Last Week, This Morning

August 11, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

Please note that we'll be taking a week off from the production of Last Week, This Morning® next week to charge our batteries and get ready to run full speed in the Fall. We'll resume publication on August 25 with another rundown of key developments that unfold during these next two weeks.

CFPB Issues ANPRs Related to Defining Larger Participants in Vehicle Financing, Debt Collection, and Credit Reporting Markets

On August 8, the Consumer Financial Protection Bureau issued advance notices of proposed rulemaking related to defining larger participants in the vehicle financing, consumer debt collection, and consumer credit reporting markets. Under the Consumer Financial Protection Act of 2010, the CFPB has the authority to supervise "larger participants" in certain markets for consumer financial products and services, as defined by rules issued by the CFPB. To date, the CFPB has issued six rules defining larger participants in markets for consumer financial products and services.

The CFPB published its vehicle financing larger participant rule on June 30, 2015. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in the vehicle financing market. Currently, a nonbank entity is a larger participant in the vehicle financing market if the entity has at least 10,000 aggregate annual originations. In the ANPR, the CFPB suggests raising the threshold to 300,000, 550,000, or 1,050,000 annual originations. Raising the threshold to 1,050,000 annual originations would reduce the number of entities estimated to qualify as larger participants by more than 90 percent, from 63 entities (which account for an estimated 94 percent of market activity) to five entities (which account for an estimated 42 percent of market activity). At present, the five entities with the highest number of originations are captives, which focus on prime lending. By raising the threshold to 550,000 annual originations, the CFPB estimates that 11 entities would qualify as larger participants and that the updated rule would cover approximately 66 percent of originations. At present, this threshold would include nine entities that focus on prime lending and two entities that engage in at least some subprime lending. The third option provided by the CFPB would be to raise the threshold to 300,000 annual originations. Under this threshold, the CFPB estimates that 17 entities would qualify as larger participants and that the updated rule would cover approximately 79 percent of originations. At present, this threshold would include 12 entities that primarily engage in prime lending and five entities that engage in at least some subprime lending.

The CFPB published its consumer debt collection larger participant rule on October 31, 2012. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in the consumer debt collection market. Currently, a nonbank entity is a larger participant in the consumer debt collection market if the entity has more than $10 million in annual receipts resulting from debt collection activities, as those terms are defined in the rule.

The CFPB published its consumer reporting larger participant rule on July 20, 2012. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in this market as well. Currently, a nonbank entity is a larger participant in the consumer reporting market if the entity has more than $7 million in annual receipts resulting from relevant consumer reporting activities.

In the ANPRs, the CFPB expresses concern that the benefits of the current thresholds may not justify the compliance burdens for many of the entities that are currently considered larger participants in these markets and that the current thresholds may be diverting limited Bureau resources to determining which entities may be subject to the CFPB's supervisory authority and whether these entities should be examined in a particular year.

Comments on the ANPRs must be received by September 22, 2025.

Amicus Brief(ly): Rumors of the CFPB's demise are evidently greatly exaggerated. This update constitutes rulemaking work, and while it is not what consumer advocates might be hoping for, it suggests that the Bureau remains intent on reducing regulatory burdens for financial services providers (a marked departure from its course of dealing under previous leadership). The contemplated changes to the various "larger participant" thresholds would dramatically reduce the number of providers subject to supervision by the CFPB, while allowing the CFPB to closely regulate the biggest providers in the vehicle finance, debt collection, and consumer reporting spaces.

FDIC Updates Supervisory Approach Regarding Use of Pre-Populated Information for Purposes of Customer Identification Program Requirements

On August 5, the Federal Deposit Insurance Corporation released a Financial Institution Letter that updates the agency's supervisory approach regarding whether an FDIC-supervised institution can use pre-populated customer information for the purpose of opening an account to satisfy Customer Identification Program requirements.

According to the FIL, "[t]he CIP rule, 31 C.F.R. § 1020.220, implements Section 326 of the USA PATRIOT Act, which, among other things, requires financial institutions to implement reasonable procedures for verifying the identity of a person seeking to open an account, to the extent reasonable and practicable, and maintain records of the information used to verify a person's identity. The CIP rule requires an institution to collect certain information from a customer opening an account. It is the FDIC's position that the requirement to collect identifying information 'from the customer' under the CIP rule does not preclude the use of pre-filled information. A commonly encountered example is the opening of an account electronically where fields in a digital form are automatically pre-populated (or 'pre-filled') with a customer's identifying information."

