November 7 – Read the newsletter below for the latest Mortgage Banking and Consumer Finance industry news, written by Ballard Spahr attorneys. In this issue, we discuss the FDIC’s new signage compliance date extension, California’s registration requirements for providers of EWA, the FCC’s effective date for new robocall rules, and much more.
- This Week’s Podcast Episode: How the CFPB Is Using Interpretive Rules to Expand Regulatory Requirements for Innovative Consumer Financial Products; Part Two: Earned Wage Access
- This Week’s Podcast Episode: State Fair Access and Debanking Laws Bring Country’s Political and Cultural Divisions to the Fore
- Trade Associations Sue the CFPB on Same Day as it Issues Final Open Banking Rule Under Section 1033 of Dodd-Frank
- U.S. Supreme Court Accepts Case Seeking to Determine Whether District Courts Must Accept FCC’s Interpretation of TCPA
- FDIC Extends Compliance Date for Parts of New Signage Rule
- FCC Sets April 15 as Effective Date for New Robocall Rules
- California Finalizes Registration Requirements for Providers of Earned Wage Access, Other Financial Products and Services
- Looking Ahead
Today’s podcast, which repurposes a recent webinar, is the conclusion of a two-part examination of the CFPB’s use of a proposed interpretive rule, rather than a legislative rule, to expand regulatory requirements for earned wage access (EWA) products. Part One, which was released last week, focused on the CFPB’s use of an interpretive rule to expand regulatory requirements for buy-now, pay-later (BNPL) products.
We open with a discussion of EWA products, briefly describing and distinguishing direct-to-consumer EWAs and employer-based EWAs. We review some of the consumer-friendly features that are common to EWAs, including that there is no interest charged and they are typically non-recourse, and discuss expedited funding fees and tips, neither of which is required to access EWAs. We also provide an overview of how some states have attempted to regulate (or specifically not regulate) EWAs.
We then transition into a discussion of the CFPB’s history with EWA products, including the Bureau’s advisory opinion in 2020 that took a markedly different approach to EWAs, essentially taking the position that a certain subset of EWAs fell outside of the definition of “credit” under the Truth in Lending Act (TILA) and Regulation Z. The CFPB’s proposed interpretive rule, on the other hand, states that EWAs are “credit” and that expedited funding fees and optional tips, in most circumstances, are part of the finance charge that must be disclosed under TILA and Regulation Z. We explore the Bureau’s reasoning in support of these conclusions and some of the compliance difficulties that the proposed interpretive rule would create were it to go into effect as written. Since this recording took place, the CFPB has posted over 148,000 comment letters that it has received on the proposed interpretive rule, many of which are from consumers who use EWAs to access a portion of their earned wages prior to their scheduled payday and are concerned that the proposed interpretive rule could limit or jeopardize their access to EWAs. The high number of responses demonstrates the level of interest that the CFPB’s proposed interpretive rule has generated.
We conclude with thoughts about vulnerabilities with both the proposed interpretive rule for EWAs and the interpretive rule for BNPLs that we described in part one of this podcast, as well as how these rules could potentially be challenged. One notable development that has occurred since our recording is that the Financial Technology Association has filed a complaint asking a D.C. federal court to strike down the interpretive rule for BNPLs because of the alleged violations of the Administrative Procedure Act that we discuss in this episode.
Former Practice Leader and Senior Counsel in Ballard Spahr’s Consumer Financial Services Group, Alan Kaplinsky, moderates today’s episode, and is joined by Partners in the Group, John Culhane and Michael Guerrero, and Of Counsel in the Group, John Kimble.
Our podcast listeners are very familiar with federal fair lending and antidiscrimination laws that apply in the consumer lending area: the Equal Credit Opportunity Act (ECOA) and Fair Housing Act (FHA). Those statutes prohibit discriminating against certain protected classes of consumer credit applicants. For example, the ECOA makes it unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, or age (provided the applicant has the capacity to contract); the applicant’s use of a public assistance program to receive all or part of their income; or the applicant’s previous good-faith exercise of any right under the Consumer Credit Protection Act. The FHA prohibits discrimination concerning the sale, rental, or financing of housing based on race, religion, national origin, sex, disability, pregnancy or having children. The FTC sometimes relies on the “unfairness” prong of its UDAP (Unfair or Deceptive Acts and Practices) authority to bring other types of discrimination claims against companies subject to the FTC’s jurisdiction. The CFPB has tried to use the unfairness prong of its UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) authority in a similar manner with respect to companies and banks subject to its jurisdiction. A federal district court has invalidated the portion of the CFPB’s UDAAP Exam Manual provision upon which such authority was previously predicated and the case is now being considered by the Fifth Circuit.
