letters sent to several NSCRAs asking the NSCRAs to “advise [the CFPB] of the steps you have taken or will take to ensure compliance . . . or, if you believe these legal requirements do not apply . . . provide an explanation.”

Why You Should Care:
The white paper, bulletin, and recent warning letters reiterate that consumer awareness of and access to credit reporting is of significant interest to the CFPB, which has previously encouraged consumers to regularly review their credit reports.

If You Want Further Information: The CFPB’s credit reporting white paper is available here. Richard Cordray’s December 13 remarks are available here. The full text of the CFPB’s November 29 bulletin is available here.

If You Want Further Analysis: Contact Elizabeth McKeen, emckeen@omm.com.

The CFPB and FTC Investigate Mortgage Advertisements

On November 19, 2012, the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) announced a joint investigation into mortgage advertising following review of 800 randomly selected mortgage advertisements. The ads the two agencies reviewed were placed in newspapers, delivered via the internet, or sent by mail. As a result of their review, the CFPB and FTC issued 32 warning letters and commenced 19 formal investigations. When analyzing the advertisements, the agencies primarily interpreted Regulation N, the Mortgage Acts and Practices Advertising rule (12 CFR §1014). In its warning letter, the CFPB also noted its ability to enforce 12 U.S.C. § 5536(a)(1), which prohibits unfair, deceptive, or abusive acts or practices (UDAAP).

The CFPB specifically identified the following practices as problematic:

(a) The use of language or symbols suggesting the provider was affiliated with the government. Based on the sample of problematic ads released by the FTC, such symbols could include the use of the bald eagle in a logo, or the use of the initials of government agencies;

(b) The use of potentially inaccurate information about interest rates, for example, language suggesting that a variable or short-term interest rate was fixed for the life of the loan;

(c) Language suggesting that a reverse mortgage would not require any payments, when in fact the borrower was responsible for tax and insurance payments; and

(d) The use of potentially inaccurate information about the amount of cash or credit available to a consumer, for example, language suggesting that a customer was pre-approved for certain loan terms, when in fact those terms could change.

Why You Should Care: Although the warning letters were primarily based on the enforcement of Regulation N, which does not apply to banks per 12 CFR §1014.1 and 15 USC §45(a)(2), the CFPB’s warning letter mentioned the UDAAP provision, which does apply to banks. In addition, the warning letters describe very general features that could exist in the advertisements for any consumer financial product. If such qualities are deemed problematic in mortgage advertisements, they may be deemed problematic in other advertisements for consumer financial products.

Financial institutions may find it useful to monitor the CFPB’s investigations and enforcement actions in order to identify potential areas of concern, with an eye toward avoiding regulatory scrutiny and private consumer litigation.

If You Want Further Information: The CFPB and FTC releases are found here and here respectively. The sample problematic ads released by the FTC are found here.

If You Want Further Analysis: Contact Brian D. Boyle, bboyle@omm.com.

The CFPB Further Refines its Remittance Rule

Issue: On November 27, 2012, the Consumer Financial Protection Bureau (CFPB) announced that it will amend its rules regulating foreign remittance transfers (the “Remittance Rule”). Remittance transfers are electronic funds transfers between consumers or from consumers to businesses that are made via non-depository companies known as “money transmitters” or through depository institutions such as banks and credit unions. The CFPB’s current Remittance Rule, which was scheduled to be effective starting February 7, 2013, gives certain cancellation rights to senders of “remittance transfers” and imposes disclosure and error resolution requirements on “remittance transfer providers.” 12 C.F.R. §§ 1005.30–.36. The CFPB announced that it will shortly propose clarifying amendments to the Remittance Rule, which it anticipates will push back the effective date until sometime during the Spring of 2013. The amendments will (a) provide that a remittance provider will not be held responsible if the consumer provided the wrong account number for the recipient and the provider was unable to reverse the transfer; (b) allow remittance providers flexibility in the way they satisfy the mandated disclosures of foreign fees and taxes; and (c) clarify that the only foreign taxes that need to be disclosed are national taxes, and not taxes imposed by sub-national jurisdictions.

Why You Should Care: This is the second time the CFPB will amend its remittance transfer rule to ease the burden on providers. The delayed effective date will give providers some breathing room as they implement procedures to comply with the regulation, although the CFPB plans to “move quickly” to implement its final rule and anticipates the effective date to be during the Spring of 2013.

If You Want Further Information: The February 7, 2012 final remittance transfer rule can be found here. The August 20, 2012 amendment can be found here. The CFPB’s November 27, 2012 announcement can be found here.

If You Want Further Analysis: Contact Brian D. Boyle, bboyle@omm.com.

CFPB to Share Information with State Regulators of Nonbank Entities

Issue: On December 6, 2012, the Consumer Financial Protection Bureau (CFPB) issued a Statement of Intent (Statement) describing its plans to coordinate and share information with state regulators. The release primarily pertains to state regulators having having supervisory authority over nonbank entities, which the Statement defines as “a person that offers or provides ‘consumer financial services or products’ as defined in 12 U.S.C. § 5481(5) that is not a depository institution [as] defined in 12 U.S.C. § 5102.”

