CFPB 2018 Year in Review, and What to Expect in 2019

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP

Let’s call it molasses. Because that is what the Trump administration figuratively poured into the consumer protection engine known as the CFPB. 

The Dodd-Frank Act created a monster, and a highly effective one. The Bureau of Consumer Financial Protection (the formal moniker of the CFPB, or Bureau) shut down bad actors, dealing harshly with some of the worst abusers. Enforcement actions were plentiful, and the CFPB used all the tools available to an aggressive prudential regulator to pressure regulated entities, including national banks, into cleaning up practices that the CFPB believed caused significant harm to consumers. 

But the Trump administration’s act of vandalism was not necessarily such a bad thing because the CFPB and its all-powerful director had become a tyrant, replacing the quiet but (mostly) effective prudential banking regulators with an insatiable beast that regulated through harsh, often devastating, enforcement actions, complete with huge civil monetary penalties and disgorgement, resulting in devastating fines and, quite often, unfair damage to reputations.

In November 2017, Obama appointee Richard Cordray announced that he was stepping down as director of the CFPB. President Trump moved quickly to name his Office of Management and Budget (OMB) director, Mick Mulvaney, as acting director. Before being named to the position, Mulvaney had harshly criticized the Bureau, so his appointment was met with concern within the agency and from consumer groups. For his part, Mulvaney continued to criticize the broad powers held by the CFPB, saying that the authority wielded by the director of the CFPB “should frighten people.”

CFPB Standstill?

One of Mulvaney’s first actions as acting director was to put a temporary hold on all regulatory and enforcement actions while he subjected them to review. And he took these steps while cutting funding, taking the unusual step in early 2018 of requesting zero dollars for Bureau activities.

Mulvaney also withstood a challenge to his position by Deputy Director Leandra English, whose lawsuit seeking status of acting director failed in the courts and was later dropped. English later resigned from the Bureau.

New Appointments, a Name Change and … a New Mission?

One early action was to add a layer of GOP political appointees above the career regulators who were already running the show at the CFPB. At least one of those appointees created controversy when it was learned that Eric Blankenstein, policy director of supervision, enforcement and fair lending, had in the past authored blog posts where he discussed racial slurs and seemingly suggested that most hate crimes were “hoaxes.”

Mulvaney made a number of additional early changes. First, he changed how the Bureau describes itself in press releases, adding as its primary mission to “help[] consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations.” Next, in a curious move, Mulvaney decided that the CFPB would henceforth be known as the BCFP because Congress established a Bureau of Consumer Financial Protection, and he even changed the signage at the door. (Although the name never stuck, and was ultimately dropped by the end of the year, the BCFP/CFPB issue was a distraction for many.)

In addition, the Bureau announced that it would start issuing a series of “requests for information” on a variety of topics to determine whether the Bureau is “fulfilling its proper and appropriate functions to best protect consumers.” The requests for information (RFIs) continued rapid-fire throughout 2018, and we discussed many of them here. The RFIs—which represent just one of the many ways Mulvaney sought to dramatically reshape the CFPB—offered both the public and covered entities a chance to weigh in on almost every aspect of the CFPB’s enforcement, supervision, rulemaking and education activities. While the information generated by this RFI process may theoretically have a significant impact on the future direction of the CFPB, it is unclear how significant these RFIs will be until at least next year, including under the new permanent director (discussed below). 

Not Just Ending Regulation by Enforcement

In late January, Mulvaney announced to staffers, and then in a major op-ed piece, that he was bringing an end to the CFPB’s much-criticized regulation by enforcement. Mulvaney’s comment was a simple yet compelling one: “[T]he people we regulate should have the right to know what the rules are before being charged with breaking them.” Mulvaney took this one step further in August 2018, when he announced at a meeting of the Mortgage Bankers Association that “regulation by enforcement is done.”

