In response to the financial crisis of 2008, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”), the most sweeping and comprehensive financial services legislation since the 1930s. One of the central features of Dodd-Frank was the creation of the Consumer Financial Protection Bureau (CFPB), a single federal agency responsible for all consumer protection functions. More importantly, Dodd-Frank essentially re-defined the existing regulatory structure by changing the roles of the various regulators, the scope of industries they regulate, and the tools they use to identify future problems. This structural change has led—and will continue to lead—to a dramatic increase in the scope and level of regulation in the financial services industry.

Who Regulates? Limitations to Exemptions of State Law 

“It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.” 

This concept—with the states operating as laboratories of democracy, experimenting with new laws and policies—was described in 1932 by U.S. Supreme Court Justice Louis Brandeis in the case New State Ice Co. v. Liebmann. Prior to Dodd-Frank, many state laws attempting to regulate the activity of national banks were preempted by federal regulators, who asserted that the state laws overlapped or conflicted with federal law. Dodd-Frank changed this dynamic by raising the standards that must be met before federal regulators can assert preemption. The change fundamentally increased the importance of the role of the states in the regulatory process, and will result in increased legislative and regulatory activity as states are further empowered to act independently to achieve their own policy goals based on local conditions.

Increased Importance of State Attorneys General

As the individuals who enforce and often push for these laws, the state Attorneys General received a regulatory windfall under Dodd-Frank. Specifically, under § 1042, a “State regulator may bring a civil action or other appropriate proceeding to enforce the provisions of this title or regulations issued under this title with respect to any entity that is State-chartered, incorporated, licensed, or otherwise authorized to do business under State law…” State Attorneys General are rarely shy about using the power they have been granted and many have already brought actions by using these new Dodd-Frank powers—for example, the Illinois A.G. suing a predatory lender in Chicago; Connecticut and Florida in a joint lawsuit against a mortgage rescue company; and Mississippi bringing charges against a credit reporting agency.

This power also extends to other state regulators who may have been previously hamstrung by the law of their own states. For example, under New York General Business Law § 349, the Attorney General is the only state official empowered to bring an action for an unfair or deceptive act or practice. Dodd-Frank, however, extended this power such that other state regulators can bring these types of actions. Benjamin Lawsky, the former Superintendent of New York’s Department of Financial Services, was thus empowered, frequently wielding this new authority prior to his departure.

Increased Cooperation between CFPB and States

As a result of this expanded role for state regulators, the relationship between the states and federal regulators—in particular the CFPB—takes on new importance. In order to aid in this relationship, state regulators and the CFPB have entered into agreements to enhance cooperation. For example, in 2011, the CFPB and Conference of State Bank Supervisors signed an agreement to work together to achieve examination efficiencies and to avoid duplication of time and resources. Also in 2011, the National Association of Attorneys General and the CFPB agreed to a Joint Statement of Principles, establishing a framework for regulation of financial products and services. This cooperation has resulted in numerous joint enforcement actions starting with the 2012 National Mortgage Settlement with the country’s five largest mortgage servicers. This cooperative framework will lead to further public and private enforcement actions as the CFPB and states share information and cooperate to achieve common goals and objectives.

Who is Regulated? The Larger Participant Rule

Another major change caused by Dodd-Frank is re-defining the type of companies covered by federal regulation, including many companies that were previously regulated under state law, or perhaps not regulated at all. Dodd-Frank authorizes the Bureau to define by regulation larger participants of certain markets for financial products or services. These “larger participant” rules extend the CFPB’s oversight into markets which may not have been regulated in the past.

Dodd-Frank § 1024 specifically gives the Bureau supervisory authority over all nonbanks offering three specific types of consumer financial products or services: (i) mortgages; (ii) private education loans; and (iii) payday loans. The law also grants CFPB supervisory authority over “larger participants” (as defined by the Bureau) in markets for other consumer financial products or services. While defining a company as a larger participant does not impose new substantive consumer protection requirements, it does subject these companies to the Bureau’s regulatory and enforcement authority.

The Bureau is authorized to supervise these entities for purposes of: (i) assessing compliance with federal consumer financial law; (ii) obtaining information about the companies’ activities and compliance systems or procedures; and (iii) detecting and assessing risks to consumers and consumer financial markets. In order to accomplish this, the Bureau conducts formal examinations of these entities—or it may simply request information from supervised entities without conducting examinations. The Bureau prioritizes its activity among these companies based on, among other things, the size and risk to a particular market, the extent of relevant overlapping state regulation, and any market information that the Bureau has on the company, including, for example, any consumer complaints about the company which have been submitted to the Bureau.

The Bureau has defined larger participants in five markets to date: consumer reporting, consumer debt collection, student loan servicing, international money transfers, and most recently, automobile financing. This regulatory expansion was an intended goal of Dodd-Frank which will continue in the future.