"Under the FDIC's interpretation, a financial institution could use information from current or prior accounts or relationships involving the bank or its agents, or other sources, such as parent organizations, affiliates, vendors, and other third parties to pre-fill information that is reviewed and submitted by the customer. The FDIC considers such information from the customer for purposes of the CIP rule. When examining an FDIC-supervised institution that collects identifying information from a customer where some or all of the information was pre-populated, FDIC examiners will consider the pre-filled information as from the customer provided that (1) the customer has opportunity and the ability to review, correct, update, and confirm the accuracy of the information, and (2) the institution's processes for opening an account that involves pre-populated information allow the institution to form a reasonable belief as to the identity of its customer and are based on the institution's assessment of the relevant risks, including the risk of fraudulent account opening or takeover."

Amicus Brief(ly): The use of pre-fill tools has increased of late, particularly in the mobile environment. In this age of convenience and speed, the FDIC's position makes sense - especially because the information used to pre-fill applications comes from the customer and that customer will review the pre-filled information for accuracy. Although this guidance applies in the context of satisfying CIP requirements, providers would do well to consider the guidance when assessing the impact of pre-fill information on Red Flag programs, address discrepancy issues, and other fraud prevention and identity verification methods.

Massachusetts AG Obtains $2 Million Settlement with Mortgage Loan Servicer

On August 7, the Massachusetts attorney general announced a $2 million settlement with a Texas-based residential mortgage loan servicer, resolving allegations that the servicer violated the Massachusetts Consumer Protection Act, the Massachusetts foreclosure prevention law (Massachusetts General Laws Chapter 244, Section 35B), and the AG's debt collection regulations in connection with its mortgage servicing activities.

Specifically, the AG alleged that the servicer failed to take reasonable steps and make a good faith effort to avoid foreclosure, as required by Section 35B, in its loss mitigation reviews of Massachusetts borrowers. When reviewing loan modification applications under Section 35B, servicers must consider certain factors, such as the borrower's ability to repay, so that the resulting loan modification is affordable. According to the AG's news release, the servicer allegedly "required consumers to pay large upfront down payments that were not subject to an affordability analysis as a threshold requirement to entering an otherwise affordable loan modification. Thus, consumers who could not afford these down payments were unable to access the modification and some ultimately were forced into an otherwise preventable foreclosure." In addition, the AG alleged that the servicer failed to comply with Section 35B by failing to timely respond to loan modification applications within the 30-day statutory timeline; failing, within five days of receipt of loan modification applications, to send missing document letters identifying any additional information needed from the applicant to complete the application; and failing to provide written assessments of borrowers' loan modification applications or, where a written assessment was issued, failing to provide borrowers with required disclosures.

The AG alleged that the servicer violated the debt collection regulations by making excessive debt collection calls to borrowers and by failing to provide borrowers with timely notice of their right to request validation of their debts. The Massachusetts debt collection regulations provide that creditors may not initiate more than two communications to the borrower in a 7-day period and that creditors must provide a debt validation notice to borrowers within five business days after the initial debt collection communication.

Amicus Brief(ly): Massachusetts continues to lead the way for states when enforcing consumer protection laws. The debt collection regulations cited in the settlement are well known and have been around for a while. Servicers and creditors are typically aware of the debt validation notice, but the servicer in this case was allegedly not sending one. (The requirement is a bad fit outside the context of third-party debt collection. The AG has been advised of the bad fit, but the requirement remains.) While these collection conduct rules have been in place for several years, the AG's office surprised us a few years ago with its reading that servicers and collectors are limited to two contact attempts in seven days, not two conversations or messages. The settlement makes clear that the servicer denied the allegations the AG made, and that it agreed to the alleged facts only to facilitate the termination of the investigation.

New York Issues Industry Letter Requesting Information on Buy-Now-Pay-Later Activities

The New York Department of Financial Services recently published an Industry Letter requesting information from parties covered by the Buy-Now-Pay-Later Act passed as part of the 2025-2026 New York State budget. The BNPL Act will become effective 180 days after regulations are written to implement its requirements. Further information regarding the BNPL Act may be found in our May 19 InstallmentLaw email alert. This request for information is intended to gather information so that these regulations may be written "in accordance with DFS's mission to develop and implement data-driven regulation and policy."

Responses are due by August 29, 2025. Responses are voluntary and are requested from those whose activities are covered by the BNPL Act as well as other interested parties. The specific information requested may be found in an Excel spreadsheet linked to the Industry Letter. It covers market background, product offerings and characteristics, consumer characteristics and underwriting, information regarding a respondent's business model, and consumer disclosures and transaction documentation. The Industry Letter indicates that the DFS may, when drafting the BNPL regulations, refer to the data collected in aggregated and anonymized form in publications required by the New York State Administrative Procedures Act. Responses may include a request from the respondent that the DFS withhold designated portions of its submission from publication under the Freedom of Information Law on the grounds that the information pertains to trade secrets or is commercially sensitive information.