Our focus during this podcast show is not on these Federal antidiscrimination statutes, but rather on the fact that an increasing number of states have either enacted or are considering enacting legislation requiring financial institutions to provide persons (both existing customers and prospective customers) who are not ordinarily protected by the federal antidiscrimination statutes with fair access to financial services. The first broad fair access requirements appeared in a Florida statute enacted in 2023, which generally prohibits financial institutions from denying or canceling services to a person or otherwise discriminating against a person in making available services on the basis of enumerated factors, commonly including factors such as political opinions, or any other factor that is not quantitative, impartial, and risk-based.
Because this topic is very controversial, we invited individuals who support and oppose these new types of state statutes: Brian Knight, Senior Research Fellow at the Mercatus Center at George Mason University, Professor Peter Conti-Brown of the Wharton School of the University of Pennsylvania, and Peter Hardy who co-leads our Anti-Money Laundering (AML) Team at Ballard Spahr. (Brian was previously a guest on our May 23, 2024 podcast which focused on the related topic of Operation Chokepoint.) Brian is generally supportive of these state fair access laws. Professor Conti-Brown and Peter Hardy generally oppose these types of laws.
We cover the following subtopics, among others:
- Why were these laws enacted?
- What financial institutions are subject to these laws? Do they cover only depository institutions or do they also cover non-banks? Do they cover only consumer transactions or do they cover business transactions as well? Do they cover out-of-state financial institutions doing business with residents of the states that have enacted these statutes? Are there exemptions based on small size?
- Since banks are not public utilities, and have shareholders and employees to whom they owe duties, why should they be forced to do business with people or companies who generate fossil fuel or who manufacture or sell firearms, to take just two examples of industries protected by these statutes?
- What are the private and public remedies for violating these statutes?
- Do the National Bank Act, the Home Owners’ Loan Act, and the Federal Credit Union Act preempt these state laws?
- Do these laws run afoul of AML laws as the Treasury suggests?
Brian believes that these state statutes don’t force any financial institution to do business with a particular person or company. The statutes simply say that you must give a good reason for a declination. A good reason would be one based on risk to the institution such as a lack of experience in evaluating the company’s business. Another good reason would be that the company is engaged in an unlawful business. A bad reason for a declination would be that the bank doesn’t like the political or cultural positions of the company.
Peter Conti-Brown believes that banks should be able to decide with whom they desire to do business as long as they don’t violate existing federal laws that prohibit discrimination, like ECOA and the FHA. Peter expresses skepticism that there was or is a need for these statutes. The “bottom line” is that the state statutes are bad public policy. Peter also believes that these state statutes are preempted by the National Bank Act.
Peter Hardy believes that these state statutes throw a monkey wrench into banks’ efforts to comply with AML requirements and the Bank Secrecy Act. He explains how these statutes could help bad actors evade the BSA.
We have previously blogged about these statutes.
Alan Kaplinsky, Senior Counsel and former chair for 25 years of the Consumer Financial Services Group, hosts the discussion.
On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) issued its final rule implementing Section 1033 of the Dodd-Frank Act (the “Final Rule” or the “Open Banking Rule”), granting consumers greater access rights to the data their financial institutions hold. Although there are some differences, the Final Rule largely tracks the Proposed Rule announced by the CFPB last year on October 19, 2023, with the largest concession coming in the form of the extended effective date.
The Final Rule was immediately met with criticism from industry groups. The Bank Policy Institute and Kentucky Bankers Association filed a lawsuit on the day the Final Rule was issued in the U.S. District Court for the Eastern District of Kentucky seeking injunctive relief, alleging that the CFPB exceeded its statutory authority.
Scope of the Final Rule
The Final Rule applies to data providers, third parties, and data aggregators. “Data provider” is defined to mean a financial institution under Regulation E, card issuers under Regulation Z, or any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person. Digital wallet providers are specifically listed as an example. While some commenters pushed the CFPB to expand the scope of data providers, it declined to do so at this time, although it did explain that it intends to do so in the future.
“Third parties” are defined to mean any person or entity that is not the consumer about whom the covered data pertains or the data provider that controls or possesses that data. To become an “authorized third-party,” entities must comply with authorized procedures outlined in the Final Rule. The Final Rule also has additional requirements for “data aggregators,” which are defined to mean a person that is retained by and provides services to authorized third parties to enable access to covered data.
