On April 25, 2022, the Consumer Financial Protection Bureau (CFPB) announced that it was invoking its dormant authority to examine nonbank companies posing risks to consumers. People who follow the CFPB were not surprised, since before the announcement, the bureau had already taken several actions that projected a renewed focus on nonbank financial services companies. These actions, and additional activity since the announcement, have covered numerous products and services, including loan origination and servicing; payments and remittance transfers; and credit reporting. The bulk of recent CFPB activity regarding nonbank companies, however, has involved credit, including all phases of the credit life cycle.

In this article, we provide an inventory of the CFPB’s nonbank-relevant regulation and enforcement action over the past few years.

Loan Origination by Nonbanks Attracts CFPB Rulemaking, Action Plan, Enforcement

It is clear that bank and nonbank mortgage lending remain high priorities for the CFPB. Last year, the bureau issued a request for information (RFI) on detecting discrimination in mortgage lending by both, including the effectiveness of Home Mortgage Disclosure Act (HMDA) regulation. Since July 2020, the CFPB has also sued or settled with nonbank mortgage companies over allegations of redlining or other discriminatory practices.

Additionally, the CFPB is a member of the Property Appraisal and Valuation Equity Task Force, whose much discussed action plan on appraisal and valuation bias will include a significant focus on the actions of nonbank participants, such as appraisers, appraisal management companies, and vendors of automated valuation models (AVM) and tax valuation models (TVM).

In the reverse mortgage market, the CFPB has sued one lender and entered into a consent order with another over deceptive advertising.

CFPB Wields Consumer Lending Laws

Outside of mortgage lending, the CFPB has taken enforcement action against several nonbank lenders in the past two years for violations of one or more consumer lending laws, including the Military Lending Act (MLA), Truth in Lending Act (TILA), Equal Credit Opportunity Act (ECOA), Consumer Financial Protection Act (CFPA), and Electronic Funds Transfer Act (EFTA). In some cases, the CFPB enforcement activity was for violations of prior consent orders. Violations alleged by the CFPB included:

  • Failing to provide timely and accurate adverse action notices required by the ECOA;
  • Advertising deceptively, in violation of the CFPA;
  • Violating the CFPA by failing to disclose consumer protections available under state law;
  • Refusing to cancel memberships and stop monthly membership fee charges, in violation of the CFPA;
  • Misrepresenting that referral sources were independent, in violation of the CFPA;
  • Originating loans that were not requested or authorized by consumers, in violation of the CFPA;
  • Deceiving consumers by misrepresenting the APR on loans;
  • Misrepresenting that income share agreements are not debts, in violation of the CFPA;
  • Failing to provide disclosures required by TILA;
  • Imposing prepayment penalties on private education loans, in violation of TILA;
  • Requiring consumers to preauthorize electronic funds transfers as a condition of receiving credit, in violation of the EFTA;
  • Originating unauthorized transfers for loan payments;
  • Charging military APRs in excess of the MLA’s rate cap;
  • Requiring loan repayment by military allotment, in violation of the MLA; and
  • Requiring arbitration, in violation of the MLA.

Bureau Increases Oversight of Loan Servicing and Debt Collections 

In May 2022, the CFPB issued an advisory opinion that the Equal Credit Opportunity Act (ECOA) covers loan servicing and account management activities. The advisory opinion echoed the 2021 joint amicus brief filed by the CFPB, Federal Reserve, Federal Trade Commission (FTC), and Department of Justice (DOJ) in a court case, as well as the Federal Reserve’s prior guidance in Consumer Affairs Letter CA 09-13.

In late June, the CFPB issued an advisory opinion on the Fair Debt Collection Practices Act and Regulation F. The opinion reminded debt collectors that they are prohibited from collecting “any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law” and advised that the CFPB interprets this prohibition to include convenience or “pay-to-pay” fees unless such fees are expressly authorized by either law or the agreement creating the debt.

In the past two years, the CFPB has engaged in numerous enforcement actions related to nonbank loan servicing or debt collections. The enforcement push covered a wide range of activities, including mortgage loss mitigation, student loan servicing, auto loan servicing and repossession, consumer loan servicing, accelerated loan payment plans, returned check collections, debt relief, and collection practices alleged to violate the Fair Debt Collection Practices Act (FDCPA) or the CFPA.

The CFPB and Department of Health and Human Services’ Center for Medicare and Medicaid Services also jointly reminded nursing care facilities that certain guarantee and collection practices may violate the FDCPA and Fair Credit Reporting Act (FCRA), in addition to violating the Nursing Home Reform Act. Simultaneously, the CFPB issued Consumer Financial Protection Circular 2022-05, which warned third-party debt collectors that attempting to collect nursing care facility debts that are invalid under the Nursing Home Reform Act may violate the FDCPA and FCRA.

Credit Reporting Comes Under Scrutiny

The CFPB has also engaged in nonbank enforcement actions related to consumer reporting since fall 2020. The violations included failing to provide risk-based pricing notices required by the FCRA, furnishing inaccurate data to consumer reporting agencies, and failing to correct inaccurate negative information in consumer files. In addition, the CFPB filed a lawsuit against a major credit bureau, alleging violations of a 2017 consent order related to deceptive marketing of credit scores and other credit-related products to consumers.