The statement supplements the January 4, 2011 Memorandum of Understanding (MOU) between the CFPB and the Conference of State Bank Supervisors (CSBS), which established a general framework for information sharing and cooperation between the CFPB and state regulators of all providers of consumer financial products or services.

The Statement advises that the CFPB intends to coordinate enforcement actions with state regulators, and to share examination schedules, examination reports, and consumer complaint information with state regulators of nonbank entities, and that it intends to coordinate enforcement actions. Additionally, the CFPB intends to share, with the permission of the relevant federal regulators, Registered Mortgage Loan Originator (RMLO) information concerning RMLOs associated with institutions chartered and supervised by a State regulator.

Why You Should Care: The CFPB’s recent actions suggest that coordinated inquiries involving multiple state and federal regulators may become commonplace, though it remains to be seen whether such coordination will result in efficiency from the financial institutions’ perspective or will have the opposite effect. According to the CSBS, as of April 19, 2012, regulators in every state except for New Mexico and Florida have signed the MOU, and on December 5, 2012, Mayor Rahm Emanuel announced that the CFPB and the City of Chicago reached an agreement to share information and resources. On December 6, 2012, the CFPB entered into a similar information-sharing MOU with the United States Department of Justice regarding enforcement of fair lending laws.

If You Want Further Information: The full text of the CFPB’s Statement of Intent is available here. The CSBS January 4, 2011 MOU is available here. A map of states who signed onto the January 4, 2011 CSBS MOU is found here. The City of Chicago press release is available here. The DOJ MOU is available here.

If You Want Further Analysis: Contact Randall W. Edwards, redwards@omm.com.

Failed Cybersecurity Act of 2012 Provides Insight Into Likely Executive Order

Issue: In a close vote on November 14, 2012,[1] supporters of the Cybersecurity Act of 2012 failed to garner the 60 votes required in the United States Senate to end debate on the measure and allow passage of the bill. Proponents of the bill argued that the legislation is necessary to protect the nation’s cyber and communications infrastructure, while opponents, largely from the business community, argued that the measure imposes onerous requirements on businesses without effectively improving cybersecurity.

The Cybersecurity Act would have directed the Secretary of the U.S. Department of Homeland Security (DHS), in consultation with specified public and private entities, to establish a procedure for designation of the nation’s critical infrastructure and to conduct a sector-by-sector assessment of the cyber risks affecting this critical infrastructure.[2] “Critical infrastructure” is defined under the USA PATRIOT Act, 42 U.S.C. § 5195c(e), to mean “systems and assets, whether physical or virtual, so vital to the United States that [their] incapacity or destruction . . . would have a debilitating impact on security, national economic security, national public health or safety.” Covered critical infrastructure is likely to include entities belonging to the financial services, telecommunications, energy, water, and transportation sectors.[3]

The Cybersecurity Act would have required DHS, in coordination with other federal agencies, to implement education, training, and workforce development programs for federal employees and contractors in the area of cybersecurity.[4] With respect to private entities, the bill would have, among other things: (1) authorized the collection and sharing of “lawfully obtained cybersecurity threat” information with other private entities; (2) established a process for designating “cybersecurity exchanges” to facilitate information sharing with private and federal entities; and (3) provided legal protections for entities engaged in cybersecurity monitoring activities, including, under certain circumstances, a defense based on a “good faith reliance” that the Act’s Title VII, governing information sharing, permitted the conduct in question.[5]

In addition, the Cybersecurity Act would have imposed significant reporting requirements relating to cybersecurity and critical infrastructure. For example, the Attorney General and the Director of the Federal Bureau of Investigation must report on investigations and prosecutions of cybercrimes,[6] while the DHS Secretary must report on the national security implications of a cyberattack on the U.S. electrical grid.[7] Importantly, owners of systems or assets designated as critical infrastructure must report all “significant cyber incidents affecting covered critical infrastructure.”[8]

Why You Should Care: The November vote is the second time in the last few months that the Cybersecurity Act of 2012 failed in the Senate. This defeat increases the likelihood that President Obama—whose administration strongly supported the failed measure—will issue an Executive Order on cybersecurity. While the details of the anticipated Executive Order remain unknown, members of the business community can reasonably expect that that the Order will largely reflect the principles, objectives, and requirements of the Cybersecurity Act. An Executive Order on cybersecurity may create an added degree of uncertainty for covered entities, however, because the President may choose to change the provisions of an Executive Order at any time, without the support of Congress.

If You Want Further Information: The complete text of the Cybersecurity Act of 2012 is available here.

If You Want Further Analysis: Contact Randall W. Edwards, redwards@omm.com.

[1] S. 2105, 112th Cong. § 2(5) (2012).
[2] Id. §§ 103-106. The Cybersecurity Act also would allow the owner of any other system or asset to request that it be designated as covered critical infrastructure if the owner determines that statutory criteria are met. Id. § 103(b)(4).
[3] See S. 2105 § 103(b)(1) (guidelines for designation of covered critical infrastructure); see also USA PATRIOT Act, 42 U.S.C. § 5195c(b)(2).
[4] S. 2105 §§ 402-408.
[5] Id. §§ 701-706.
[6] Id. § 803(a)(1).
[7] Id. § 807(2).
[8] Id. § 105(b)(1)(D).