CFPB Too Powerful: Federal Court Finds the Agency’s Structure is Unconstitutional

Written by: Lindsay Harden

Since its establishment in 2011, the Consumer Financial Protection Bureau (CFPB) has become what some argue is the most powerful federal agency in history. The Dodd-Frank Act not only established the CFPB, but transferred to it rulemaking authority previously held by seven different federal agencies, resulting in a significant concentration of power and giving the agency authority over nearly every type of financial product and service in the financial marketplace. Yesterday, that power was curtailed – to some extent – by the federal Court of Appeals for the D.C. Circuit.

In its opinion, the Court of Appeals noted that the Director of the CFPB, Richard Cordray, possesses more unilateral authority than any single commissioner or board member in any other independent agency in the U.S. government. The director alone decides what rules to issue, how to enforce those rules, when to enforce, against whom to enforce, and what sanctions and penalties to impose. Additionally, Dodd-Frank provided that the director can be removed only “for cause.” As a result, the director has an enormous amount of influence over American business, American consumers, and the overall U.S. economy, yet is accountable to no one – neither Congress nor the president.

The challenge the court considered was brought by PHH Corporation, a mortgage lender that argued the single-director model was unconstitutional and sought a shut-down of the entire agency. The court opted, however, for a narrower approach, striking the phrase “for cause” from the Dodd-Frank provision concerning the grounds for removal of the agency’s director. Thus, the director can now be removed by the president at will, a solution that, the court reasoned, will provide the critical check on the agency that was previously lacking.

The court also made another important finding in its decision, related to whether CFPB administrative actions are limited by statutes of limitations. The agency has repeatedly argued in the past that its administrative enforcement actions are not subject to statutes of limitations, meaning that it could theoretically bring an administrative action based on conduct occurring at any time in the past. However, the court rejected this argument and held that CFPB enforcement actions, whether brought as administrative actions or in court, are subject to the applicable statutes of limitations found within the underlying consumer protection laws the agency enforces.

It is unclear whether this decision will prompt other, more material changes in the agency’s structural organization and regulatory approach. Although the director may now be removed at will, he still holds all the same rulemaking and enforcement power as before. For example, the CFPB administrative appeals process is still heavily weighted in the agency’s favor, as each action brought by the director initially must then be appealed to him before becoming eligible for judicial review.

Though the agency will not be going away in the near future, this change does provide some ability to manage the director’s extraordinary power, at least in the short term. An appeal to either the full D.C. Court of Appeals or to the U.S. Supreme Court is expected, which could (if the case is reversed) return the CFPB to its status quo, with virtually unlimited power and influence.

For additional information on this case, please see our Dodd-Frank.com blog post.

November 4, 2016 at 8:00 am

CFPB Reissues Guidance on Supervised Bank and Non-Bank Relationship with Third-Party Service Providers

Written by: George Sand

On October 31, 2016, the Bureau of Consumer Financial Protection (“CFPB”) reissued Bulletin 2012-03 (Service Providers) to clarify certain aspects of the risk management program for service providers. The intention behind the release is to clarify that appropriate risk management can be accomplished through giving flexibility to supervised entities.

The CFPB expects supervised banks and non-banks to properly provide oversight to their respective service providers to ensure compliance with Federal consumer financial law and to prevent consumer harm. Section 1002(26) of the Dodd-Frank Act (12 U.S.C. 5481(14)) defines a service provider as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” The fact that a supervised bank or non-bank enters into a relationship with a service provider does not mean such bank or non-bank is absolved from liability for the service provider’s product. The supervised bank or non-bank may be liable for its service provider’s unfair, deceptive, or abusive acts or practices towards consumers. Circumstances triggering supervised bank or non-bank liability include a service provider’s unfamiliarity with legal requirements applicable to the product provided, inadequate efforts to implement such requirements carefully and effectively, and insufficient internal controls, among others. Title X authorizes CFPB to exercise enforcement authority over supervised service providers, which includes the ability of CFPB to examine supervised service provider operations on site.

