By Matt Applebaum & Scott Kleekamp, Bingham McCutchen LLP
Still in its formative stages, the Consumer Financial Protection Bureau (“CFPB”) has had an active year since the recess appointment of Richard Cordray as its first Director on January 4, 2012. With recent rulemaking and enforcement actions, the CFPB has begun to exercise its sweeping authority to regulate certain banks and nonbanks that offer or provide “consumer financial services and products.” As the agency heads into its second full year under Director Cordray, no longer facing the prospect of a new administration, this is an opportune time to review some key recent developments and consider takeaways for regulated entities.
B. Who and What the CFPB Regulates; the CFPB’s Developing Supervisory Authority
The CFPB was established by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, known as the Consumer Financial Protection Act of 2010 (the “Act”). It is tasked with implementing and enforcing “Federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services” and that such markets “are fair, transparent, and competitive.” Consumer financial products or services include, among other things, residential mortgage lending and related services; deposit-taking activities; debt collection; consumer reporting; consumer credit and related activities; money transmitting; check cashing and related activities; prepaid cards; and certain “financial advisory services,” such as credit counseling or other debt relief services (but excluding financial advisory services relating to securities when provided by a person regulated by the SEC or a State securities commission). The “Federal consumer financial laws” under the CFPB’s purview include over a dozen pre-existing laws (such as the Equal Credit Opportunity Act, SAFE Act, and Truth in Lending Act). They also include the Act itself, which broadly prohibits “unfair, deceptive or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service.”
In general, firms that offer a “consumer financial product or service” are “covered persons” subject to CFPB rulemaking and enforcement, as distinct from the CFPB’s examination authority. Notably, “service providers” to covered persons are also within the CFPB’s purview. The CFPB can also bring enforcement actions against persons who “knowingly or recklessly provide substantial assistance” to a covered person or its service provider with respect to violative conduct.
The CFPB’s ongoing supervisory authority -- including authority to require reports and conduct examinations -- is more delimited and, in important respects, is still being worked out through rulemaking. In general, the CFPB supervises what the Act calls “very large” banks, savings associations and credit unions, meaning insured depository institutions with more than $10 billion in assets. It also supervises certain nonbank entities, depending on the consumer market in question. Specifically, the CFPB supervises nonbanks, regardless of size, that provide residential mortgage loans and related services (including brokerage and servicing), private education loans and payday loans. It also supervises nonbank covered persons that are “larger participant[s] of a market for other consumer financial products or services”; or whom the CFPB has “reasonable cause to determine,” after notice and an opportunity to respond, “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” For many nonbank entities in these markets, this will be the first time that they are subject to regular federal supervision.
The CFPB has recently issued two final rules to define “larger participants” of the consumer reporting market (e.g., credit reporting firms) and consumer debt collection market, respectively. The rules set forth the activities that constitute each market, and set the “larger participant” threshold based on annual receipts from that market ($7 million for consumer reporting and $10 million for debt collection), also addressing matters such as how to measure “receipts” and when to include affiliate receipts. There is also a procedure for contesting supervisory jurisdiction. Specifically, persons who receive a notice from the CFPB initiating a supervisory activity (such as a request for a report or notice of an examination) have 45 days to respond by asserting that they are not a “larger participant” within the market. The response must include, at a minimum, an affidavit. The CFPB’s Assistant Director then makes an administrative determination, which is not subject to administrative appeal. The agency has said that it intends to use “various data sources,” such as SEC filings, public shareholder information, or proprietary data to identify entities that appear to qualify as larger participants.
Of course, the CFPB’s authority is subject to important exclusions and limitations for certain entities or activities, such as retailers who extend credit for the purchase of “nonfinancial goods or services;” auto dealers; real estate brokers; accountants and tax preparers; insurance companies; attorneys when they practice law; and SEC-registered securities firms. But in some cases these entities may be subject to CFPB authority to the extent they provide consumer financial products or services, act as service providers, or are subject to any of the enumerated Federal consumer financial laws under the CFPB’s purview.
