Archives for December 2022

On Oct. 25, 2022, the Director of the Consumer Financial Protection Bureau (CFPB), Rohit Chopra, announced at a fintech conference that the CFPB “will launch the process to activate a dormant authority under Section 1033 of the Consumer Financial Protection Act . . . [to] provide for personal financial data rights for Americans . . .”

As background, § 1033[1] of the Consumer Financial Protection Act, a/k/a, the Dodd-Frank Act, generally allows a consumer access to transactional information that a business holds related to products or services that were provided to the consumer.

Specifically, § 1033(a) provides:

“Subject to rules prescribed by the Bureau, a covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”

Of course, the rulemaking process under § 1033 was actually “launched” six years ago when the CFPB issued a Request for Information, which was followed by an Advance Notice of Proposed Rulemaking in 2020 that received 100 comments.

SMALL BUSINESS REGULATORY ENFORCEMENT ACT (SBREFA) PROCESS

Director Chopra’s announcement was aligned with the Spring 2022 Unified Agenda that indicated the CFPB would issue a Small Business Regulatory Enforcement Fairness Act Outline (“Outline”) in November 2022.  In fact, the CFPB ended up slightly ahead of schedule, issuing the Outline on Oct. 27.

The purpose of the Outline is “to assess the impact on small entities that would be directly affected by the proposals under consideration prior to issuing a proposed rule regarding section 1033.”  The CFPB will convene a Small Business Review Panel to request and receive feedback from small entity representatives, and others may submit comments by Jan. 25, 2023.

SBREFA OUTLINE

The Outline consists of 149 questions on these topics:

• Coverage of data providers subject to the proposals under consideration
• Recipients of information
• The types of information a covered data provider would be required to make available
• How and when information would need to be made available
• Third party obligations
• Record retention obligations
• Implementation period
• Potential impacts on small entities

COVERAGE OF DATA PROVIDERS

The CFPB is proposing rules that would require a defined subset[2] of covered persons[3] that are data providers[4] to make consumer financial information available to a consumer or an authorized third party.[5],[6],[7],[8]

The CFPB is beginning with these covered persons, in part, “because they both implicate payments and transaction data,” noting, however, that it “intends to evaluate how to proceed with regard to other data providers in the future.”

Initially, as proposed, the rules would apply to this subset of covered persons:

1. Financial institutions with consumer “accounts” as defined in Regulation E,[9] such as banks, credit unions and other entities holding consumer asset accounts; and

2. “Card issuers” as defined in Regulation Z.[10]

Regarding entities that meet the Regulation E definition, the CFPB identifies:

• Banks and credit unions that directly or indirectly hold a consumer asset account (including a prepaid account);

• Other persons that directly or indirectly hold an asset account belonging to a consumer (including a prepaid account); and

• Persons that issue an access device and agree with a consumer to provide electronic fund transfer (EFT) services (including mobile wallets and other electronic payment products).

Regarding entities that meet the Regulation Z definition, the CFPB identifies:

• Issuers of a credit card account under an open-end (not home-secured) consumer credit plan (as defined in Regulation Z § 1026.2(a)(15)(ii)), i.e., a credit card account under an open-end (not home-secured) consumer credit plan is any open-end credit account that is accessed by a credit card; and

• Issuers that do not hold consumer credit card accounts, but that issue credit cards, such as by issuing digital credential storage wallets, notwithstanding that those transactions rely on consumer credit card accounts held at another entity.

The CFPB is also considering exempting some data providers from a requirement to make data available via data portals based on thresholds, such as asset size of activity level.

RECIPIENTS OF INFORMATION

The CFPB is proposing that “a covered data provider would satisfy its obligation to make information available directly to a consumer by making the information available to the consumer who requested the information or all the consumers on a jointly held account.”  This section includes a discussion of third-party authorization requirements.

TYPES OF INFORMATION MADE AVAILABLE

The CFPB proposes covered data providers would make available the following types of information:

1. Periodic statement information for settled transactions and deposits, such as generally appear for asset and credit card accounts;

2. Information regarding prior transactions and deposits that have not yet settled, such as transaction histories commonly made available through online management portals;

3. Other information about prior transactions not typically shown on periodic statements or portals, such as data from payment networks;

4. Online banking transactions that the consumer has set up but that have not yet occurred, such as with bill pay services;

5. Account identity information, but balancing it with concerns about fraud, privacy, and security; and

6. Other information, such as:

• Consumer reports from consumer reporting agencies, such as credit bureaus, obtained and used by the covered data provider in deciding whether to provide an account or other financial product or service to a consumer;
• Fees that the covered data provider assesses in connection with its covered accounts;
• Bonuses, rewards, discounts, or other incentives that the covered data provider issues to consumers; and
• Information about security breaches that exposed a consumer’s identity or financial information.

