On July 26, 2023, the Consumer Financial Protection Bureau (“CFPB”) published its periodic Supervisory Highlights, summer edition. These most recent Supervisory Highlights shed light on a range of unfair, deceptive, and abusive practices across various consumer financial products. From July 2022 to March 2023, the CFPB conducted supervisory examinations, uncovering concerning trends that demanded attention and action. For the first time, the CFPB's Supervisory Highlights report includes insights from its Supervision information technology program, which focused on the critical role technology plays in the financial services industry and its impact on regulatory compliance.

This comprehensive Supervisory Highlight report focuses on a wide range of critical areas within the consumer financial services industry, including (1) auto origination, (2) auto servicing, (3) consumer reporting, (4) debt collection, (5) deposits, (6) fair lending, (7) information technology, (8) mortgage origination, (9) mortgage servicing, (10) payday and small-dollar lending, and (11) remittances. As previously stated, these examinations were conducted between July 1, 2022, and March 31, 2023, and offered a detailed overview of the industry's compliance landscape during this period.

Key findings by the CFPB:

1. Auto Origination

CFPB examiners discovered instances where consumers were misled by auto lenders in marketing materials about the quality of the cars that they were eligible to purchase under certain auto loan offers. The vehicles depicted in the ads were often larger, more expensive, and newer than what the advertised loan offers actually covered, leading to confusion and dissatisfaction among consumers.

2. Auto Servicing

The CFPB identified abusive practices among loan servicers, including charging fraudulent interest on inflated loan balances. These servicers based interest calculations on false representations by dealers regarding the vehicle's options and enhancements, even when such features were nonexistent. Consumers found themselves paying more than they should have, trapped in a cycle of debt.

CFPB examiners also found that servicers canceled automatic payments without sufficient notice, resulting in unavoidable late fees for consumers who had consistently paid their balances automatically for years. Then, after repossession, servicers engaged in illegal collection practices, enforcing blanket cross-collateralization by requiring payments on unrelated debts before consumers could retrieve their repossessed vehicles.

3. Consumer Reporting

The CFPB’s examination findings revealed multiple deficiencies in Consumer Reporting Companies’ (CRCs) procedures, most notably the failure to maintain an adequate process for re-assessing end-users' permissible purpose(s) when indicators of improper consumer report usage by an end-user surfaced. This lack of oversight created a heightened risk of unauthorized disclosures, jeopardizing the privacy and security of consumers' sensitive data.

In some instances, CFPB examiners discovered that these deficiencies resulted in CRCs furnishing consumer reports to end-users despite having reasonable grounds to believe that the end-users lacked the required permissible purpose. The CFPB found that such lapses in compliance posed significant risks to consumer privacy, potentially allowing sensitive information to fall into the wrong hands.

4. Debt Collection

Medical debt collection was another area of concern highlighted in the report. The CFPB examiners found that debt collectors continued their collection attempts on work-related medical debt despite having sufficient information to render the debt uncollectible under state worker's compensation laws. The report concludes that these debt collectors violated the Fair Debt Collection Practices Act through false representation, harassment, and deceptive practices, causing distress to consumers already burdened by medical expenses.

5. Deposits

The CFPB examined certain financial institutions and found that when a consumer's checking account had insufficient funds for a transaction, these institutions would transfer funds from the consumer's line of credit to cover the transaction, along with assessing a line of credit transfer fee and interest on the extended credit amount. In cases where the line of credit did not have sufficient funds, the transaction would be denied, resulting in a non-sufficient funds (NSF) fee being charged. Surprisingly, the institutions also assessed a line of credit transfer fee on top of the NSF fee for the same denied transaction.

The CFPB found that charging both the NSF and line of credit transfer fees on the same transaction was an unfair act or practice. This double fee imposition caused substantial harm to consumers, as those enrolled in the line of credit program were charged two fees, while non-enrolled consumers only incurred a single fee for a denied transaction. The report explains that this automated process of charging double fees lacked transparency, and consumers had no reasonable means of avoiding this substantial injury.

The CFPB objectively reported that the supervised institutions argued that they had safeguards in place to prevent assessing both fees on the same day. However, the CFPB found that the way their systems posted NSF fees resulted in the fees being incurred on different days, even though they were part of the same transaction. As a result of the CFPB's findings, the institutions committed to making system changes and agreed to refund $113,358 to 4,147 affected consumers. To resolve the issue, the institutions additionally eliminated NSF fees for unpaid transactions entirely, ensuring fair treatment for all consumers and avoiding the double fee problem altogether.

6. Fair Lending

The Equal Credit Opportunity Act (ECOA) strictly forbids creditors from engaging in any form of discrimination against credit applicants based on race, sex, color, religion, national origin, sexual orientation, gender identity, marital status, or age (as long as the applicant is capable of entering into a contract). Discrimination is also prohibited if an applicant's income comes from any public assistance program or if the applicant has legitimately exercised any right under the Consumer Credit Protection Act.

The CFPB examiners found that proper documentation of exception requests and adherence to lender policies were lacking in some cases, emphasizing the need for lenders to establish more robust policies, guidelines, and transparent practices to ensure compliance with the ECOA and Regulation B and uphold consumer protection standards. During CFPB supervisory examinations, certain lenders were found to have policies and procedures that permitted pricing exceptions, including exceptions for competitive offers, resulting in statistically significant disparities in granting these exceptions to borrowers.

