This week, several congressional committees held hearings to review recent data security breaches and related consumer privacy issues, particularly those related to consumer financial data and payment systems. Generally, the hearings covered (i) potential enhancements to federal enforcement capabilities, (ii) card and payment system technologies and potential data security standards, and (iii) consumer protection enhancements. The hearings included two by the Senate Banking Committee—the first by a Subcommittee and a second held by the full Committee—as well as hearings held by the Senate Judiciary Committee and a Subcommittee of the House Energy and Commerce Committee. With regard to federal enforcement capabilities, the FTC reiterated its support for federal legislation that establishes a national breach notification requirement and a federal data security standard the FTC can enforce with civil penalties. The FTC also would like (i) its jurisdiction for data security enforcement to include nonprofit organizations, and (ii) APA rulemaking authority to address evolving risks. In support of the FTC’s request for additional authority, several members highlighted their view of the FTC’s limited ability to enforce data security under section 5 of the FTC Act. In particular, Senator Elizabeth Warren (D-MA) asserted that the FTC Act’s demanding standard and lack of strict liability unnecessarily limits the FTC’s authority to protect the public in data security matters. The FTC believes federal legislation should not preempt stronger state laws, and that state attorneys general should have concurrent enforcement authority. Significant debate centered on the possible benefits of implementing “Chip and PIN” technology in payment cards, with several legislators questioning why such technology is in widespread use in other major economies but has not yet been deployed in the U.S. Witnesses representing retailers repeatedly called on banks and payment network companies to move immediately to that technology, claiming that the outdated cards still being issued in the U.S. create unnecessary security risk. Banks outlined their plans to move to chip-based cards by October 2015 and stressed the role retailers must play in helping secure consumer data. As a corollary to technological solutions, committee members debated the role of government in setting data security standards, including for payments. Several members of Congress were critical of non-governmental standards bodies and called for a technologically neutral federal standard. Finally, Senator Mark Warner (D-VA) expressed an interest in amending federal law to extend zero-liability protections currently applicable to credit card transactions to debit card transactions.
On March 3, South Dakota enacted HB 1131, which amends state banking laws to make clear that banks can offer revolving lines of credit not tied to the issuance of a credit card.
On January 21, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s dismissal of a constitutional challenge to certain credit card fees. In re Late Fee and Over-Limit Fee Litig., No. 08-15218, 2014 WL 211729 (9th Cir. Jan. 21, 2014). A group of credit card holders filed a class action suit claiming that credit card overlimit fees and late fees are analogous to punitive damages imposed in the tort context, and therefore such fees are subject to substantive due process limits. The card holders asserted that because banks are compensated through high penalty interest rates for the lost time value and collection costs associated with any breach of the credit contract, the other charges are duplicative and therefore punitive. The court explained that its decision hinged on the similarities and differences between liquidated damages and punitive damages, and determined that the penalty clauses at issue originate from the parties’ private credit card contracts, and are distinct from the jury-determined punitive damages awards. The court held, therefore, that the “jurisprudence developed to limit punitive damages in the tort context does not apply to contractual penalties, such as the credit card fees at issue in this case.”
On December 23, the CFPB announced a coordinated enforcement action taken by federal regulators against a major credit card company and certain subsidiaries alleged to have violated multiple consumer protection laws with respect to credit card add-on products. The action, which is the fourth action taken by the CFPB relating to credit card add-on products, and the fifth add-on product action overall, extends the CFPB’s intense supervisory and enforcement focus on ancillary products and oversight of third-party service providers.
In coordination with the FDIC and the OCC, the CFPB ordered the companies to refund an estimated $59.5 million to more than 335,000 customers for certain credit card practices, including allegedly unfair billing tactics and deceptive marketing. The company must also pay an additional $9.6 million in civil penalties, submit to an independent review of other credit card add-on products, and continue to implement enhanced third-party oversight.
The consent orders allege that the company misled consumers about the benefits, fees, length of coverage, and terms and conditions of certain payment protection products, and that the company billed consumers for services they did not receive, unfairly charged consumers for interest and fees, and failed to comply with federal requirements to inform consumers about their right to a free credit report.
The coordinated action follows another taken by federal regulators last year, in which the same companies were ordered to refund approximately $85 million in connection with alleged UDAAP violations related to the offering of a rewards card and certain debt collection practices.
