November 2022 Newsletters

CFPB Targets Fees: Overdrafts & Returned Deposited Items

There’s a reason why people keep talking about banking fees: the Consumer Financial Protection Bureau (CFPB) keeps bringing it up. Most recently, the CFPB issued guidance on Overdraft fees and Returned Check Fees. The implications of the recently published guidance is significant enough to warrant another newsletter in which we address banking fees.

Regarding overdraft fees, the CFPB recently published Circular 2022-06 titled “Unanticipated overdraft fee assessment practices.” An overdraft occurs when consumers do not have enough in their account to cover a transaction, but the bank pays it anyway. Unlike non-sufficient funds (NSF) fees where a bank does not incur a credit risk when returning a transaction unpaid, clearing an overdraft transaction is extending credit that creates risk for the bank. Most institutions charge a flat fee for overdraft transactions regardless of the amount.

In this Circular, the CFPB indicates that overdraft fees which the consumer cannot reasonably anticipate could violate UDAAP provisions in the Consumer Financial Protection Act (CFPA). Even if these overdraft fees comply with regulatory requirements, they would still likely be considered unfair under the CFPA. The standard for UDAAP unfairness is that these fees cause substantial injury to consumers that the consumer cannot reasonably avoid, and the injury is not outweighed by offsetting benefits to consumers or competition.

As the guidance indicates, this can happen several ways including what’s referred to as “Authorize Positive, Settle Negative” (APSN). For example, ASPN occurs when a customer has enough in their available balance when the transaction was authorized but did not have enough in their available balance when the transaction settled. This commonly happens at gas stations, and banks often cover the transaction (for a fee) when there isn’t enough in the account at the time of settlement.  According to CFPB, this practice is likely a UDAAP: “…consumers generally cannot reasonably be expected to understand and thereby conduct their transactions to account for the delay between authorization and settlement…” In the view of the CFPB, mobile banking could create a consumer expectation that account balances can be monitored closely enough to avoid fees, and it is reasonable that consumers would not expect that a transaction that is authorized at the point of sale with sufficient funds would later incur overdraft fees.

Regarding returned deposited item fees, the CFPB recently published Bulletin 2022-06 titled “Unfair Returned Deposited Item Fee Assessment Practices.” There are many reasons deposited items are returned. For example, the maker may not have sufficient funds in their account, or the maker may have stopped payment of the check, or the account may be closed, or various other reasons. In this bulletin the CFPB indicates that when a bank charges fees for returned deposited items without taking into consideration the circumstances or patterns of behavior on the account, these fees are likely unfair under the UDAAP provisions in the CFPA. The depositor normally has no reason to anticipate that there’s anything wrong with the check, and it is no longer a common practice for banks to verify whether or not an account has sufficient funds to cover the check deposited, and it could then be considered unfair to impose a fee in that situation, as the consumer could be caused substantial injury that they could not reasonably avoid and the injury is not outweighed by any offsetting benefits. The bulletin provides two examples of when a blanket policy such as charging returned deposited item fees might not be unfair under the CFPA: 1) if an institution only charges a fee if they repeatedly deposit bad checks from the same maker, and 2) if an institution only charges a fee when checks are unsigned.

As we move forward, should you have any questions about overdrafts and returned deposit items, you can always reach C/A on the Hotline.

Coming Soon: Dodd-Frank’s Consumer Data-Sharing Rule (Section 1033)

The 2010 Dodd-Frank Act really is the gift that keeps on giving. What’s it giving us this time? The regulations to enforce Section 1033 of Dodd-Frank, which will likely burden banks with responding to consumer and third-party requests. Section 1033, in case you have forgotten is a consumer data-sharing rule. According to the CFPB, Section 1033 requires banks to make information available regarding products or services that a consumer obtained from the bank, including information relating to transactions (including costs, charges, and usage data). In the view of the CFPB, the Section 1033 rule should empower customers to move away from banks that are not meeting their needs and create more competition in the market. Based on current estimates, expect a proposed rule sometime in 2023 and a final rule sometime in 2024.

