By Heidi C. Salow and Micah R. Thorner, DLA Piper

This article originally appeared as a DLA Piper E-Commerce and Privacy Alert. It is reprinted here with permission
The Obama Administration's proposed sweeping changes to financial services regulation include the creation of a new consumer-protection bureau—The Consumer Financial Protection Agency. The plans have raised questions about the potential for new disclosure standards in the financial-services industry. In this article, Heidi Salow and Micah Thorner of DLA Piper provide a brief overview of the proposed CFPA and the privacy uncertainties the plans present.

Addressing the Obama Administration’s proposals to reform financial regulation in the U.S., Barney Frank (D-MA), Chairman of the House Financial Services Committee, promised to report legislation which would create a new Consumer Financial Protection Agency (CFPA) before the House adjourned for its August recess at the end of July.

This proposed new agency would be authorized to concentrate, in one agency, many of the consumer protection powers over mortgages and credit cards that now are spread across as many as 10 federal regulators. The Obama Administration proposal is set forth in a Department of the Treasury report, “Financial Regulatory Reform: A New Foundation” (Report).

The report reflects the Obama Administration’s view that a broad reorganization of the way the government regulates its financial system and protects consumers is necessary because consumer protection has allegedly taken a back seat to other aspects of bank regulation. This view follows the issuance, in the waning months of the Bush Administration, of strong credit card regulations by the Federal Reserve Board, compounded by the recent enactment of legislation that threatens to dramatically alter the existing business model that has historically governed the credit card industry.

The CFPA would be charged with ensuring that consumers have clear information about the financial products or services they purchase, as well as protecting them from any deception they might encounter when purchasing such products. The proposed legislation suggests that the agency could accomplish these objectives by requiring lenders to make safer, “plain vanilla” products clearly available to consumers, while stepping up scrutiny on alternative products. The agency would be empowered to issue new regulations requiring financial disclosure documents to “balance communication” of the relative merits of the products or services, “prominently disclose significant risks and costs,” and communicate those risks and costs in a “clear, concise, and timely” manner. In short, the Administration proposes a reform of financial services regulations that purport to integrate the consumer perspective, by rule, into the marketing and sale of financial services and products.

These reforms have many legislators and businesses very worried. Some of their key concerns about the proposal include:

   1. Broad authority over financial products. Under the terms of President Barack Obama’s plan, the new agency would have sweeping authority over providers of financial products, including banks and credit card companies. The authorization language in the proposal is very broad and so the precise impact of any forthcoming regulations is difficult to gauge. Nonetheless, many in the financial services industry have expressed grave concerns about whether this proposal will add yet another layer of regulation and whether the federal government, in the form of CFPA, will soon be dictating the terms of the products the industry offers—for example, the rate and fees that can be charged to credit card customers—and whether rules that are virtually unreviewable could meaningfully alter their business models and threaten their economic viability. In addition, given the broad language used to define the concepts of financial services and products in this new proposed statute, and the extensive delegation of authority provided to this new agency by the contemplated legislative provisions, it is possible that jurisdiction may be asserted over products and services not traditionally seen to be within the scope of conventional financial services and products. One consequence of being subject to such jurisdiction would include the possibility of non-recognition of an agreement to arbitrate.

   2. New regulator with less knowledge. The proposal removes responsibility for consumer protection from the existing federal banking agencies and Federal Trade Commission and sequesters it in a new federal agency with no other defined purpose other than to “promote transparency, simplicity, fairness, accountability, and access in the market for consumer products or services.” The CFPA would be charged with protecting consumers of credit, savings, payment, and other consumer financial products and services, except for investment products and services currently regulated by the SEC. The FTC would retain authority for dealing with fraud, remain the lead agency for data security, and have backup authority for the CFPA. The new agency, however, would become responsible for privacy protection related to financial products, services, and transactions.

      Because the CFPA’s supervisory, examination, and enforcement authority would extend to all persons and entities covered by the statutes it implements, as well as by statutes with no or limited rule-writing authority (such as the Fair Credit Reporting Act [FCRA] or Gramm-Leach-Bliley Act [GLBA]), all federal and state-chartered depository institutions, bank affiliates, and other nonbanking institutions would fall within its jurisdiction despite the new agency’s limited knowledge of financial regulations issued across multiple federal agencies. In other words, critics contend, the new agency would have enforcement authority without the necessary technical and institutional expertise to successfully protect consumers. It should be added that enforcement authority for this new agency not only contemplates the ability to litigate free of the Justice Department in federal courts, but also to represent itself before the United States Supreme Court following notice to the U.S. Attorney General.

      Because most, if not all, financial services products would be regulated by one agency, it is possible that such a structure would give the CFPA only some of the information it would need for effective regulation, making the whole system weak and inefficient.

   3. New disclosure standard creates uncertainty for financial services companies. In March 2007, eight federal regulators (the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller, the Office of Thrift Supervision and the Securities and Exchange Commission) requested comment on a model privacy form (Model Form) that financial institutions would be able to use for their privacy notices to consumers, as required by GLBA. The agencies made clear that use of the Model Form (expected to be finalized in August) would be entirely voluntary but would allow entities to qualify for a safe harbor. Achievement of safe harbor status would depend on vigorous adherence to the content and format requirements set forth in the proposed rule, however. The information contained in the proposed Model Form is highly standardized, permitting very little variation among entities’ disclosures about their information-sharing practices. The Administration’s proposal would potentially limit the ability of financial service providers to obtain this safe harbor by using the Model Form. The Administration’s Report proposes that the CFPA enact regulations:
          * making all mandatory disclosure forms clear, simple, and concise;
          * requiring that disclosures and communications with customers be clear and reasonable; and
          * allowing the CFPA to use technology to make disclosures more dynamic and relevant.

The plan would require financial service providers to present disclosures that are “technically compliant, non-deceptive, and reasonable.” To satisfy this new standard, marketing materials, notices (including privacy notices), and other consumer communications would have to identify any significant product risks, and a provider that failed to meet this duty would be subject to action by the CFPA. When introducing a new product or service, a provider would risk liability—even for using a Model Form—unless the provider obtained a “no action letter” or waiver from the CFPA.

In light of these specific proposals for consumer notices and communications, it is unclear at this early juncture whether the proposed Model Form will become obsolete.

Given the role that abusive and overly complex exotic mortgage products played in sparking the financial crisis, at first glance an independent agency dedicated to consumer financial protection might not seem terribly radical. But the true impact of such a new federal bureaucracy, operating with a singular purpose yet in the absence of any true institutional context, lies in the many details to be unveiled as the legislative process evolves. Already, many serious questions have arisen, with answers yet to come.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»