Finally, regulated firms should bear in mind that the CFPB enjoys a striking degree of autonomy from congressional, presidential or even internal oversight. Among other things, the CFPB has only one Director, as opposed to the commission structure at many other federal agencies, and that Director may be removed by the President only for cause. CFPB regulations can be stayed or set aside by the Federal Stability Oversight Council, but only upon a two-thirds vote. In addition, Congress does not have the “power of the purse”; the CFPB receives automatic funding from the earnings of the Federal Reserve System, in an amount determined by the Director, up to a statutory cap of 12% of the Federal Reserve System’s annual operating expenses. These features position the agency to be a particularly aggressive, fast-moving regulator.
C. Recent Enforcement Actions
The CFPB has announced three consent orders since July 2012. In the first action, Capital One Bank (USA) N.A. consented to pay a $25 million fine and $140 million plus interest in customer restitution to resolve allegations that it had engaged in improper conduct to sell add-on products to credit card customers, particularly those with low credit scores. One of these products was a “Payment Protection Product” that allowed cardmembers to cancel up to twelve months of minimum payments in the event of unemployment or disability. According to the findings, representatives at third-party call centers used by Capital One “frequently engaged in improper sales practices,” such as misrepresenting the product’s cost; failing to tell cardmembers that they could not make claims based upon a present unemployment or disability; and making “misleading and incorrect assertions” to dissuade cardmembers from cancelling the product. Capital One had issued scripts to the third-party call centers, but call center representatives frequently deviated from or misinterpreted the scripts, and Capital One did not exercise sufficient oversight to detect and prevent such conduct. In addition to the fines and restitution, Capital One agreed to reform its compliance policies and procedures, including those relating to service provider oversight, and to submit those revised policies to the CFPB for approval. The mandated compliance reforms are broad, requiring Capital One to develop a “written enterprise-wide program designed to ensure that all consumer products and services sold by [Capital One], or through [its] Service providers” comply with the Act.
The second enforcement action was a joint action with the FDIC against Discover Bank (“Discover”). It also involved the sale of add-on credit card products through third party call centers. The CFPB found, among other things, that Discover’s telemarketing scripts “contained material misrepresentations and omissions likely to mislead reasonable consumers about whether they were purchasing” a product, such as characterizing outbound sales calls as “courtesy” calls and implying that a product was a free “benefit;” or asking cardmembers if they agreed to “be enrolled” in or “become a member” of a program without telling the customer that this would constitute a purchase. In addition, telemarketers “frequently . . . spoke more rapidly during the mandatory disclosure portion of the sales call” that included information about price and other material terms, and “also frequently downplayed” the importance of the mandatory disclosure. Discover agreed to pay a $14 million civil penalty and $200 million in customer restitution, and to several undertakings, such as enhancements to its “internal control systems” and “compliance audit program.”
Finally, on October 1, 2012, the CFPB announced a settled action against American Express Bank, FSB (“American Express Bank”) and two affiliates, alleging conduct such as deceptive marketing of credit cards that misled customers to believe that they would receive $300 for signing up for a card; a credit scoring system that unlawfully treated card applicants differently on the basis of age; and unlawful billing of late fees on certain charge cards. According to the order, American Express Bank exercised deficient oversight of its affiliates and service providers in connection with these violations. The consent orders required the American Express subsidiaries to pay a combined $27.5 million penalty and $85 million in customer refunds, and imposed detailed undertakings relating to firm-wide compliance systems, policies and procedures, including those relating to oversight of service providers.