The CFPB published a lengthy high-level summary (22 pages) and even lengthier outline of proposals and alternatives (71 pages) of what they’re considering for the proposed rule to implement Section 1033. In these publications are discussions of which institutions would be covered by the proposed rule, which accounts would be covered, who may make requests of covered institutions, and what information may be requested…among other things.

Covered Institutions

Referred to as “covered data providers,” the publications lean heavily on definitions in Regulation E and Regulation Z. Both regulations apply only to consumers, and Section 1033 is no different. Covered data providers will be comprised of “financial institutions” as defined in Regulation E (e.g., anyone that holds consumer accounts or issues access devices and agrees to provide EFT services), as well as “card issuers” as defined in Regulation Z (e.g., anyone that issues a credit card).

Covered accounts

Covered data providers would provide information regarding an “account” as defined in Regulation E (e.g., a demand deposit, savings, or other consumer account), or a “credit card account under an open-end (not home-secured) consumer credit plan” as defined in Regulation Z (e.g., any open-end account accessed by a card, other than a HELOC or overdraft line).

Requestors of Information

Under the current proposal, both consumers and third parties will be able to make information requests from covered data providers. Consumer requests should be straightforward, but third parties will be required to provide some sort of authorization disclosure to the consumer for which the third party will need to obtain express consent. The third party will also need to certify to the consumer that the third party will abide by certain rules regarding the collection, use and retention of the consumer’s information.

Information Requested

There are six categories of information the CFPB is considering requiring be made available:

1) Transactions and deposits that have settled, fees, account terms and conditions, the annual percentage yield, and the annual percentage rate (as applicable)

2) Prior transactions and deposits that have not yet settled

3) Prior transactions not typically shown on periodic statements or online account portals

4) Online banking transactions that the consumer has set up but that have not yet occurred

5) Account identity information

6) Other information, such as consumer reports, fees assessed on consumer accounts, bonuses, or other incentives, and information about security breaches that exposed consumer information.

When the CFPB publishes nearly 100 pages of guidance as a precursor to a proposed rule, you should expect a lengthy and robust rule will be published at some point in 2023. There’s no way to know for sure exactly what will be in the proposed or final rule but expect banks to be saddled with some level of responsibility for disclosing consumer data upon request. We’re available on the hotline to discuss the guidance published by the CFPB, but the real work on this issue shouldn’t begin until the proposed rule is published at a yet to be determined date in 2023.

The FCRA and Commercial Loans

The Fair Credit Reporting Act (FCRA) regulates the collecting and furnishing of credit information and imposes disclosure requirements in connection with accessing credit reports. The FCRA is law and only a few parts of the law have implementing regulations, so the FCRA can be somewhat difficult to interpret at times.

One of the most common questions we’re asked is whether the FCRA applies to commercial loans. There’s not a straightforward answer to this, and although the FCRA is generally limited to consumer purpose transactions, it also applies in some cases to commercial purpose transactions involving a consumer.

But, if there is a “consumer,” how can this be a commercial loan? The answer is that the FCRA defines a “consumer” as just an “individual.” There’s no requirement that the consumer/individual be obtaining a product or service specifically for a consumer purpose.

Does this mean that the bank must have a permissible purpose before pulling a credit report on an individual guarantor for a loan to a business entity? The answer to this is conclusively ‘yes’—there always must be some permissible purpose before pulling any consumer report on any individual. The question is whether the application itself is enough of a permissible purpose, since the individual is just a guarantor. For this, we turn to the Advisory Opinion to Tatelbaum which concludes that if an individual has any kind of personal liability on a business loan, including just a guarantee, there would be permissible purpose by means of the application for credit.

What about during the term of the loan? Many banks regularly pull consumer reports on individuals throughout the term of the loan, and there’s a question as to whether the need to review constitutes a permissible purpose. In the Advisory Opinion to Gowen the Federal Trade Commission (FTC) concludes that in order to have valid permissible purpose, the bank would need to have some authority to change the terms of the loan as a result of the review; for example, if the bank had the authority to terminate the loan if the report contained certain negative information. On the other hand, if the bank is just “reviewing” the report to potentially offer the borrower different terms, then it would generally not be allowed, “unless the contract expressly provides for such action.”

