The US consumer financial services marketplace is competitive and heavily regulated. Advances in technology and significant capital investment have attracted technology firms, including established firms and start-ups, to compete in the financial services market with traditional providers, including banks and the card networks. The Consumer Financial Protection Bureau (CFPB) has matured into a strong enforcement agency, alongside the federal banking regulators, including the Federal Reserve System (Federal Reserve), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC), as well as state regulatory authorities. The CFPB has considered and adopted significant rule-makings, based on its authority under the Consumer Financial Protection Act of 2010 (CFPA), its founding statute, and other federal consumer financial protection laws. Looking forward, the rate of innovation and evolving regulatory climate have the potential to create an inflection point for the US consumer financial services market and opportunities for both new and established market participants.


i Statutory framework

Consumer payments, deposits and credit are subject to a complex set of federal and state statutes and regulations. With respect to consumer payments, the Electronic Fund Transfer Act (EFTA) establishes the basic rights, responsibilities and liabilities of consumers and the entities that provide electronic fund transfer services. In addition, laws in nearly every state regulate money transmission, generally under a state licensing regime. With respect to deposits, the Federal Deposit Insurance Act (FDIA) establishes comprehensive deposit insurance coverage, while other federal laws, including the Truth in Savings Act, provide consumer protections. Consumer credit also is heavily regulated under federal and state law. The Truth in Lending Act (TILA) and the Equal Credit Opportunity Act (ECOA) provide the backbone for federal consumer protections related to the various forms of consumer credit. State law, including state usury protections, may also apply. Finally, the CFPA and the Federal Trade Commission (FTC) Act set forth prohibitions on unfair, deceptive and, in some cases under the CFPA, abusive acts or practices (UDAP/UDAAP).

In addition to these substantive statutes covering consumer payments, deposits and credit, there is an overlay of federal statutes covering law enforcement objectives (e.g., the Bank Secrecy Act) and consumer financial privacy (e.g., the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (FCRA)), among other key statutes and regulations targeting public policy objectives. This overlay is the subject of extensive review and analysis in other treatises or law journals and is referred to herein only in passing.

ii Regulatory framework

Entities that provide consumer financial products or services are subject to regulation and enforcement by both federal and state authorities. At the federal level, the CFPB has enforcement authority with respect to 'covered persons', including banks with assets over US$10 billion, 'larger participants' in certain consumer financial product or service markets, and 'service providers', as those terms are defined in the CFPA.2 The CFPB also has authority to write rules prohibiting covered persons and service providers from engaging in UDAAPs, and to enforce such rules.3 In addition, the CFPB has rule-making and enforcement authority under the federal consumer financial protection statutes, including those listed above (such as EFTA and TILA), that apply to all persons subject to the laws, without regard to whether they are a covered person or a service provider.4 Finally, the CFPB has authority to enforce against any person who aids or abets a UDAAP, which means 'knowingly or recklessly' providing 'substantial assistance to a covered person' in connection with a violation of the UDAAP prohibition.5

In addition to the CFPB, at the federal level, the banking regulators and the FTC have enforcement authority with respect to certain banks and non-banks, respectively. At the state level, banking departments, licensing authorities and state attorneys general have varying degrees of rule-making and enforcement authority.


i Overview

In the United States, the primary payment methods are cash, debit card, credit card, prepaid card, cheques and ACH transactions. The Federal Reserve estimates that in 2015 alone there were more than 144 billion non-cash retail payment transactions in the US, with a value of almost US$178 trillion.6 According to the Federal Reserve, the most common payment methods are card-based (debit, credit and prepaid), while ACH transactions have the highest dollar value for non-cash retail payments.7

Although there is a great deal of industry interest and activity around online and mobile payments, to date, most online and mobile payments are processed using traditional payment infrastructures. Nevertheless, emerging payment solutions can leverage a number of enhancements over traditional payment methods, including improved customer interfaces, increased use of customer data, and integration with customer loyalty or reward programmes or other third-party services used by consumers. These enhancements have the potential to lessen friction and promote consumer conversion and usage rates. Many of the novel legal and regulatory issues surrounding emerging payments are related to these enhancements.

ii Recent developments

On 16 August 2017, the Department of Justice (DOJ) announced the end of Operation Chokepoint, a 2013 initiative of the DOJ that held banks and payment facilitators liable for dealing with 'high risk' merchants, such as pawnbrokers and payday lenders.8 Nonetheless, other federal agencies, such as the FTC and the CFPB, continue to hold payment service providers responsible for the actions of their merchants.9 For example, on 26 July 2018, the FTC testified before subcommittees of the US House Committee on Oversight and Government Reform that the FTC would continue to focus on payment processors who facilitate consumer fraud.10

On 31 July 2018, the Department of Treasury (the Treasury) released a report identifying potential improvements to the regulatory landscape that could better support nonbank financial institutions, embrace financial technology, and foster innovation.11 The report made key recommendations to improve current US payment systems, specifically recommending that (1) states work to harmonise money transmitter requirements for licensing and supervisory examinations; (2) the CFPB provide more flexibility regarding 'the issuance of remittance disclosures'; and (3) the Federal Reserve facilitate a faster retail payments system, such as through the development of a real-time settlement service. The Treasury cited a report published by the Federal Reserve in 2017, which detailed strategies for improving the US payment system.12 The Treasury also noted that the increasing digitisation of payments is expected to reduce costs in payment processes for businesses and firms.

