Ready or Not, Here Comes COPPA
If you’re a parent, you probably have an opinion on screen time. As we get further and further into the internet age and parents rely on online tools for education and entertainment (and even babysitting), more and more online platforms target children. Because of this, the Federal Trade Commission (FTC) also has an opinion on screen time. The FTC recently proposed changes to the Children’s Online Privacy Protection Rule (COPPA) that place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition services on the collection of children’s data.
COPPA, which first went into effect nearly 25 years ago, requires certain websites that collect personal information from children under the age of 13 to provide notice to parents and obtain parental consent before collecting, using, or disclosing a child’s personal information. The proposed rule also limits the personal data that websites can collect from children, limits how long they can retain such data, and requires them to secure the data.
The FTC has proposed several changes to COPPA, notably:
- Separate Opt-In for Targeted Marketing: Building off the existing consent requirement in COPPA, websites would now be required to obtain separate parental consent to disclose information to third parties, including third-party marketers—unless the disclosure is integral to the nature of the website or online service. Websites cannot condition access to services on the disclosure of personal information to third parties.
- Limits on the support for the internal operations exception: The current rule allows websites to collect persistent identifiers without first obtaining parental consent as long as the website does not collect any other personal information and uses the persistent identifier solely to provide support for the internal operations. The proposed rule would now require websites utilizing this exception to provide an online notice that states the internal operations for which the website has collected a persistent identifier and how they will ensure that such information is not used or disclosed to contact a particular individual, including targeted marketing.
- Strengthening data security requirements: The FTC has proposed strengthening COPPA’s data security requirements by mandating that websites establish, implement, and maintain a written children’s personal information security program that contains safeguards that rise to the sensitivity of the personal information collected from children.
- Limits on data retention: The FTC also would increase COPPA’s data retention limits by permitting personal information retention only for as long as necessary to fulfill the purpose for which it was collected. The proposal would also prohibit websites from using collected information for any secondary purpose, and it explicitly states that websites cannot retain the information indefinitely. The Rule would also require websites to establish and publish a written data retention policy.
The fact that this is an FTC rule may have been a giveaway, but you may have noticed that this rule is not tailored to banks; it applies across industries. It is meant to target websites geared towards children or those with actual knowledge that they collect data from children, which many bank websites do not. Instead, online accounts are often only available to those older; because of COPPA, many banks set this mark at 13 years old. Thus, websites are probably not child-directed, nor is there actual knowledge of collection.
However, other parts of the business, beyond those tied to banking, could be pulled into COPPA’s scope. For example, some banks have a travel division, and certain parts of that division’s online presence may target children. Another item worth considering is any emphasis on financial literacy education and offering products/services such as student banking. This might involve the online collection of children’s data. This could pose an issue from collecting information passively (e.g., from cookies or web beacons) without first getting parental consent. Still, as this sort of information often cannot be tied to a particular individual without an online account, it may not present an insurmountable problem. Thus, banks should not assume COPPA does not apply to them.
The CFPB’s “Impactful” Enforcement Authority
The CFPB is taking a victory lap on 2023. They recently posted on their blog to highlight their enforcement work last year and the tools at their disposal to reinforce “compliance with federal consumer financial laws and sending a clear message to entities within [their] authority and the public that the CFPB remains vigilant on behalf of consumers.” They also provided some hints as to their plans for the year ahead.
In 2023, the CFPB filed 29 enforcement actions and resolved through final orders six previously-filed lawsuits. Those orders required payment of approximately $3.07 billion to compensate harmed consumers and pay approximately $498 million in civil monetary penalties. Some of the key enforcement actions are as follows:
- In July, Bank of America was ordered to pay more than $100 million for systematically “double-dipping” insufficient funds fees, withholding reward bonuses owed to credit card customers, and misappropriating sensitive personal information without customer authorization.
- In August, the CFPB took legal action against Heights Finance Holding Company for illegally churning loans to collect hundreds of millions in loan costs and fees, alleging that it coerces “distressed borrowers into fee-laden cycles of reborrowing, incentivizes its employees to push refinances on consumers, targeting customers for their likelihood of refinancing and falsely marketing refinances as fresh starts.”
- In August, the CFPB entered into a settlement agreement with a group of credit repair companies who it says had collected illegal advance fees for credit repair services. The agreement imposed a $2.7 billion judgment.
- In November, the CFPB ordered Citibank to pay millions in fines for what it said was a systematic discrimination scheme against Armenian Americans. The CFPB alleged that for years Citibank singled out applicants for certain credit card products based on whether or not they had surnames that implied Armenian descent and that Citibank took efforts to hide their discriminatory practices. It said that Citibank employees then lied about the basis of denial and provided false reasons to denied applicants.
Based on the actions the CFPB chose to highlight, we can make a few assumptions about their current priorities. Predictably, there is a focus on what they deem “junk” fees. That is a noted priority of the Biden administration, and federal regulators are definitely increasing scrutiny of bank fees. “Junk” fees have seemingly come to encompass a variety of fees, from NSF to credit repair fees, as these enforcement actions demonstrate. There is also a focus on discrimination and coercion of distressed borrowers, using their UDAAP/UDAP and fair lending authorities.