On December 16, the CFPB published a final rule to review and adjust provisions of Regulation Z that implement amendments to TILA under the CARD Act and HOEPA. Specifically, the CFPB is required to adjust, as appropriate based on the annual percentage change reflected in the Consumer Price Index in effect on June 1, 2013, (i) the threshold amount that triggers requirements for the disclosure of minimum interest charges and (ii) the maximum penalty fee card issuers can impose for violating account terms without violating the restrictions on penalty fees established by the CARD Act. For 2014, the minimum interest charge disclosure threshold will remain unchanged, while the permissible penalty fees will increase to $26 for a first late payment and $37 for each subsequent violation within the following six months. Similarly, the CFPB is required to adjust the combined points and fees threshold that triggers compliance with HOEPA. Effective January 1, 2014, that threshold will be $632.
On December 17, the CFPB released its annual report to Congress on college credit card agreements, prepared pursuant to the CARD Act. The report follows an inquiry launched earlier this year into financial products marketed to students. The study revealed that since 2009, the number of college card agreements in effect has decreased by 41 percent, the compensation paid to colleges and universities has decreased by 40 percent, and the number of new accounts opened by students has decreased by 18 percent.
The Bureau’s press release urges financial institutions to voluntarily disclose to the public any agreements with colleges and universities to market debt, prepaid, and other products to students and warns that “[t]he CFPB prioritizes its supervisory examinations based on the risks posed to consumers” and “[failing to make] college financial product arrangements transparent to students and their families . . . increase[s] such risks.”
On December 12, the CFPB published the preliminary results of its ongoing study of arbitration agreements in consumer finance contracts. Section 1028(a) of the Dodd-Frank Act directs the CFPB to study the use of pre-dispute arbitration contract provisions, and preconditions the CFPB’s exercise of rulemaking authority regarding arbitration agreements on a finding that the regulation is “in the public interest and for the protection of consumers.” The CFPB commenced its arbitration study in early 2012, and expanded its review this year with a proposal to survey credit card holders, and by exercising its authority under Dodd-Frank Act Section 1022 to order some companies to provide template consumer credit agreements, as Director Cordray indicated during a September House Financial Services hearing.
The CFPB reports the following preliminary results, among others:
- Larger banks are more likely to include arbitration clauses in their credit card contracts and checking account contracts than smaller banks and credit unions.
- Just over 50% of credit card loans outstanding are subject to arbitration clauses, while 8% of banks, covering 44% of insured deposits, include arbitration clauses in their checking account contracts.
- Arbitration clauses are prevalent across the general purpose reloadable (GPR) prepaid card market, with arbitration clauses appearing in the cardholder contracts for 81% of GPR prepaid cards studied by the CFPB.
- Class action waivers are ubiquitous, appearing in approximately 90% of arbitration provisions.
- A minuscule number of consumers exercise contract carve-outs permitting disputes to be pursued in small claims courts, while credit card issuers are “significantly more likely” to sue consumers in small claims court.
The CFPB did not consider specific policy options at this stage. However, the report outlines numerous additional steps the CFPB plans to take as part of its arbitration study, which may expand to include other financial product markets. For example, in response to stakeholder comments, the CFPB is revising a prior proposal to conduct a survey of consumers that addresses consumer awareness of arbitration clauses and consumer perceptions of and expectations about formal dispute resolution. The CFPB also intends to assess the possible impact of arbitration clauses on the price of consumer financial products. Finally, the CFPB is examining the interrelationship between public enforcement and private aggregate enforcement (i.e., class actions) by conducting an empirical analysis of the types of cases brought by public and private actors, and the relationship between any actions against the same defendants or challenging similar conduct. The report does not provide anticipated timelines for these or any of the other future steps the Bureau describes.
On December 10, the CFPB released a consent order with a federal savings association, pursuant to which the bank will refund approximately $34 million to more than one million credit card holders who were enrolled in deferred-interest financing for healthcare services. The order does not include a civil penalty. The deferred-interest action is the first public action taken by the CFPB since it promised to scrutinize such products in its October credit card report.
The product at issue typically is offered by healthcare providers who offer personal lines of credit for healthcare services, including medical, dental, cosmetic, vision, and veterinary care. The CFPB alleges that the bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods associated with the credit cards, which led to consumers being misled during the enrollment process. The CFPB further claimed that healthcare providers improperly completed applications and submitted them on behalf of consumers, failed to provide consumers with copies of the credit card agreement, and, where disclosures were provided, those disclosures failed to adequately explain the deferred-interest promotion.