On 14 September 2018, NACHA announced the approval of three rules to improve same-day ACH capabilities of financial institutions: (1) as of 18 September 2020, same-day ACH transactions may be submitted to the ACH network for an additional two hours each business day; (2) as of 20 March 2020, the same-day ACH per-transaction dollar limit is increased to US$100,000; and (3) as of 20 September 2019, the speed of funds availability for certain same-day and next-day ACH credits will be increased by expanding the window of time for which funds from same-day ACH credits are processed.13

On 3 October 2018, the Board of Governors of the Federal Reserve System (the Federal Reserve Board) invited public comment on two potential actions that the Federal Reserve could take to support faster payments in the United States that would 'promote ubiquitous, safe, and efficient faster payments in the United States by facilitating real-time interbank settlement of faster payments'.14 The Federal Reserve Board's request for comment was born out of the recommendations of the Faster Payments Task Force, which was established in 2015 to support efforts to improve the speed, safety and efficiency of payments; the Task Force made specific recommendations for creating an ecosystem conducive to the development and adoption of faster payments solutions.15 Specifically, the Federal Reserve Board's request for comment asked whether the development of either of two services, which would be available 24 hours a day, seven days a week, 365 days a year, would help achieve this goal: (1) a service for real-time interbank settlement of faster payments; and (2) a liquidity management tool that would enable transfers between Federal Reserve accounts to support services for real-time interbank settlement of faster payments. The Federal Reserve Board noted the growing expectation of consumers and businesses to be able to send and immediately receive payments 'at any time of the day, any day of the year.'16

On 25 January 2018, the CFPB finalised amendments to its prepaid accounts rule (prepaid rule), which was published in November 2016.17 The prepaid rule amends key provisions of the CFPB's Regulation E (Electronic Fund Transfers) and Regulation Z (Truth in Lending).18 It establishes a prescriptive 'pre-acquisition' disclosure regime, provides an alternative to written periodic statements, and contains modified error resolution procedures and cardholder liability limitations. It also extends modified versions of certain requirements under the Credit Card Accountability Responsibility and Disclosure Act (the CARD Act) to prepaid accounts, including a requirement to submit to the CFPB, and to post to a public website, certain prepaid account agreements.19 The prepaid rule will significantly alter the way prepaid card programmes are offered and managed in the United States.

The 2018 amendments addressed certain concerns about the prepaid rule raised by industry and delayed the general effective date for the prepaid rule until 1 April 2019.20 Specifically, the amendments finalise an exception to the requirements for a prepaid account issuer to provide error resolution and liability limitations for certain unverified prepaid accounts, provide additional flexibility with respect to the pre-acquisition disclosure requirements, and create a narrow exception to the credit-related provisions.21 While further amendments may be forthcoming from the CFPB, the prepaid rule is expected generally to take effect on 1 April 2019.


i Overview

Access to deposit accounts for currently 'unbanked' or 'underbanked' consumers and compliance with overdraft rules remain high priorities for US regulatory agencies, including the CFPB. The CFPB has taken action against institutions that have allegedly charged inappropriate overdraft fees and has encouraged alternatives that prevent consumers from overdrafting their accounts. Technological developments such as online banking, mobile banking and text-message alerts for low balances can help consumers better manage their accounts and prevent overdrafts.

ii Recent developments

On 15 November 2017, the CFPB announced a plan to seek the approval of the Office of Management and Budget to conduct online testing of consumer comprehension and decision-making in response to automated teller machine and debit card overdraft disclosure forms with 8,000 individuals.22 The notice follows the CFPB's August 2017 release of four prototype model overdraft disclosure forms, which it is in the process of testing, and an accompanying report on checking account overdraft services.23

On 2 April 2018, the CFPB published its 2017 Consumer Response Annual Report.24 According to the report, the 24,600 checking or savings account complaints received by the CFPB in 2017 represent about 8 per cent of total complaints received. The CFPB also reported that the most common consumer complaints about deposit accounts (71 per cent) involved account management, such as technological innovations in account management displacing traditional practices. Less frequent complaints related to checking and savings products involved problems associated with low funds in a consumer's account, closing a consumer's account, opening an account, and charges posted to an account.

Recent statements from the CFPB signal a shift in regulatory interest in overdrafts. On 10 May 2018, the CFPB published a blog post announcing the agency's 2018 rule-making agenda.25 While the CFPB had been studying overdraft practices and fees since 2012 in preparation for a possible rule-making proceeding, the agenda redesignated its overdraft services rule-making from the pre-rule stage to 'inactive' status. According to the blog post, Acting Director Mulvaney's decision to reclassify the rule-making was made 'in the expectation that final decisions on whether and when to proceed with such projects will be made by the Bureau's next permanent director'.26


i Overview

According to the Federal Reserve, the total revolving consumer credit outstanding in the United States as of October 2018 was more than US$1 trillion.27 By some estimates, credit card debt may make up approximately 80 per cent of all revolving consumer credit outstanding.28 Revolving credit transactions are subject to a variety of statutes and regulations, including TILA and the ECOA, that impose both substantive and disclosure requirements. In addition, credit card issuers and acquirers are contractually obligated to comply with card network rules. These laws and rules focus primarily on consumer protections, such as those related to disclosure of terms, credit balances, billing error resolution, changes in terms, credit reporting and discrimination.

