By Mercedes Kelley Tunstall

Partner | Financial Regulation

Since our last Cabinet News & Views issue on December 19, the Consumer Financial Protection Bureau (“CFPB”) has finalized yet another rule, this one addressing the circumstances under which medical bills should be removed from credit reports, approved a standard setting body for its Open Banking rule and brought five major enforcement actions.

This level of activity far outstrips the activity of all the other federal financial agencies. As we discussed previously, Congress has the ability to roll back regulatory rules and other kinds of announcements pursuant to the Congressional Review Act (“CRA”) and members of the House Committee on Financial Services issued warning letters to regulators, including the CFPB, that regulators should not continue last-minute rulemakings because they intend to use the CRA, as appropriate. But, perhaps this flurry of activity from the CFPB belies a method to the madness. In other words, the CFPB may be issuing as much as possible in an attempt to drown CRA actions, betting that Congress will have limited time and resources (and interest) in rolling back all of the CFPB actions, and so at least some will remain standing. It will be interesting to see if that strategy pans out.

Here is a summary of the CFPB’s most recent activities:

• In the final rule addressing medical bills and credit reports, which is called the “Prohibition on Creditors and Consumer Reporting Agencies Concerning Medical Information”, which was issued just two days ago on January 7, the CFPB has amended Regulation V, the regulation that implements the Fair Credit Reporting Act to include a new definition for “medical debt information” and alters when and how a creditor may obtain such medical debt information substantially.  As the CFPB’s press release accompanying the rule announces the changes made by the final rule not only prohibit “lenders from considering medical information” but also “bans medical bills on credit reports.” Further, the CFPB’s final rule puts the burden for policing whether a medical bill is displayed on a credit report and distributed to credit report users upon the credit reporting agencies.
• Pursuant to the CFPB’s Personal Financial Data Rights rule, also known as the Open Banking rule (which we have written about extensively here and here), yesterday, January 8, the CFPB announced that it has approved the application of a “standard setting organization” (“SSO”) that gets to establish and dictate to the banking industry technical standards by which consumer account information may be accessed and transmitted (every second of every day) by the (unlicensed and unregulated) data companies so that they can facilitate the transfer such information from traditional banks to startups. The SSO has been in business for a whole five years and based upon that legacy of experience, their application has now been approved. But it has been approved subject to some conditions, described in the CFPB’s Order. Namely, the SSO must “develop standards to promote open banking without regard to sponsorships or other financial incentives” that would give market players “secret information or any other advantage”; the SSO must also report to the CFPB regarding whether the market is using its technical standards; and the SSO must also “make freely available to the public” any standards developed and “ensure that non-members have the same access as members do” to those standards.
• The five enforcement actions the CFPB has commenced over the holiday season involve some of the biggest banks, some of the biggest retailers, a major mortgage lender, and one of the nationwide consumer reporting agencies, among others. 
• Three of the biggest banks were sued for allegedly allowing fraud to occur on the Zelle payment network, which is a type of network that allows for person-to-person payments (“P2P”). The company running the Zelle payment network was also sued by the CFPB.  All P2P payment platforms have a certain level of fraud occur because fraudsters can so easily request payments from individuals, often posing as a trusted contact.  In its complaint, which includes many redacted sections which presumably include information that constitutes trade secrets, the CFPB claims that these three banks alone had complaints from customers totaling $870 million dollars, and involving 910,000 customers. Accordingly, the CFPB has alleged these banks and the payment network company have violated the Consumer Financial Protection Act (“CFPA”) by engaging in unfair, deceptive or abusive acts or practices.  In addition, the banks have violated the Electronic Funds Transfer Act (“EFTA”) and Regulation E by failing to adequately investigate fraud according to the error resolution requirements and by not accepting liability for the fraud pursuant to the unauthorized transfer liability provisions.  The CFPB also alleges that the banks have violated the CFPA by “offering or providing consumer financial products or services not in conformity with Federal consumer financial law or otherwise committing any act or omission in violation of a Federal consumer financial law,” which is a means of compounding the violations of the EFTA and Regulation E.