As a caveat, however, these opinions are merely informal guidance, and are not binding on the FTC any of the bank regulators. While plenty of banks do rely on advisory opinions, we still recommend getting written authorization from the individual before pulling credit. In fact, we’d recommend this in every case, for any consumer report pulled. This way, the bank can rely on that written authorization as a valid permissible purpose to pull the consumer report, rather than having to justify that one of the other permissible purposes apply. Said another way, the bank always has a permissible purpose to obtain a consumer report if the individual authorizes this in writing. The full list of permissible purposes can be found in Section 604(a) of the FCRA.

Besides permissible purpose questions, another common question we get is whether an adverse action notice must be provided in a commercial context. The general rule in the FCRA is that if the bank obtains a consumer report and takes adverse action based in whole or in part on any information in the report, it must give the consumer an adverse action notice. The catch here is how the FCRA defines an “adverse action,” which does not include guarantors.

Thankfully, the FTC clarifies in the Advisory Opinion to Stinneford the confusion over whether all consumers (individuals) receive adverse action notices, or if guarantors are treated differently. If the consumer is only a guarantor (i.e., secondarily liable on the loan), then an adverse action notice would not be required to be provided to the guarantor. This is true even if the application is being denied based on information in the guarantor’s consumer report. On the other hand, if the individual is a co-borrower (i.e., primarily liable on the loan), then an adverse action notice would be required.

If trying to figure out the difference between the two sounds like way too much work, the bank is welcome to provide an adverse action notice in both cases. Note, however, that any time the bank provides multiple FCRA adverse action notices, each individual should receive a separate adverse action notice with the credit score disclosures associated with just her or his own report. In other words, the individual should never receive the credit score information of another co-applicant.

CFPB Publishes Fall Supervisory Highlights

The Consumer Financial Protection Bureau (CFPB) recently published its Fall 2022 Supervisory Highlights. In the most recent issue several trends were evident: 1) the same violations keep popping up, even though past Supervisory Highlights have addressed these types of violations, 2) continued unfair, deceptive or abusive acts or practices (UDAAPs) in violation of the Consumer Financial Protection Act (CFPA), and 3) CARES Act or COVID-19-related issues. The Fall 2022 Supervisory Highlights cover examinations in the areas of auto servicing, consumer reporting, credit card account management, debt collection, deposits, mortgage origination, mortgage servicing and payday lending completed between January 1, 2022, and June 31, 2022.

Auto Servicing

The CFPB continues to evaluate these activities, primarily to see if entities have engaged in any UDAAPs. Examiners identified unfair and deceptive acts or practices, including violations related to add-on product charges, loan modifications, double billing, use of devices that interfered with driving, collection tactics, and payment allocation.  Among the things specifically called out, the CFPB noted:

“…consumers paid off their loans early, but servicers failed to ensure consumers received refunds for unearned fees…”

“…servicers stated that the consumers were “preliminarily approved” for loan modifications but had to make a payment equal to the standard monthly payment before the servicers would finalize the modifications…In fact, servicers denied most of the modification requests…”

Servicers activated devices that interfere with driving (sometimes called starter interrupt devices) when consumers were not past due on payment and caused the devices to sound late payment warning beeps despite consumers being current.

“…servicers’ representatives told delinquent consumers that their driver’s licenses and tags would be or may be suspended if they did not make a prompt payment…”

Consumer Reporting

Companies that regularly assemble or evaluate consumer information for the purpose of providing reports to third parties are Consumer Reporting Companies (CRCs). These CRCs play a vital role in availability of credit and are subject to the Fair Credit Reporting Act (FCRA). Recently, examiners found deficiencies in CRCs’ compliance with dispute investigation requirements and furnisher compliance with accuracy and dispute investigation requirements. Among the things specifically called out, the CFPB noted:

“…continuing to find that furnishers are violating the FCRA by inaccurately reporting information despite actual knowledge of errors…. found that furnishers reported a consumer’s account as delinquent despite placing the account in deferment…”