HOW AND WHEN INFORMATION WOULD BE MADE AVAILABLE

Regarding direct access to information by consumers, the CFPB proposes that “a covered data provider would be required to make available information if it has enough information to reasonably authenticate the consumer’s identity and reasonably identify the information requested.”  Also, with proper authentication, that “covered data providers would be required to allow consumers to export the information covered by the proposals under consideration in both human and machine-readable formats.” 

The CFPB seeks input regarding consumer identity authentication, fees, included data elements, and data formats.

Related proposals regarding third-party access include:

Third-party portals that do not require an authorized third party to possess or retain consumer credentials;

Requirements to promote the availability, security, and accuracy of information made available to authorized third parties, including establishment of a general framework under which industry-set standards and guidelines can further develop;

• Third-party portal requirements related to factors affecting the quality, timeliness, and usability of the information;

• Required policies and procedures or performance standards to ensure that the transmission of information through the covered data provider’s third-party access portal does not introduce inaccuracies;

• Requirements to make information available to a third party only upon receipt of a third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity; and

• Requirements and restrictions regarding the provision of information to third parties that is known to be inaccurate.

THIRD PARTY OBLIGATIONS

Here, the CFPB’s proposals relate to the obligations of third parties, including:

• Prohibiting the collection, use, or retention of consumer information beyond what is reasonably necessary to provide the product or service the consumer has requested;

• Limitations on duration and frequency of information access;

• Limitations on third parties’ secondary use of consumer-authorized information;

• Deletion of consumer information that is no longer reasonably necessary to provide the consumer’s requested product or service, or upon the consumer’s revocation of the third-party’s authorization;

• Compliance with the Safeguards Rule or Safeguards Guidelines, or development and implementation of security programs based on the third party’s size and complexity and the nature of the data;

• Requiring policies and procedures to ensure the accuracy of information collected and used;

• Requiring periodic reminders to consumers on how to revoke authorization; and

• Requiring a mechanism to request information about the extent and purposes of the authorized third party’s access.

RECORD RETENTION OBLIGATIONS

The CFPB is seeking feedback on its proposal for “record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule.”

IMPLEMENTATION PERIOD

The CFPB is seeking “input on an appropriate implementation period for complying with a final rule,” and how the timeframe may need to take into consideration smaller entities’ ability to operationalize the requirements.

POTENTIAL IMPACTS ON SMALL ENTITIES

A major part of this section is devoted to quantifying the number of small entities that may be affected by the proposals. The CFPB provides estimates for the following:

Small Depository Firms

• Commercial Banking and Savings Institutions
• Credit Unions

Small Nondepository Firms

• Software Publishers
• Data Processing, Hosting, and Related Services
• Sales Financing
• Consumer Lending
• Real Estate Credit
• Financial Transactions Processing, Reserve, and Clearinghouse Activities
• Other Activities Related to Credit Intermediation
• Investment Banking and Securities Dealing
• Securities Brokerage
• Commodities Contracts Brokerage
• Payroll Services
• Custom Computer Programming Services
• Credit Bureaus

IMPRESSION

The concepts and proposals in the Outline are similar to the consumer rights contained in the data privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut, with one major difference: there is no exemption for data or entities subject to the Gramm-Leach-Bliley Act.  Thus, businesses that fit the definition of a covered data provider and have previously relied in whole or in part on those GLBA exemptions should monitor this rulemaking closely and consider the new compliance challenges it will pose.

—————–

[1]  12 U.S.C. § 5533.

[2] “Covered data provider means a financial institution, as defined in Regulation E (EFTA), or a card issuer, as defined in Regulation Z (TILA), who is a data provider.”  Outline, p. 66

[3] “The term ‘covered person’ means: (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.”  12 U.S.C. § 5481(6).

