Last Week, This Morning

June 10, 2024

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an “Amicus Brief(ly)1” comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters – CARLAW®, HouseLaw®, InstallmentLaw™, PrivacyLaw®, and BizFinLaw™ – provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or

CFPB Requires Registration of Final, Public Orders Issued Against Certain Nonbank Entities

On June 3, the Consumer Financial Protection Bureau finalized a rule that requires certain covered nonbank entities that offer or provide consumer financial products or services to register final, public orders, including consent and stipulated orders, issued against them by government agencies or courts. Certain entities, such as insured depository institutions, insured credit unions, motor vehicle dealers, federally recognized Indian tribes, and natural persons, are excluded from the final rule. The final rule will require certain covered nonbank entities to identify an executive responsible for the entity’s efforts to comply with the order in the registry and submit an annual written statement that includes information: (1) describing the steps the executive has taken to review or oversee the nonbank entity’s activities subject to the order during the preceding calendar year, and (2) attesting whether, to the executive’s knowledge, during the preceding calendar year, the entity identified any violations or noncompliance with the obligations imposed by the order in the registry. Covered nonbank entities that are subject to an order published on the Nationwide Multistate Licensing System and Registry’s Consumer Access website (except for orders issued or obtained at least in part by the CFPB) may elect to comply with a one-time registration option in lieu of complying with the final rule’s notification and written statement requirements with respect to that order.

The final rule is effective on September 16, 2024. It provides covered nonbank entities with certain timeframes to comply with the requirements, including submission of their registrations. Registration will begin for covered nonbank entities as early as October 16, 2024.

Amicus brief(ly): This rulemaking is long at 450+ pages, but the rule itself is relatively short. The brevity of the rule, however, does not reflect its impact on non-bank companies subject to the rule. Companies subject to consent orders or the equivalent at the federal or state level will have to craft procedures for complying with these requirements relatively quickly and consider how they will put their written statements together each year regarding their efforts to comply with the orders. Industry commenters made some very fair points about the redundancy of this requirement (it is pretty easy to find published consent orders online, whether at the federal or the state level) and the potential impact of this rulemaking on executive hiring and retention in light of the required sworn annual statement that incorporates a self-reporting requirement (albeit one that is limited to compliance with the consent order(s)). The CFPB frames the rule as an effort designed to help it monitor and reduce consumer risks, with a focus on accountability, but industry concerns about regulatory excess seem well-founded.
CFPB Issues Consumer Financial Protection Circular on Unlawful and Unenforceable Contract Terms and Conditions

On June 4, the Consumer Financial Protection Bureau issued Consumer Financial Protection Circular 2024-03 responding to this question: Can persons that include unlawful or unenforceable terms and conditions in contracts for consumer financial products and services violate the prohibition on deceptive acts or practices in the Consumer Financial Protection Act? The CFPB answered the question in the affirmative, noting numerous instances under federal, state, and/or case law where contractual terms, including waiver provisions, are unlawful or unenforceable. The CFPB stated that “the inclusion of unlawful or unenforceable terms and conditions in consumer contracts is likely to mislead a reasonable consumer into believing that the terms are lawful and/or enforceable, when in fact they are not. … In particular, consumers are unlikely to be aware of the existence of laws that render the terms or conditions at issue unlawful or unenforceable, so in the event of a dispute, they are likely to conclude they lawfully agreed to waive their legal rights or protections after reviewing the contract on their own or when covered persons point out the existence of these contractual terms and conditions.” The circular went on to note that disclaimers stating “subject to applicable law” or “except where unenforceable” and disclaimers issued after the fact “are unlikely to cure the provision’s misleading or material nature.”

The press release announcing the circular referred to the inclusion of unlawful or unenforceable contractual terms and conditions as a “fine print tactic” and “intimidation” and stated that “[c]ompanies may be liable even if the unenforceable terms are borrowed from form templates or widely available contracts.”

Amicus brief(ly): Compliance lawyers cringe at “validation” like this, but it happens, and it appears that the CFPB loves to be the agency that makes it happen. Anyone who has tried to create a multistate credit document has faced the question of whether to make a state-specific version of the document to account for state law limitations on certain terms, when a “savings” clause can simplify things for the creditor. The compliance advice you may have heard on this question probably sounded something like: “If it is feasible to create a state-specific credit agreement that excludes this provision prohibited by [insert state] law, we recommend that you do that.” New Jersey has a long-tenured statute requiring creditors to include an explicit statement in a credit agreement that includes a savings clause to indicate whether it applies to New Jersey residents. The CFPB is warning us to adopt that approach in all cases to avoid at least its claims (if not the claims of consumer plaintiffs or state attorneys general) that a contract with a term prohibited by state law is misleading even if it includes a savings clause. Fortunately, in the world of increasingly versatile loan origination systems, creating and maintaining state-specific credit documents is more practicable than ever.
CFPB Establishes Process for Recognizing Organizations That May Issue Standards to Facilitate Implementation of Upcoming Personal Financial Data Rights Rule

On June 5, the Consumer Financial Protection Bureau finalized a rule that establishes the process for recognizing industry standard-setting bodies that may issue standards that companies can use to help them comply with the soon-to-be-final Personal Financial Data Rights rule, issued by the CFPB in October 2023.

