Consumer Finance Newsletter - March 2013

March 25, 2013


The CFPB’s Investigation of Auto Financing by Banks

According to a February 21, 2013 news report by Bloomberg, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) is scrutinizing the interest rates charged in connection with automobile financing. The CFPB is reportedly concerned about allegations that certain auto dealers mark up interest rates paid by particular borrowers in a manner that may have a disparate impact on minority borrowers. The CFPB believes such conduct may support a claim under the Equal Credit Opportunity Act, 15 U.S.C. §§ 1691 et seq. (“ECOA”). Perhaps because the CFPB lacks authority to directly regulate automobile dealer conduct, however, the CFPB has implied that it will attempt to address perceived disparities in auto loan pricing through its regulatory power over the funding banks, even though the banks have no input on pricing decisions made by the dealers.

In attempting to hold funding banks responsible under a disparate-impact theory for thousands of pricing decisions made by independent automobile dealers, the Bureau will face hurdles. For example, there has long been debate regarding whether disparate-impact claims are cognizable under ECOA, which does not include the “adverse effects” language included in the statutes under which the Supreme Court has previously found disparate-impact claims cognizable (e.g., Title VII of the Civil Rights Act of 1964 and the Age Discrimination in Employment Act). The availability of such claims under the Fair Housing Act, which likewise does not include the “adverse effects” language, is the subject of a pending certiorari petition in Mount Holly v. Mt. Holly Gardens Citizens in Action, Inc., 11-1507 (U.S.).

Additionally, the broad position the CFPB has staked out that “evidence [that a facially neutral practice has a] disparate impact” is a “method of proving lending discrimination”[1] is inconsistent with recent class certification precedents in disparate-impact cases, in which courts have found that aggregated statistical evidence purportedly showing a disparate impact may in fact mask the true drivers of the purported disparity. See Wal-Mart v. Dukes, 131 S. Ct. 2541 (2011) (“Dukes”); Barrett v. Option One Mortgage Corp., 2012 WL 4076465 (D. Mass. Sept. 18, 2012) (decertifying class in fair-lending class action post-Dukes). Thus to the extent private plaintiffs seize upon the CFPB’s guidance to aggregate disparate impact class-action claims against banks that fund auto loans, such claims will face significant hurdles at the class-certification stage.

Why You Should Care: The CFPB appears to be capitalizing on its regulatory authority over banks that fund automobile loans in order to influence the conduct of automobile dealers, which are beyond the CFPB’s jurisdiction. Nevertheless, the Bureau faces an uphill battle in attempting to hold funding banks responsible for any alleged disparate impact that purportedly results from lending decisions made by third-party auto dealers unrelated to the funding banks.

If You Want Further Information: The CFPB’s April 18, 2012 Fair Lending Bulletin can be found here. The February 21, 2013 news report can be found here.

If You Want Further Analysis: Contact Brian Boyle, bboyle@omm.com, or Elizabeth L. McKeen, emckeen@omm.com.

[1] CFPB Bulletin 2012-04 (Fair Lending) (April 18, 2012).

FTC Continues Leadership Role in the Regulation of Mobile Payments

Issue: When consumers wish to authorize another party, such as a retailer, to withdraw funds from the consumer’s financial account or to draw on the consumer’s line of credit, they typically use means such as a credit card, debit card, or a check. Many industry participants and regulators anticipate that many commonplace transactions will steadily shift to mobile payment platforms. These platforms allow a consumer to authorize a payment using his or her mobile device, either via the Internet or through a computer chip that communicates with physical readers at the retailer (referred to as “Near Field Communication”). Unlike the rules that govern more traditional payment methods, however, uniform regulations have not yet been adopted in the mobile payments sphere and best practices are still evolving. The Federal Trade Commission (“FTC”) recently released a report that suggests best practices for companies to consider applying to mobile payments and discusses the possibility of future legislation and regulation that will provide consumers with protections similar to those afforded them when they use more traditional payment methods.

Under Section 5(a) of the FTC Act, the FTC has broad powers to prevent “unfair or deceptive acts or practices in or affecting commerce.” Although banks are generally exempt from the FTC’s jurisdiction, the FTC sees its mandate to protect consumers in the commercial marketplace as broad, and notes its jurisdiction over many companies that participate in mobile payments, including: “hardware manufacturers, operating system developers, application developers, data brokers, coupon and loyalty program administrators, payment card networks, advertising companies, . . . retailers, . . . merchants, . . . telecommunications providers, [and] . . . non-depository providers of financial products or services, such as payment processors.”