The Final Rule defines covered data to mean transaction information, account balance information, information to initiate payment to or from a Regulation E account, terms and conditions, upcoming bill information, and basic account verification information. The Final Rule includes examples for some, but not all, of those categories, and it does not contain any express exclusions for de-identified or anonymized data.
Substance of Final Rule
The Final Rule requires data providers to provide a right of access to authenticated consumers and authenticated third parties (including data aggregators acting on behalf of an authorized third-party) to the most recently updated covered data. Access must be in an electronic format that is transferrable to consumers and third parties and usable in a separate system (known as portability under privacy laws), and data providers cannot impose any fee or charge on consumers or third parties. The CFPB has stated that the purpose of this requirement is to encourage competition, while critics have stated that it will allow third parties to profit from consumer data at the expense of banks and other data providers.
Data providers must also establish and maintain two interfaces—one for consumers, and one for developers. The developer interface is defined to mean the interface through which a data provider receives requests for covered data and makes available covered data to authorized third parties, and it would need to satisfy several requirements relating to format, performance, and security. Adhering to standards set by a qualified industry standard would constitute indicia of compliance that would provide a safe harbor in some instances. The CFPB’s rule outlining the qualifications to become a recognized industry standard setting body, which can issue standards, was finalized in June.
Data providers will also need to make certain information publicly available in both human and machine readable formats, which go well beyond the standard annual privacy policy updates. Additionally, data providers will need to maintain written policies and procedures relating to data availability and accuracy, as well as data retention and access requests.
With respect to third parties, the Final Rule contains a three-part authorization procedure to become an authorized third-party: providing the consumer with an authorization disclosure, certifying that the third-party agrees to specific obligations, and obtaining the consumer’s express informed consent. The Final Rule allows data aggregators to perform the third-party authorization, subject to specific requirements.
The Final Rule also imposes limitations on the third-party’s secondary uses of consumer data, explicitly prohibiting the use of consumer data for targeted advertising, cross-selling of other products or services, and the sale of data. Many commentators requested greater clarity on the secondary use limitations, especially on how to determine primary versus secondary uses, and sought carve-outs for de-identified data. The Final Rule did not specifically address de-identified data or how data may be used to train artificial intelligence or algorithms, but it did explicitly allow for the use of covered data for “uses that are reasonably necessary to improve the product or service the consumer requested.”
It is also worth noting that the Final Rule carried through numerous other specific requirements relating to data security, data retention, consent revocation, reauthorization, and written policies and procedures.
Compliance Timelines
In perhaps the biggest change from the Proposed Rule, the CFPB extended the earliest compliance timeline. Under the Proposed Rule, the largest depository institutions would have had to comply within six months after publication, while the smallest institutions would have had four years to comply.
Under the Final Rule, the largest depository institutions—defined to mean those that hold at least $250 billion in total assets—will have until April 1, 2026, to comply. While this extended compliance date is obviously welcome news, the threshold for a company to fall within the category of the largest depository group was previously set at $500 billion in total assets under the Proposed Rule, which means more institutions will now be subject to the new initial deadline set forth in the Final Rule.
Depository institutions with between $250 billion and $10 billion will have until April 1, 2027; those with between $10 billion and $3 billion have until April 1, 2028; those with between $3 billion and $1.5 billion have until April 1, 2029; those with between $1.5 billion and $850 million have until April 1, 2030; and those with less than $850 million are exempt from the Final Rule entirely.
Reception and Criticisms
On the same day that the CFPB issued the Final Rule, the Bank Policy Institute filed a lawsuit in federal court challenging aspects of the CFPB’s rulemaking under Section 1033 of the Dodd-Frank Act. The complaint asks the court to set aside the Final Rule in its entirety pursuant to the Administrative Procedure Act, and to enter an order permanently enjoining the CFPB from enforcing the Final Rule.
Other industry groups have been similarly critical of the Final Rule. In particular, many organizations and groups in the banking industry have voiced the following criticisms in response to the Final Rule:
- under the Final Rule, third parties are able to profit, at no cost, from a system built and maintained by banks, and banks are not able to exercise control over customer data once it is transferred to third parties;
- the CFPB was mistaken in not affirmatively and explicitly sunsetting the practice of “screen scraping” in the Final Rule, a method whereby third parties or data aggregators collect data from a website or application by using consumer credentials to log into consumer accounts; and
- the new compliance deadline in the Final Rule, while extended, will still be difficult for organizations to meet given that qualified industry standards have yet to be set by any recognized industry standard setting body.