But Mulvaney did not end there. First, he pushed one enforcement tool down the halls, at least temporarily. In early 2018, he announced that the Office of Fair Lending and Equal Opportunity will move from the CFPB’s Supervision, Enforcement and Fair Lending Division to the Office of the Director, where the former enforcers would instead focus on “advocacy, coordination and education,” and would no longer have responsibility for enforcement or the day-to-day oversight of companies.

In May 2018, Mulvaney moved again. This time, he announced to staff that he was effectively dismantling the CFPB’s Office for Students and Young Consumers, removing all functions except consumer education.

And in August 2018 we learned that, in perhaps his most controversial action as acting director, Mulvaney intended to cease supervisory examinations of the Military Lending Act (MLA), taking the position the law does not provide the Bureau with the authority to examine financial institutions for compliance with the statute. According to “internal agency documents” obtained by The New York Times, Mulvaney signed off on a two-page change to CFPB policy stating that “proactive oversight [of the MLA] is not explicitly laid out in the legislation.” Not surprisingly, controversy ensued. All 49 Democratic senators sent a letter to Mulvaney, asking that he reconsider his position. “The CFPB should not be abandoning its duty to protect our servicemembers and their families, and we seek your commitment that you will utilize all of the authorities available to the CFPB to ensure that servicemembers and their families continue to receive all of their MLA protections,” the lawmakers wrote.

In August, the CFPB joined four other regulators, issuing an interagency statement on the use of guidance in enforcement actions. “Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance,” the five regulators wrote. “Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.”


In July 2018, in a push for new products and services in the financial services industry, Mulvaney announced the creation of the Office of Innovation, with Paul Watkins to lead it. Former CFPB Director Cordray had, during his tenure, created Project Catalyst, a program aimed at encouraging “consumer-friendly innovations,” but little came of it. Project Catalyst was transitioned into the new office, and the new office became focused on “creating policies to facilitate innovation, engaging with entrepreneurs and regulators and reviewing outdated or unnecessary regulations.”

In September, the newly established Office of Innovation issued a proposal for the creation of a “Disclosure Sandbox,” aimed at encouraging trial disclosure programs. Amending a policy created in 2013, the Bureau proposed to deem a covered person conducting a trial disclosure program to be in compliance with or exempt from a requirement of a CFPB rule or certain federal laws. To encourage companies to test new disclosures, the revised policy would streamline the application and review process “to focus on the quality and persuasiveness of the application,” the Bureau said, with a grant or denial of the application within 60 days of submission.

Critics quickly attacked the proposal; for example, consumer groups argued that the Bureau lacked authority to waive disclosure requirements mandated by law. Some Democratic state AGs joined in the fight, arguing, “The proposed Disclosure Sandbox allows the Bureau to broadly grant waivers for any specified reason, with minimal to no consumer safeguards, without transparency, and for potentially indefinite periods of time.”

Congressional Review Act Knocks Out CFPB Moves

Even before Mulvaney came into office, Congress started using its own set of tools to slow the gears at the CFPB. In 2017, empowered by President Trump’s control of the White House, Congress vacated the CFPB’s controversial arbitration rule (which would have largely struck down consumer arbitrations across all industries). And, in early 2018, Congress attempted the same with the Payday Rule. That consideration was later mooted by the Bureau’s own actions (see below).

Another controversial area, the Bureau’s auto lending guidance, went out the door in May 2018. Back in 2013, the CFPB released Bulletin 2013-02, providing guidance to indirect auto financing companies and taking the position that the practice of “dealer markups” would be challenged by the Bureau under a disparate impact theory of discrimination. But critics charged, with some justification, the CFPB with overstepping its bounds, particularly as the Bureau released the guidance without a public notice and comment period. In May, lawmakers used the Congressional Review Act to reject it.

Rules Changes and Delays

The Mulvaney-led CFPB also undertook a number of changes to prior Bureau rulemaking, most of which were welcomed by industry.