ii Recent developments

On 27 December 2017, the CFPB released its biennial report on the credit card market, as required by the CARD Act.29 The report, entitled 'The Consumer Credit Card Market', is informed by public responses to a March 2017 request for information, in which the CFPB solicited information about a number of aspects of the consumer credit card market. The report summarises key findings on topics including the cost and availability of credit, credit card issuer practices related to digital account servicing and credit score access, balance transfers and the complexity of credit cards, rewards programmes, deferred interest products, products marketed to non-prime borrowers, third-party comparison sites, credit card debt collection, and product innovation. In the report, the CFPB notes that 'quantitative and qualitative indicators . . . suggest a positive picture for consumers in the credit card market'.30

On 29 June 2018, the CFPB announced a settlement with a large bank for allegedly failing to re-evaluate and reduce the annual percentage rate ('APR') for about 1.75 million customer credit card accounts as required by the CARD Act and Regulation Z; and failing to maintain reasonable written policies and procedures to conduct the APR re-evaluations consistent with the regulations.31 Under the terms of the consent order, the bank must correct these practices and pay US$335 million in restitution to consumers affected by improper credit card account management practices. The CFPB did not assess civil money penalties, in part because the card issuer had identified and reported the issues, and had initiated remediation to affected consumers.


i Overview

Residential mortgages are heavily regulated products in the United States. A complex web of state and federal statutes and regulations governs nearly every aspect of the residential mortgage loan lifecycle, including underwriting, origination, closing, servicing, loss mitigation and foreclosure. While non-mortgage instalment credit products, including auto loans, student loans and personal loans, are not subject to the volume and degree of end-to-end regulatory requirements seen in the mortgage market, they too are regulated at the federal and state levels. Moreover, the CFPB's enforcement arm has recently focused on the student lending, loan servicing and small-dollar lending markets, while its rule-making arm is reconsidering the agency's sweeping rule to regulate the short-term instalment loan market.32

Beyond traditional instalment loan products, online lending platforms, or 'marketplace lenders', have proliferated rapidly in the US. Marketplace lenders, which are generally non-bank platform providers, typically partner with banks, which originate loans and sell either the loans or the receivables to the marketplace lender, private investors, or both. Alternatively, marketplace lenders may independently originate loans under state lending licences and sell the loans or the receivables to investors. Federal and state regulators have been intently focused on marketplace lending.33

ii Recent developments

On 17 November 2017, the CFPB published a rule to regulate the short-term instalment loan market.34 While the rule was to take effect on 16 April 2018 for certain provisions, the CFPB delayed the effective date of the entire rule until 19 August 2019. Subsequently, on 26 October 2018, the CFPB stated that it would reconsider the rule and address the rule's compliance date.35 On 6 November 2018, a Texas federal court stayed the rule's August 2019 compliance date pending further order of the court.36 The future of this rule is uncertain; however, the subject remains on the CFPB's regulatory agenda.

On 30 September 2018, the California governor signed into law an act that requires disclosure of key terms in connection with certain commercial financing by non-banks.37 The law is the first US state law to require consumer-style disclosures for commercial financing and is intended to facilitate comparisons of financing options by recipients of covered financing offers. The law applies to commercial financing offers of US$500,000 or less to entities in California by any entity that extends a specific offer of commercial financing, including non-depository institutions that arrange commercial financing as part of a bank partnership arrangement. 'Commercial financing' includes commercial loans of US$5,000 or more, commercial open-end credit plans, lease financing transactions, account receivable purchase transactions, asset-based lending transactions, and factoring. While the law establishes a general framework for the disclosure requirements, it requires the California Department of Business Oversight (DBO) to establish details through the adoption of implementing regulations. There remain open issues that will need to be addressed by regulation, and whether the DBO takes an approach similar to that of the federal Truth in Lending Act or opts to take a different approach remains to be seen.

On 11 July 2018, the New York Department of Financial Services (NYDFS) released a report on online lenders, which stemmed from a recently enacted state law that required the NYDFS to study and prepare a report on online lending in New York.38 The report compiles survey responses from 35 online lenders addressing topics that include the business models and operations of online lenders, the number of consumers and small businesses in New York served by online lenders, loan terms, and complaints and investigations. Based on the online lenders' responses, the NYDFS recommended that consumer protection laws should apply equally to all consumer lending and small business lending activities; that state usury limits must apply to all New York lenders; and that online lenders should be subject to direct supervision and oversight.