In addition to consumer redress, the order mandates certain terms of the bank’s contracts with medical providers offering the healthcare credit card. For example, the bank must incorporate specific “transparency principles” into its agreements with healthcare providers, and the contracts must prohibit certain charges. The bank also must enhance disclosures provided with the card application and billing statements, and improve training for healthcare providers offering the card. In addition, the order details consumer complaint resolution requirements, and prohibits certain incentive arrangements and paid endorsements. To date, the CFPB has not released the attachments to the consent order, which include, among other things, the transparency principles and disclosures.
The New York Attorney General entered into a similar agreement with the bank earlier this year. Under that agreement, the bank was likewise required to add a set of transparency principles to provider contracts to ensure that card terms were described accurately and to revise promotional interest rate options and other disclosures to better inform consumers’ use of the card.
On December 2, the U.S. Court of Appeals for the Fifth Circuit held that a set of parens patriae suits filed by the Mississippi Attorney General (AG) against credit card issuers is not subject to federal jurisdiction under the Class Action Fairness Act (CAFA) or National Bank Act (NBA) preemption. Hood v. JP Morgan Chase & Co., No. 13-60686, 2013 WL 6230960 (5th Cir. Dec. 2, 2013). The consolidated appeal involves cases originally filed by the AG in state court against six credit card issuers for allegedly violating the Mississippi Consumer Protection Act in connection with the marketing, sale, and administering of certain ancillary products, including payment protection plans. After the card issuers removed the cases, a federal district court denied the state’s motion to remand, holding that it had subject matter jurisdiction because: (i) the cases were CAFA mass actions; (ii) the NBA (and the Depository Institutions Deregulation and Monetary Control Act for one state-chartered bank defendant) preempted some of the state law claims; and (iii) it had supplemental jurisdiction over the remaining state law claims. The Sixth Circuit disagreed and held that the card issuers failed to prove that any card holder met CAFA’s individual amount in controversy requirement, rejecting the issuers’ argument that the state is the real party in interest and its claims for restitution and civil penalties exceed the threshold. The court also rejected the issuers’ argument—and the district court’s holding—that the payment protection plans were part of the loan agreement and the fees associated with the plans constitute “interest,” such that the state’s challenge to the plans was an implicit usury claim preempted by the NBA. Instead, the court held that while the plans could conceivably fit within the definition of “interest,” there is no clear rule on this subject that demands removal. Moreover, the court held that even if the payment protection plan fees are “interest,” the claims still would not be preempted because the state does not allege that the issuers charged too much interest, but rather challenges the alleged practice of improperly enrolling customers in the plans. The court reversed the district court and remanded for further proceedings consistent with its opinion.
On November 15, Bloomberg reported that the CFPB is examining credit card issuers’ rewards programs. The article quotes CFPB Director Cordray stating that rewards programs can involve “detailed and confusing rules” and that the CFPB “will be reviewing whether rewards disclosures are being made in a clear and transparent manner.” The CFPB’s recent Credit CARD Act report identified rewards product disclosures as one of many card practices that “pose risks to consumers and may warrant further scrutiny by the Bureau.”
Bloomberg reported that the examinations cover the marketing of rewards programs, “particularly the marquee promise of a given card, such as cash back, or redeemable airline miles, and what a customer needs to do to get it.” The article notes that there is no apparent sudden rise in consumer complaints about rewards, but the CFPB has targeted the programs because they are, according to the source, the primary reason consumers choose a particular card.
While the CFPB reportedly is not examining the disclosures on the basis that they could present UDAAP risk, the article states that the scope of the targeted examinations includes (i) the time it takes for card holders to redeem their rewards, (ii) the potentially obscure nature of the conditions on redeeming rewards, (iii) programs that require increasing amounts of spending over time to redeem an award, and (iv) forfeiture and reinstatement of rewards.
On November 13, New York Governor Andrew Cuomo signed AB 3601, a bill intended to protect payment card holders from liability for unauthorized use of unsolicited convenience checks. Effective immediately, cardholders are held harmless for unauthorized use of unsolicited convenience checks associated with their account. The New York Bankers Association opposed the bill because its title and the accompanying sponsor’s memo misstate the purpose of the bill as being an outright ban on the unsolicited mailing of convenience checks to consumers when, in fact, the bill does not ban the practice.
