Last Week, This Morning

September 2, 2025

Below you will find several key developments in the financial services industry, including related developments in information privacy and data security, from the past week. We add an "Amicus Brief(ly)1" comment to each item, where we briefly (see what we did there?) note for friends (and again?) of CounselorLibrary the important takeaways from the developments outlined in the email. Our legal reporters - CARLAW, HouseLaw, InstallmentLaw, PrivacyLaw, and BizFinLaw - provide more comprehensive, real-time updates of federal and state laws, regulations, litigation, and other industry items of interest. For a personal guided tour and free trial of any of these legal reporters, please contact Michael Willer at 614-855-0505 or mwiller@counselorlibrary.com.

CFPB Proposes Definition of "Risks to Consumers" Applicable to Supervisory Designation Proceedings

On August 26, the Consumer Financial Protection Bureau published in the Federal Register a proposal to adopt a standard definition of "risks to consumers with regard to the offering or provision of consumer financial products or services" for its use in proceedings to designate nonbank covered persons for supervision. Section 1024(a)(1)(C) of the Consumer Financial Protection Act of 2010, codified at 12 U.S.C. 5514(a)(1)(C), authorizes the CFPB to supervise a nonbank covered person that it "has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond, ... is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services." The CFPB noted that it has not issued a rule addressing the meaning of "risks to consumers" in this context but has instead issued orders in individual cases. The CFPB is concerned that its application of "risks to consumers' may not be consistent, institutions facing potential designation may be uncertain about what standard will apply to their case, and it may not be conforming to the best reading of the statute in individual cases.

The CFPB's proposed rule provides that, "[f]or purposes of 12 U.S.C. 5514(a)(1)(C), conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services consists of conduct that: (a) Presents a high likelihood of significant harm to consumers; and (b) Is directly connected to the offering or provision of a consumer financial product or service as defined in 12 U.S.C. 5481." The CFPB requests comment on all aspects of this standard, specifically whether 'risks to consumers' must be potential violations of law. Comments on the proposed rule are due by September 25, 2025.

Amicus Brief(ly): This proposal by the CFPB addressing the prior inconsistent approach to supervision of non-bank providers may lead to a lasting change at the CFPB that would limit its reach to that established by statute. While the proposed approach likely should have been the mindset from the beginning, we will take what we can get. The CFPB is taking a shot at establishing a concrete definition of "risks to consumers" that should give providers a basis to resist the CFPB's attempts to define it case-by-case. If successful, the rulemaking would establish a little more certainty regarding the CFPB's reach in non-bank supervision, so providers should use these next three weeks to get supportive comments together and submitted before the September 25 deadline.

CFPB Resolves Claims Against Fintech Company for Failing to Properly Maintain Records of Customer Funds Held at Partner Banks

The U.S. Bankruptcy Court for the Central District of California recently issued a stipulated final judgment and order to settle claims brought by the Consumer Financial Protection Bureau in an adversary proceeding against a fintech company currently in Chapter 11 bankruptcy proceedings. The company acted primarily as a third-party service provider for other fintech companies and their bank partners by providing services including advertising, deposit account maintenance, offering debit cards and services, bill payment, and funds transfers. The company served as a bridge between nonbank fintech platforms - which may not keep customer deposits - and the traditional banks with which fintech customer funds were stored, offering cash management services to banks and directing the movement of customer funds to and from banks that were originating and receiving ACH and wire transfers for customers.

The CFPB alleged that the company engaged in unfair acts or practices, in violation of the Consumer Financial Protection Act, by failing to properly maintain records of customer funds held at partner banks. The CFPB claimed that the company's records did not align with the records maintained by the banks, with the shortfall estimated at between $60 and $90 million. The alleged discrepancies were discovered during initial bankruptcy proceedings involving the company, resulting in the partner banks freezing customer accounts and preventing customers from accessing funds for up to eight months in some instances. In some cases, customers still have not received the full amount of their alleged account balances held with the company. The CFPB alleged that the company (and its partner banks) were aware of the discrepancy between their respective books for months before the company filed for bankruptcy.

The order requires the company, without admitting or denying liability, to pay a nominal fine of $1. The order also permanently enjoins the company from participating in, or assisting others in, advertising, marketing, promoting, offering for sale, selling, or providing any deposit-taking activities, the transmission or exchange of funds, activities that otherwise involve acting as a custodian of funds, or payments or other financial data processing. The order also prevents the company from selling customer information, including names, addresses, telephone numbers, email addresses, social security numbers, other identifying information, or any data that enables access to a customer's account.