A series of cases have questioned whether a bank is the 'true lender' in a partnership with a marketplace lender. If the marketplace lender is the 'true lender' instead of the bank, it could be required to obtain state licences and conform its loans to state usury laws. Outcomes of these cases have varied. One federal district court held that federal law expressly pre-empts state usury laws for bank-partner programmes where the bank initially holds the loan.39 In contrast, other federal district courts have refused to dismiss 'true lender' actions on pre-emption grounds,40 and have analysed whether a marketplace lender holds the 'predominant economic interest' in the loan and, thus, is the 'true lender'.41 California district courts have come to divergent conclusions on the issue.42

While distinguishable from the 'true lender' line of cases, and a revolving credit case on the facts, the question of whether a loan is subject to state usury laws after it is sold to a non-bank lender remains relevant for lenders in the Second Circuit (which includes Connecticut, New York and Vermont) in the wake of the US Supreme Court's 2016 denial of certiorari in Midland Funding LLC et al v. Madden.43 By declining to review Madden, the Supreme Court let stand the Second Circuit's controversial holding that Section 85 of the National Bank Act,44 which pre-empts state laws governing the rate of interest a national bank may charge on a loan, does not have pre-emptive effect after a national bank sells a loan to a non-bank.45 A federal district court has considered whether the National Bank Act pre-empted state usury law when applied to a non-bank assignee of loans originated by a national bank; while the court recognised that state law would be pre-empted as to the national bank that originated the loan, it cited Madden in dicta in noting that it was 'not persuaded' that National Bank Act pre-emption applied to assignees of national banks.46

On 8 June 2017, the US House of Representatives passed legislation that would add the following language to Section 85 of the National Bank Act: 'A loan that is valid when made as to its maximum rate of interest . . . shall remain valid with respect to such rate regardless of whether the loan is subsequently sold, assigned, or otherwise transferred to a third party . . . notwithstanding any State law to the contrary.'47 On 14 February 2018, the House of Representatives passed additional legislation that would amend the National Bank Act with language virtually identical to the 'valid when made' language.48 While a similar bill was introduced in the US Senate in July 2017,49 no further action was taken prior to the adjournment of the 115th Congress at the end of 2018.


Regulators and courts have focused on other areas related to consumer financial services, including fair access, privacy and cybersecurity, credit reporting, anti-money laundering and use of third-party service providers. The developments identified below are representative, not exhaustive.

i Fair access to financial services

On 30 January 2018, CFPB Acting Director Mulvaney announced the transfer of the agency's Office of Fair Lending and Equal Opportunity (the Fair Lending Office) from the Division of Supervision, Enforcement and Fair Lending to the Office of Equal Opportunity and Fairness, which is housed in the Office of the Director.50 The Fair Lending Office now has no independent supervisory or enforcement authority, and focuses on advocacy, coordination and education. Fair lending supervision and enforcement activities remain in the Division of Supervision, Enforcement and Fair Lending. It is anticipated that the CFPB and state attorneys general, as well as private litigants, will continue to pursue fair lending violations.

On 21 May 2018, the President signed into law a congressional resolution to nullify a 2013 CFPB bulletin regarding compliance with the ECOA and Regulation B by certain entities.51 Members of Congress were of the view that the bulletin exceeded the CFPB's statutory authority. In a subsequent statement, Acting Director Mulvaney said: 'I want to make it abundantly clear that the Bureau will continue to fight unlawful discrimination at every turn. We will vigorously enforce fair lending laws in our jurisdiction, and will stand on guard against disparate treatment of borrowers.'52

The Community Reinvestment Act (CRA) and its implementing Regulation BB require periodic evaluations of each insured depository institution's record related to the investments in the communities in which the institution conducts business. On 28 August 2018, the OCC issued an advance notice of proposed rule-making on modernising the CRA regulations, including: (1) encouraging increased lending and services to people in low- and moderate-income areas; (2) clarifying and expanding the types of CRA-eligible activities; (3) making bank CRA performance more transparent; and (4) establishing metric-based thresholds for CRA ratings.53

ii Privacy and cybersecurity

The US privacy regime is generally based on principles of notice and choice, while cybersecurity is based on a standard of 'reasonableness'.

With respect to privacy, on 28 June 2018, the California governor signed into law what is arguably the most expansive privacy legislation in US history.54 Effective 1 January 2020, the California Consumer Privacy Act (CCPA) provides California residents with four core individual rights: (1) the right to request deletion of personal information that a business has collected from the consumer; (2) the right to request that a business provide information about, and copies of, personal information; (3) the right to opt out of the sale of personal information; and (4) the right to be free from discrimination (in other words, businesses are prohibited from charging different prices or rates to consumers, providing different services, or denying goods or services to consumers who exercise their rights under the CCPA).

For cybersecurity, the trend is towards more prescriptive requirements, as well as aggressive enforcement. For instance, on 28 August 2017, the primary provisions of the new NYDFS cybersecurity rule went into effect.55 These provisions include requirements that covered entities subject to NYDFS jurisdiction designate a chief information security officer, maintain a cybersecurity programme and implement a written cybersecurity policy.56 The first certification of compliance with the rule was required by 15 February 2018 and additional requirements were phased in on 1 March 2018 and 3 September 2018.57

The 7 September 2017 announcement by Equifax Inc., one of the Big Three credit reporting agencies (CRAs) in the United States, that criminals had gained access to certain files in a cybersecurity incident that the company said affected approximately 143 million US consumers58 has led to a number of lawsuits and legislation before Congress to further regulate CRAs. In addition, the NYDFS finalised a regulation, discussed below, that subjects CRAs to New York's cybersecurity rule, giving the NYDFS the power to examine CRAs and refuse to renew, revoke or suspend their registration for failure to comply with the cybersecurity rule.59

iii Credit reporting

Regulatory agencies and courts are actively considering matters related to credit reporting. As discussed above, the data breach of record-breaking proportions suffered by Equifax has resulted in increased scrutiny of the industry. On 25 June 2018, the NYDFS issued a rule that requires CRAs that handle consumer report information relating to New York residents (Covered CRAs) to comply with a host of requirements, including the New York cybersecurity rule, and otherwise regulates the credit reporting business in New York.60 Under the rule, a Covered CRA must register with the NYDFS beginning on 15 September 2018, and annually beginning on 1 February 2019, and is subject to examination by the NYDFS.61