On November 4, the U.S. District Court for the Southern District of New York held that credit card holders may pursue statutory damages for alleged violations of Regulation Z’s short-form credit card notice requirement, even though the short-form notice requirement is contained in a section of Regulation Z that is not enumerated under TILA’s statutory damages section. Zevon v. Dept. Stores Nat’l Bank, No. 12-7799, 2013 WL 5903024, (S.D.N.Y. Nov. 4, 2013). A credit card holder filed a putative class action alleging that the monthly short-form notice provided by the issuer was incomplete and omitted provisions required by Regulation Z’s model form provision. The court rejected the card issuer’s argument that because TILA only provides card holders with a cause of action for statutory damages for specifically enumerated statutory provisions, and because the short-form notice provision is not enumerated in the statute but is set only by Regulation Z, the card holder is not entitled to statutory damages. The court explained that following the card holder’s reasoning would immunize card issuers from statutory damages for even the most egregious short-from notice violations. Instead, the court held that because the allegedly violated Regulation Z provision was promulgated pursuant to an enumerated statutory provision—TILA’s long-form notice requirement—card holders are permitted to bring claims for statutory damages for short-form violations. The court rejected the card issuer’s motion to dismiss for these reasons, but granted its motion to limit statutory damages to $500,000, holding that the Dodd-Frank Act’s increase to a $1 million cap cannot be applied retroactively to violations that allegedly occurred prior to the Act’s passage.
On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.
On October 18, the United States District Court for the Southern District of New York dismissed a putative TILA class action alleging that a bank made improper interest rate disclosures on credit card bills and assessed incorrect late fees and interest. Schwartz v. HSBC Bank USA, N.A., No. 13-cv-00769, 2013 WL 5677059 (S.D.N.Y. Oct. 18, 2013). The card holder asserted that despite his timely payments the bank assessed him late fees and incorrectly disclosed the annual interest rate and balances on his monthly statements. The court first rejected the card holder’s disclosure claim, characterizing the alleged violations as “hypertechnical” disclosure defects that did not provide a basis for plaintiff to recover. The court held that, while the applicable TILA rule mandates the disclosure of the applicable rate, the balance to which the rate applied, and the nominal APR, the card holder did not properly allege how his statements lacked or misstated any of these required disclosures. The court also held that dismissal was warranted because the bank had refunded the alleged improper late fees before plaintiff commenced the lawsuit, and therefore plaintiff sustained no actual damages.
On October 2, the CFPB released its first review of the consumer credit card market. The Credit Card Accountability Responsibility and Disclosure Act of 2009 (the CARD Act) requires the CFPB to prepare a report every two years to examine developments in the consumer credit card marketplace, including (i) the terms of credit card agreements and the practices of issuers, (ii) the effectiveness of disclosures, and (iii) the adequacy of UDAP protections. The CFPB also must review the impact of the CARD Act on (i) the cost and availability of credit, (ii) the safety and soundness of issuers, (iii) the use of risk-based pricing, and (iv) product innovation. In connection with this initial report, the CFPB hosted a credit card field hearing in Chicago, IL, at which Director Cordray reviewed the report’s findings and industry representatives and consumer advocates discussed the current state of the credit card market.
In its review of the post-CARD Act market, the CFPB found that the CARD Act largely accomplished its intended goals. The CFPB reports that: (i) the total cost of credit declined by two percentage points between 2008 and 2012; (ii) overlimit fees and repricing actions have been effectively eliminated; (iii) the size of late fees has decreased; (iv) there is sufficient available credit, notwithstanding the impacts of the financial crisis, but less than in 2007; and (iv) the CARD Act’s ability-to-repay provisions have protected young consumers.
However, the CFPB identifies numerous concerns it has about the credit card market, including “practices that may pose risks to consumers and may warrant further scrutiny by the Bureau.” Those concerns include:
- Add-on products: The CFPB remains concerned about the ways these products are marketed and will continue to pursue allegedly deceptive practices. All of the CFPB’s major enforcement actions to date have involved add-on products, most of which related to credit cards.
- “Fee harvester” cards: The CFPB recognizes that some upfront fees that exceed 25% of the initial credit limit have been held not to be covered by the CARD Act because a portion of the fees are paid prior to account opening. Still, the CFPB plans to monitor the use of application fees in connection with account openings to determine if it should take action under its available authorities.
- Deferred interest products: The CFPB intends to study the risks and benefits of private label cards that finance purchases without interest for a period of time but then assess interest retroactively if the balance is not paid in full by a given date.
- Online disclosures: The CFPB intends to assess the methods by which card issuers provide consumers with disclosures when they access their accounts online.
- Rewards products disclosures: The CFPB will review whether disclosures for “highly complex” rewards products are being made in a clear and transparent manner and whether “additional action” is warranted.
- Grace period disclosures: The CFPB believes it may need to take action to ensure that disclosures sufficiently inform consumers that once they carry a credit card balance into a new billing cycle, they no longer enjoy the grace period on new purchases.