What do you do if you don’t feel like the federal government is sufficiently protecting consumers from financial services bad actors? If you’re an 800-pound California grizzly bear, you create a new financial regulator to do the job.
California’s proposed “mini-CFPB” – the Department of Financial Protection and Innovation (“DFPI”) – was put forth at the beginning of the year in California Governor Gavin Newsom’s proposed 2020-2021 state budget. In its proposal, the state cites a retreat in consumer protection by federal agencies, including the Consumer Financial Protection Bureau, additionally noting that agency’s susceptibility to potential constitutional challenge. The new DFPI would restructure and expand the current Department of Business Oversight (“DBO”) to achieve two goals: expand oversight and study emerging technologies, including virtual currencies.
The California Consumer Financial Protection Law (“CCFPL”) was introduced in January and progressed through the legislature until the COVID-19 pandemic hit the state in mid-March. The bill languished from March to June and it looked like the DFPI might never see the light of day. However, narrowly meeting a legislative deadline, the CCFPL was passed by the state legislature on Monday, August 31. If signed, the law will take effect on January 1, 2021. Governor Newsom is expected to sign the bill.
Addressing Consumer Protection Concerns
California has expressed its disappointment that federal oversight of financial services is fragmented and incomplete, leaving “consumers vulnerable to abuse.” For example, a few weeks ago, California Attorney General Xavier Becerra filed a lawsuit alleging a new Federal Deposit Insurance Corporation (“FDIC”) rule allows predatory lenders to evade state usury laws. That press release cites a series of other efforts Attorney General Becerra has made in the consumer protection space:
Last month, Attorney General Becerra filed a lawsuit against the federal Office of the Comptroller of the Currency (OCC) challenging a near-identical rule that exempts buyers of high-interest loans originated by a federally chartered bank from state interest-rate caps. Previously, in February 2020, Attorney General Becerra submitted a comment letter to the FDIC opposing its proposal to preempt state usury laws that regulate payday loans and other high-cost lending. In January 2020, Attorney General Becerra submitted a comment letter opposing the OCC’s proposal to exempt payday and other high-cost lenders from state usury laws. In October 2017, Attorney General Becerra issued a statement in support of the federal Consumer Financial Protection Bureau’s (CFPB) Payday Lending rule. In March 2019, he submitted a comment letter opposing a proposal by the CFPB to formally delay the implementation of its 2017 Payday Rule. Additionally, Attorney General Becerra filed an amicus brief in support of the consumer-plaintiff in De La Torre v. Cash Call successfully arguing that the interest rate of the loan may render it unconscionable under California law.
Viewed in context of the Attorney General’s actions, the creation of the DFPI seems a natural extension of California’s increasing regulatory and enforcement scrutiny of consumer protection issues.
Highlights of the CCFPL
- Applies to any person that offers or provides a consumer financial product or service to a California resident
- Prohibits unlawful, unfair, deceptive, or abusive acts or practices with respect to consumer financial products or services and prescribes rules and regulations defining unfair, deceptive, and abusive acts and practices for both consumer and commercial financial products
- Ensures accurate and clear disclosures of consumer financial products and services
- Authorizes penalties of up to $1,000,000 per day or $25,000 per act or omission in violation
While the DBO’s authority was limited to specified industries, transactions, and entities that were or should have been licensed, the DFPI will have authority over any “covered person,” defined as any person that “engages in offering or providing a consumer financial product or service to a resident of this state,” any service provider of a covered person, and any affiliate of a covered person acting as a service provider.1
Financial products and services encompasses ‘traditional’ financial services, including extensions of credit other than to an originator of consumer credit transactions; extending or brokering certain leases; real estate settlement services; deposit-taking activities; transmission, exchange, or otherwise custodying funds or financial instruments; selling, providing, or issuing stored value or payment instruments, except for sellers who do not exercise substantial control; check cashing, check collection, and check guarantee; certain financial advisory services offered in a regulated capacity, including credit and debt counseling and repair services; certain consumer reporting agencies; consumer debt collection; or brokering the offer or sale of a franchise. In addition to these, the CCFPL also includes financial data processors and in its regulatory authority. This final group may have broad implications, including entities that use “any technological means” to provide payments or other financial data processing products or services to a consumer, which means include “processing or storing financial or banking data for any payment instrument, or through any payment system or networks used for processing payment data, including payments made through an online banking system or mobile telecommunications network.”2 Financial data processing products and services do not include web hosting services and merchants or retailers who transmit or store consumer payment data for transactions between the merchant or retailer and that consumer.
The DFPI may further define financial products or services by regulation where doing so would frustrate an attempt to evade any consumer financial law or where such product or service may be offered by a financial institution that has or will likely have a material impact on consumers, as long as it is not exclusively for identity authentication, identity theft prevention and detection, document or public record retrieval, or related to anti-money laundering activities.
However, there are substantial carve-outs from this broad definition. As with most state-level financial regulations, the CCFPL will not apply to banks, bank holding companies, savings and loans, credit unions, or similar financial institutions chartered under federal law or the laws of another state. In addition, it will not apply to:
- Licensees of other state agencies (for example, insurance brokers licensed by the California Department of Insurance)
- Most licensees under the DBO acting under the authority of their license, including licensed escrow agents; licensed finance lenders, brokers, program administrators or mortgage loan originators; licensed broker-dealers or investment advisers; licensed residential mortgage lenders or mortgage servicers; licensed check sellers, bill payers, proraters; licensed capital access companies; or most licensees under the Financial Institutions Law.