On 13 June 2018, the CFPB announced a settlement finding that a company and its subsidiaries violated the FCRA and its implementing Regulation V.62 It alleged that the companies, which regularly furnished consumer credit information to CRAs, failed to establish reasonable policies and procedures regarding either credit reporting or the accuracy and integrity of the information furnished.63 In addition, it alleged that the companies failed to update and correct inaccurate furnished information or made updates and corrections very slowly, re-furnishing the inaccurate information to CRAs.64

iv Anti-money laundering

Legislation to modernise the Bank Secrecy Act regime has been under consideration in Congress because the current anti-money laundering (AML) system is viewed as not keeping pace with the evolving challenges presented by terrorist organisations, international traffickers and criminal enterprises.65 A number of provisions are aimed at increasing the dollar thresholds that trigger financial institutions' obligations to file suspicious activity reports and currency transaction reports with the Financial Crimes Enforcement Network (FinCEN). However, FinCEN has testified before Congress that this information is very valuable to law enforcement and that raising the reporting thresholds would reduce its availability.66

On 23 October 2018, the OCC announced an assessment of a US$100 million penalty against a bank for alleged deficiencies in its AML programme.67 The OCC found that the bank 'failed to achieve timely compliance' with the provisions of a 2015 OCC consent order, which outlined shortcomings in the bank's AML programme.68 These alleged shortcomings included weaknesses in the bank's compliance programme and related controls; deficiencies in its risk assessment, remote deposit capture and correspondent banking processes; and failure to file suspicious activity reports.

Finally, on 8 November 2018, the DOJ and the FTC announced that a major international money transmitter agreed to extend its 2012 deferred prosecution agreement (DPA) with the DOJ and forfeit US$125 million because of alleged significant weaknesses in the company's AML programme during the term of its DPA, putting the company in breach of the DPA.69 The DOJ found that while the company had made progress, it 'has not implemented all of the required enhanced compliance undertakings [and] experienced significant weaknesses in its [AML] and anti-fraud program . . . which caused a substantial rise in consumer fraud transactions'.70 The FTC found that the company failed to take steps required under a 2009 FTC order to reduce fraudulent money transfers.71

v Use of partners and third-party service providers

Bank regulators have increased their scrutiny of the use of partners and third-party service providers. Both the OCC and the CFPB have issued guidance on the use of service providers, including the expectation of comprehensive and rigorous service provider oversight and management, and continue to take related enforcement actions.72 On 7 June 2017, the OCC issued frequently asked questions (FAQs) that supplement the OCC's 2013 guidance, setting forth its expectation for banks' due diligence and ongoing monitoring of third-party service providers, including enhanced diligence and monitoring for third parties that support critical activities.73 While the FAQs affirm the prior guidance, they provide more flexibility for banks to adjust their approach to third-party risk management based on the level of risk and complexity of the third-party relationship. The FAQs also provide for flexibility with respect to banks' structuring of their third-party risk management process; indicate that a bank, while maintaining its own effective third-party risk management process tailored to its specific needs, can collaborate with other banks to address the OCC's expectations for managing third-party relationships; state that banks may engage in information sharing to better understand cyber threats to the bank itself or to service providers; and state that a bank may 'outsource some or all aspects of their compliance management systems to third parties, so long as the bank monitors and ensures that third parties comply with current and subsequent changes to consumer laws and regulations'.74

On 11 September 2018, five federal financial regulatory agencies issued a joint statement on the role of supervisory guidance for regulated institutions.75 The agencies (the Federal Reserve, FDIC, National Credit Union Administration, OCC and CFPB) emphasised that supervisory guidance 'does not have the force and effect of law' and that 'the agencies do not take enforcement actions based on supervisory guidance'.76 Instead, the role of supervisory guidance is to outline the agencies' supervisory expectations or priorities or to articulate the agencies' general views regarding appropriate practices in a given subject area, including in response to industry requests for such guidance. Supervisory guidance may also provide 'examples of practices that the agencies generally consider consistent with safety-and-soundness standards or other applicable laws and regulations, including those designed to protect consumers'.77 The agencies contrast supervisory guidance with regulations, which 'generally have the force and effect of law [and] generally take effect only after the agency proposes the regulation to the public and responds to comments on the proposal in a final rulemaking document'.78


The CFPB has continued to issue public consent orders related to a broad range of consumer financial products and services, including debt collection, deposit accounts, auto loans and loan origination. CFPB enforcement actions have slowed somewhat in the past year under the leadership of Acting Director Mulvaney. A brief review of UDAAP standards and key orders is provided below.