In its March 8, 2013 report on mobile payments, the FTC highlights three areas of regulatory concern.

  • Liability for unauthorized charges: The FTC expressed concern that consumers receive different levels of protection against unauthorized mobile payments, depending on the underlying payment method being used. The report explained that a mobile payment that debits a credit card line of credit has the greatest protections, capping liability for unauthorized use at $50. 12 CFR §1026.12. If the underlying account is a demand deposit (checking) or savings account, then the cap on liability can be $50, $500 or unlimited, depending on how long the consumer waits before reporting the unauthorized transaction. 12 CFR §1005.6. If the underlying account is a prefunded account such as a prepaid card, however, then there are more limited protections. (It should be noted, however, that the Consumer Financial Protection Bureau is evaluating greater regulation of prepaid cards. See 77 Fed. Reg. 30923 (May 24, 2012), available here.) Finally, of special concern to the FTC is the increasing practice of mobile carrier billing, whereby consumers make mobile payments that then appear as additional charges on their monthly mobile phone bill. The FTC report makes special recommendations that it believes mobile carriers should voluntarily adopt to provide consumers with protections (such as uniform dispute resolution procedures) in this relatively unregulated form of mobile payment processing. The FTC will hold a roundtable to develop recommendations for voluntary, regulatory, and legislative changes affecting mobile carrier billing practices on May 8, 2013.
  • Data security: The FTC report cites survey data indicating that a primary reason consumers cite for not adopting mobile payments is their concern that mobile payments would not provide adequate data security. Interestingly, the report comments that mobile payment platforms have the potential to provide greater data security not yet available with traditional payment forms, including “end-to-end” data encryption (providing security over consumer data at every step in the payment process) and “dynamic data authentication” (providing unique data for each transaction that cannot be used to authorize subsequent transactions, as is possible with simple credit card “swipes”). The FTC recommends these and other technological measures be widely adopted by mobile payment providers, as well as “common sense” consumer education (for example, suggesting consumers require passwords to unlock their phones).
  • Data Privacy: The FTC report found that mobile payment devices hold much more private consumer information than other forms of payment, such as credit cards, creating potential benefits to consumers while also posing greater privacy concerns. The FTC recommends that providers implement the recommendations in its March 2012 report on privacy, which we discuss in a previous client alert found here. As discussed in that alert, the three key principles are: (a) privacy by design, i.e., considering privacy issues at every stage of product development, (b) transparency, i.e., giving consumers more information about what data is being collected, and (c) consumer choice, i.e., allowing consumers to refuse to share certain data.

Why You Should Care: In addition to potential CFPB activities related to mobile payment companies, the FTC is showing interest in the regulation of various companies and other providers involved in the systems and technologies that will be the infrastructure of mobile payment processing. The legal landscape will continue to evolve as the FTC and other regulators seek to provide consumer protections even as consumers change the way they pay. Affected companies should keep abreast of the FTC’s expressed regulatory concerns and, in certain instances, actively engage the FTC in its development of recommendations for industry best practices, regulation, and legislation on matters affecting the ongoing development of the mobile payments marketplace.

If You Want Further Information: The FTC’s March 8, 2013 report, Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments, can be found here.

If You Want Further Analysis: Contact Randall W. Edwards, redwards@omm.com.

The Changing Judicial Treatment of TILA Rescission Rights

Issue: A consumer may demand rescission on a loan secured by her principal dwelling if the lender fails to make certain disclosures at origination. [1] [2] This right arises under the Federal Truth in Lending Act (TILA), which is contained in title I of the Consumer Credit Protection Act, as amended (15 U.S.C. § 1601 et seq.), and in particular in Section 1635(a) thereof. The Act provides that the “right of rescission shall expire three years after the date of consummation of the [credit] transaction or upon the sale of the property, whichever occurs first[.]” 15 U.S.C. § 1635(f).

Whether a consumer must sue within the three-year period provided for under Section 1635(f) in order to prevent his or her claim from being time barred, or whether the consumer must merely send a written rescission demand within the three-year period is a matter of disagreement among the Federal Courts of Appeal. In a decision entered February 5, 2013, the Third Circuit joined the Fourth Circuit in finding that a consumer who made a written demand for rescission within the three-year period provided for in Section 1635(f) could file a lawsuit to enforce that demand even after the three-year period had passed. In contrast, the Ninth and Tenth Circuits have held that borrowers lose their right to rescind if they do not file suit within the three-year period, regardless of when the borrower sent a written demand for rescission. As discussed in our previous alert, the CFPB’s amicus filing may have been a factor in the Third Circuit’s decision.