The proposed Personal Financial Data Rights rule would require depository and nondepository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing consumers’ data, including important privacy protections for that data; provide basic standards for data access; and promote fair, open, and inclusive industry standards. The CFPB proposed that standards adopted by CFPB-recognized standard setters might be used to facilitate implementation of a final Personal Financial Data Rights rule.

The CFPB’s final rule identifies the attributes that a standard-setting body must demonstrate in order to be recognized by the CFPB and includes procedures for standard setters to apply for recognition by the CFPB. The final rule also includes a mechanism for the CFPB to revoke the recognition of standard setters and a maximum recognition duration of five years, after which recognized standard setters will have to apply for re-recognition. The final rule is effective 30 days after it is published in the Federal Register.

Amicus brief(ly): The CFPB was busy last week. This development advances the CFPB’s Personal Financial Data Rights rule and reminds us that the CFPB remains serious about the broader rule designed to empower consumers to manage what happens with their financial data. The provisions finalized in this rulemaking do not directly impact industry players by requiring anything of them, but we direct you to the final pages of the rule to see how the CFPB describes what it is looking for with regard to an organization’s openness, balance, due process, consensus, and transparency in the development of the standards it establishes (whether the organization is a consumer group, an app developer, or a financial company).
New Jersey Amends Dealer Rules

Effective June 3, the New Jersey Motor Vehicle Commission amended its rules pertaining to licensed motor vehicle dealers to implement recent statutory amendments. Among other changes, the new rules:

  • amend application and licensing provisions;
  • revise established place of business and recordkeeping requirements for new motor vehicle dealers, used motor vehicle dealers, leasing dealers, and licensees conducting online sales;
  • add to the actions that constitute grounds for rejection, suspension, or revocation of a license, refusal to renew a license, or issuance of fines or a cease and desist order, including prohibiting selling, leasing, or dealing in motor vehicles through a third party engaged in the brokering of motor vehicles or “birddogging;”
  • increase the period of validity of a nonresident temporary registration; and
  • allow for a second nonresident temporary registration in certain circumstances.
Amicus brief(ly): The rules around licensing for vehicle dealers do not change all that often, so when this came through, it got our attention. There is nothing too onerous in these New Jersey rules, but dealers there should review them and update their procedures around recordkeeping and dealing with vehicle brokers that are not licensed, among other necessary changes pursuant to the new licensing rules. The rulemaking addresses industry comments and clarifies the Motor Vehicle Commission’s thought process with respect to the issuance of these rules and may be worth a read for New Jersey dealers and finance companies working with those dealers.
Connecticut Protects Victims of Domestic Violence from Coerced Debt

Connecticut recently enacted Senate Bill 123, which, among other things, requires a “claimant” to stop all collection activities that concern a debt identified by the debtor as a coerced debt until the claimant has completed a specified review. The new law defines “coerced debt” as “any [unsecured credit card] debt incurred in the name of a debtor who is a victim of domestic violence, as defined, …, when such debt was incurred in response to any duress, intimidation, threat of force, force or undue influence used to specifically coerce the debtor into incurring such debt.” A claimant is an entity, including a collection agency, that has, or purports to have, a claim against a debtor arising from an allegedly coerced debt.

A debtor must provide the claimant with certain information and documentation, certified by the debtor, showing that the debt was coerced. If a debtor notifies a claimant orally that a debt being collected is a coerced debt and requests that the claimant waive the debt, the claimant must, within 10 days of receiving the oral notice, send written notice to the debtor stating that the request must be in writing and in accordance with the information and documentation requirements.

Within 10 days of receipt of the information and documentation provided by the debtor, the claimant must: (1) suspend collection efforts for a period of 60 days or until it completes its investigation, whichever is longer; and (2) conduct a good faith review to determine whether the debt is a coerced debt. The claimant may not commence a legal action to collect the debt while completing the good faith review, and, if an action is then pending, the claimant must not proceed on the action while completing the review. If the claimant determines after its review that the debt is a coerced debt, it must permanently cease collection activities with respect to the debt and notify any credit rating agency to delete any negative information concerning the debt. If the claimant determines after its review that the debt is not a coerced debt, it may recommence collection activities.

The new law is effective on January 1, 2025.

Amicus brief(ly): This new law reminds us of the identity theft laws from the early 2000s when states like New York and California created specific processes for creditors and debt collectors to follow when consumers claimed that a debt created in their name was not, in fact, theirs. This law makes the act of coercing another person to incur debt a civil law violation in addition to imposing requirements both on debtors and on creditors or debt collectors with respect to alleged coerced debt. Fortunately, the identity theft laws provide something of a template for how to build policies and procedures around what appears to be an expanding area of the law. In fact, the National Consumer Law Center issued a model coerced debt law just last month, so be on the lookout for other states to follow the lead of Connecticut and the small handful of other states that have adopted this kind of consumer protection statute.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.