Earlier this week, the Consumer Financial Services Law Subcommittee of the American Bar Association’s Business Law Section met in Santa Barbara for its winter meeting. This conference brings together practitioners in consumer financial services law from all sectors – private practice, in-house and government.
The following summary provides highlights and trends that came from the many substantive sections of the meeting and begin to answer the question as to what topics will be most important for anyone working in consumer financial services in 2024.
Expect Continued Fair Lending Enforcement. Throughout several sessions at the conference, speakers emphasized again and again (including the head of the Office of Fair Lending at the Consumer Financial Protection Bureau (“CFPB”), Patrice Ficklin) that focus on fair lending concerns was important to the CFPB in 2024. In particular, financial institutions were encouraged to look beyond the standard controls for identifying fair lending problems. Standard controls often include employing a variety of algorithmic and other automatic methods to attempt to identify burgeoning fair lending problems early and to correct course as quickly as possible, conducting training of all consumer-facing employees and maintaining strict lending criteria, with minimal opportunities for any individual to waive a consumer from requirements or to adjust interest rates. Controls that are not as standard today and that were mentioned by the speakers as being effective means for improving fair lending compliance include screening emails sent between consumer-facing employees for discussions involving any of the prohibited bases, as well as evaluating policies that may be in place regarding consumers who report income received from public assistance or who have formerly been incarcerated. For supervised financial institutions, to get a better sense of the CFPB’s activity regarding fair lending in the supervision context, review the Supervisory Highlights published in Summer 2023.
Publication of the Personal Financial Data Rights Rule (Section 1033). As readers may recall, we published a four-part series covering the substantive aspects of the Personal Financial Data Rights rule (“PFDR Rule”) and there was much discussion at the conference regarding the implications of the PFDR Rule. Comments were due December 29, 2023 regarding the proposed PFDR Rule and the intel from the conference was that the CFPB’s Director, Rohit Chopra, is very anxious to finalize the rule as soon as possible, maybe even as early as April 2024. Such an early finalization of the PFDR Rule portends that we will likely not see many changes from the proposed rule. In reviewing the comment letters the CFPB received (just under 11,000), there was actually not as much uniformity among those submitted by the financial services industry (i.e., the data providers under the rule), as we would typically expect. Nevertheless, the primary points of pain raised in the letters, most of which were mentioned at the conference, include the following:
Timeframe for initial compliance should be extended. The proposed rule required the largest financial institutions to comply with the rule as early as six (6) months after finalization of the rule. Most commenters requested somewhere between at least 18 and 24 months for any financial institution to commence compliance. The primary reasons for the requested delay were all based on technology concerns, not the least of which is that the required dashboards through which consumers and authorized third parties are intended to request information are supposed to be built in accordance with technical specifications established by standard-setting organizations and that have been evaluated and approved by the CFPB. To date, there are no specifications from such organizations to even be evaluated or approved.
Data providers should be allowed to charge fees. The proposed rule imposed a ban on data providers being able to charge fees for access to the information, but authorized third parties and data aggregators that will primarily be requesting the data on the consumer’s behalf can charge any fees they like. Meanwhile the data providers must invest substantial amounts of time and money to build and maintain the required interfaces that will facilitate the sharing of the information. Accordingly, many data provider comment letters have requested that the PFDR Rule establish that data providers may charge a reasonable fee for access to the information, generally charged to the authorized third party. The authorized third parties could then pass along the fees to the data aggregators. Consumers asking directly for their information from the data provider would not be charged a fee.
Screen-scraping should be explicitly prohibited. A major reason that the PFDR Rule specifies that data providers should build interfaces for the exchange of data is because of concerns related to the practice of effectuating the sharing of data by means of “screen-scraping.” Today, due to the lack of alternatives, the companies that would be authorized third parties under the PFDR Rule often will obtain the data on a consumer’s behalf, by requesting the consumer’s online banking credentials and using those credentials to access and “scrape” the data directly from the online banking portal. This process of accessing data is fraught with security concerns, and often technically violates the online banking agreements consumers have with their financial institutions. The PFDR Rule as proposed should minimize the amount of “screen-scraping” that occurs, but the commenters noted that without a ban on screen-scraping would-be authorized third parties could effectively duck out of the consumer protections imposed on them by the PFDR Rule by continuing to screen-scrape, instead of accessing the information through the required interfaces. As the Bank Policy Institute and the Clearinghouse said in their letter, “the CFPB should explicitly prohibit screen scraping and credential-based access by all third parties and data aggregators, not just authorized third parties and data aggregators used by those entities, with respect to data that a data provider has made available via a developer interface. This prohibition should extend to all data made available via the interface and not be limited to “covered data.”
Obligations and Liability Under the PFDR Rule, Generally. As written, the proposed rule leaves questions of liability for non-compliance with security, privacy and consumer protection standards to private contracts between and among parties, except that only data providers have the obligations to protect consumers. We discussed this point in our own coverage of the PFDR Rule, but, once again here is the rationale on this concern from the comment letter sent by the Bank Policy Institute and The Clearinghouse, “Data providers also would bear responsibility for ensuring that third parties become authorized third parties, abide by the relevant obligations to obtain such status, and access covered data via developer interfaces and do not use consumer credentials to access consumer interfaces. This puts a substantial oversight burden on data providers, individually and collectively, to monitor compliance by thousands of prospective data recipients. While data providers, particularly those that are regulated financial institutions, conduct appropriate due diligence on third parties and aggregators consistent with their third-party risk management obligations, it is not appropriate or feasible for data providers to bear responsibility for ensuring third party compliance with all relevant obligations.”