Why You Should Care: Although the Ninth and Tenth Circuits impose a three-year deadline on the commencement of litigation concerning the handling of a valid rescission demand, the Third and Fourth Circuits allow borrowers to extend that deadline by merely sending a rescission demand by the three-year deadline. Borrowers incur no cost when sending such a demand, and as a result, lenders can expect an increased number of rescission demands in the Third and Fourth Circuits.

A lender who agrees to rescind a loan should proactively manage risks to avoid exposing itself to unintended consequences. Upon rescinding the mortgage loan, the lender must return all payments made by the borrower and cancel the security interest on the property; in return, the borrower must pay off the loan. 15 U.S.C. § 1635(b); 12 C.F.R. §1026.23(d). However, there is the risk that the borrower may be unable to repay the loan or that the borrower may attempt to repay the loan by merely tendering the mortgaged property, which may be worth less than the amount owed. This may result in at least some portion of the loan becoming an unsecured claim that could be subject to discharge in bankruptcy.[3] Some courts have attempted to prevent such an inequity in various ways, including requiring borrowers to “allege tender of the net loan proceeds,” Miranda v. Wells Fargo Bank, N.A., 490 Fed. Appx. 612, 613 (4th Cir. 2012) (unpublished), and refusing to allow borrowers to repay the loan by merely returning the mortgaged property. Sanders v. Mt. Am. Fed. Credit Union, 689 F.3d 1138, 1145 (10th Cir. 2012). These options are not exhaustive. As one court has noted, a court may generally exercise its “equitable powers to protect a creditor's interests during the TILA rescission process.” Id. at 1144.

In light of the ease with which a borrower can make a rescission demand, and the potential for the inequitable result described above, lenders may wish to review their procedures for responding to rescission requests, as well as their procedures for executing loan rescissions.

If You Want Further Information: The Third Circuit’s February 5, 2013 decision, Sherzer v. Homestar Mortgage Services, --- F.3d ---, No. 11-4254, can be found here. The decisions from the Fourth, Ninth and Tenth Circuits are Gilbert v. Residential Funding LLC, 678 F.3d 271 (4th Cir. 2012) (opinion found here), McOmie-Gray v. Bank of America Home Loans, 667 F.3d 1325 (9th Cir. 2012) (opinion found here), and Rosenfield v. HSBC Bank, USA et al., 681 F.3d 1172 (10th Cir. 2012) (opinion found here).

If You Want Further Analysis: Contact Elizabeth L. McKeen, emckeen@omm.com.

[1] For closed-end loans, these disclosures generally include “the annual percentage rate, the finance charge, the amount financed, the total of payments, the payment schedule” and certain disclosures for high-cost and higher-priced loans as defined in the Home Ownership and Equity Protection Act and its implementing regulations. 12 C.F.R. §§ 1026.23(a)(3)(ii), 1026.32(c),(d); and 1026.35(b)(2). For open-end loans, the required disclosures are found in 12 C.F.R. §1026.15(a)(3). Please also note that there are accuracy tolerances, e.g., under 12 C.F.R. § 1026.23(g),(h).
[2] This right does not apply to all mortgage loans. See 15 U.S.C. §1635(e).
[3] See, e.g., In re Murray, 239 B.R. 728, 735 (Bankr. E.D. Pa. 1999) (“[T]he Defendant's failure to properly acknowledge his valid recision [sic] of the Contract, under 15 U.S.C. § 1635(b), should eliminate the Defendant's claim. In the absence of its security interest, which must be terminated as a result of the valid recision [sic] under § 1635(b), the Defendant is left with no better than an unsecured claim against the Debtor.”)

FTC Publishes New Mobile App Privacy Guidelines

Issue: Calling itself "the nation's chief privacy agency," the Federal Trade Commission (“FTC”) issued a non-binding staff report on February 1, 2013 on how companies operating in the mobile app industry should improve their data privacy disclosures.[1] The FTC explained that its recommendations are based on the agency’s prior enforcement and policy experience in this area, as well as a much-publicized mobile privacy workshop that the FTC held in May 2012. The report provides a snapshot of the rapidly expanding mobile services industry and describes what the agency sees as the “unique privacy concerns” associated with mobile devices that collect unprecedented amounts of personal data from consumers.