Generally, 'unfairness' means substantial injury to the consumer that the consumer could not have reasonably avoided, which is not outweighed by consumer or competitive benefits.79 'Deception' generally exists where there is a material representation, omission, or practice that is likely to mislead the consumer acting reasonably in the circumstances.80 Finally, 'abusiveness', which was established under the CFPA, means material interference with a consumer's ability to understand a term or condition of a consumer financial product or service, or taking unreasonable advantage of a lack of the consumer's understanding, the consumer's inability to protect his or her own interests, or the consumer's reasonable reliance on a covered person to act in the interests of the consumer.81

i Unfair practices

The following are examples of recent CFPB allegations of unfair practices:

  1. Forwarding of payments. The CFPB found that a retailer had engaged in an unfair practice when, due to operational errors, it substantially delayed forwarding payments made directly to the retailer to the third-party debt buyers to which it had sold the accounts.82
  2. Debt collection. The CFPB found that a company had engaged in unfair debt collection practices by making (1) in-person collection visits to consumers' homes and workplaces, (2) collection calls to work, and (3) calls to third parties with some relation to the consumer.83
  3. Auto loans. The CFPB found that a bank had acted in an unfair manner by forcibly placing unnecessary auto insurance on the vehicles of certain borrowers or failing to remove such insurance when the bank's service provider had incorrectly determined that borrowers had inadequate insurance on their vehicles.84
  4. Mortgage loans. The CFPB found that a bank unfairly charged borrowers for time extensions on the interest rate locks for their pending mortgages in situations where the bank should have absorbed the fees.85

ii Deceptive practices

The following list includes examples of recent CFPB allegations of deceptive practices:

  1. Auto loans. The CFPB found that an auto lender deceptively overstated to borrowers the amount of coverage that its gap insurance product would provide in certain situations and understated the impact of obtaining a loan extension.86
  2. Debt collection. The CFPB found that a debt purchaser used a group of debt collection companies to collect debt using practices that were deceptive.87 The CFPB alleged that the companies falsely told consumers that their debt was higher than was the case and threatened legal action that they had no intention or authority to take.
  3. Loan origination. The CFPB alleged that a loan servicer acted in a deceptive manner by misrepresenting that, and drafting loan agreements with language stating that, tribal law applied to loans to consumers in states where state law rendered the loans void.88
  4. Debt settlement services. The CFPB alleged that a debt settlement services provider engaged in deceptive behaviour by misrepresenting its ability to negotiate with creditors and charging fees to consumers without settling their debts as promised.89

iii Abusive practices

Below are examples of recent CFPB allegations of abusive practices:

  1. Check-cashing services. The CFPB found that a small-dollar lender abusively withheld funds during check-cashing transactions to satisfy outstanding amounts on prior loans, without disclosing this practice to the consumer during the initiation of the transaction.90
  2. Deposit accounts. A bank agreed to settle CFPB claims that the bank engaged in abusive conduct because the bank's account-opening process allegedly interfered with the ability of consumers to consider disclosures regarding overdraft services and included oral disclosures that made overdraft services seem mandatory.91
  3. Loan origination. The CFPB alleged that a loan servicer acted in an abusive manner by administering the origination and collection of loans to consumers in states where state law rendered the loans void or uncollectable.92
  4. Debt settlement services. The CFPB alleged that a debt settlement services provider abusively made some customers negotiate their own settlements and instructed borrowers to mislead lenders by concealing the fact of their enrolment in the debt settlement programme in order to negotiate their debt.93


The climate of deregulation and the influence of non-traditional financial services providers on the US consumer financial services market will continue to be the dominant forces shaping the country's consumer financial services regulatory landscape in the coming year. Financial technology firms continue to deploy innovative technological solutions and develop new uses for a rapidly expanding universe of consumer data, and supervisory and regulatory authorities continue to try to keep pace.94 The coming year will also see continued evolution of the body of case law surrounding the 'true lender' and credit card surcharging issues, and perhaps resolution of the Madden issue, whether through judicial or legislative action.


1 Rick Fischer is a senior partner, Obrea Poindexter is a partner and Jeremy Mandell is of counsel at Morrison & Foerster LLP.

2 12 U.S.C. Section 5481.

3 id. Section 5531.

4 id. Sections 5512, 5561 to 5567.

5 id. Section 5536.

6 See Federal Reserve, The Federal Reserve Payments Study 2016 at 2 (22 Dec. 2016) (triennial study).

7 id. at 3.

8 Letter from Stephen E Boyd, Assistant Attorney General, U.S. Department of Justice, to the Honorable Bob Goodlatte, Chairman, Committee on the Judiciary, U.S. House of Representatives (16 Aug. 2017).

9 For example, the CFPB's Compliance Management System Examination Manual, updated August 2017, instructs supervision personnel to ensure that financial services providers maintain robust systems for vetting third-party service providers who may cause harm to consumers.

10 Press Release, Federal Trade Commission, FTC Testifies Before Two House Oversight and Government Reform Subcommittees About the Agency's Work to Combat Payment Processors Who Facilitate Fraud (26 July 2018).

11 U.S. Dep't of the Treasury, A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovations (July 2018).

12 See Federal Reserve, Strategies for Improving the U.S. Payment System: Federal Reserve Next Steps in the Payments Improvement Journey (8 Sept. 2017).

13 Press Release, NACHA–The Electronic Payments Association, Same Day ACH Will Be Enhanced to Meet ACH End-User Needs (14 Sept. 2018).

14 Potential Federal Reserve Actions to Support Interbank Settlement of Faster Payments, Request for Comments, 83 Fed. Reg. 57,351 (15 Nov. 2018).

