Our CFPB Monitor blog is getting high praise from the ABA Journal. The publication has recognized the blog as one of the top 100 law blogs of 2012, out of approximately 3,500. In addition, we are the only blog focused on the Consumer Financial Protection Bureau that made the cut.
The ABA Journal has divided the list into 14 distinct categories and is now requesting that readers vote for their favorite blog in each. CFPB Monitor is in the "niche" category. If you are a fan of the blog, please vote for us at http://www.abajournal.com/blawg100. You will be prompted to register before voting by creating a username and password. The voting deadline is December 21.
We also encourage you to visit the blog at www.CFPBMonitor.com. Launched in July 2011—just as the CFPB opened for business— it now has thousands of subscribers and is visited by thousands of readers each month.
Among the readers who have given us positive feedback is Jacob Gaffney, Editor of HousingWire. Said Mr. Gaffney: "When providing guidance to my HousingWire reporters in CFPB coverage, I often direct them to CFPB Monitor. There is so much misinformation out there about this key entity, yet only a handful of trustworthy commentary websites. CFPB Monitor is one of the few reliable sources out there. It's vital reading material."
We owe much gratitude to all of our blog contributors in the Consumer Financial Services and Mortgage Banking Groups. And thank you for your support!
- Alan S. Kaplinsky
The U.S. Senate, by unanimous consent, has passed a bill (H.R. 4014) that amends the Federal Deposit Insurance Act to provide protection against waiver of the attorney-client privilege when privileged information is shared with the Consumer Financial Protection Bureau (CFPB) or by the CFPB with other federal agencies. The bill, which was also approved by the House of Representatives, is expected to be signed into law soon by President Obama.
The bill has two main components. First, it adds the CFPB to the list of federal agencies that may share privileged information of a regulated entity with other federal agencies without waiver of any state or federal law privilege. Second, it identifies the CFPB as a regulator to whom a regulated entity may submit privileged information without waiving any state or federal law privilege.
The bill is intended to give regulated entities that provide privileged information to the CFPB with the same anti-waiver protections they have when dealing with the federal banking agencies or state banking regulators. But those protections have several important limitations.
For example, the legislation contains no anti-waiver protection for privileged information the CFPB shares with state attorneys general or other state agencies. While it protects against waiver if the information the CFPB shares with another federal regulator is covered by a work product, attorney-client, or other recognized privilege, there is no anti-waiver protection for proprietary data, trade secrets, or other confidential information the CFPB passes on to other federal agencies. It also provides no anti-waiver protection for privileged information a regulated entity shares with state agencies other than state banking regulators.
Most significantly, the legislation does not address the fundamental issue of whether the CFPB has the right to compel production of privileged documents in examinations. That unresolved issue will continue to surface if the CFPB insists on receiving privileged documents from its supervised entities.
- Barbara S. Mishkin
The CFPB recently issued a Statement of Intent that describes its plans for sharing information about nonbanks with state banking and financial service regulators ("State Regulators") and coordinating supervisory and enforcement activity. In January 2011, the CFPB entered into a memorandum of understanding (MOU) with the Conference of State Bank Supervisors (CSBS) and various State Regulators to establish a general framework for information sharing, supervision, and enforcement cooperation.
Subsequently, the CFPB entered into similar MOUs with additional State Regulators. (According to the CSBS website, as of April 19, 2012, State Regulators in every state except New Mexico have signed such MOUs.) The Statement of Intent supplements the MOUs by detailing the types of information the CFPB intends to share and the cooperative actions it intends to take.
As far as supervision is concerned, the CFPB intends to coordinate its examination of a nonbank with a State Regulator having supervisory authority over the nonbank and provide examination reports upon such regulator's request. As for consumer complaints, the CFPB intends to provide such complaints or access to such complaints to State Regulators on an agreed systemic basis and develop a process to coordinate the handling of consumer complaints to avoid duplication of effort.
The CFPB also plans to provide State Regulators information about registered mortgage loan originators associated with institutions chartered and supervised by the State Regulators (if permitted by the relevant federal prudential regulators), and significant analytical reports derived from national mortgage loan system (NMLS) data as agreed by the CFPB and State Regulators.
