By Mercedes Kelley Tunstall

Partner | Financial Regulation

Since our last Cabinet News & Views issue on December 19, the Consumer Financial Protection Bureau (“CFPB”) has finalized yet another rule, this one addressing the circumstances under which medical bills should be removed from credit reports, approved a standard setting body for its Open Banking rule and brought five major enforcement actions.

This level of activity far outstrips the activity of all the other federal financial agencies. As we discussed previously, Congress has the ability to roll back regulatory rules and other kinds of announcements pursuant to the Congressional Review Act (“CRA”) and members of the House Committee on Financial Services issued warning letters to regulators, including the CFPB, that regulators should not continue last-minute rulemakings because they intend to use the CRA, as appropriate. But, perhaps this flurry of activity from the CFPB belies a method to the madness. In other words, the CFPB may be issuing as much as possible in an attempt to drown CRA actions, betting that Congress will have limited time and resources (and interest) in rolling back all of the CFPB actions, and so at least some will remain standing. It will be interesting to see if that strategy pans out.

Here is a summary of the CFPB’s most recent activities:

• In the final rule addressing medical bills and credit reports, which is called the “Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information”, which was issued just two days ago on January 7, the CFPB has amended Regulation V, the regulation that implements the Fair Credit Reporting Act to include a new definition for “medical debt information” and alters when and how a creditor may obtain such medical debt information substantially.  As the CFPB’s press release accompanying the rule announces the changes made by the final rule not only prohibit “lenders from considering medical information” but also “bans medical bills on credit reports.” Further, the CFPB’s final rule puts the burden for policing whether a medical bill is displayed on a credit report and distributed to credit report users upon the credit reporting agencies.
• Pursuant to the CFPB’s Personal Financial Data Rights rule, also known as the Open Banking rule (which we have written about extensively here and here), yesterday, January 8, the CFPB announced that it has approved the application of a “standard setting organization” (“SSO”) that gets to establish and dictate to the banking industry technical standards by which consumer account information may be accessed and transmitted (every second of every day) by the (unlicensed and unregulated) data companies so that they can facilitate the transfer such information from traditional banks to startups. The SSO has been in business for a whole five years and based upon that legacy of experience, their application has now been approved. But it has been approved subject to some conditions, described in the CFPB’s Order. Namely, the SSO must “develop standards to promote open banking without regard to sponsorships or other financial incentives” that would give market players “secret information or any other advantage”; the SSO must also report to the CFPB regarding whether the market is using its technical standards; and the SSO must also “make freely available to the public” any standards developed and “ensure that non-members have the same access as members do” to those standards.
• The five enforcement actions the CFPB has commenced over the holiday season involve some of the biggest banks, some of the biggest retailers, a major mortgage lender, and one of the nationwide consumer reporting agencies, among others. 
• Three of the biggest banks were sued for allegedly allowing fraud to occur on the Zelle payment network, which is a type of network that allows for person-to-person payments (“P2P”). The company running the Zelle payment network was also sued by the CFPB.  All P2P payment platforms have a certain level of fraud occur because fraudsters can so easily request payments from individuals, often posing as a trusted contact.  In its complaint, which includes many redacted sections which presumably include information that constitutes trade secrets, the CFPB claims that these three banks alone had complaints from customers totaling $870 million dollars, and involving 910,000 customers. Accordingly, the CFPB has alleged these banks and the payment network company have violated the Consumer Financial Protection Act (“CFPA”) by engaging in unfair, deceptive or abusive acts or practices.  In addition, the banks have violated the Electronic Funds Transfer Act (“EFTA”) and Regulation E by failing to adequately investigate fraud according to the error resolution requirements and by not accepting liability for the fraud pursuant to the unauthorized transfer liability provisions.  The CFPB also alleges that the banks have violated the CFPA by “offering or providing consumer financial products or services not in conformity with Federal consumer financial law or otherwise committing any act or omission in violation of a Federal consumer financial law,” which is a means of compounding the violations of the EFTA and Regulation E.