15 Faster Payments Task Force, The U.S. Path to Faster Payments, Final Report Part Two: A Call to Action 36 (July 2017).

16 Press Release, Federal Reserve Board, Federal Reserve Board Seeks Public Comment on Potential Actions to Facilitate Real-Time Interbank Settlement of Faster Payments (3 Oct. 2018).

17 Rules Concerning Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth In Lending Act (Regulation Z), 83 Fed. Reg. 6,364 (13 Feb. 2018); see also 81 Fed. Reg. 83,934 (22 Nov. 2016).

18 12 C.F.R. pts. 1005 and 1026.

19 Pub. L. No. 111-24, 123 Stat. 1734 (2009).

20 Rules Concerning Prepaid Accounts Under the Electronic Fund Transfer Act (Regulation E) and the Truth In Lending Act (Regulation Z), 83 Fed. Reg. 6,364 (13 Feb. 2018).

21 id.

22 Information Collection Activities: Comment Request, New Collection—Web-based Quantitative Testing of Point of Sale/ATM Overdraft Disclosure Forms, 82 Fed. Reg. 52,894 (15 Nov. 2017).

23 See Press Release, Consumer Financial Protection Bureau, CFPB Unveils Prototypes of 'Know Before You Owe' Overdraft Disclosure Forms Designed to Make Costs and Risks Easier to Understand (4 Aug. 2017).

24 See Consumer Financial Protection Bureau, Consumer Response Annual Report (Mar. 2018).

25 See Blog Post, Consumer Financial Protection Bureau, Spring 2018 Rulemaking Agenda (10 May 2018).

26 id.

27 See Federal Reserve Board, G.19 Consumer Credit, October 2018 (7 Dec. 2018).

28 See, e.g., Consumer Financial Protection Bureau, The Consumer Credit Card Market 32 (27 Dec. 2017).

29 Consumer Financial Protection Bureau, The Consumer Credit Card Market (27 Dec. 2017).

30 id. at 14.

31 Consent Order, In re Citibank, N.A., No. 2018-BCFP-0003 (29 June 2018).

32 See Payday, Vehicle Title, and Certain High-Cost Installment Loans, 82 Fed. Reg. 54,472 (17 Nov. 2017).

33 See, e.g., U.S. Dep't of the Treasury, Opportunities and Challenges in Marketplace Lending (10 May 2016); Press Release, Cal. Dep't of Bus. Oversight, California Online Lending Grows by More Than 930% Over Five Years (4 Apr. 2015); Press Release, New York Dep't of Financial Services, DFS Issues Online Lending Report (11 July 2018).

34 Payday, Vehicle Title, and Certain High-Cost Installment Loans, 82 Fed. Reg. 54,472 (17 Nov. 2017).

35 Consumer Financial Protection Bureau, Public Statement Regarding Payday Rule Reconsideration and Delay of Compliance Date (26 Oct. 2018).

36 Order, Community Financial Services Association v. Consumer Financial Protection Bureau, No. A-18-CV-0295 (6 Nov. 2018).

37 Cal. Stats. 2018, Ch. 1011, Sec. 2 (adding Cal. Fin. Code Div. 9.5, §§ 22800–22805).

38 Press Release, New York Dep't of Financial Services, DFS Issues Online Lending Report (11 July 2018).

39 Sawyer v. Bill Me Later Inc., 23 F. Supp. 3d 1359 (D. Utah 2014).

40 See, e.g., Meade v. Marlette Funding LLC, No. 1:17-cv-00575 (D. Colo. 21 Mar. 2018); Meade v. Avant of Colorado LLC, 307 F. Supp. 3d 1134 (D. Colo. 1 Mar. 2018).

41 Commonwealth of Pennsylvania v. Think Finance, Inc., et al., No. 14-cv-7139 (E.D. Pa. 14 Jan. 2016).

42 Compare Consumer Financial Protection Bureau v. CashCall Inc., No. 2:15-cv-07522 (C.D. Cal. 31 Aug. 2016), with Beechum v. Navient Solutions Inc., No. 2:15-cv-08239 (C.D. Cal. 20 Sept. 2016).

43 Midland Funding, LLC v. Madden, 136 S. Ct. 2505, 579 U.S. __ (2016).

44 12 U.S.C. Section 85.

45 Madden v. Midland Funding, LLC, 786 F.3d 246 (2d Cir. 2015).

46 Eul v. Transworld Systems, Inc., No. 1:15-cv-7755 (N.D. Ill. 30 Mar. 2017).

47 Financial CHOICE Act of 2017, H.R. 10, 115th Cong. Subtit. Q, § 581 (2017).

48 Protecting Consumers' Access to Credit Act of 2017, H.R. 3299, 115th Cong. (2018).

49 Protecting Consumers' Access to Credit Act of 2017, S. 1642, 115th Cong. (2017).

50 Email from Mick Mulvaney, Acting Director, Consumer Financial Protection Bureau, to all Bureau staff (30 Jan. 2018).

51 Pub. L. No. 115-172, 132 Stat. 1290 (21 May 2018).

52 Consumer Financial Protection Bureau, Statement on enactment of S.J. Res. 57 (21 May 2018).

53 Reforming the Community Reinvestment Act Regulatory Framework, 83 Fed. Reg. 45,053 (5 Sept. 2018).

54 Cal. Civ. Code §§ 1798.100–1798.199.

55 See N.Y. Comp. Codes R. & Regs. tit. 23, pt. 500.

56 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.02-.04, .07, .10, .16, .17.