Importantly, the CFPB also looked to the year ahead, saying that it is “significantly” “growing [its] capacity” in 2024. They now have “a team of technologists dedicated to enforcement” and they’re hiring “enforcement attorneys as well as non-attorney positions, including analysts, paralegals, e-litigation support specialists, economists, and more.” This implies an expectation of increased enforcement actions and, given how closely regulators work together, it may indicate a potential uptick of enforcement actions across regulators.
CFPB Flexes its Authority on NSF Fees
In furtherance of the crusade against “junk fees,” the CFPB proposed a new rule on non-sufficient funds (NSF) fees shortly after releasing their overdraft fee proposal last month. As you know, NSF fees are typically charged when items submitted for payment against a consumer’s account are returned unpaid due to insufficient funds. The CFPB’s proposal flexes the agency’s authority to prohibit unfair, deceptive, and abusive acts and practices to forbid NSF fees on debit card transactions and some person-to-person (P2P) payments that are declined instantaneously or “near-instantaneously.” While the CFPB freely admits that this “junk fee” is “rarely charged,” it believes this is a proactive step to head off, in CFPB Director Rohit Chopra’s words, “large banks and their consultants [who] have concocted new junk fees for fake services that cost almost nothing to deliver.”
The CFPB’s position is that charging fees for transactions declined in real-time is an abusive practice. A year ago, the CFPB issued a policy statement defining abusive acts or practices that indicated two categories of conduct it generally considers abusive: (1) actions that obscure important features of a product or service and (2) actions taking unreasonable advantage of consumers in certain circumstances. For instantaneous transactions, the CFPB finds that a consumer who would be charged an NSF fee would lack awareness of their available account balance and lack understanding of their account’s risk and condition when the transaction is initiated.
Instead of amending a current regulation to add the proposed rule, if finalized, the CFPB is proposing to create a new regulation (12 CFR Part 1042) while borrowing specific definitions, like “account” and “covered financial institution,” from Regulation E. The proposed rule would ban any fees charged on a “covered transaction,” defined as “an attempt by a consumer to withdraw, debit, pay, or transfer funds from their account that is declined instantaneously or near-instantaneously by a covered financial institution due to insufficient funds.” A “covered financial institution” would be defined as “a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services ….” NSF fees charged for check and ACH transactions are not covered by the rule. Therefore, the proposed rule intends to cover ATM and one-time debit card transactions for which an opt-in is required to charge an overdraft fee. The NSF fee prohibition would apply regardless of the label used by the financial institution to charge the fee.
As the CFPB readily admits, it expects this proposed rule will have a limited impact on current practices as these fees are not routinely charged and, more than likely, few, if any, banks are considering charging new NSF fees in this regulatory environment. However, despite its current limited application, banks should likely still be cautious. The argument for these NSF fees being abusive could act as a precedent to expand the rule in future enforcement actions or rulemaking. Comments are due by March 25, 2024.
CFPB Ramps Up Pressure on Overdraft Fees
As of late, “junk” fees have been bank regulators’ favorite punching bag. The most frequent “junk” fee target has been overdraft services, and the CFPB just issued a haymaker of a proposed rule that could decrease overdraft fees throughout the industry.
Traditionally, overdraft fees are considered service charges rather than finance charges, meaning they are traditionally treated as a deposit account feature rather than an extension of credit. As a result, honoring an overdraft does not make a bank a “creditor” subject to Regulation Z. Regulation Z also makes clear that debit cards are generally not “credit cards,” even if their use results in an overdraft, so allowing consumers to overdraw their account with a debit card and honoring any such overdrafts does not make a bank a “card issuer” subject to Regulation Z.
The CFPB’s new proposed rule would fundamentally change that for larger banks. If finalized in its present form, the proposed rule would treat overdraft fees as finance charges under certain conditions. The proposal would subject overdraft services provided by banks with over $10 billion in assets to Regulation Z’s disclosure provisions that apply to consumer credit cards, but only when overdraft fees exceed the direct cost of providing the service. A large bank’s overdraft fees would not be considered a “finance charge,” and would not trigger coverage under Regulation Z, if the fees do not exceed the average direct costs and charge-off losses associated with providing overdraft services. This can be calculated in one of two ways:
- Banks could rely on a “benchmark” fee established by the CFPB. The proposed rule sets forth four possible benchmark fees — $3, $6, $7 and $14 — arrived at using different methodologies; or
- Banks could calculate the fee on their own by adding together all the direct costs (such as direct operational costs of providing the service) and charge-off losses from the previous year, and then dividing that amount by the number of overdrafts it honored in the past year for which a fee was charged.
If more is charged for honoring an overdraft fee than a bank’s average costs and charge-off losses, then the charge would be considered a “finance charge” and covering the overdraft would be an extension of credit covered by Regulation Z. This would seem to create significant pressure for covered banks to cap overdraft fees at the benchmark rate or lower.
Smaller banks underneath the $10 billion threshold can continue offering overdraft protection without any changes, but the CFPB noted that they will continue monitoring the market, which at least opens the door for the potential for the rule’s coverage to expand in the future. It should also be noted that more and more institutions reducing their overdraft fees may create market pressures on smaller institutions to similarly reduce fees over time.