- Merchants and other sellers of nonfinancial goods and services extending credit (a) that does not significantly exceed the fair market value of the good or service; (b) where the debt is not sold or assigned unless delinquent; and (c) such business does not regularly extend credit, as defined under the Truth in Lending Act (15 USC § 1601 et seq). Collections activity related to such delinquent debt is also excluded.
Notwithstanding these exclusions, several entities types will be swept under the new DFPI’s oversight, including licensees not included in the exemption list, like payday lenders licensed under the California Deferred Deposit Transaction Law and student loan servicers.
Expansion of Oversight: Unlawful, Unfair, Deceptive, or Abusive Acts or Practices
The CCFPL prohibits covered persons from engaging in any unlawful, unfair, deceptive, or abusive act or practice with respect to consumer financial products or services. This expands the previous ‘UDAP’ authority by adding a prohibition on abusive acts or practices and granting broad rulemaking authority to the DFPI. Rules prohibiting ‘UUDAAP’ must consider “the relative harm to the consumer, the frequency of the act or practice in question, and whether such act or practice is unintentional or stems from a technical, clerical, or nonmaterial error” and may include requirements for the purpose of preventing those acts or practices.3
Unlawful: Section 90003(a) of the new bill makes it unlawful to (a) offer or provide any nonconforming financial product or service; (b) not permit the DFPI to access or copy records; (c) not maintain records; or (d) not make reports or provide information to the DFPI.
Unfair or Deceptive: ‘Unfair’ and ‘deceptive’ are to be interpreted consistent with California’s unfair competition law (Cal. Bus. & Prof. Code § 17200) and related case law. The DFPI may also define unfair, deceptive, and abusive acts or practices in connection financial products by regulation. Such definition may include the offering or provision of financial products and services to small business recipients, nonprofits, and family farms, and data collection and reporting on the provision of commercial financing or other products and services.
Abusive: ‘Abusive’ is to be interpreted consistent with Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (12 USC § 5481), with inconsistencies in favor of the consumer. To be abusive, an act or practice must (a) materially interfere with a customer’s ability to understand a term or condition of a consumer financial product or service and (b) take unreasonable advance of a customer’s (i) lack of understanding of that product or service’s material risks, costs, or conditions; (ii) inability to protect him or herself in selecting or using such product; or (iii) reasonable reliance on a covered person to act in the consumer’s interest.4 This definition, the same as the one given in § 1031(d) of the Dodd-Frank Act, will likely lean on further clarity attempted in a policy statement issued by the CFPB in January of this year. In that statement, the CFPB stated an intent to focus on citing conduct as abusive where (a) the conduct’s harm outweighed its benefit; and (b) the factual basis is not identical to that used in alleging unfair or deceptive conduct; further, (c) the CFPB intends to limit the types of monetary relief to be sought for abusiveness violations where a good-faith effort was made to comply with the abusiveness standard.
The DFPI may also prescribe rules to ensure full, accurate, and effective disclosures to consumers “in a manner that permits consumers to understand the costs, benefits, and risks associated with the product or service, in light of the facts and circumstances.”5
The DFPI will be authorized to bring a civil action or “other appropriate procedures” against an entity “licensed, registered or subject to oversight by the DFPI” to enforce the CCFPL, the Consumer Financial Protection Act of 2010, or CFPB regulations. Such actions must be brought within four years of the date of discovery of the violation, except as otherwise permitted by equity or relevant law. The DFPI may also recover its costs if it prevails.
Specific enforcement powers include:
- Investigatory powers
- Subpoena powers
- Hearing powers
- Equitable remedies (reformation of contracts, public notification, limits on activities or functions, refunds or returns, revocation of licenses)
- Civil penalties (restitution, disgorgement or compensation for unjust enrichment, payments of damages)
- Monetary penalties for any violation of the CCFPL, rule, final order, or written condition issued by the DFPI, including:
- For any act or omission, the greater of $5000 per day or $2,500 per act
- For any reckless violation, no more $25,000 per day or $10,000 per act or omission
- For any knowing violation, no more than the lesser of 1% of the person’s total assets, $1,000,000 per day, or $25,000 per act or omission
The DFPI will also consider mitigating factors in imposing penalties, including the financial resources of the person charged, good faith of the person charged, gravity of the violation, severity of risks to or losses of consumers, and any history of previous violations.
The legislature has retained a level of oversight for itself. Each registration requirement sunsets after four years, at which time the legislature must conduct public hearings to address whether the registration requirement should be extended, revised, or terminated. The DFPI must also publish annual public reports on the DFPI’s actions, including findings of the newly established Financial Technology Innovation Office.
In addition to its expanded regulatory powers, the CCFPL requires the DFPI to establish a Financial Technology Innovation Office that:
- Investigates, researches, analyzes, and reports on markets for consumer financial products or services, including virtual currencies
- May develop and implement outreach and education programs to underserved consumers and communities
- May develop and implement initiatives to promote innovation, competition, and consumer access within financial services
Richard Cordray, the former CFPB director, has said that “it could be the most powerful year ever for consumer financial protections in California," depending, of course, on what happens.7 We will be carefully tracking progress to see if the expanded powers of the DFPI effectively balance regulation with business, and whether other states follow California in creating their own mini-CFPBs, as we have seen with the California Consumer Protection Act.
1. Cal. Fin. Code § 90005(f), as added by AB-1864, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1864.
2. Id. at § 90005(k)(7).
3. Id. at § 90009(c).
5. Id. at 90009(d).
6. Id. at § 90006(d).
7. Berry, “Banks, consumer groups both got what they wanted in ‘mini-CFPB’ bill.”