[4] A “data provider” means a covered person, as defined under the Dodd-Frank Act (12 U.S.C. 5481(6)), with control or possession of consumer financial information. Outline, p. 66.

[5] “Third party refers, generally, to data recipients or data aggregators.” Outline, p. 68.

[6] “Data recipient means a third party that uses consumer-authorized information access to provide (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer.” Outline, p. 66.

[7] “Data aggregator (or aggregator) means an entity that supports data recipients and data providers in enabling consumer-authorized information access.” Outline, p. 66.

[8] “Authorized third party means a third party who has followed the procedures for authorization described in part III.B.2.” Outline, p. 66.

[9] “’Account’ means a demand deposit (checking), savings, or other consumer asset account (other than an occasional or incidental credit balance in a credit plan) held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes.” 12 C.F.R. § 1005.2(b)(1).

[10] “Card issuer means a person that issues a credit card or that person’s agent with respect to the card.” 12 C.F.R. § 1026.2(a)(7).

In Wakefield v. ViSalus, Inc., the Ninth Circuit considered whether a jury verdict of $925,200,000 for cumulative statutory damages under the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) was constitutional in light of its harsh severity.  After a three-day trial, the jury delivered a verdict against ViSalus, finding that it sent over 1.8 million prerecorded calls to class members without prior express consent, in violation of the TCPA.   As the TCPA sets the minimum statutory damages at $500 per call, the total damage award against ViSalus was a staggering $925,220,000.

On appeal, the Ninth Circuit vacated and remanded the district court’s denial of ViSalus’s post-trial motion challenging the constitutionality of the statutory damages award under the Due Process Clause of the Fifth Amendment to permit reassessment of that question.  Turning to Supreme Court precedent from over a century ago, the Ninth Circuit reasoned that in certain extreme circumstances, a statutory damages award violates due process if it is so severe and oppressive as to be wholly disproportionate to the offense and obviously unreasonable.  The Court of Appeals held that this constitutional due process test should apply to aggregated statutory damages awards even where the statutory per-violation award is constitutional, which has been the case in individual TCPA actions. 

Providing a roadmap for district courts, the Ninth Circuit cited the factors it considered over three decades ago in Six Mexican Workers v. Arizona Citrus Growers, 904 F.2d 1301 (9th Cir. 1990), to determine whether an aggregated statutory damages award is disproportionately punitive:

• The amount of award to each plaintiff,
• The total award,
• The nature and persistence of the violations,
• The extent of the defendant’s culpability,
• Damage awards in similar cases,
• The substantive or technical nature of the violations, and
• The circumstances of each case.

Wakefield demonstrates that due process considerations are increasingly receiving traction from the Courts of Appeals.  In Parker v. Time Warner Entm’t Co., 331 F.3d 13, 22 (2nd Cir. 2003), the Second Circuit addressed this issue but only as a hypothetical in the context of a prospective aggregate statutory damages award under the Cable Communications Policy Act.  More recently, the Eighth Circuit, in Golan v. FreeEats.com, Inc., 930 F.3d 950 (8th Cir. 2009), affirmed a district court’s reduction of a $1.6 billion aggregate statutory damages award under the Due Process Clause. 

In light of this increasing trend, Wakefield may have powerful implications for putative class actions based on statutes, which permit large aggregate awards, in particular the TCPA.  A few of those implications are set forth below. 

New Challenge to Class Certification

If aggregate statutory damages have a potential to become unconstitutional, a class action cannot be viewed as a superior vehicle to litigating individual claims if the class members cannot get the full amount of statutory damages. 

Restructuring Settlement Leverage

Hypothetical aggregated jury statutory damage awards often drive outrageous settlement demands and results in less room for negotiation post class certification.  The risk of a challenge to an unfairly punitive damages award provides new settlement leverage. 

Traction for Constitutionality Defenses

Companies have been raising affirmative defenses that damages on a class wide basis are unconstitutional for years.  However, those companies have found little success until the Wakefield ruling.  This case may signal that affirmative defenses contesting constitutionality have some teeth.

Reconsideration of Statutory Damages By Congress

The TCPA, which provides statutory damages of $500 to $1,500 per call was enacted in 1991—a much less automated time.  In Wakefield, the Ninth Circuit recognized that “modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.”  Wakefield at 34.  The Ninth Circuit implicitly suggests that Congress may want to revisit the damages it assigned to more antique statutes.