* * *
Compliance with the Final Rule will be a long and arduous process for data providers, third parties, and aggregators alike, requiring an update to technical processes and legal procedures. Indeed, for some companies, the Final Rule will require not just updates to account for the specific requirements set forth in the Final Rule, but also a more comprehensive overhaul to their underlying security procedures to align with the security standard set forth in the federal Gramm-Leach-Bliley Act. Companies would be wise to start assessing the impact of the Final Rule on their operations now, even if implementation of some of the technical updates will need to be delayed until standard setting bodies are formed.
Gregory P. Szewczyk, Mudasar Pham-Khan and Alan S. Kaplinsky
The U.S. Supreme Court has agreed to consider a case that could clarify whether the Hobbs Act, which limits judicial review of FCC final orders to appeals courts, means that district courts must accept the FCC’s interpretation of the Telephone Consumer Protection Act (TCPA).
The case, McLaughlin Chiropractic Associates Inc. v. McKesson Corporation, et al. deals with unsolicited faxes that a subsidiary of the McKesson Corp. sent to the chiropractic group.
While the Supreme Court has considered whether the Hobbs Act covers private litigation, it has not decided whether district courts must accept a specific agency order that interprets the TCPA. In most cases, courts have afforded deference to the FCC’s rulings.
In 2019, the FCC decided that “By this declaratory ruling, we make clear that an online fax service that effectively receives faxes ‘sent as email over the Internet’ and is not itself ‘equipment which has the capacity . . . to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper’ is not a ‘telephone facsimile machine’” and thus falls outside the scope of the statutory prohibition.
In the McKesson case, the U.S. District Court for the Northern District of California ruled that the Hobbs Act does not allow a district court to review whether the FCC’s interpretation of the TCPA is wrong. The Ninth Circuit Court of Appeals affirmed the district court’s decision. The appeals court’s decision created a split among federal courts, since the Fourth Circuit had determined that district courts should decide how much deference to give to an FCC decision.
McLaughlin Associates said, as a result, the issue remains unsettled.
“As the district court in this case correctly recognized, whether the Hobbs Act requires federal courts to treat an agency’s legal interpretation of a federal statute as ‘invariably binding’ is a question that is in dire need of ‘critical guidance’ from a ‘higher court,’” McLaughlin Associates wrote in its petition to the Supreme Court.
McKesson disagreed, saying, among other things, that McLaughlin could not attack the FCC’s order, that the TCPA does not prohibit faxes sent to an online fax service, and that the FCC’s ruling deserves “respect.”
FDIC Extends Compliance Date for Parts of New Signage Rule
The FDIC is providing financial institutions with additional time to comply with parts of the new FDIC signage and advertising rule by extending the compliance date from January 1, 2025 to May 1, 2025.
The extension only applies to provisions of the final rule governing the use of the official FDIC signs and advertising statements – Part 328, subpart A. The compliance date related to misrepresentations of deposit insurance coverage, subpart B of Part 328, remains January 1, 2025.
The extension applies to the provisions governing “(1) the use of the FDIC official sign, official digital sign, and other signs differentiating deposits and non-deposit products across all banking channels, including physical premises, automated teller machines (ATMs) and digital channels, and (2) the establishment and maintenance of written policies and procedures to achieve compliance with Part 328.” The FDIC said that based on feedback from banks and other industry participants, agency officials understand that some financial institutions would find it beneficial to have the additional time.
“The revisions in the final rule extend the certainty and confidence associated with the FDIC official sign to digital channels, such as bank websites and mobile applications, through which depositors are increasingly handling their banking needs,” FDIC officials added, in explaining the new rule.
The final rule establishes a new black and navy blue official digital sign. Banks will be required to display the FDIC official digital sign near the name of the bank on all bank websites and mobile applications. Banks also will be required to display the FDIC official digital sign on certain automated teller machines.
The final rule also modernizes requirements for display of the FDIC official sign in bank branches and other physical premises to take into account the changing design of bank branches and other physical bank locations where customers make deposits.
FCC Sets April 15 as Effective Date for New Robocall Rules
The FCC set April 11, 2025, as the effective date for new rules designed to make it easier for consumers to revoke consent for calls and texts subject to the Telephone Consumer Protection Act and requiring callers to honor these requests in a timely manner.
The new rules, adopted in February, require that callers honor do-not-call and consent revocation requests within a reasonable time, not to exceed 10 business days from receipt.
In February, the FCC also codified the Commission’s 2015 ruling that consumers can revoke consent under the Telephone Consumer Protection Act through any reasonable means. The rules also add to the FCC’s 2012 ruling that clarified that a one-time text message confirming a consumer’s request that no further text messages be sent does not violate the Telephone Consumer Protection Act as long as the confirmation text merely confirms the called party’s opt-out request and does not include any marketing information.