Under the reissued bulletin, the CFPB clarifies that a supervised bank or non-bank risk management program may vary depending on the service being performed. Factors taken into consideration include the service’s size, scope, complexity, importance and potential for customer harm. The CFPB provides that supervised banks and non-banks should take the following steps with service providers:

  • Conduct thorough due diligence to ensure the service provider has the requisite knowledge and capacity to comply with Federal consumer financial law;
  • Review the service provider’s policies, procedures, internal controls, and training materials to ensure they provide for appropriate operations and oversight;
  • Draft contractual provisions with the service provider that provide “clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices”;
  • Establish internal controls and monitoring procedures for surveillance of the service provider to ensure the service provider is abiding by Federal consumer financial law; and
  • “Promptly” react to identified problems, including terminating the relationship when necessary.

November 3, 2016 at 8:00 am

FinCEN Issues Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime

Written by: Jennifer Salisbury

On Tuesday, October 25, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advisory to explain how regulations and requirements of the Bank Secrecy Act (the “BSA”) apply to cyber-events, cyber-enabled crime, and cyber-related information.

Under the BSA, a financial institution must file a Suspicious Activity Report (a “SAR”) in the event of any successful or unsuccessful cyber-event that poses or posed at least a $5,000 risk to such institution. Further, a SAR must be filed for any cyber-event that a financial institution knows or in any way suspects was intended to influence a transaction or a series of transactions at such institution. A cyber-event is an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information. In determining whether to report a cyber-event, a financial institution should take into consideration any information it has that relates to the cyber-event and should aggregate any funds and/or assets that were involved in or put at risk by the cyber-event. FinCEN also encourages any financial institution that discovers a cyber-event falling outside of the mandatory SAR threshold to consider voluntarily filing a SAR, because the information can still provide value to law enforcement investigations.

When filing a mandatory SAR, a financial institution should include any cyber-related information available to it. FinCEN also encourages that any cyber-related information be included in the filing of any voluntary SAR. Some examples of cyber-related information are IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information. Both mandatory and voluntary SARs should include complete and accurate information including, to the extent available: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; relevant IP addresses and their timestamps; device identifiers; methodologies used; and any other information the financial institution believes is relevant.

In addition, financial institutions should always ensure that they comply with any other cyber-related SAR requirements that might be imposed by their respective functional regulators.

To view the full text of the FinCEN Advisory, click here.

October 28, 2016 at 4:34 pm

Proposal to Streamline Call Reports for Community Banks

 

Written by: Nate Van Emon

On Friday, August 5, the Federal Financial Institutions Examination Council (FFIEC) requested public comment on a proposal to streamline the existing regulatory reporting requirements by eliminating and revising several Call Report data items for certain financial institutions with assets of less than one billion and domestic offices only. The proposal attempts to reduce the reporting burden for the smaller, less complex financial institutions, while still gathering the information required to allow regulators to monitor the safety and soundness of such institutions. The streamlined Call Report would remove approximately 40% of the requested data items, which eliminates 24 pages from the existing Call Report.

Specifically, the changes focus on (i) eliminating certain schedules relating to complex or specialized activities, (ii) removing data items identified as unnecessary for monitoring the safety and soundness of smaller institutions, (iii) reducing the frequency of data collection for certain data items, and (iv) removing data items that are only required for institutions larger than one billion in assets. Comments must be received within 60 days from the date the proposal is published in the Federal Register.

To view the full text of the proposal, please click here:

August 17, 2016 at 8:30 am

Prudent Risk Management of Oil and Gas Exposures

Written by: Steven Vetter

On July 27, 2016, the Federal Deposit Insurance Corporation (“FDIC”) issued a Financial Institution Letter regarding Prudent Risk Management of Oil and Gas Exposures. The letter states that due to the complex and highly specialized nature of loans to borrowers in the oil and gas industry, banks should be adequately prepared to deal with the accompanying volatility of this industry. Conservative underwriting, appropriate structuring, experienced and knowledgeable lending staff, and sound loan administration practices were cited as prudent risk management tools to protect the bank against the inherent volatility.

To reduce the risk to FDIC-supervised institutions, the letter reminds banks to spread their risk by geography, industry or borrower concentrations, whenever possible. If a bank cannot spread its risk accordingly, it is recommended that the bank assess whether setting the capital level higher than the regulatory minimum would be prudent.

The letter encourages banks that are affected by significant downturns in commodity prices to work with the afflicted companies towards a mutually-advantageous workout plan, while maintaining effective internal controls to manage such loans.

To view the full text of the FDIC guidance, click here.

August 4, 2016 at 8:15 am