Payday Rule: Another high-profile inheritance from the prior administration is the Payday, Vehicle Title and Certain High-Cost Installment Loans Rule. The rule, among other new consumer protections, declares it an “unfair and abusive practice” for any lender to make covered short-term or longer-term balloon payment loans before reasonably determining that consumers have the ability to repay the loans according to their terms. In January 2018, the CFPB advised that it “intends to engage in a rulemaking process so that the Bureau may reconsider the Payday Rule.” The timing was unusual in that the announcement date (January 16, 2018) had been intended to be the effective date for the new rule. Thereafter, in June, two industry groups filed suit, arguing that the Bureau failed to comply with the Administrative Procedure Act when it promulgated the rule.

In late October, the CFPB formally announced its plans to reconsider the Payday Rule, saying it would issue a proposal in January 2019. “The Bureau will make final decisions regarding the scope of the proposal closer to the issuance of the proposed rules,” according to the statement. “However, the Bureau is currently planning to propose revisiting only the ability-to-repay provisions and not the payments provisions, in significant part because the ability-to-repay provisions have much greater consequences for both consumers and industry than the payment provisions.”

Prepaid Rule: Back in December 2017, the CFPB issued a cryptic statement concerning its 2016 rule governing prepaid accounts, noting simply that it “expects to issue a final rule amending certain aspects” of that rule. In so doing, the CFPB will likewise extend the rule’s effective date to April 1, 2019. And the CFPB did exactly that within a few weeks thereafter, fixing the worst issues in what had been a flawed new rule. The changes include (1) revising the error resolution and limited liability provisions of the Prepaid Accounts Rule in Regulation E to provide that financial institutions are not required to resolve errors or limit consumers’ liability on unverified prepaid accounts, (2) creating a limited exception to the credit-related provisions of the Prepaid Accounts Rule in Regulation Z for certain business arrangements between prepaid account issuers and credit card issuers that offer traditional credit card products, and (3) making clarifications or minor adjustments to provisions of the Prepaid Accounts Rule in Regulation E related to an exclusion from the definition of a prepaid account, unsolicited issuance of access devices, several aspects of the rule’s preacquisition disclosure requirements and submission of prepaid account agreements to the CFPB.

Mortgage Servicing Rule: The Bureau also made progress on its clarification of the Mortgage Servicing Final Rule, amending Regulation X. Issued in 2016, the final rule required services to send written notices (known as “early intervention notices”) to certain consumers at risk of foreclosure who requested a cease in communications under the Fair Debt Collection Practices Act (FDCPA). The finalized rule provides mortgage servicers with a ten-day window to provide the modified notice at the end of the 180-day period and “gives mortgage servicers more latitude in providing periodic statements to consumers entering or exiting bankruptcy.”

The CFPB also finalized amendments to Regulation P, providing financial institutions with an exemption from sending annual privacy notices to consumers, if certain conditions are met. The Gramm-Leach-Bliley Act (GLBA) and Regulation P mandate that banks provide consumers with privacy notices that describe whether and how the institution shares consumers’ nonpublic personal information with third parties and how the bank protects the information that it collects and maintains. Banks and other “financial institutions” under GLBA are required to provide an initial notice and generally required to provide annual notices.

Court Battles Over Constitutionality

In late January 2018, in a divided ruling in PHH Corp. v. CFPB, of the entire U.S. Court of Appeals, D.C. Circuit, the court held that the CFPB structure is indeed constitutional, reflecting a legislative desire to establish a truly independent agency. The ruling reversed a key ruling in an earlier three-judge decision by then-Judge (now Justice) Brett Kavanaugh, while reinstating the earlier panel’s rejection of the CFPB’s “absurd” analysis of the anti-kickback provisions of the Real Estate Settlement Procedures Act (RESPA). In June 2018, the CFPB formally dismissed the enforcement action