• One of the biggest retailers in the United States was sued by the CFPB for allegedly requiring its delivery drivers “to use costly deposit accounts to get paid.” The deposit accounts were offered by a fintech (i.e., the kind of company the CFPB prefers over traditional banks in its Open Banking Rule). The fintech was engaged by the retailer because competitors were paying delivery drivers instantly and the retailer’s payments were processed by direct deposit directly into the driver’s personal bank accounts, which usually takes a day to appear in the account, but can take longer. The fintech, which is not a bank and therefore is not insured by the Federal Deposit Insurance Corporation (“FDIC”), worked with a variety of agents to place the funds into deposit accounts and, as the complaint alleges, they “designed and implemented an account-opening process .  . . that enabled them to open and fund [accounts for the drivers] without their informed consent, and in many instances, on an unauthorized basis” using personal information provided to them by Walmart, including Social Security numbers. The complaint goes on to allege that the drivers had no choice but to accept the accounts, if they wanted to access their pay, and were never presented with the terms or conditions of the accounts. Finally, the accounts could not be used to make purchases and the funds in the accounts had to be transferred from the accounts to external accounts, and if the drivers wanted the pay “instantly” they had to pay the greater of 2% or $2.99 to transfer the funds to their external accounts. Both the retailer and the fintech are accused of violating the CFPA for two counts of abusive acts or practices and two counts of unfair acts or practices. In addition, the fintech is accused of two counts in violating the Truth In Savings Act and Regulation DD and seven counts of violating EFTA and Regulation E.

• One of the three nationwide consumer reporting agencies was sued by the CFPB for allegedly failing to properly “intake, process, investigate, and notify consumers about consumer disputes” in violation of the FCRA. Specifically, the CFPB’s press release indicates that it is their view that the consumer reporting agency conducted “sham investigations” that failed to properly address consumer disputes and improperly reinserted “inaccurate information on consumer reports.” As a result, the CFPB has alleged nine violations of various sections of the Fair Credit Reporting Act and an additional four violations of the CFPA for engaging in unfair acts or practices.

• Alleging participation in a kickback scheme in violation of the Real Estate Settlement Procedures Act (“RESPA”), which activity can also serve as the basis of criminal charges from the Department of Justice, the CFPB sued a major mortgage lender on December 23, 2024.  As the complaint states, “when real estate agents accept things of value in exchange for referring their clients to a provider of other services, it corrupts the real estate agents’ relationship with their clients and taints their advice”, so the mortgage lender’s referral network proffered to real estate agents, in which they received referrals of customers looking to buy a home, allegedly meant that real estate brokers were incented to “actively [steer] their clients away from comparison shopping” with other lenders and refrain from discussing other financing options, including first-time homebuyer assistance and USDA loans, with them.  In return for participation in the referral network, real estate agents had to pay the mortgage lender 35% of their commission and undertake to “steer their clients into using [the mortgage lender] to finance their home.” The mortgage lender even supposedly took action to “penalize” real estate agents for failing to “preserve and protect” the lender’s priority with customers. The complaint alleges one count against the mortgage lender for violating Section 8(a) of RESPA, the anti-kickback provision.

• Finally, in a lawsuit filed on January 6, the CFPB alleged that a lender to borrowers buying manufactured homes built and sold by companies affiliated with the lender, knowingly trapped “people in risky loans in order to close the deal on selling a manufactured home.” As the press release accompanying the complaint filed in the lawsuit explains, the CFPB alleges that the lender “manipulated lending standards when borrowers did not make sufficient income”, “fabricated unrealistic estimates of living expenses” and “made loans to borrowers it projected could not pay”, all in violation of the Truth In Lending Act and Regulation Z. Interestingly, the press release included a link that pulls up 221 complaints against the lender in the CFPB’s consumer complaint database, encouraging folks to read them verbatim.