“…furnishers continued to report consumer accounts with an indication that the dispute investigation was still open when, in fact, the furnisher had determined that the accounts were no longer being investigated…”

“…furnishers’ policies and procedures did not document the basis on which dispute agents should determine consumer direct disputes reasonably qualify as frivolous or irrelevant…and lacked reasonable internal controls regarding the accuracy and integrity of furnished information, such as verifying random samples of furnished information…”

“…servicers neither conducted reasonable investigations nor sent notices that disputes were frivolous or irrelevant where direct dispute notices may have been prepared by a credit repair organization…”

Credit Card Account Management

The CFPB assessed the credit card account management operations for compliance with Federal consumer financial services laws. Examinations of these supervised entities identified Regulation Z violations and UDAAPs. Among the things specifically called out, the CFPB noted:

“…after increasing a consumer’s APR, credit card issuers must periodically assess whether it is appropriate to reduce the account’s APR and did not…”

“…claimed that consumers could cancel the product coverage simply by calling a toll-free number when, instead, they were required to take additional steps to cancel…” (Deceptive)

“…claimed that consumers would not be required to pay product premiums for months in which they had a zero balance when, in fact, consumers were required to carry a zero average daily balance for the billing cycle…” (Deceptive)

“…omitted disclosure of the burdensome administrative requirements that consumers were required to satisfy to submit benefits claims for the product…” (Unfair)

“…failed to cancel the products on the date of the consumer’s request and failed to issue pro rata refunds based on the date of the request…” (Unfair)

Debt Collection

The CFPB has authority to examine certain institutions that engage in consumer debt collection activities. Recent examinations identified violations of the Fair Debt Collection Practices Act (FDCPA). Among the things specifically called out, the CFPB noted:

“…continued to engage the consumer after the consumer stated multiple times they were driving and needed to discuss the account at another time…”

“…used combative statements and continued the call after the consumer stated they were unemployed, affected by COVID-19, and unable to pay, and even after the consumer clearly stated that the call was “making him agitated”…”

“…communicating with a person other than the consumer about the consumer’s debt, when the person had a name similar or identical to the consumer…”


The CFPB evaluated how financial institutions handled pandemic relief benefits deposited into consumer accounts.  Among the things specifically called out, the CFPB noted:

Using protected unemployment insurance or economic impact payments funds to set off a negative balance in the account into which the benefits were deposited

Garnishing protected economic impact payments

In connection with out-of-state garnishment orders, processing garnishments in violation of applicable state laws

Mortgage Origination

The CFPB, in examining the mortgage origination operations of certain supervised entities identified Regulation Z violations and UDAAPs.  Among the things specifically called out, the CFPB noted:

Reducing loan originator compensation to cover settlement cost increases that were not unforeseen – “…entities then reduced the amount of compensation to the loan originator after loan consummation by the amount provided to cure the tolerance violation…”

Deceptive waiver of borrowers’ rights in loan security agreements – “…waiver provided that borrowers who signed the agreement waived their right to initiate or participate in a class action…reasonable consumer could understand the provision to waive their right to bring a class action on any claim…”

Mortgage Servicing

The CFPB focused on servicers’ actions related to the COVID-19 pandemic. Servicers were found to be engaged in UDAAPs by charging fees for phone payments when consumers were unaware of the fees. Examiners further noted Regulation X violations and UDAAPs for failure to provide consumers with CARES Act forbearances. Among the things specifically called out, the CFPB noted:

“…servicers engaged in abusive acts or practices by charging sizable phone payment fees when consumers were unaware of the fees…During calls with consumers, representatives did not disclose the phone pay fees’ existence… general disclosures, provided prior to making the payment, indicating that consumers “may” incur a fee for phone payments did not sufficiently inform consumers of the material costs…”

Charging illegal fees during CARES Act forbearances

“…policies and procedures were not reasonably designed to inform consumers of all available loss mitigation options…” or “…to properly evaluate consumers for all available loss mitigation options, resulting in improper denial of deferral options…”

Feel free to reach out to us on the hotline if you have any questions about the Supervisory Highlights, and what the implications may be for banks going forward.