• One of the biggest retailers in the United States was sued by the CFPB for allegedly requiring its delivery drivers “to use costly deposit accounts to get paid.” The deposit accounts were offered by a fintech (i.e., the kind of company the CFPB prefers over traditional banks in its Open Banking Rule). The fintech was engaged by the retailer because competitors were paying delivery drivers instantly and the retailer’s payments were processed by direct deposit directly into the driver’s personal bank accounts, which usually takes a day to appear in the account, but can take longer. The fintech, which is not a bank and therefore is not insured by the Federal Deposit Insurance Corporation (“FDIC”), worked with a variety of agents to place the funds into deposit accounts and, as the complaint alleges, they “designed and implemented an account-opening process .  . . that enabled them to open and fund [accounts for the drivers] without their informed consent, and in many instances, on an unauthorized basis” using personal information provided to them by Walmart, including Social Security numbers. The complaint goes on to allege that the drivers had no choice but to accept the accounts, if they wanted to access their pay, and were never presented with the terms or conditions of the accounts. Finally, the accounts could not be used to make purchases and the funds in the accounts had to be transferred from the accounts to external accounts, and if the drivers wanted the pay “instantly” they had to pay the greater of 2% or $2.99 to transfer the funds to their external accounts. Both the retailer and the fintech are accused of violating the CFPA for two counts of abusive acts or practices and two counts of unfair acts or practices. In addition, the fintech is accused of two counts in violating the Truth In Savings Act and Regulation DD and seven counts of violating EFTA and Regulation E.

• One of the three nationwide consumer reporting agencies was sued by the CFPB for allegedly failing to properly “intake, process, investigate, and notify consumers about consumer disputes” in violation of the FCRA. Specifically, the CFPB’s press release indicates that it is their view that the consumer reporting agency conducted “sham investigations” that failed to properly address consumer disputes and improperly reinserted “inaccurate information on consumer reports.” As a result, the CFPB has alleged nine violations of various sections of the Fair Credit Reporting Act and an additional four violations of the CFPA for engaging in unfair acts or practices.

• Alleging participation in a kickback scheme in violation of the Real Estate Settlement Procedures Act (“RESPA”), which activity can also serve as the basis of criminal charges from the Department of Justice, the CFPB sued a major mortgage lender on December 23, 2024.  As the complaint states, “when real estate agents accept things of value in exchange for referring their clients to a provider of other services, it corrupts the real estate agents’ relationship with their clients and taints their advice”, so the mortgage lender’s referral network proffered to real estate agents, in which they received referrals of customers looking to buy a home, allegedly meant that real estate brokers were incented to “actively [steer] their clients away from comparison shopping” with other lenders and refrain from discussing other financing options, including first-time homebuyer assistance and USDA loans, with them.  In return for participation in the referral network, real estate agents had to pay the mortgage lender 35% of their commission and undertake to “steer their clients into using [the mortgage lender] to finance their home.” The mortgage lender even supposedly took action to “penalize” real estate agents for failing to “preserve and protect” the lender’s priority with customers. The complaint alleges one count against the mortgage lender for violating Section 8(a) of RESPA, the anti-kickback provision.

• Finally, in a lawsuit filed on January 6, the CFPB alleged that a lender to borrowers buying manufactured homes built and sold by companies affiliated with the lender, knowingly trapped “people in risky loans in order to close the deal on selling a manufactured home.” As the press release accompanying the complaint filed in the lawsuit explains, the CFPB alleges that the lender “manipulated lending standards when borrowers did not make sufficient income”, “fabricated unrealistic estimates of living expenses” and “made loans to borrowers it projected could not pay”, all in violation of the Truth In Lending Act and Regulation Z. Interestingly, the press release included a link that pulls up 221 complaints against the lender in the CFPB’s consumer complaint database, encouraging folks to read them verbatim. 

By Alix Prentice

Partner | Financial Regulation

The UK’s Prudential Regulation Authority (“PRA”) has issued a consultation paper on proposals for rules and expectations for regulated firms to report operational incidents and material third-party arrangements (the “CP”) in order to collect data to enable monitoring and responses to risks.

Operational incident reporting

The proposed new rules will set out specific operational incident reporting requirements, with the definition of ‘operational incident’ being a single or series of linked events which disrupt operations in a way that interferes with the delivery of a service or impacts the availability, authenticity, integrity or confidentiality of information or data relating to an end user. Reportability is subject to clear thresholds that pose a risk to the PRA’s objectives, and should be made using a phased approach entailing:

• an initial incident report;
• further intermediate reports if there is a significant change in circumstances; and
• a final report.

The PRA is proposing that firms submit reports using a template in order to streamline the information that it receives.