The FTC’s report provides recommendations for four broad categories of businesses deemed to be “critical players in the mobile market,” including: (a) designers of mobile operating systems or platforms; (b) app developers; (c) advertising networks and analytic companies; and (d) app developer trade associations. For mobile platform developers, the FTC’s recommendations range from the development of icons for depicting the transmission of user data to the provision of contemporaneous privacy disclosures. Among other things, the report recommends companies obtain “affirmative express consent” for the collection of any sensitive data, such as geolocation data.

Why You Should Care: The FTC’s February 1, 2013 report is the agency’s third report focusing on mobile apps and privacy in less than a year (the agency released two staff reports in 2012 concerning mobile apps aimed at children), and is yet another sign that the FTC is increasingly focused on consumer privacy practices related to mobile apps.[2] The FTC may have a secondary reason for promoting increased transparency through the use of privacy disclosures. Because the FTC may only bring enforcement actions against “unfair or deceptive” practices pursuant to Section 5 of the Federal Trade Commission Act, the FTC may believe it has a stronger argument that a company that chooses to implement a privacy policy risks placing itself within the FTC’s enforcement jurisdiction if the company later fails to comply with those same privacy policies.

As the report acknowledges, implementation of these recommendations invites some degree of coordination between the various segments of the mobile app industry, for example, so that app developers can better understand how third-party ad network software works and, in turn, provide more accurate disclosures to consumers. Unlike the earlier 2012 reports that focused primarily on the practices of mobile app developers and third-party advertising and analytics companies for apps aimed at children, the FTC’s February 2013 report includes detailed recommendations for a broader range of businesses, including the designers of mobile operating platforms and app developer trade associations. By applying to all mobile apps, and not just those aimed at children, the FTC’s most recent guidelines signal that even more companies will need to focus on privacy issues moving forward. Thus, any company operating with a mobile app should carefully review the FTC’s recommendations to determine how it can minimize potential regulatory issues down the road.

If You Want Further Information: A copy of the FTC’s staff report can be found here.

If You Want Further Analysis: Contact Randall W. Edwards, redwards@omm.com.

[1] FTC, Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report, February 1, 2013.
[2] This FTC report comes on the heels of recent California Attorney General actions, including the creation of a Privacy Enforcement and Protection Unit, similarly focused on consumer privacy issues related to mobile apps. Office of the California Attorney General, Press Release, “Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit,” July 19, 2012, available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.

Cybersecurity Order Creates Challenges, Uncertainties for Key Sectors of the Nation’s Infrastructure

Issue: On February 12, 2013, President Obama issued an Executive Order (“Order”) allowing for national standards and increased information sharing to enhance the cybersecurity of the Nation’s “critical infrastructure.” The Order could have a sweeping impact on private sector companies deemed to be “critical infrastructure,” including those in communications, select manufacturing, energy, financial services, food and agriculture, health care and public health, information technology, transportation, and other industries identified in the accompanying Presidential Policy Directive on cybersecurity.[1] Private participation is voluntary, although government “incentives,” preferential treatment for governmental contractors that adhere to the Order, and potential regulatory requirements all could mean that some critical infrastructure companies would have no effective choice but to participate.[2] The Order comes nearly three months after the Senate failed to pass a more comprehensive measure, the Cybersecurity Act of 2012, which the President strongly supported.

Identification of critical infrastructure. The Order directs the Secretary of Homeland Security (“Secretary”) to use a risk-based approach to identify the Nation’s critical infrastructure within 150 days. The test will identify critical infrastructure “where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security.”[3] The Order does not allow the Secretary to identify “commercial information technology products” and “consumer information technology” as critical infrastructure, which means certain popular technology companies will not be affected. The Secretary will develop a process for “stakeholders,” owners and operators of critical infrastructure, as well as the sector-specific agencies regulating them, to provide information relevant to the classification process. Companies operating within any of the targeted sectors will learn from the Secretary whether they have been classified as owners or operators of critical infrastructure covered under the Order. The Secretary will also ensure that identified owners and operators are provided with the basis for the decision to include them and allow the company an opportunity to request a reconsideration of its classification.[4]

