In the past two months, consent orders were reached in two high profile enforcement actions. In February 2016, a consent order came out between the Consumer Financial Protection Bureau (CFPB), Department of Justice (DOJ) and Toyota Motor Credit Corporation. More surprisingly, the CFPB stretched its authority under Dodd-Frank to enter into the data security arena. This most recent consent order signals that the CFPB may be shifting its focus from transparent communication between consumers and creditors to the high tech world of data security.
With data security being a recent hot topic of concern for consumers, it comes as no surprise that the CFPB has tossed its name in the data security enforcement hat. Just this month, the CFPB imposed a $100,000 civil penalty against an online payment processor, Dwolla, for allegedly deceiving consumers about its data-security practices and safety of its online payment system. (Read our March 7 Alert about it.) Dwolla operates an online payment system and collects and stores consumers' sensitive personal information, including names, addresses, Social Security numbers and bank account information.
The enforcement action alleges that from December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access by employing data security practices which exceeded industry standards. Additionally, Dwolla told consumers it encrypted all sensitive personal information. However, as laid out in the Consent Order, this was far from the truth. It was discovered that from its inception until at least October 2013, Dwolla had not adopted or implemented a written data security plan to govern the collection, maintenance or storage of consumers' personal information. Moreover, employees received little to no data security training before December 2012. Most alarmingly, it was revealed that in numerous instances, Dwolla transmitted consumers' personal information without encrypting the data.
As a result of the CFPB enforcement action, Dwolla must stop misrepresenting the data security practices implemented by it and must enact comprehensive data security measures and policies, including a program of risk assessments and audits. Additionally, Dwolla must train employees on the company's data security policies and procedures. Notably, the Consent Order requires Dwolla's board to ensure compliance with the order and provides that the board will bear ultimate responsibility for Dwolla's compliance.
This enforcement action is of particular interest because it is the first data security enforcement action by the CFPB and signals a potential new target area by the agency. Financial institutions should take note to ensure that their data security policies are compliant because now they face scrutiny from yet another government agency. Financial institutions should not only ensure that policies are in place but that their policies are accurately communicated to consumers.
In a separate matter, the CFPB and the DOJ last month resolved an action with Toyota Motor Credit Corporation (TMC). Pursuant to the order, TMC is required to pay up to $21.9 million in restitution to African American and Asian and Pacific Islander borrowers who paid higher interest rates than white borrowers for their auto loans.
According to the Order, the discriminatory conduct occurred because TMC allowed auto dealers' discretion to mark up interest rates prior to finalizing the deal. Usually, when consumers finance automobile purchases from auto dealerships, the dealer facilitates indirect financing through a third-party auto lender like TMC. The indirect auto lender, TMC in this case, sets the rates for consumers based on credit worthiness. Those rates are then relayed to auto dealers. The auto dealers are allowed to charge a higher interest rate when they finalize the deal with the consumer. It was alleged that in the instant case, consumers' rates were marked up as much as 2.5 percent by auto dealers.
The CFPB and DOJ investigated TMC's indirect auto lending activities' compliance with the Equal Credit Opportunity Act. The investigation found that TMC's policies resulted in minority borrowers paying higher dealer markups without regard to the credit worthiness of the borrowers. The investigation found that on average, African American borrowers were charged over $200 more for their auto loans, and Asian and Pacific Islander borrowers were charged, on average, over $100 more for their auto loans than white borrowers. It is important to note that the investigation did not find that TMC intentionally discriminated against consumers, but rather its discretionary pricing and compensation policies resulted in discriminatory outcomes.
Pursuant to the Order, TMC must reduce dealer discretion to mark up interest rates to only 1.25 percent above the rate set by TMC for loans with terms five years or less and one percent for auto loans with longer terms. TMC has the option to move to non-discretionary dealer compensation.
This action solidifies the relationship between the CFPB and the DOJ, as it is the fourth joint public resolutions addressing the fair lending risks in dealer discretion and financial incentives.
Both of these enforcement actions signal that the CFPB is not slowing down and is using its authority under Dodd-Frank to touch upon various aspects of the consumer finance industry.