How Regulation Happens

Collection Consumer Complaints

In addition to expanding the scope of what entities and industries are regulated by the CFPB, Dodd-Frank also instructs the Bureau on how it should make those determinations. One of the biggest changes as a result of Dodd-Frank is the reliance on consumer complaints to inform the regulatory agenda. In its 2015 Semi-Annual Report, the CFPB explains that information obtained from consumers “informs every aspect of the Bureau’s work, including research, rule writing, supervision, and enforcement.” Formation of regulatory policy based on the complaints of those who are impacted, without meaningful verification or interpretation as to the causes of the complaints, is a profound change in the way that regulation is formed.

Under Dodd-Frank § 1013, the Bureau is required to receive complaints from consumers, specifically by establishing a unit - the Office of Consumer Response - “whose functions shall include establishing a single, toll-free telephone number, a website, and a database or utilizing an existing database to facilitate the centralized collection of, monitoring of, and response to consumer complaints regarding consumer financial products or services.”

This extension is particularly intrusive—and unnecessary, considering we live in an age of social media which allows real-time feedback by consumers through a multitude of channels.

To facilitate the submission of complaints, the CFPB launched its Consumer Complaint Database on June 19, 2012. It was initially populated with credit card complaint data, but has since been expanded to include other products, including mortgages, bank accounts, student loans, vehicle and other consumer loans, credit reporting, money transfers, debt collection, payday loans, and prepaid cards. As of March 1, 2005, the Bureau has handled nearly 560,000 complaints, with mortgages and debt collection being the most frequently covered areas.

On March 19, 2015, the Bureau announced that it was finalizing rules to allow consumers to add narratives about their complaints. The addition of the consumer narratives will increase the significance and impact of these complaints. According to the Bureau, “consumer narratives provide a first-hand account of the consumer’s experience, and adding the option to share them will greatly enhance the utility of the database. The narratives will provide context to complaints, spotlight specific trends, and help consumers make informed decisions. The narratives may encourage companies to improve the overall quality of their products and services, and more vigorously compete over good customer service.”

In this respect, the CFPB’s function of collecting consumer complaints to inform its regulatory priorities, as required by Dodd-Frank, has morphed into a mechanism to police the quality of companies’ products and customer service, extending the Bureau’s regulatory oversight into the private relationship between a company and its customers. This extension is particularly intrusive—and unnecessary, considering we live in an age of social media which allows real-time feedback by consumers through a multitude of channels.

Data Collection 

Another new regulatory tool at the CFPB’s disposal is the requirement that it collect information on the financial markets in order to determine its regulatory priorities. Under Dodd-Frank § 1022, the CFPB is directed to “monitor for risks to consumers in the offering or provision of consumer financial products or services, including developments in markets for such products or services.”

The CFPB performs this monitoring by gathering and compiling information from “variety of sources, including examination reports concerning [companies], consumer complaints, voluntary surveys and voluntary interviews of consumers, surveys and interviews with [companies], and review of available databases.” In addition, the CFPB can gather information by requiring companies to provide other information as necessary for it to “fulfill the monitoring, assessment, and reporting responsibilities imposed by Congress.” This section of the law was enacted because prior to the financial crisis, Congress felt there was a lack of data on consumer financial products and services that hindered federal oversight and regulation.

The CFPB’s data collection regime has been the target of extensive criticism, especially from privacy advocates. In September 2014, the Government Accountability Office (GAO) published a report in which it reviewed the CFPB data collection program.  According to the GAO report, the CFPB has conducted large-scale data collections including one where it obtained 173 million mortgage loans from a data aggregator.

While the GAO found that other federal regulators (e.g., the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency), collect similarly large amounts of data, it did determine that the CFPB “lacks written procedures and comprehensive documentation for a number of processes, including data intake and information security risk assessments. The lack of written procedures could result in inconsistent application of the established practices,” including “assessing and managing privacy risks,” “monitoring and auditing privacy controls,” and “documenting results of information security risk-assessments consistently and comprehensively.” The GAO’s finding is ironic, given the CFPB’s continued emphasis on the importance of companies having written policies and procedures in the context of effective compliance programs.

Beyond the obvious privacy and data security risks, the CFPB’s collection of large amounts of consumer data will fundamentally change the way regulators act. To reiterate, this was part of Dodd-Frank’s goal and is not an unintended consequence; its impact, however, will be dramatic as regulators utilize “big data” to more easily spot trends and trouble spots earlier—all of which will lead to increased regulation.

Conclusion

Although viewed by many as an overreaching agency run amuck, the CFPB is largely following the rules as established by Dodd-Frank. As a result, barring a major change in the law, the Bureau will continue to expand its reach, with a corresponding increase in the regulation of the financial services sector. The calls for regulatory reform and amendments to Dodd-Frank do not currently have the necessary political support. Until they do, this expanding regulatory environment will continue unabated.

 

By Neal Doherty