Creation of national standards. The Order directs the National Institute of Standards and Technology (“NIST”) to develop, through a public comment process, a set of baseline standards, methodologies, procedures, and practices for addressing and reducing cyber risks, to be called the “Cybersecurity Framework.” In developing the Cybersecurity Framework, NIST must “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”[5] The President has set a rapid timeline: a preliminary version of the Cybersecurity Framework must be published within 240 days, and a final version will be published within one year.[6]

Sector-specific regulation. The Order directs any sector-specific agency responsible for regulating the security of critical infrastructure to determine whether it can adopt the Cybersecurity Framework under its existing authority.[7] Sector-specific agencies must report to the President whether additional authority is required to meet those needs within 90 days of the release of the preliminary Cybersecurity Framework.[8]

Expansion of information sharing. Under the Order, a Department of Defense two-way, information-sharing program will be dramatically expanded to allow the voluntary participation of all owners and operators of critical infrastructure.[9] The Secretary and Attorney General will be responsible for the rapid dissemination of both classified and unclassified reports to critical infrastructure entities authorized to receive them. Although the purpose of the program is to share “cyber threat” information, the Order does not indicate what specific information private entities would in turn share with federal authorities.

Why You Should Care: The Executive Order on cybersecurity is intended to protect industries critical to national security, economic security, public health and safety. It is unclear, however, whether the Order better addresses concerns raised by those who successfully opposed the Cybersecurity Act of 2012, including that it would impose onerous requirements on businesses without effectively improving cybersecurity. While the Order indicates that compliance with the Cybersecurity Framework will be voluntary, and that the Framework will reflect industry best practices, the President also has made clear that he believes the need for robust, new national standards is vital. Affected industries can expect increased pressure to participate as the Administration develops its incentives program and as sector-specific regulators determine which aspects of the Cybersecurity Framework can be adopted under existing regulatory authority.

The Executive Order creates new legal challenges for companies engaged in information sharing with federal authorities. The Order does not indicate what specific types of information will be requested from a critical infrastructure company, how such information will be used, and to what extent it may be disclosed to third parties, including to other private-sector participants, state and local law enforcement, or in response to a FOIA request. Nor does the Order indicate whether a company’s sensitive privileged or trade secret information will be sought through this program. The legal consequences of sharing privileged information have been a source of major concern for members of the financial services industry.

The Order may also create downstream litigation risks for companies that choose to participate. Unlike the Cybersecurity Act of 2012, the Order does not include a statutory defense for participating companies based on good faith compliance with the law. It is unclear how the Order interacts with existing federal privacy laws, such as the Right to Financial Privacy Act or the Communications Privacy Act, which ordinarily limit a company’s ability to disclose certain types of information to government authorities. Nor is it clear what types of potentially costly technical security measures companies may be required to implement to protect the classified and sensitive information to be shared through this program, or what liabilities await a participating company that, despite these efforts, experiences a security breach.

Finally, the Order provides little in the way of certainty of expectations moving forward. As mentioned in our December alert on the Cybersecurity Act of 2012, unlike legislation, an Executive Order may be changed at any time by the President, without the consent of Congress.

Companies that are concerned about the increased regulatory burdens of being classified as an owner or operator of a critical industry should consider how they can shape the development of the Cybersecurity Framework. They may also wish to take advantage of any public input process for determining which entities will be classified as owners or operators of critical infrastructure and what the contents of the Cybersecurity Framework will be. Any company considering voluntary adoption of the Cybersecurity Framework or participation in the information-sharing program should carefully weigh the risks and potential costs. In any event, companies should fully expect that this Executive Order is only the opening salvo in what will be a long-term and comprehensive restructuring of our nation’s cyber and information security policies and practices.

If You Want Further Information: The complete texts of the President’s Executive Order and accompanying Presidential Policy Directive are here and here, respectively. The complete text of the Cybersecurity Act of 2012, which did not pass the Senate, is available here.

If You Want Further Analysis: Contact Randall W. Edwards, redwards@omm.com.

[1] See Exec. Order, Improving Critical Infrastructure Cybersecurity (“Order”), § 2 (Feb. 12, 2013); Presidential Policy Directive (“PPD-21”), Critical Infrastructure Security and Resilience (Feb. 12, 2013), at 10-11.
[2] Order § 8(e).
[3] Id. § 9(a).
[4] Id. § 9.
[5] Id. § 7(a).
[6] Id. § 7.
[7] Id. § 10(a).
[8] Id. § 9(a).
[9] Id. § 4.