Amicus Brief(ly): Generally speaking, informed lawmaking yields a better result than uninformed rulemaking (see, for example, the ongoing NYC debt collection regulation). Kudos to New York's DFS for seeking information about BNPL products directly from providers that are subject to the New York BNPL Act. The BNPL Act imposes a number of requirements on providers, including a requirement that providers comply with the Truth in Lending Act and Regulation Z even on a no-interest BNPL product designed specifically not to be subject to TILA. Providers are encouraged to get comments to the DFS this month to advocate for a sensible regulation.

House Financial Services Committee Requests Feedback on Federal Consumer Financial Data Privacy Law

House Financial Services Committee Chairman French Hill (R-AR) and Financial Institutions Subcommittee Chairman Andy Barr (R-KY) recently issued a request for public feedback on potential changes to current federal consumer financial data privacy law. Comments must be received by August 28, 2025. Specifically, the House Financial Services Committee requested feedback on the following questions concerning Title V, Subtitle A, of the Gramm-Leach-Bliley Act:

  • Should we amend the GLBA or consider a broader approach?
  • Should we consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach?
  • If the GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws?
  • How should the GLBA relate to other federal consumer data privacy laws?
  • How should the term "non-public personal information" be defined within the context of privacy regulations?
  • Do the definitions of "consumer" and "customer relationship" in the GLBA require modification?
  • Does the current definition of "financial institution" sufficiently cover entities that should be subject to GLBA requirements, such as data aggregators?
  • Are there states that have developed effective privacy frameworks?
  • Should we consider requiring consent to be obtained before collecting certain types of data, such as PIN numbers and IP addresses?
  • Should we consider mandating the deletion of data for accounts that have been inactive for over a year, provided the customer is notified and no response is received?
  • Should we consider requiring consumers to be provided with a list of entities receiving their data?
  • Should we consider changing the structure by which a financial institution is held liable if data it collects or holds is shared with a third party and that third party is breached?
  • Should we consider changes to require holders of consumer financial data to minimize data collection to only collection that is needed to effectuate a consumer transaction and place limits on the time period for data retention?

Amicus Brief(ly): We have said it in these pages before, but we'll have to say it again this morning - data use and management is a top regulatory issue, and it is not going away. The idea floated by Chairmen Hill and Barr to make the GLBA a preemptive federal standard has appeal because it would mean less of a tangled regulatory web of federal and state privacy laws to manage. But other federal consumer finance laws with preemption provisions allow the states to enact more restrictive state laws. Would a GLBA provision allow that? Or would it establish the GLBA as the information privacy law of the land? These and other issues should be on commenters' minds as they consider what to ask of Congress this month in response to this request for public comment.

California Privacy Protection Agency Files First Judicial Action to Enforce Investigative Subpoena Under CCPA

On August 6, the California Privacy Protection Agency filed a court action seeking to enforce an investigative subpoena the agency previously issued against a Fortune 500 retail company. The CPPA's petition alleges that the company failed to comply with the subpoena by refusing to answer questions about its business practices during specific time periods. The subpoena sought information about the company's compliance with the California Consumer Privacy Act, including whether the company failed to honor consumers' right to opt out of the sale and sharing of their personal information online. According to the CPPA, its petition marks the agency's first public disclosure of an ongoing investigation into a company and the agency's first judicial action to enforce an investigative request.

The CPPA's head of enforcement stated in the announcement: "We will not hesitate to seek the court's assistance when necessary to advance our investigations and protect Californians' privacy rights. We look forward to addressing the merits of this dispute in court."

Amicus Brief(ly): Speaking of privacy and data security, the CPPA has been busy with its enforcement of the CCPA and other state laws, as evidenced by its list of achievements at the end of the announcement of this judicial enforcement action. For example, the agency has collected almost $1M in fines in two recent enforcement actions and has others pending, not to mention its pursuit of unregistered data brokers pursuant to the more recent Delete Act (get registered, data brokers). The CCPA was the first state privacy law of its kind, and it is clear that the CPPA is focused on enforcing it. While we do not have details about the nature of the company's response to the subpoena, the action itself serves as a reminder to providers to treat any investigative subpoenas with care and to communicate with regulators about what they are looking for if it is not clear. Sometimes, though, it takes a trip to the courts to sort the details out.


1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.