In June 2018, in the RD Legal Funding case, a New York-based federal judge dismissed the CFPB from a suit it joined with the New York attorney general, ruling that the structure of the Bureau is unconstitutional. In a 104-page ruling, Judge Loretta Preska agreed with Judge Kavanaugh that the CFPB “is unconstitutionally structured because it is an independent agency that exercises substantial executive power and is headed by a single Director.” Surprisingly, however, the court took it one step further, rejecting Judge Kavanaugh’s opinion that the remedy was to “invalidate and sever the for-cause removal provision and hold that the Director of the CFPB may be supervised, directed, and removed at will by the President.” Instead, the judge adopted Judge Karen Henderson’s dissent, arguing that “the presumption of severability is rebutted here. A severability clause ‘does not give the court power to amend’ a statute. Nor is it a license to cut out the ‘heart’ of a statute.” The case is now on appeal to the Second Circuit after that court agreed that Judge Preska’s decision was effectively a “final judgment” as to the CFPB. As we discussed back in August 2018, the Second Circuit could end up concurring with the D.C. Circuit’s opinion in PHH Corp. v. CFPB, which found the structure constitutional, or it could create a circuit split if the panel elects to affirm Judge Preska, among other scenarios. A split, of course, could lead to review by the Supreme Court.

Further muddying the waters, the Fifth Circuit, in CFPB v. All American Check Cashing, is currently considering the issue in an interlocutory appeal involving a check cashing company that challenged the constitutionality of the CFPB, only to have a Texas federal court side with the Bureau. Noting that the issue is one of “exceptional importance”—and hinges in part on a recent Fifth Circuit opinion that found the structure of the Federal Housing Finance Agency unconstitutional—the company has been granted a hearing of the en banc panel. The CFPB’s opposition brief argues that its structure is constitutional, and disputes the holding in RD Legal Funding. Oral argument is set for March 11, 2019.

2018 Enforcement Activity

Although it did not come to a complete standstill, enforcement activity dropped dramatically in 2018 to fewer than a dozen reported public actions.

And the CFPB likewise dropped a number of higher-profile cases. In addition to dismissing a suit against tribal lenders, the CFPB dropped its claims against online real estate titan Zillow. Back in 2017, the CFPB told Zillow that it was considering legal action arising out of Zillow’s practice of permitting mortgage lenders to pay a portion of a real estate agent’s Zillow advertising budget in exchange for touting the mortgage lender. Somewhat similar practices resulted in a RESPA-based enforcement action against a Los Angeles-based mortgage lender during the Cordray era. Much to the industry’s surprise, however, the Mulvaney-led CFPB dropped its investigation into Zillow’s co-marketing practices. The CFPB made no announcement of that decision, but Zillow itself released a public statement to that effect. Left unresolved by the no-action posture is whether the type of co-marketing practices adopted by Zillow are prohibited by RESPA’s anti-kickback provisions.

In April 2018, Mulvaney presided over a $1 billion penalty—one of the largest ever imposed—against one of the nation’s largest banks. As described in the consent order, the Bureau found that the bank violated the Consumer Financial Protection Act (CFPA) in the way it administered a mandatory insurance program related to its auto loans, and in the manner in which it charged certain borrowers for mortgage interest rate-lock extensions. Under the terms of the consent orders, the bank was likewise required to remediate harmed consumers and undertake certain activities related to its risk management and compliance management. The one bright spot for the bank: Mulvaney allowed the bank to offset $500 million of the penalty against the amount the bank was already paying the Office of the Comptroller of the Currency (OCC) for the same alleged violations.

But not every bank paid stiff fines. Indeed, one of the nation’s largest banks avoided civil monetary penalties in a CFPB enforcement action. However, the bank agreed to correct its actions going forward and will refund about $335 million to 1.75 million credit card customers who were allegedly overcharged on interest payments. According to the consent order, for nearly a decade, the bank did not conduct required re-evaluations that would have resulted in reduced annual percentage rates. 