57 See N.Y. Comp. Codes R. & Regs. tit. 23, § 500.22.

58 Press Release, Equifax, Inc., Equifax Announces Cybersecurity Incident Involving Consumer Information (7 Sept. 2017).

59 N.Y. Comp. Codes R. & Regs. tit. 23, pt. 201.

60 Press Release, New York Governor Andrew M. Cuomo, Governor Cuomo Announces Action to Protect New Yorkers' Private Information Held by Credit Reporting Companies (25 June 2018).

61 N.Y. Comp. Codes R. & Regs. tit. 23, pt. 201.

62 Consent Order, In re Security Group, Inc., No. 2018-BCFP-0002 (13 June 2018).

63 id. at 12 and 13.

64 id. at 13 and 14.

65 See, e.g., the Counter Terrorism and Illicit Finance Act, H.R. 6068, 115th Cong. (2018); the Bank Secrecy Innovation Act, H.R. 6849, 115th Cong. (2018).

66 Testimony for the Record, Kenneth A Blanco, Director, Financial Crimes Enforcement Network before the Committee on Banking, Housing and Urban Affairs, United States Senate (29 Nov. 2018).

67 Press Release, Office of the Comptroller of the Currency (OCC), OCC Assesses $100 Million Civil Money Penalty Against Capital One (23 Oct. 2018).

68 Consent Order, In re Capital One, N.A., No. AA-EC-2018-62 (23 Oct. 2018); Consent Order, In re Capital One, N.A., No. AA-EC-2015-48 (10 July 2015).

69 Press Release, U.S. Dep't of Justice, MoneyGram International Inc. Agrees to Extend Deferred Prosecution Agreement, Forfeits $125 Million in Settlement with Justice Department and Federal Trade Commission (8 Nov. 2018).

70 Joint Motion to Amend and Extend the Deferred Prosecution Agreement, United States v. MoneyGram International, Inc., No. 1:12-cr-291 (M.D. Pa. 8 Nov. 2018).

71 Press Release, Federal Trade Commission, MoneyGram Agrees to Pay $125 Million to Settle Allegations that the Company Violated the FTC's 2009 Order and Breached a 2012 DOJ Deferred Prosecution Agreement (8 Nov. 2018).

72 See OCC Bulletin 2013-29, Third Party Relationships: Risk Management Guidance (30 Oct. 2013); CFPB Bulletin 2012-3, Service Providers (13 Apr. 2012).

73 OCC Bulletin 2017-21, Frequently Asked Questions to Supplement OCC Bulletin 2013-29 (7 June 2017).

74 id.

75 Joint Press Release, Agencies Issue Statement Reaffirming the Role of Supervisory Guidance (11 Sept. 2018).

76 Interagency Statement Clarifying the Role of Supervisory Guidance (11 Sept. 2018).

77 id.

78 id.

79 12 U.S.C. Section 5531(c).

80 Federal Trade Commission, Policy Statement on Deception (14 Oct. 1983), appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984).

81 12 U.S.C. Section 5531(d).

82 Consent Order, In re Bluestem Brands, Inc., No. 2018-BCFP-0006 (4 Oct. 2018).

83 Consent Order, In re Security Group, Inc., No. 2018-BCFP-0002 (13 June 2018).

84 Consent Order, In re Wells Fargo Bank, N.A., No. 2018-BCFP-0001 (20 Apr. 2018).

85 id.

86 Consent Order, In re Santander Consumer USA Inc., No. 2018-BCFP-0008 (20 Nov. 2018).

87 Consent Order, In re National Credit Adjusters, LLC, No. 2018-BCFP-0004 (13 July 2018).

88 First Amended Complaint, Consumer Financial Protection Bureau v. Think Finance, LLC, No. 4:17-cv-00127 (D. Mont. 28 Mar. 2018). See also FTC v. WV Universal Management, LLC, 877 F.3d 1234 (11th Cir. 2017) (holding that a payment processor that processed transactions related to fraudulent debt servicing was jointly and severally liable with the merchant for deceptive practices in the amount of the total fraud perpetrated).

89 Complaint, Consumer Financial Protection Bureau v. Freedom Debt Relief, LLC, No. 3:17-cv-6484 (N.D. Cal. 8 Nov. 2017).

90 Consent Order, In re Cash Express, LLC, No. 2018-BCFP-0007 (24 Oct. 2018).

91 Order, Consumer Financial Protection Bureau v. TCF National Bank, No. 17-166 (D. Minn. 1 Aug. 2018).

92 First Amended Complaint, Consumer Financial Protection Bureau v. Think Finance, LLC, No. 4:17-cv-00127 (D. Mont. 28 Mar. 2018).

93 Complaint, Consumer Financial Protection Bureau v. Freedom Debt Relief, LLC, No. 3:17-cv-6484 (N.D. Cal. 8 Nov. 2017).

94 As an example, the OCC announced that it will begin accepting applications from financial technology companies, including marketplace lenders and non-bank payment providers, to become special purpose national banks. OCC, OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies (July 2018).