February 2024 Newsletters

Ready or Not, Here Comes COPPA

If you’re a parent, you probably have an opinion on screen time. As we get further and further into the internet age and parents rely on online tools for education and entertainment (and even babysitting), more and more online platforms target children. Because of this, the Federal Trade Commission (FTC) also has an opinion on screen time. The FTC recently proposed changes to the Children’s Online Privacy Protection Rule (COPPA) that place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition services on the collection of children’s data.

COPPA, which first went into effect nearly 25 years ago, requires certain websites that collect personal information from children under the age of 13 to provide notice to parents and obtain parental consent before collecting, using, or disclosing a child’s personal information. The proposed rule also limits the personal data that websites can collect from children, limits how long they can retain such data, and requires them to secure the data.

The FTC has proposed several changes to COPPA, notably:

  • Separate Opt-In for Targeted Marketing: Building off the existing consent requirement in COPPA, websites would now be required to obtain separate parental consent to disclose information to third parties, including third-party marketers—unless the disclosure is integral to the nature of the website or online service. Websites cannot condition access to services on the disclosure of personal information to third parties.
  • Limits on the support for the internal operations exception: The current rule allows websites to collect persistent identifiers without first obtaining parental consent as long as the website does not collect any other personal information and uses the persistent identifier solely to provide support for the internal operations. The proposed rule would now require websites utilizing this exception to provide an online notice that states the internal operations for which the website has collected a persistent identifier and how they will ensure that such information is not used or disclosed to contact a particular individual, including targeted marketing.
  • Strengthening data security requirements: The FTC has proposed strengthening COPPA’s data security requirements by mandating that websites establish, implement, and maintain a written children’s personal information security program that contains safeguards that rise to the sensitivity of the personal information collected from children.
  • Limits on data retention: The FTC also would increase COPPA’s data retention limits by permitting personal information retention only for as long as necessary to fulfill the purpose for which it was collected. The proposal would also prohibit websites from using collected information for any secondary purpose, and it explicitly states that websites cannot retain the information indefinitely. The Rule would also require websites to establish and publish a written data retention policy.

The fact that this is an FTC rule may have been a giveaway, but you may have noticed that this rule is not tailored to banks; it applies across industries. It is meant to target websites geared towards children or those with actual knowledge that they collect data from children, which many bank websites do not. Instead, online accounts are often only available to those older; because of COPPA, many banks set this mark at 13 years old. Thus, websites are probably not child-directed, nor is there actual knowledge of collection.

However, other parts of the business, beyond those tied to banking, could be pulled into COPPA’s scope. For example, some banks have a travel division, and certain parts of that division’s online presence may target children. Another item worth considering is any emphasis on financial literacy education and offering products/services such as student banking. This might involve the online collection of children’s data. This could pose an issue from collecting information passively (e.g., from cookies or web beacons) without first getting parental consent. Still, as this sort of information often cannot be tied to a particular individual without an online account, it may not present an insurmountable problem. Thus, banks should not assume COPPA does not apply to them.

The CFPB’s “Impactful” Enforcement Authority

The CFPB is taking a victory lap on 2023. They recently posted on their blog to highlight their enforcement work last year and the tools at their disposal to reinforce “compliance with federal consumer financial laws and sending a clear message to entities within [their] authority and the public that the CFPB remains vigilant on behalf of consumers.” They also provided some hints as to their plans for the year ahead.

In 2023, the CFPB filed 29 enforcement actions and resolved through final orders six previously-filed lawsuits. Those orders required payment of approximately $3.07 billion to compensate harmed consumers and pay approximately $498 million in civil monetary penalties. Some of the key enforcement actions are as follows:

  • In July, Bank of America was ordered to pay more than $100 million for systematically “double-dipping” insufficient funds fees, withholding reward bonuses owed to credit card customers, and misappropriating sensitive personal information without customer authorization.
  • In August, the CFPB took legal action against Heights Finance Holding Company for illegally churning loans to collect hundreds of millions in loan costs and fees, alleging that it coerces “distressed borrowers into fee-laden cycles of reborrowing, incentivizes its employees to push refinances on consumers, targeting customers for their likelihood of refinancing and falsely marketing refinances as fresh starts.”
  • In August, the CFPB entered into a settlement agreement with a group of credit repair companies who it says had collected illegal advance fees for credit repair services. The agreement imposed a $2.7 billion judgment.
  • In November, the CFPB ordered Citibank to pay millions in fines for what it said was a systematic discrimination scheme against Armenian Americans. The CFPB alleged that for years Citibank singled out applicants for certain credit card products based on whether or not they had surnames that implied Armenian descent and that Citibank took efforts to hide their discriminatory practices. It said that Citibank employees then lied about the basis of denial and provided false reasons to denied applicants.

Based on the actions the CFPB chose to highlight, we can make a few assumptions about their current priorities. Predictably, there is a focus on what they deem “junk” fees. That is a noted priority of the Biden administration, and federal regulators are definitely increasing scrutiny of bank fees. “Junk” fees have seemingly come to encompass a variety of fees, from NSF to credit repair fees, as these enforcement actions demonstrate. There is also a focus on discrimination and coercion of distressed borrowers, using their UDAAP/UDAP and fair lending authorities.