Outsourcing and third-party reporting

Given the increasing reliance on third-party support of both an outsourcing and non-outsourcing nature, the PRA is proposing the collection of data on all ‘material third-party arrangements.’ These can be outsourcing or non-outsourcing arrangements the failure of which would have a significant impact on their failure or disruption. Note that the Financial Conduct Authority or FCA is proposing a different approach, and will require notifications for all material third-party arrangements.  Also note that the PRA proposes requiring firms to maintain and submit a structured register of information on all of its material third-party arrangements.

Next steps

Implementation is scheduled for no earlier than the second half of 2026, with incident reports to be hosted by the FCA’s Connect portal. Responses to the consultation paper are due by 14 March 2025.

By Alix Prentice

Partner | Financial Regulation

The UK’s Financial Conduct Authority (“FCA”) and Prudential Regulation Authority (“PRA”) have issued a joint policy statement on their guidelines for the prudential assessment of acquisitions and increases in qualifying ‘controlling’ holdings in regulated firms (the “Policy Statement”).

The Policy Statement includes a new PRA Supervisory Statement on the prudential assessment of acquisitions and increases in control, along with new FCA non-Handbook guidance on the same. Included within the changes are help with identifying controllers within limited partnership structures and clarification on what constitutes ‘significant influence’ for the purposes of assigning control. Specific updates include:

A. Significant influence

Control can be obtained via a below-threshold stake in shares and/or voting power when that stake also entails possession of ‘significant influence.’ The Policy Statement includes clarifications to the effect that the key indicator is the ability to direct or influence decisions made by the board, which could be through a board appointment or through another arrangement.

B. Submitting the notification

In light of comments about PRA and FCA expectations of pre-notification engagement, the regulators have decided to maintain the existing list of examples when additional information may be required, and when prior engagement is encouraged so that notice givers may receive explanations of specific information requirements, for example, when a larger firm or group with a significant market share would be created. Note that no changes to the notification templates are proposed in the Policy Statement.

C. Limited partner and general partner structures

While the regulators continue to assess private equity structures and control matrices on a case-by-case basis, additional guidance is now included by the PRA and FCA to help notice givers identify controllers in limited partnership structures.

Implementation

The PRA and FCA’s guidance and supervisory statement became effective on 1 November 2024.

By Jodi L. Avergun

Partner | White Collar Defense and Investigations

By Christian Larson

Associate | White Collar Defense and Investigations

By Keyes Gilmer

Associate | Global Litigation

The U.S. Court of Appeals for the Fifth Circuit (the “Fifth Circuit”) granted the federal government’s motion and stayed enforcement of a lower court’s nationwide injunction against enforcement of the Corporate Transparency Act (“CTA”). As a result, filing of beneficial ownership information (“BOI”) reports with the Financial Crimes Enforcement Network (“FinCEN”) is once again mandatory for all non-exempt reporting companies. FinCEN, the government agency responsible for enforcement of the CTA, immediately announced that it will resume enforcement of the CTA and its BOI reporting deadlines, albeit with slight timeline adjustments.

On December 23, 2024, in Texas Top Cop Shop, Inc., et al. v. Garland, a three-judge panel of the Fifth Circuit stayed a Texas court’s recent nationwide preliminary injunction prohibiting the implementation of the CTA’s beneficial ownership filing requirements.¹ In doing so, the Fifth Circuit found that the government had “made a strong showing that it is likely to succeed on the merits in defending CTA’s constitutionality.”² The stay permits FinCEN to carry out enforcement of the law while the lawsuit filed in Texas proceeds on a regular schedule. Within hours of the decision, FinCEN published an alert announcing that corporate filers were required to comply with the CTA’s beneficial ownership reporting rules, but with the following adjustments to the CTA’s reporting deadlines:³

• Reporting companies that were created or registered prior to January 1, 2024 have until January 13, 2025 to file their initial BOI reports with FinCEN.
• Reporting companies that are created or registered in the United States on or after September 4, 2024 that had a filing deadline between December 3, 2024 and December 23, 2024 have until January 13, 2025 to file their initial BOI reports with FinCEN.
• Reporting companies created or registered in the United States on or after December 3, 2024 and on or before December 23, 2024 have an additional 21 days from their original filing deadline to file their initial BOI reports with FinCEN.
• Reporting companies that are created or registered in the United States on or after January 1, 2025 have 30 days to file their initial BOI reports with FinCEN after receiving actual or public notice that their creation or registration is effective.

Cadwalader previously commented on Texas Top Cop Shop and other decisions challenging the constitutionality of the CTA, three of which are currently pending in various federal courts. We will continue to monitor the developments in all of the pending lawsuits.