Last fall, the CFPB issued an advisory opinion declaring that use of name-only matching procedures by consumer reporting agencies does not meet the reasonable procedures requirement of FCRA Section 607(b). In the summer of 2022, the CFPB also issued an interpretation detailing that:

  • Companies using and furnishing consumer reports must have a permissible purpose under the FCRA;
  • Insufficient identity matching procedures can result in furnishing reports without a permissible purpose that cannot be cured by disclaimers about insufficient matching procedures;
  • Users must ensure they avoid violating privacy rights by obtaining consumer reports without a permissible purpose; and
  • Covered entities may face criminal liability under FCRA Section 620 for knowingly and willfully providing consumer reports to an unauthorized person.

In addition, the CFPB filed a joint amicus brief with the FTC and the North Carolina Department of Justice in a case involving an online consumer reporting service and the interaction of Section 230 of the Communications Decency Act with the FCRA. As CFPB Director Rohit Chopra and FTC Chair Lina Khan noted in a joint statement, “As tech companies expand into a range of markets, they will need to follow the same laws that apply to other market participants. The CFPB and FTC will be closely scrutinizing tech companies’ efforts to use Section 230 to sidestep applicable laws and will seek to ensure that this legal shield is not being used or abused to gain an undue competitive advantage over law-abiding businesses.”

Finally, the CFPB issued an interpretive rule affirming the ability of states to regulate consumer reporting markets with limited exceptions. As Chopra noted on the rule’s release, “Given the intrusive surveillance that Americans face every day, it is critical that states can protect their citizens from abuse and misuse of data. The legal interpretation issued today makes clear that federal law does not automatically hit delete on state data protections.”

Bureau Steps in on Payments, Remittances, and Deposits

The CFPB’s nonbank activity has not been limited to credit- and debt-related aspects of financial services. One of Chopra’s first actions after confirmation was to issue orders pursuant to Section 1022(c)(4) to several large technology companies requiring them to file information with the CFPB regarding payments practices. The orders compelled production of information regarding policies, procedures, and practices related to:

  • Consumer-to-consumer (C2C) or consumer-to-business (C2B) products offered or planned;
  • The marketing of C2C and C2B payments products;
  • Fees associated with the use of C2C or C2B products;
  • Metrics used to evaluate C2C and C2B payments products;
  • Data collection and usage, including collection of data related to the race, color, religion, national origin, sex, sexual orientation, gender identity, marital status, or age of consumer or commercial users of the payments products;
  • Data monetization, including behavioral targeting and the sharing of payments data across product lines;
  • Data sharing, including categories of third-party recipients of the data;
  • Consumer complaints;
  • Any restrictions on access, consumer eligibility, commercial user eligibility, or consumer payments choices; and
  • Consumer protection practices, such as those related to fraud, error resolution, privacy, information security, and unequal treatment.

The CFPB, sometimes in joint actions with state attorneys general, has also taken enforcement action against nonbank remittance transfer providers. For example, the bureau and the Attorney General of the State of New York sued a remittance transfer provider for violations of the EFTA, the Remittance Transfer Rule, Regulation E, and the CFPA. The CFPB separately entered into similar consent orders with two other remittance transfer providers.

The CFPB also issued an order against a FinTech offering an automated savings tool. The order alleged the FinTech engaged in deceptive marketing practices because the tool routinely caused overdrafts that were not always reimbursed by the FinTech, which also kept a significant portion of the interest earned by the savings account. Another FinTech was sued by the CFPB for deceptive marketing by falsely claiming deposits it collected were held in FDIC-insured accounts when they were not.

CFPB Gathers Information on Other Nonbank Financial Products

Enforcement activity is not the only area of nonbank consumer financial services where the CFPB is active. They are gathering additional information on financial products and services where nonbanks are significant players. On June 9, the CFPB issued an RFI on employer-driven debt products. Although such products are sometimes funded by banks, they are more frequently funded by employers or originated in partnership with FinTechs or other nonbank lenders.

In September, the CFPB released a study on the rapid growth, and consumer protection implications, of the “buy now, pay later” segment.

In the digital space, the bureau, along with other members of the Federal Financial Institutions Examination Council, issued an RFI on the use of artificial intelligence (AI) and machine learning in financial services, including appropriate risk management, governance, and controls. The CFPB also convened a Small Business Regulatory Enforcement Fairness Act (SBREFA) panel as part of a rulemaking process related to AVMs and the prevention of algorithmic bias in home valuations. The bureau also published Consumer Financial Protection Circular 2022-03 to remind lenders of ECOA’s requirement for statements of specific reasons to applicants against whom adverse action is taken, even when those actions are taken on the basis of complex algorithms, which are sometimes called “black box” or “uninterpretable” models. The CFPB also published an interpretive rule clarifying the limits of the CFPA’s “time and space” exception for marketing with respect to digital marketers providing content strategy, segmentation, or targeting services in addition to time or space for advertising.

The Bottom Line

In short, the writing is on the wall. The CFPB is serious about consumer protection, regardless of the type of financial services company involved. Nonbank financial services companies are facing ongoing CFPB scrutiny and should take steps to ensure that their practices are compliant.

Treliant understands the depth and breadth of the CFPB’s consumer protection supervision and enforcement authority. If your financial services company needs assistance with evaluating your practices in light of recent CFPB activity, please contact LWoosley@Treliant.com.