On October 11, California’s Office of Administrative Law (OAL) approved the Department of Financial Protection and Innovation’s (DFPI’s) registration rulemaking for providers of the following products:
- Income-Based Advances (more commonly known as earned wage access (EWA) products);
- Private Postsecondary Education Financing (including income share agreements (ISAs));
- Debt Settlement Services; and
- Student Debt Relief Services.
These requirements will go into effect February 15, 2025, after which only registrants, applicants for registration, and exempt entities will be allowed to provide or offer to provide the subject products to California residents. The final rule is the culmination of an effort that began with initial proposed regulations in April of 2023 and included a disapproval decision by the OAL of an earlier version of the regulations.
The DFPI was empowered to create these registration requirements by California’s Consumer Financial Protection Law (CCFPL), which was signed into law by Governor Newsom on September 25, 2020. The CCFPL provides that the DFPI may “prescribe rules regarding registration requirements applicable to a covered person engaged in the business of offering or providing a consumer financial product or service,” but not for “[a] covered person who is licensed by the department under another law and who is providing a financial product or service within the scope of that license.” Cal. Fin. Code § 90009(a). Because the DFPI states in the final rule that, for instance, EWAs are loans subject to the California Financing Law (CFL) and providers of EWAs are finance lenders under the CFL, the CCFPL necessitates that the rule include a number of exemptions for providers offering these products within the scope of another California license, including the following:
- Providers offering EWAs and/or private postsecondary education financing within the scope of a CFL license;
- Providers offering debt settlement services within the scope of a California proraters license;
- Providers offering EWAs within the scope of a California Deferred Deposit Transaction license; and
- Licensees under the Student Loan Servicing Act when offering or providing education financing to be serviced by the licensee after origination.
While the rule states that the DFPI’s determination that providers must register does not constitute a determination that other licensing laws do not apply, registered providers of compliant EWAs are specifically exempted from CFL licensing. Notably, the initial proposed rule required that, in order for registered EWA providers to qualify for this licensing exemption, they had to meet the charge limitations of the CFL (with “charges” defined broadly to include expedited funding fees, subscription fees, and tips). In the Final Statement of Reasons, the DFPI explained that it removed the CFL rate caps for EWAs “to address procedural concerns related to economic impact[.]” A similar provision was not removed for registered providers of education financing with income-driven repayment provisions (including ISAs), who still must limit charges to what is allowed in the CFL in order to be exempt from licensure. Cal. Code Regs. Tit. 10 § 1462.5(a)(3).
Another notable change made during the rulemaking process was to the registration trigger: the initial proposed regulations required registration of those engaged in the business of “offering or providing subject products,” while the final rule limits the registration requirement to those engaged in the business of “offering to provide or providing subject products.” Cal. Code Regs. Tit. 10 § 1010(a) (emphasis added). This is a subtle change with potentially large ramifications, particularly when one entity offers a subject product that another entity (who may be exempt from registration) will be providing. For example, the CCFPL does not apply to state-chartered banks or national banks. Cal. Fin. Code § 90002(c); Cal. Fin. Code § 90002(b)(7). If an EWA product is offered by a fintech but provided by the fintech’s bank partner, then the registration trigger does not seem to have been met for either entity (i.e. because the bank is exempt and the fintech is not “offering to provide” the product). The Final Statement of Reasons, however, seems to hint that the DFPI may have a broader interpretation of this language in mind:
Whether a person is [subject to registration] is fact specific. Section 1010, subdivision (a), is intended to ensure that all companies that hold themselves out as offering or providing subject products are subject to regulation. The regulation is not intended to require marketing firms, newspapers, and other advertisers that advertise [subject products] on behalf of a…business and who do not own or control the activities of the…business to register under the CCFPL.
The DFPI recently announced that it is soliciting comments on what other industries it should establish registration requirements for under the CCFPL. Comments are due by December 12.
John A. Kimble, John D. Socknat and John L. Culhane, Jr.
Post-Election Webinar - The Impact on the Banking and Consumer Financial Services Industry
A Ballard Spahr Webinar | November 12, 2024, 12:00 PM – 1:00 PM ET
Speakers: Alan S. Kaplinsky, John L. Culhane, Jr.
13th Annual Utah Fall Employment Law Seminar
A Ballard Spahr Seminar | November 13, 2024 | 8:00 AM – 12:00 PM ET
Little America Hotel
500 Main Street
Salt Lake City, UT 84101
Panelists: Jason D. Boren, Charles Frohman and Nima Darouian
Copyright © 2024 by Ballard Spahr LLP.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.