Importantly, the CFPB also looked to the year ahead, saying that it is “significantly” “growing [its] capacity” in 2024. They now have “a team of technologists dedicated to enforcement” and they’re hiring “enforcement attorneys as well as non-attorney positions, including analysts, paralegals, e-litigation support specialists, economists, and more.” This implies an expectation of increased enforcement actions and, given how closely regulators work together, it may indicate a potential uptick of enforcement actions across regulators.

CFPB Flexes its Authority on NSF Fees

In furtherance of the crusade against “junk fees,” the CFPB proposed a new rule on non-sufficient funds (NSF) fees shortly after releasing their overdraft fee proposal last month. As you know, NSF fees are typically charged when items submitted for payment against a consumer’s account are returned unpaid due to insufficient funds. The CFPB’s proposal flexes the agency’s authority to prohibit unfair, deceptive, and abusive acts and practices to forbid NSF fees on debit card transactions and some person-to-person (P2P) payments that are declined instantaneously or “near-instantaneously.” While the CFPB freely admits that this “junk fee” is “rarely charged,” it believes this is a proactive step to head off, in CFPB Director Rohit Chopra’s words, “large banks and their consultants [who] have concocted new junk fees for fake services that cost almost nothing to deliver.”

The CFPB’s position is that charging fees for transactions declined in real-time is an abusive practice. A year ago, the CFPB issued a policy statement defining abusive acts or practices that indicated two categories of conduct it generally considers abusive: (1) actions that obscure important features of a product or service and (2) actions taking unreasonable advantage of consumers in certain circumstances. For instantaneous transactions, the CFPB finds that a consumer who would be charged an NSF fee would lack awareness of their available account balance and lack understanding of their account’s risk and condition when the transaction is initiated.

Instead of amending a current regulation to add the proposed rule, if finalized, the CFPB is proposing to create a new regulation (12 CFR Part 1042) while borrowing specific definitions, like “account” and “covered financial institution,” from Regulation E. The proposed rule would ban any fees charged on a “covered transaction,” defined as “an attempt by a consumer to withdraw, debit, pay, or transfer funds from their account that is declined instantaneously or near-instantaneously by a covered financial institution due to insufficient funds.” A “covered financial institution” would be defined as “a bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues an access device and agrees with a consumer to provide electronic fund transfer services ….” NSF fees charged for check and ACH transactions are not covered by the rule. Therefore, the proposed rule intends to cover ATM and one-time debit card transactions for which an opt-in is required to charge an overdraft fee. The NSF fee prohibition would apply regardless of the label used by the financial institution to charge the fee.

As the CFPB readily admits, it expects this proposed rule will have a limited impact on current practices as these fees are not routinely charged and, more than likely, few, if any, banks are considering charging new NSF fees in this regulatory environment. However, despite its current limited application, banks should likely still be cautious. The argument for these NSF fees being abusive could act as a precedent to expand the rule in future enforcement actions or rulemaking. Comments are due by March 25, 2024.

CFPB Ramps Up Pressure on Overdraft Fees

As of late, “junk” fees have been bank regulators’ favorite punching bag. The most frequent “junk” fee target has been overdraft services, and the CFPB just issued a haymaker of a proposed rule that could decrease overdraft fees throughout the industry.

Traditionally, overdraft fees are considered service charges rather than finance charges, meaning they are traditionally treated as a deposit account feature rather than an extension of credit. As a result, honoring an overdraft does not make a bank a “creditor” subject to Regulation Z. Regulation Z also makes clear that debit cards are generally not “credit cards,” even if their use results in an overdraft, so allowing consumers to overdraw their account with a debit card and honoring any such overdrafts does not make a bank a “card issuer” subject to Regulation Z.

The CFPB’s new proposed rule would fundamentally change that for larger banks. If finalized in its present form, the proposed rule would treat overdraft fees as finance charges under certain conditions. The proposal would subject overdraft services provided by banks with over $10 billion in assets to Regulation Z’s disclosure provisions that apply to consumer credit cards, but only when overdraft fees exceed the direct cost of providing the service. A large bank’s overdraft fees would not be considered a “finance charge,” and would not trigger coverage under Regulation Z, if the fees do not exceed the average direct costs and charge-off losses associated with providing overdraft services. This can be calculated in one of two ways:

  • Banks could rely on a “benchmark” fee established by the CFPB. The proposed rule sets forth four possible benchmark fees – $3, $6, $7 and $14 – arrived at using different methodologies; or
  • Banks could calculate the fee on their own by adding together all the direct costs (such as direct operational costs of providing the service) and charge-off losses from the previous year, and then dividing that amount by the number of overdrafts it honored in the past year for which a fee was charged.

If more is charged for honoring an overdraft than a bank’s average costs and charge-off losses, then the charge would be considered a “finance charge” and covering the overdraft would be an extension of credit covered by Regulation Z. This would seem to create significant pressure for covered banks to cap overdraft fees at the benchmark rate or lower.

Smaller banks underneath the $10 billion threshold can continue offering overdraft protection without any changes, but the CFPB noted that they will continue monitoring the market, which at least opens the door for the potential for the rule’s coverage to expand in the future. It should also be noted that more and more institutions reducing their overdraft fees may create market pressures on smaller institutions to similarly reduce fees over time.