A South Carolina-based lender reached a $5 million deal with the CFPB over allegations it violated the CFPA, the Fair Credit Reporting Act (FCRA) and Regulation V. The CFPB consent order asserts that the company made humiliating and harassing in-person collection visits to consumers’ homes, among other wrongful conduct. In addition, the lender regularly furnished inaccurate and incomplete information about consumers to credit reporting agencies, the CFPB claimed

In July, a kinder, gentler Bureau announced a settlement with a Kansas-based company that used a network of debt collection companies to collect consumer debt. Some of these companies engaged in “frequent” unlawful debt collection acts and practices that harmed consumers, the CFPB alleged, such as representing that consumers owed more than they were legally required to pay or threatening consumers and their family members with lawsuits or arrest. Despite knowledge of these illegal consumer debt collection practices by the third-party collectors, the company continued placing debt with the third parties, even selling millions of dollars of debt to one of them with knowledge or reckless disregard of the company’s illegal practices, the Bureau charged. Pursuant to the consent order, for the violations of the CFPA and the FDCPA, a judgment of $3 million in civil money penalties was imposed both against the company and against its CEO, for a total of $6 million. However, full payment was suspended to just $500,000 and $300,000, respectively.

In August, a bank entered into a consent order arising out of an enforcement matter that was first filed in January 2017. At the time, the CFPB accused the bank of violating the prohibitions on deceptive and abusive conduct in the CFPA and the Electronic Fund Transfer Act (EFTA) with regard to the bank’s overdraft fees on one-time debit purchases and ATM withdrawals. According to the CFPB, the bank made consent to the overdraft fees appear mandatory for new customers and hid the fees that were charged. Under the consent order, the bank agreed to send all current customers who opted in before May 1, 2015, a letter with information about overdrafts and overdraft fees, and to reach out to all consumer reporting agencies to which it furnished information reflecting the overdraft fees of affected consumers within the past seven years to request that the information be corrected. The bank also represented that it will not require its employees to generate a specific number or percentage of opt-ins or provide employees direct or indirect financial incentives based on achieving a set goal of opt-in customers. Finally, the bank set aside $25 million to provide restitution and paid a $5 million civil penalty, but the CFPB allowed the bank to remit $3 million of that because of an earlier, separate $3 million penalty payment to the OCC in connection with the same conduct.

Also in August, a Missouri federal court entered an order effectuating a deal between the Bureau and two individuals over alleged violations of the CFPA, Truth in Lending Act and EFTA. The CFPB said the defendants (a father-and-son duo) obtained consumers’ personal and financial information from third-party data brokers and used the information to access consumers’ bank accounts without authorization. A judgment of more than $69 million included in the order was suspended in light of the defendants’ limited ability to pay upon forfeiture of $14 million in assets and payment of a $1 civil penalty

It took nearly ten months, until September 2018, for the CFPB to file its first enforcement action of the Mulvaney era. (All prior matters had been commenced in the Cordray era.) The first filing targeted a company that offered pension advance products. According to the Bureau, some customers were required to pay back advances at an annualized cost of 183 percent and incurred multiple fees, such as monthly management fees, a $300 setup fee and 1.5 percent late fees. That same company was separately hit with similar claims by the Virginia AG, resulting in a large default judgment after the company failed to defend.

In October, looking much like the old CFPB, the Bureau settled an enforcement action with a Tennessee-based small-dollar lender that included both restitution and a civil monetary penalty. The consent order notes that the lender violated the CFPA by sending collection letters threatening borrowers with legal action even where the applicable statute of limitations to collect the debt was expired, the CFPB said. In addition, the lender allegedly withheld funds during check-cashing transactions to satisfy outstanding amounts on prior loans without disclosing the practice to borrowers prior to the transaction. Pursuant to the consent order, the lender is prohibited from misrepresenting its consumer reporting activities and its intention (or likelihood) of filing suit to collect a debt; deducting money from check-cashing transactions is also prohibited unless certain conditions—including adequate disclosures—are met. The lender must also pay a modest amount for restitution, plus a $200,000 civil money penalty.