In the enforcement arena, the CFPB intends to provide State Regulators with reasonable notice before initiating a public enforcement action against a nonbank in a regulator's state, and information, data, and analysis about conduct and practices of nonbanks to inform enforcement activity. The CFPB also intends to consult State Regulators during the enforcement process about mutually beneficial information sharing, regularly consult with State Regulators to identify mutual enforcement priorities, and support enforcement activity by State Regulators, including through joint or coordinated investigations.
The sensitive nature of the information to be shared under the Statement of Intent raises concerns about the adequacy of the CFPB's and the State Regulators' information security systems. Last month, the Bureau's Office of Inspector General issued a report criticizing the CFPB's information security system. In response, the CFPB said it is taking actions to strengthen its system. Since the shared information will also need to be protected by State Regulators, we hope that before it shares information with a State Regulator, the CFPB will confirm that the State Regulator has an adequate information security system in place
The CFPB and the Department of Justice ("DOJ") recently executed a Memorandum of Understanding ("MOU") aimed at strengthening their coordination in connection with fair lending investigations. The MOU, executed on December 6, 2012, also seeks to avoid duplication of the agencies' respective enforcement efforts, particularly in coordinating investigations of alleged violations of the Equal Credit Opportunity Act ("ECOA").
Both the CFPB and DOJ have authority under ECOA. Moreover, under Dodd-Frank, the CFPB is authorized to conduct joint investigations with the DOJ in matters relating to fair lending, and it has independent authority to enforce the law and investigate alleged fair lending violations against members of the consumer financial services industry.
According to the CFPB, the goal of the MOU is to "promote consistent, efficient, and effective enforcement of federal fair lending laws." In its press release announcing the MOU, the CFPB outlined this' general framework:
Our 'review of the MOU leaves us with many unanswered questions. For example, while the agencies agreed to cooperate and coordinate their respective enforcement efforts, the MOU does not specify how the agencies plan to actually accomplish this goal. Rather, it merely states that the agencies will collaborate and conduct joint investigations "when appropriate." It also states that when the agencies conduct a joint investigation, they will "work closely together to coordinate their investigations in a manner that is consistent and complementary," but does not elaborate.
Examples of what can only be characterized as undefined aspirations between the two agencies are peppered throughout the MOU and, in our opinion, leave the industry wondering if any meaningful coordination will actually occur." In contrast to its stated purpose, the MOU does not appear to offer any certainty when it comes to the CFPB's fair lending enforcement activities and whether and how those efforts will be affected by the efforts of others.
- Stefanie H. Jackman
The 2012 CFPB Ombudsman's Report, released last week, contains a section that suggests the Bureau is rethinking having enforcement attorneys participate in the examination process. This is an apparent sign that the CFPB is responding to the industry's discomfort with the issue.
The report identified "the presence of enforcement attorneys at supervisory exams" as one of two systemic issues reviewed by the Ombudsman in FY 2012. Last February, in a Q&A following a teleconference at which Wendy Kamenshine, the Ombudsman, was a speaker, we raised concerns about the CFPB's policy to include enforcement attorneys in examinations and information-gathering meetings with a supervised entity's representatives. In particular, we described the policy's chilling effect on the attorney-client relationship resulting from the fear that enforcement attorneys will have access to attorney-client communications. At that time, Ms. Kamenshine indicated that she would share our concerns with others in the CFPB.
From the outset, supervised entities have been concerned that the participation of enforcement attorneys in examinations would inhibit free and open communication, and that the attorneys' presence was a signal that the examination process was intended to be a development ground for enforcement actions. Those fears have been heightened by the fact that the Bureau's three enforcement actions against credit card issuers all arose from examinations, and this connection was highlighted in remarks by Director Cordray.