Weaknesses in lenders' policies, lack of oversight, and failure to take corrective action contributed to observed disparities without evidence of legitimate reasons justifying the discrepancies. Some policies lacked proper documentation requirements for exception requests, hindering monitoring and verification, while others granted loan officers discretionary pricing authority without competitive offer documentation or management approval. The CFPB found that proper compliance training was also lacking.

7. Information Technology

The CFPB's Supervision Program is responsible for evaluating information technology controls at supervised institutions to ensure compliance with Federal consumer financial law and safeguard consumers from potential risks. The effectiveness of these controls in detecting and preventing data breaches and cyberattacks is thoroughly assessed by the CFPB. During examinations, CFPB examiners identified instances where institutions engaged in unfair acts or practices, violating the Consumer Financial Protection Act (CFPA) due to their failure to implement adequate information technology controls that could have prevented or mitigated cyberattacks.

In particular, the CFPB report notes that the password management policies of these institutions for specific online accounts showed weaknesses. They also lacked sufficient controls concerning log-in attempts, and there was inadequate implementation of multi-factor authentication or a reasonable alternative for consumer accounts. The CFPB found that these weaknesses could lead to violations of the law, including the prohibition against engaging in Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs).

8. Mortgage Origination

The CFPB conducted assessments of several supervised institutions' mortgage origination operations to ensure compliance with Federal consumer financial laws, including Regulation Z. One area of examination focused on loan originator compensation, where Regulation Z prohibits compensation based on the terms of a transaction. The CFPB clarified that differentiation in compensation based on credit product types, as products are merely bundles of specific terms, is impermissible. Some institutions violated Regulation Z by compensating loan originators differently for brokered-out mortgage products not offered in-house compared to in-house loans. This practice was in conflict with the regulation's requirements. In response to the CFPB's findings, the institutions have since adjusted their compensation plans to adhere to Regulation Z guidelines.

9. Mortgage Servicing

Examiners discovered UDAAP and regulatory violations among mortgage servicers, particularly during the loss mitigation and servicing transfer processes, as well as payment posting procedures.

Regarding loss mitigation timing, some servicers violated Regulation X by not evaluating complete loss mitigation applications within 30 days of receipt, as required. Additionally, some servicers evaluated applications within the specified timeframe but failed to provide the required written notices to borrowers within 30 days. In response to these findings, servicers enhanced their policies and provided additional training to rectify the issues.

Examiners also identified an unfair act or practice where servicers delayed processing borrower requests to enroll in loss mitigation options, including pandemic-related forbearance extensions, due to incomplete applications. These delays, which ranged up to six months, caused significant harm to borrowers, leading to prolonged delinquency, late fees, default notices, and negative credit reporting. The CFPB found that the servicers' delays exposed borrowers to potential financial injuries, as they could not reasonably avoid these issues given their reliance on the servicers' handling of the applications. The harm to consumers outweighed any potential benefits to consumers or competition. In response to these findings, servicers ceased the unfair practice and implemented improved policies and procedures to ensure timely processing of loss mitigation applications and provide borrowers with appropriate options.

10. Payday and Small Dollar Lending

Payday lenders were also found to have engaged in unfair and abusive collection practices. Some lenders included language in loan agreements that prevented consumers from revoking consent for contact regarding outstanding balances. According to the report, false collection threats were common, with lenders falsely claiming the authority to garnish wages. In some instances, unauthorized wage deductions were made, leaving consumers confused and taken advantage of, according to the report.

11. Remittances

The CFPB examined both depository and non-depository institutions for compliance with the Electronic Funds Transfer Act (EFTA) and its implementing Regulation E, including Subpart B (Remittance Rule). The Remittance Rule mandates that remittance transfer providers must establish and maintain written policies and procedures to ensure compliance with error resolution requirements related to remittance transfers. However, the CFPB founds that some institutions failed to develop specific policies to adhere to these requirements, which has been an ongoing issue highlighted in previous editions of Supervisory Highlights.

For instance, some institutions used their anti-money laundering compliance policy as a substitute for a dedicated Remittance Rule policy. Although these policies covered some basics, they lacked detailed guidance for employees to differentiate between notices of error, which have specific Remittance Rule requirements, and other complaints. Additionally, they did not clearly outline the required notifications to consumers based on error determinations. Some institutions had manuals indicating awareness of the Remittance Rule, but their procedures did not provide sufficient guidance for employees to consistently and compliantly resolve error notices. The report explains that merely reciting the Remittance Rule requirements without comprehensive instructions for compliance falls short of ensuring full compliance as mandated by the Remittance Rule.

In addition to the above findings, the CFPB's supervisory efforts led to enforcement actions, including a settlement with Citizens Bank on May 23, 2023. The settlement addressed allegations of violations of consumer financial protection laws related to the handling of credit card disputes and fraud claims. The CFPB accused Citizens Bank of inadequately managing and responding to such customer disputes. As part of the settlement, Citizens Bank agreed to pay a $9 million civil money penalty to resolve the matter.