There are several key takeaways from these settled enforcement actions. First, each case involved third-party service providers, particularly, in the Capital One and Discover matters, third-party call centers. Firms are therefore well-advised to review both their internal and third-party call center operations, as well as vendor oversight more generally, in light of the conduct cited in each case. Second, consistent with the agency’s stated priorities, the CFPB actions emphasize not only “point of sale” violations, but also a lack of adequate compliance policies and procedures to detect and prevent violations, and they imposed extensive remedial measures in that regard. Firms can expect their firm-wide compliance regimes to receive searching review from the CFPB in the supervisory or enforcement context. Finally, each action was based, at least in part, on the provisions of the Act that prohibit “unfair, deceptive or abusive” acts or practices, rather than more particularized provisions of Federal consumer financial law -- although the three actions cite “deceptive” rather than “abusive” conduct. These actions thus provide important initial guideposts with respect to CFPB enforcement of these amorphous provisions.
D. Recent Final and Proposed Rules
Much of the CFPB’s rulemaking to date addresses the “nuts and bolts” of making the bureau fully operational, such as the rules discussed above relating to the scope of its supervisory authority, and rules establishing its enforcement mechanisms (which are similar to those of the SEC and FTC). In addition, the CFPB has submitted a variety of proposed rules that are mandated by the Dodd-Frank Act, including rules relating to new disclosure requirements and other matters in connection with mortgage lending and servicing.
The most significant “substantive” final rule issued to date is the Remittance Transfer Rule, which imposes disclosure and other consumer protection requirements in connection with certain consumer-initiated money transfers (such as ACH wire transfers) to recipients in foreign countries, such as a family member or business located abroad. The rule is designed to, among other things, provide consumers with an opportunity to shop for lower-cost transfer services and to have certainty as to the amount of currency that will be delivered to the recipient. Remittance transfer providers, which can include a range of companies, must make advance disclosure to customers of items such as fees, taxes and the applicable exchange rate; and provide a post-transfer receipt that explains, among other things, the customer’s error resolution and cancellation rights (aspects of which are also mandated by the rule). The rule addresses the required “prominence and size” of the disclosures and their “proximity” to one another, and is accompanied by model disclosure forms -- a practice that one can expect to see in future rules. Indeed, the Act specifically authorizes the CFPB to issue such “model disclosures.”
The Remittance Transfer Rule, enacted under the Electronic Funds Transfer Act as amended by Dodd-Frank, applies to virtually any company that offers foreign remittance transfers to consumers, including banks, thrifts, credit unions, money transmitters and broker-dealers, but only if they do so “in the normal course of business.” Under a safe harbor provision, companies that provide 100 or fewer remittance transfers in both the current and previous calendar year are deemed not to be doing so as part of the normal course of business. Remittance transfers in excess of the safe harbor limits do not necessarily constitute normal course of business, depending on “facts and circumstances” such as whether remittance transfers are provided only occasionally as a customer accommodation, as opposed to being a generally available service.
As to future rulemaking, the CFPB has issued a Semiannual Regulatory Agenda that identifies matters it expects to consider during the period June 1, 2012 to May 2013. Potential rulemaking under consideration includes rules to require registration of certain nonbank covered persons. Such a registration program would likely be similar to the registration system that the CFPB currently administers for mortgage loan originators under the SAFE Act (which in turn is modeled on the CRD system for broker-dealers).
The CFPB, particularly following President Obama’s reelection, promises to be an active and significant regulator of a broad range of companies, including many nonbank entities that have not previously been subject to ongoing federal supervision. The pace and scope of its activities will undoubtedly increase in the coming year. Regulated entities can now consult a growing body of enforcement precedent, rulemaking and guidance that flesh out the CFPB’s priorities, procedures and techniques. As discussed above, the three settled enforcement actions to date have not only resulted in very large fines and restitution, but also highlight the agency’s emphasis on adequate customer disclosure, particularly in the call center context; its focus on effective firm-wide compliance systems; and the importance of supervising third-party vendors. Bank and non-bank firms that offer consumer financial services or products would be well-advised to keep abreast of the CFPB’s activities and guidance in 2013.
