Invocation of personal liability signals CFPB bite matches its bark

The following is a guest post by Lauren Sartwell and Paul Marker, directors at Klaros Group.

Just over two weeks after a March 28 speech in which Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra made it clear that repeat offenders of consumer protection laws will face harsher penalties than ever before, the CFPB filed a complaint against TransUnion and two of its subsidiaries for “deceptive marketing practices” and failure to comply with a 2017 Consent Order.

Notably, the complaint against this major credit reporting agency also seeks to hold TransUnion executive John Danaher jointly and severally liable for damages, restitution, disgorgement of unjust enrichment, and civil money penalties.

In a statement announcing this new action, Chopra made his disposition toward repeat offenders clear: “TransUnion is an out-of-control repeat offender that believes it is above the law.” 

The 2017 Consent Order required TransUnion to warn consumers that lenders are not likely to use the identical scores they supply directly to consumers; required that they obtain the express, informed consent of consumers for recurring payments for subscription products or services; and that TransUnion provide an easy way for consumers to cancel subscriptions. 

Subsequent examinations in 2018, 2019, and 2020 revealed lingering non-compliance with the Order, leading to the CFPB’s recent complaint filed in federal court. 

The Bureau’s renewed focus on repeat offenders

In the March 28 speech, Chopra doubled down on his commitment to adopt an aggressive enforcement position, saying banks and other prominent market players that break the same law(s) multiple times could be precluded from certain strategic activities, such as M&A and could face other restrictions such as caps on growth or bans on certain types of products or business practices.

Rohit Chopra

The worst offenders could have operating licenses and special government privileges revoked.

While many of the potential actions Chopra cited fall outside of the CFPB’s authority, he made it clear that the Bureau plans to take decisive action to hold repeat offenders more accountable.

The CFPB intends to establish dedicated units in its supervision and enforcement divisions to enhance its ability to identify repeat offenders and corporate recidivists and ensure greater coordination and more consistent enforcement by and between partner agencies. 

The Bureau does have enforcement authority to grant “any appropriate legal or equitable relief” (including limits on activities or functions) for violations of federal consumer financial laws, which could stretch pretty far.

To take many of the steps Chopra laid out, however, other regulators — including the Federal Reserve, the Federal Deposit Insurance Corporation, and the Securities and Exchange Commission — would have to be willing to embrace Chopra’s approach and use their respective authorities to exact harsher penalties, including taking the rare steps of revoking licenses or imposing novel restrictions on repeat offenders.

Although Chopra did not expressly invoke the potential use of FIRREA (Financial Institutions Reform, Recovery, and Enforcement Act) authority in his recent speech, one can’t help but wonder if that’s one of the tools he’s envisioning more liberal use of in the future.

Those more aggressive tactics have rarely been applied in bank supervision historically. They will undoubtedly get the attention of any regulated entity that might have been taking a wait-and-see approach to the current regulatory environment.

So, what does all this mean for the industry? What can we learn from the TransUnion lawsuit and other past actions? Which entities are genuinely at risk, and how should entities of all types and sizes think about their risk and compliance functions in light of these developments?

Past as prologue

TransUnion is not the first example of the CFPB’s focus on repeat offenders. In at least two other recent cases, the CFPB has provided a glimpse of what this new, more aggressive posture toward repeat offenders might look like:

On March 9, 2020, the CFPB filed a complaint against Fifth Third Bank alleging compliance failures based on evidence suggesting bank employees opened accounts without customer knowledge to meet aggressive cross-sell goals.

On June 16, 2021, the CFPB amended its complaint to allege that Fifth Third’s failure to identify and remediate consumer harm promptly was itself abusive conduct under UDAAP. “Abusive” acts materially interfere with the ability of a consumer to understand a term or condition of a consumer financial product or service.

The amended complaint alleges “Fifth Third has taken insufficient steps to identify and remediate affected consumers”……and “focused on its own financial interests to the detriment of consumers.” 

Another example is the CFPB’s actions against LendUp, which essentially put the startup out of business.

The CFPB first took notice of LendUp Loans in 2016. LendUp offered single-payment and installment loans to consumers, positioning itself as an alternative to payday lenders.

The Bureau alleged LendUp was not delivering on its promise to lower interest rates, increase credit scores and offer more significant loan amounts if customers continued borrowing from the company.

The CFPB’s enforcement action ordered LendUp to stop misrepresenting the benefits of borrowing from the company. The CFPB also sued the company in 2020 for allegedly violating the Military Lending Act and again in September 2021, alleging LendUp was still engaging in the same deceptive practices that led to the 2016 action.

Chopra had harsh words for these repeat offenses: “LendUp was backed by some of the biggest names in venture capital. We are shuttering the lending operations of this fintech for repeatedly (emphasis added) lying and illegally cheating its customers.”

This example demonstrates the depth and conviction of the CFPB’s enforcement actions against repeat offenders under Chopra’s leadership. 

Prepare now for your next exam

Everything Chopra says and does clarify that we are entering into uncharted regulatory territory, and at this point, it seems virtually anything is possible.

The FTC and the Attorney General of the State of Illinois recently took joint action against a multistate auto dealer for charging “illegal junk fees” and discriminating against Black consumers.

Not only does that demonstrate the agencies’ willingness to issue joint enforcement actions, but FTC Chair Lina Khan also seemed to be embracing Chopra’s extensive use of UDAAP authority to combat discrimination, as the CFPB has signaled it will do in its revised UDAAP Exam Manual, which was just issued last month.

This means that Chopra is likely not going to struggle to get at least some of his agency peers on board with his approach to supervision and enforcement. That’s already happening.

So, while Chopra’s recent comments focused on some of the largest institutions, institutions of all sizes should prepare for a focus on recurring issues and regulatory violations.  

In light of this new emphasis on repeat offenders, financial institutions should review all observations, findings, Matters Requiring Attention (MRAs), and self-identified issues (including those you’ve successfully closed) and ensure:

  • For open issues, you are fully addressing all deficiencies identified, and you are proactively updating the regulators on the status of those improvements. 
  • The issue cited hasn’t recurred for closed cases, and controls are in place to proactively identify that issue or other issues in that area.
  • If additional issues have occurred that you identify and quickly address, including remediation of any consumer harm, be prepared to discuss and show your remediation rationale through proper analysis and documentation.
  • Lauren Sartwell

    Lauren Sartwell joined Klaros from Intuit Inc. where she oversaw product compliance and consumer protection for several of Intuit's regulated financial services products. In her time at Intuit, Lauren worked closely with business partners and stakeholders to assess risks, define compliance requirements, and implement controls to launch new and innovative consumer and small business offerings, including several partner-based products. Before leaping to Fintech, Lauren built her career at community, regional, and large financial institutions in various compliance and internal audit roles. She established compliance audit functions, coordinated and responded to state and Federal examinations, and conducted second-line compliance testing.Lauren received her BAs in English and Political Science from Iowa State University and is a Certified Regulatory Compliance Manager.