Obligations and Liability for Transactions Under Regulations E and Z. One of the categories of “covered data” that is required to be shared by data providers under the proposed rule with authorized third parties and aggregators includes information necessary such that the authorized third party or data aggregator may institute a transaction on a consumer’s card (credit, debit, prepaid or otherwise) themselves. However, should an unauthorized transaction occur while that information is in the hands of said authorized third party or data aggregator, then the data provider ends up liable for that transaction, per the provisions of Regulations E and Z, and under those regulations the data provider has the further burden of conducting an investigation into whether the transaction was truly unauthorized. Accordingly, many data provider comment letters requested that the CFPB extend those Regulation E and Z obligations for investigation, data security and liability to the authorized third parties and data aggregators under whose watch the unauthorized transaction occurred.
Permit Consumers to Opt-In to Secondary Use of Their Data. The PFDR Rule severely restricts the ability for data providers, authorized third parties and data aggregators to use covered data for any purpose other than the primary use. Although this restriction is not to be unexpected from a consumer protection regulator, it is curious that the CFPB would choose to recommend such a strong control for an industry that already has more severe restrictions on secondary use thanks to existing laws that are decades old, including the Gramm-Leach-Bliley Act and the FCRA. The comment letter from the Mortgage Banking Association provided the following detail and commentary, “Consumers should also be allowed to opt-in to targeted advertising, cross-selling, and the sale of their data by third parties. These secondary uses are allowed under the Gramm-Leach-Bliley Act with consumer consent. Allowing consumers to choose to receive advertisements and information about other products offered by third parties would promote competition between third parties and data providers. Third parties would not need to rely on data providers for consumer information before offering products and could compete on an even playing field.”
While these six areas were the most frequent comments provided to the CFPB, as mentioned, there were a wide variety of additional areas that data providers, authorized third parties and data aggregators alike addressed. For example, some commenters requested that the PFDR Rule should clarify that participants are not consumer reporting agencies for purposes of the Fair Credit Reporting Act, including a comment letter from a data provider that explained, “mandatory participation in the consumer-authorized data sharing ecosystem should not result in a bank falling within the expanded definition of a ‘CRA’ or a ‘furnisher’”, referencing the greatly expanded definition of a consumer reporting agency in the CFPB’s concurrent FCRA rulemaking process. Other commenters focused upon the reporting requirements related to the interfaces that the PFDR Rule imposed upon data providers, observing that such reporting has little benefit as it does not provide protection to consumers and may betray security and trade secret information. Still others were concerned that the prong of the data provider definition that included companies that were engaged in the facilitation of payments from the covered products was too broad. As one comment letter explained, “[I]t appears that any person that ‘controls or possesses’ information on the ‘facilitation’ of payments from a Regulation E account or Regulation Z credit card would be treated as a Data Provider and subject to the full panoply of information-sharing requirements under the Proposed Rule. The Proposed Rule suggests that ‘payment facilitation products and services . . . would generally already be covered as Regulation E financial institutions,’ but the rule nowhere defines or analyzes ‘facilitation’ and, in the absence of clarity, the Proposed Rule would likely sweep in entities the CFPB does not address in the Proposed Rule and did not intend to cover.” Finally, it bears mentioning that a majority of the comments received were variations on a form letter prepared by a consumer group requesting that the CFPB include EBT cards as a covered product in the PFDR Rule. The CFPB did mention in the Federal Register commentary to the proposed rule that they envisioned incorporating additional products into the PFDR Rule coverage at a later time.
Considering When Discouragement Occurs. Separate and apart from the general focus on fair lending concerns already mentioned, many panels at the conference referenced the increased marketing activity that drives who applies for what credit products, and when. While redlining has long been recognized as an unfair practice that denies credit or provides credit at higher interest rates to populations in the redlined areas, targeted marketing to specific groups may effectively render the same kind of result. Often called “reverse redlining”, the problem occurs when targeted populations are primarily or exclusively marketed to by certain lenders that may only offer high-cost loans. As a result, these populations may have a much higher incidence of receiving loans with higher APRs than they would have received from a lender that offers a wider variety of loan types. Likewise, if the primary marketed material received by individuals shows only high interest rates, then those individuals may be discouraged from even submitting an application. A corollary concern arises when consumers reach lenders primarily through lead generation. Due to varying levels of interest and drive, higher cost lenders may respond leads much more consistently than other lenders, leading to consumers being discouraged from submitting applications for credit. Accordingly, creditors are encouraged to evaluate whether their marketing efforts and use of lead generation effectively results in discouraging applications in this manner.
Bonus Topic: Buy Now, Pay Later Legislation. Although not much discussed during the substantive panels of the meeting (the topics for which were settled months ago), participants buzzed about legislation that Governor Hochul of New York is promoting to regulate “buy now, pay later” (“BNPL”) companies. The push for this legislation appears to have commenced in conjunction with the Office of the Comptroller of the Currency issuing guidance to financial institutions called “Risk Management of ‘Buy Now, Pay Later’ Lending” in early December 2023. The guidance, consistent with other guidance related to risk management of relationships between banks and fintechs, identifies both general risks and specific risks related to BNPL transactions, including that “[b]orrowers could overextend themselves or may not fully understand BNPL loan repayment obligations” and “Merchandise returns and merchant disputes can be problematic for BNPL borrowers and banks because the issue may not be resolved during the brief term of the loan.” The proposed legislation would seek to normalize disclosures and consumer rights and protections in the BNPL space and would clearly provide the New York Department of Financial Services with enforcement authority.
While these topics were much discussed and debated at the conference, these are just a few topics percolating in the consumer financial services space. Keep watch here for updates throughout the year on other hot areas.