 12 U.S.C.A. § 5511 (emphasis added).
 § 5481(5), (15); Federal Register / Vol. 76, No. 125 / Wednesday, June 29, 2011.
 § 5481(12), (14). Responsibility for administering these laws was generally transferred to the CFPB from other federal agencies on July 21, 2011, the one-year anniversary of Dodd-Frank’s enactment.
 §§ 5531, 5536. The term “abusive” is new to the regulatory lexicon, raising concerns that hitherto accepted practices could be targeted for enforcement. Indeed, Director Cordray acknowledged in testimony before the House Oversight Committee on January 24, 2012, that the term is “a little bit of a puzzle because it is a new term,” and that it “is going to have to be a fact and circumstances issue; it is not something we are likely to be able to define in the abstract.” The Act does, however, attempt to provide guidance concerning the terms “abusive” and “unfair”. § 5531.
 §§ 5531, 5536(3). “Service provider” is defined to include firms that offer a “material service” to a covered person in connection with a covered activity, with exceptions for, among other things, a “support service of a type provided to businesses generally.” § 5481(26).
 § 5515. Depository institutions with $10 billion or less in assets are subject to the CFPB’s rulemaking authority, but enforcement and supervisory authority is reserved to the prudential regulator for these institutions. The CFPB can, however, participate in examinations conducted by the prudential regulator and recommend that the prudential regulator take enforcement actions. § 5516.
 See 12 C.F.R. 1090 et seq.
 A proposed rule published on May 25, 2012, would provide a somewhat more robust procedure for contesting a determination that a nonbank covered person is subject to supervision because its activities pose a risk to consumers in connection with consumer financial products or services. For instance, a target entity may request the opportunity for a supplemental oral response.
 §§ 5517, 5519. The definition of “financial product or service” also excludes securities-related services provided by registered securities firms, and “the business of insurance.” § 5481(15)(A)(viii), (C).
 For example, law firms can be regulated as “debt collectors” to the extent that debt collection is their “principal business” or they “regularly” engage in debt collection. Bar groups had sought a categorical exclusion of attorneys, to no avail. And, as discussed below, a recent rulemaking regarding certain remittance transfers can apply to registered broker-dealers under certain circumstances.
 Under the Act, the Director normally serves a five-year term; but Cordray’s recess appointment expires in 2013, at the end of the next Senate session.
 These and other features are challenged as unconstitutional in a pending lawsuit, which alleges that the concentration of authority in a single Director and lack of congressional or executive oversight eliminates “fundamental checks and balances” and “violates the Constitution’s separation of powers.” State National Bank of Big Spring v. Geithner, 1:12-cv-01043 (U.S.D.C. ESH).
 The CFPB recently issued guidance to firms concerning its expectations regarding “compliance management systems.” Supervisory Highlights: Fall 2012, at cfpb.gov. According to the report, “the CFPB’s non-public supervisory actions against financial institutions participating in the credit card, credit reporting, and mortgage markets have confirmed remedial relief to 1.4 million customers.” In October 2011, it issued a Supervision and Examination Manual describing in greater detail the agency’s view of the “common elements of an effective consumer compliance management system” -- with a focus on the involvement of a company’s board and senior management.
 A Compliance Bulletin issued simultaneously with the Capital One action provides guidance concerning the marketing of credit card add-on products, and more generally the factors the CFPB considers when evaluating the effectiveness of disclosures. CFPB Bulletin 2012-06 (July 18, 2012).
 A final rule was published on February 7, 2012, and amended in certain respects in a final rule published on August 20, 2012. See “Electronic Fund Transfers (Regulation E), Final Rule; Official Interpretation.” Federal Register, 77 (August 20, 2012) 50243-50288. The CFPB recently announced its intention to amend the rule yet again in certain limited respects, and has delayed the effective date accordingly, with the intent that the rule will become effective in the spring of 2013.