Amicus Brief(ly): The impact of this stipulated final order is not in the nominal fine (which would likely have been more material but for the company's insolvency) but in the requirement for the company to cease doing business. The stipulated order does not resolve the issues related to consumer funds, but it appears that the Chapter 11 trustee and the CFPB will be providing refunds from the CFPB's victim relief fund. Fintech providers working with banks to offer consumer deposit accounts should carefully review policies and procedures around the important cash management and asset tracking concerns that gave rise to this case.

FTC Updates Fees Charged to Telemarketers Accessing Do Not Call Registry

On August 27, the Federal Trade Commission announced a revised fee structure for entities accessing the National Do Not Call Registry, effective October 1, 2025. All telemarketers calling consumers in the U.S. are required to download the numbers on the DNC Registry to ensure they do not call consumers who have registered their phone numbers. Telemarketers must subscribe each year for access to DNC Registry numbers.

Beginning on October 1, 2025, the annual fee to access the DNC Registry will increase to $82 per area code of data, up from the current figure of $80 per area code. The amount charged to access the entire DNC Registry, covering all area codes nationwide, will increase to $22,626, up from the current figure of $22,038. The cost to access an additional area code for six months will increase to $41 per area code, an increase of $1 from FY 2025. The first five area codes will remain free, and organizations that are exempt from the DNC rules, such as some charitable organizations and political organizations, may obtain the entire list for free.

Amicus Brief(ly): This annual adjustment imposes marginal increases in the cost to telemarketers and their customers to access the DNC Registry. The cost of doing business always seems to go up. Entities subject to the Telemarketing Sales Rule's DNC provisions and state laws that require compliance with the federal rule as a matter of state law need to access the DNC Registry in order to abide by the rule's parameters. Readers can refer to the FTC's Q&A on TSR compliance for a refresher on what the rule requires.
Pennsylvania AG Settles Claims Against Vehicle Dealership Group

The Pennsylvania Office of the Attorney General recently entered into a settlement agreement with a vehicle dealership group located in the commonwealth to resolve allegations of false, misleading, and deceptive credit, advertising, and sales practices, in violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law and Automotive Industry Trade Practices regulations.

Specifically, the AG alleged that the dealership group engaged in false, misleading, and deceptive credit practices, including:

  • misrepresenting the characteristics of vehicles, including the model type and/or available options to consumers and/or finance companies during the credit application process;
  • changing credit applications by inflating incomes and adding co-signers to or removing them from the credit applications;
  • placing credit in the names of co-signers without their explicit knowledge and/or approval; and
  • using consumers' electronic signatures to approve the purchase of add-on products without their consent.

The AG also alleged that the dealership group engaged in false, misleading, and deceptive advertising practices, including engaging in social media advertising via pages for third parties that have similar names as the dealerships but are not related to the dealerships, in an attempt to bypass social media transparency and advertising regulations.

In addition, the AG alleged that the dealership group engaged in false, misleading, and deceptive sales practices, including:

  • failing to disclose pertinent information to consumers, including the actual full financed price of vehicles;
  • failing to disclose material information to consumers in a non-deceptive way and refusing to use easy-to-understand methods such as window stickers;
  • adding products, including extended warranties, to consumers' purchases without their knowledge and/or explicit consent;
  • misleading consumers about the steps required to cancel and receive a refund for an add-on product;
  • failing to timely honor requests from consumers to cancel add-on products included in their purchases; and
  • failing to disclose that a used vehicle was a rental, fleet, or demonstrator vehicle on purchase documentation and failing to notify the consumer of such use.

Under the terms of the settlement agreement, the dealership group will pay $130,000 to the commonwealth, which includes $100,000 in restitution to impacted Pennsylvania consumers. In addition, the dealership group will hire a compliance officer, implement stricter communication regarding the condition of all vehicles sold, offer vehicles outside of a manufacturer warranty a 90-day 3,000-mile powertrain warranty, and provide greater transparency concerning vehicle financing, including ensuring that consumers are fully aware of all financing terms.

Amicus Brief(ly): It seems as though many enforcement actions related to dealership compliance turn on allegations of deceptive advertising and misleading origination practices. This Pennsylvania case covers a number of the usual hits, including claims of misleading price and availability advertising, adding the cost of optional products and services to a transaction without obtaining clear consent from the consumer, and trouble with cancellation of those optional products after consummation. The fine imposed by the Pennsylvania AG in this settlement is neither negligible nor exorbitant, but it reflects the seriousness with which the AG takes these allegations and that the AG is ready to act on consumer claims of misleading or deceptive conduct by vehicle dealers.

1 For the unfamiliar, an “Amicus Brief” is a legal brief submitted by an amicus curiae (friend of the court) in a case where the person or organization (the “friend”) submitting the brief is not a party to the case, but is allowed by the court to file the brief to share information or expertise that bears on the issues in the case.