In November, in a settlement with the consumer lending unit of a major foreign bank with U.S. operations, the CFPB secured nearly $12 million in consumer refunds and penalties. After reviewing certain lending and marketing practices of the nondepository consumer financial services company, the Bureau identified violations of the CFPA. During the relevant period, the company allegedly marketed an add-on product known as S-GUARD GAP to cover the “gap” between a consumer’s primary auto insurance payout and the outstanding auto loan balance in the event a consumer suffered a total loss of his or her vehicle. But consumers who purchased the product for a loan that had a loan-to-value ratio greater than 125 percent would not receive the “true full coverage” promised by the company. To settle the CFPB’s charges, the company agreed to provide roughly $9.29 million in restitution to approximately 3,493 consumers (including an estimated $7.3 million in statement credits) who purchased the add-on S-GUARD GAP product. The company will also pay a $2.5 million civil penalty. Such CFPB actions involving the marketing of so-called add-on products were a major thrust of the Cordray era, and this action shows that add-on practices can still trigger CFPB action.

In December, the Bureau reached a deal with the bank arm of a major insurance company over allegations the bank violated the FCRA and the CFPA by obtaining consumer reports without a permissible purpose, furnishing to consumer reporting agencies (CRAs) consumer credit information it knew or had cause to believe was inaccurate, and failing to promptly correct or update the information provided to CRAs. The consent order prohibits future violations and requires the company to implement and maintain reasonable written policies and procedures. Of interest to many, the consent order calls for neither restitution nor any civil monetary penalties. 

In an action involving a nonbank mortgage company, the CFPB asserted that a company misled veterans about its so-called Interest Rate Reduction Refinancing Loans by overstating the benefits of refinancing. A proposed stipulated final judgment and order will require the company to pay $268,869 in redress and a civil penalty of $260,000.

Other Litigation

In CFPB v. Nationwide Biweekly Administration, Inc., a California federal district court affirmed a nearly $8 million civil monetary penalty and the imposition of injunctive relief. Under the defendant’s so-called Interest Minimizer program, it debited an amount equal to one-half of a consumer’s monthly home mortgage payment every two weeks. The company promoted the financial services product as an opportunity to save thousands of dollars the consumer otherwise would have paid in loan interest, as the format resulted in 26 debits per year, or one extra mortgage payment. Following a seven-day bench trial, the court issued a mixed decision, affirming a nearly $8 million monetary penalty but declining to order restitution of almost $74 million.

In July, the Bureau lost its battle with a law firm. According to an earlier complaint filed by the CFPB, an Ohio law firm allegedly violated the CFPA and FDCPA with debt collection letters that falsely implied that attorneys were “meaningfully involved” in the collection of debts. But the court disagreed. While a letter may be deemed deceptive even if the statements contained therein are literally true, both an advisory jury and U.S. District Judge Donald C. Nugent determined that the letters were not deceptive because lawyers at the firm actually were meaningfully involved in the collection of debts. The court likewise noted that the CFPB offered no evidence to show that any consumer was harmed by the law firm’s practice of identifying itself as a law firm in the demand letters, that any consumer did or would be inclined to prioritize payment for the debts referenced in the demand letters over any other debt they may have owed, or that any consumer was or would be induced to pay the amount sought in the demand letters even if they did not owe the debt.

Amicus Activity

During the Cordray era, the CFPB was extraordinarily active in so-called friend of the court filings, taking numerous positions, and always in support of consumers. Those filings largely, but not completely, ended when Mulvaney took control. In an interesting move, the Bureau sided with the industry defendant in an amicus brief filed with the Supreme Court in an FDCPA case set for oral argument next spring. The justices agreed to answer the question of whether the statute applies to nonjudicial foreclosure proceedings in Obduskey v. McCarthy & Holthus LLP, where the Tenth Circuit ruled that a law firm hired to pursue such a foreclosure was not a debt collector under the FDCPA.