The Ombudsman's Report includes a section near the end on enforcement lawyers' participation in examinations, and it concludes with this passage:
To reflect on the success and challenges of the new policy, achieve consistency in its implementation, and improve transparency with CFPB staff and supervised entities, the Ombudsman recently recommended that the CFPB review the policy's implementation. Until that review is complete, the Ombudsman recommended that the CFPB establish ways to clarify the Enforcement Attorney role in practice at the supervisory examination. The Ombudsman understands that the CFPB now is considering these recent recommendations.
The recommendation comes on the heels of meetings between the Ombudsman and various interested parties. These included individual meetings with CFPB leaders and staff, as well as bank officials, outside attorneys, as well as other meetings with some groups representing providers of consumer financial products and services that do not work with banks, according to the report.
We are not sure what it would mean for the Bureau to "review implementation" of the enforcement attorneys' role in examinations, or what ways there are to "clarify" that role, but we find it encouraging that the Bureau is at least "considering" the Ombudsman's recommendations. It remains to be seen what results emerge from this consideration, and whether the Bureau's continues to base its enforcement actions on the examination process. But there is at least some indication that the Bureau is listening to the industry's concerns. A more cooperative and less enforcement-oriented examination process could enable it to achieve the Bureau's consumer protection goals more quickly and with less cost to the industry and, ultimately, to consumers.
- Barbara S. Mishkin and Christopher J. Willis
The Federal Trade Commission recently announced that it entered into a settlement with Epic Marketplace, Inc., (Epic) an online advertising company, of charges that its "history sniffing" practices violated Section 5 of the FTC Act. The settlement serves as another reminder that companies operating online need to consult legal counsel when drafting privacy policies and regularly monitor those policies to make sure they accurately reflect the company's information sharing practices.
Epic acted as an intermediary between website owners and advertisers by purchasing advertising space on the owners' websites and contracting with advertisers to place their ads on those websites. Epic used "cookies" to collect data from consumers who visited websites on which the company had purchased advertising space (Epic Network). Through a merger, Epic acquired a company that engaged in "history sniffing," which involves using a code to determine whether a consumer has previously visited a web page, based on how the consumer's web browser styles the display of the page's hyperlink.
The FTC alleged that by including the history-sniffing code in advertisements it placed on the Epic Network, Epic was able to determine whether someone viewing the advertisement had also previously visited web pages outside of the Epic Network. Based on the knowledge it obtained on which web pages a consumer had visited, Epic assigned the consumer to various interest categories and used those categories to send the consumer targeted advertisements.
The settlement bars Epic from engaging in history-sniffing and requires it to delete and destroy all data obtained through the practice. It also bars any misrepresentations about Epic's privacy policies, including about the extent to which data is collected, used, disclosed or shared or a software code on a web page determines if the consumer has previously visited a website.
Effective January 1, 2013, the Consumer Financial Protection Bureau (CFPB) will assume responsibility for enforcing the Fair Credit Reporting Act (FCRA). Earlier this year, the CFPB revised various FCRA model forms and mandated that they be implemented by this date.
The CFPB released another round of edits on November 14, 2012, to correct "typographical and other technical errors" in four of these forms: the Summary of Consumer Identity Theft Rights (Appendix I); the Summary of Consumer Rights (Appendix K); the Notice of Furnisher Responsibilities (Appendix M); and the Notice of User Responsibilities (Appendix N). The new forms and a brief explanation of their changes can be found here.
Of these forms, the Summary of Consumer Rights and the Notice of User Responsibilities are of primary interest to employers that use results of background checks in making employment decisions. The FCRA requires employers to provide individuals with the Summary of Consumer Rights before taking adverse employment action based on such results. The Notice of User Responsibilities summarizes the duties of employers as users of consumer reports under the FCRA.
Employers already using the previously published model forms may continue to do so for now. The CFPB has stated that it intends to restate the entire regulation in 2013, and once that occurs, all employers must use the new forms to comply with the FCRA.
While the latest changes are technical, they may foreshadow that the CFPB is gearing up to undertake an active supervisory and enforcement role under the FCRA. Employers should be particularly aware of these developments as they occur, and they should review their policies and procedures to ensure continued compliance with the Act.
- Brian D. Pedrow and Paul Apicella