Director Kraninger Confirmed by Senate

Back in June, we correctly predicted that Trump would nominate Kathy Kraninger as the next CFPB director. Largely a career congressional staffer on the appropriations side, Kraninger held a prior position at OMB, where she reported to Mulvaney as program associate director for general government. She graduated from Georgetown Law School in 2007 and was described by one admirer as “a good communicator, a brilliant and quick thinker” with “the ability to work on long-term issues while simultaneously handling short-term crises.” Kraninger also survived a mini-crisis when it was learned that she may have spearheaded the Trump administration policies on family separations at the border.

After multiple delays, the Senate Banking Committee approved Kraninger by a vote of 13 to 12 along party lines in September 2018, sending her nomination to the full Senate for consideration. The movement then stalled until, with the Republican majority assured following the midterm elections, Sen. Mitch McConnell (R-Ky.) filed cloture just prior to Thanksgiving, and Kraninger was narrowly confirmed on a party-line vote.

What to Expect in 2019

So, what will 2019 offer for CFPB followers?

On December 10, Kathy Kraninger was sworn in as director of the CFPB. Subject to pending litigation discussed above regarding challenges to the constitutionality of the Bureau, including possible severing of the “for cause” requirement for removal of the director, she begins a five-year term as leader of the Bureau.

Many assume that Kraninger, as a close associate and former subordinate of Mulvaney, will continue the tone and approach Mulvaney set at the CFPB. However, her first day on the job did not involve the theatrics of Mulvaney’s first day (which in fairness was due in significant part to the then-pending battle with Ms. English). And in brief remarks with reporters, she did seem to signal that she would take a different path forward than that of Mulvaney, and while there is no chance that she will be the second coming of Cordray, she did state, “I think Congress gave us the full panoply of tools, and we will use them. Where there are bad actors we will absolutely take enforcement actions to the fullest extent of the law.” While this suggests a possible return to the balanced approach taken by the prudential regulators in the pre-CFPB days discussed above, similar words were spoken by Mulvaney early in his tenure.

In this regard, Kraninger scrapped the initiative begun by Mulvaney to brand the Bureau as the BCFP instead of the CFPB. The move to retain the CFPB initialism had the support of industry, based on a Bureau internal analysis that the change to BCFP would result in estimated costs of as much of $300 million, as well as the support of consumer groups. Accordingly, this action by Kraninger was a noncontroversial way for her to signal that she will be her own person.

Kraninger’s approach may reflect the reality of Democrats taking control of the House in the midterms and their assumption of the chairs of various House committees. Chief among those from the CFPB’s standpoint will be the House Financial Services Committee, likely to be led by Rep. Maxine Waters. Although hope springs eternal, in these politically charged times and with a presidential contest in less than two years, it is hard to imagine that there will not be major battles between House Democrats and CFPB leadership in 2019.

However Kraninger chooses to proceed, we have plainly seen a reordering of priorities within the Bureau, and that probably means an uptick in civil investigative demands, but this time directed at whatever targets to which the new Bureau decides to turn its attention. One potential target would be some segments of the reverse mortgage lending industry, where the CFPB has been uncharacteristically quiet to date.     

So 2019 may look much like 2018 for the CFPB, with a few caveats: 

First, pending appeals, such as the All American Check Cashing and RD Legal Funding cases, may result in rulings on CFPB constitutionality that could force the issue to the Supreme Court, where the Bureau’s fate is far from certain. Second, we will wait to see whether Kraninger stakes out new territory for the Bureau, or whether she is content to take her lead from Mulvaney’s agenda and political appointees. Third, it is still too early to tell whether the Bureau will revisit any other Cordray-era rulemaking. Stay tuned.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.