The consumer financial services sector is subject to substantial oversight and statutory regulation at the state and federal levels. While large financial institutions and affiliates are often the primary focus of regulation, the regulatory framework extends much further, and in many instances, extends to licensed professionals whose practices and services extend to the consumer financial services market. This article discusses the regulation and oversight of licensed professionals within the consumer financial services field at the state and federal levels.
September 05, 2023 Feature
Regulation of Licensed Professionals for Unfair, Deceptive, or Abusive Acts
Andrew C. Sayles
Oversight of Consumer Financial Services
Consumer finance refers to “the borrowing, saving, and investment choices that people (i.e., households) make over time” and the provision of related products and services. It includes extending credit and servicing loans, extending or brokering leases of personal or real property, real estate settlement services, performing property appraisals of real estate or personal property, financial advisory services, debt collection services concerning consumer debt, and marketing activities for professional services. Professionals within the consumer financial services field include real estate brokers, attorneys, financial advisors, real estate appraisers, directors and officers for regulated entities, and loan brokers.
The consumer financial services field is regulated on both the state and federal levels through statutory protections and regulations and enforcement actions by administrative agencies intended to protect consumers from abuse or deception in the marketplace. The first overarching set of rules in this field was established federally within section 5 of the Federal Trade Commission Act (FTC Act) in 1914. Over time, states followed suit and enacted similar provisions, with many modeled after section 5 of the FTC Act (so-called “Little FTC Acts”). State regulation focuses on unfair or deceptive acts or practices (UDAP), provides for state attorney general enforcement, and often permits private causes of action for consumers. The largest catalyst for regulation in recent years is attributable to the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) enacted in 2010. Title X of the Dodd-Frank Act enacted the Consumer Financial Protection Act (CFPA), which created the Consumer Financial Protection Bureau (CFPB). The CFPB is a federal regulatory agency with significant autonomy and authority over the financial services industry. This includes rulemaking authority in the form of unfair, deceptive, or abusive acts or practices (UDAAP) protections. For reference herein, UDAP refers to the various state regulations and UDAAP refers to the federal regulatory scheme. Finally, in many instances, enforcement and regulation also occur through private causes of action where permitted.
Common examples of UDAP and UDAAP claims include failing to provide consumers with promised services, using bait-and-switch tactics, misleading consumers about costs and prices for products and services, inadequate disclosures concerning financing or lease terms, processing payments for companies engaged in fraudulent activities, and misleading or abusive debt collection practices.
State Regulation of Professionals Based on UDAP
All states have legislation designed to protect consumers from deception, abuse, and fraud within the marketplace. These protections, in many instances, extend to consumer financial services and products and create civil causes of action for statutory violations. Some states have their own additional regulatory schemes and oversight bodies that extend specifically to financial services. For example, the California Consumer Financial Protection Law is an extremely influential legislation. New York is very active in the consumer financial services field through its Department of Financial Services. Beyond regulation and legislation, many states are active through attorney general investigations and enforcement.
Licensed professionals (e.g., attorneys, doctors, accountants, architects, and real estate agents) are generally subject to oversight by an administrative body or board. However, regulations and laws designed to protect consumers have expanded in recent decades, creating additional sources of oversight for professionals, both directly and indirectly. Some states exclude from their UDAP laws certain licensed professionals acting within the scope of their profession. However, a key factor in whether a professional’s conduct may be regulated under a corresponding UDAP provision is the degree of professional judgment and strategy involved in the activity. For example, should a mortgage broker who makes misrepresentations in advertising regarding financing terms be protected from false advertising regulations simply because they are licensed? Even where licensed professional exemptions exist, many Little FTC Acts will nonetheless extend to professionals if their conduct otherwise violates a federal regulation. Such provisions weaken or override existing state exemptions for licensed professionals.
State UDAP Claims against Professionals
The regulation of licensed professionals for unfair or deceptive acts is very dynamic from state to state. Even where there are clearly expressed exemptions, an underlying threshold assessment is generally required concerning whether the professional service is within the scope of “trade and commerce” or “goods and services” subject to regulation.
Attorneys and medical professionals. In general, attorneys and medical professionals are more removed from UDAP laws. A key factor for whether state UDAP laws apply often correlates to whether the professional is subject to distinct licensing and regulatory requirements. For example, attorneys are subject to judicial regulation and medical professionals to regulation by state administrative agencies. That separate oversight is generally viewed as supplanting a need for consumer protection laws. Nonetheless, attorneys, physicians, and other medical care providers may still find themselves subject to UDAP regulation.
Many state UDAP laws do not extend to pure legal malpractice claims but may apply where there is a blending or overlap of professional and nonprofessional services. Some states have held that the business-oriented acts of attorneys such as billing, collection of fees, and marketing are covered under respective UDAP laws. In some instances, blanket exemptions exist. New Jersey’s Consumer Fraud Act does not apply to “learned professionals,” which include attorneys. Similarly, Illinois generally excludes attorneys from its UDAP statute. Other states, such as Utah, focus more on the conduct of the professional to determine if they should be exempted. Another approach, as seen in Colorado, is to not make any black-letter rule one way or another and instead review the claims on a case-by-case basis.
The application of UDAP laws to medical professionals is similar to that for attorneys but, again, varies from state to state. For example, while New York generally does not extend its UDAP legislation to the practice of medicine, it has held its provisions applicable where medical services blend with business services. Just across the Hudson River, however, medical professionals benefit from the blanket “learned professional” exemption to New Jersey’s Consumer Fraud Act. Looking west, Oregon has held that dentists are subject to its UDAP regulation because they offer “goods or services” covered by statute, while Washington’s UDAP law applies only to the entrepreneurial activities of dentists.
Other professionals. Design professionals, accountants, and real estate agents encounter similar circumstances to attorneys and medical professionals, albeit with a larger application of UDAP laws. For example, Illinois, Kansas, and Oregon do not exempt architects from their UDAP protections because they are not subject to the same degree of oversight as attorneys and medical professionals. Texas formerly held that its UDAP statute applied to malpractice claims against architects and engineers but subsequently amended the statute to exempt design professionals. Accountants in Oregon are subject to its UDAP laws notwithstanding the regulation of those professionals by a separate agency within the state. In Massachusetts, an accountant may be liable under the UDAP scheme where it certified financial statements containing material misstatements and omissions. Other states have held more firmly to their professional exemptions for accountants even where nonclient reliance exists. In Connecticut, a UDAP claim against a real estate agent who intentionally undervalued a property and concealed the fact that they represented the buyer as well as the seller was sufficient to subject the professional to UDAP oversight and liability notwithstanding claims of professional negligence.
Increased State Regulation and Litigation of UDAP and UDAAP Claims
Recent developments within the federal consumer financial services field have resulted in an increase in civil claims by consumers in state courts and a call for increased state attorney general activity. The 2021 U.S. Supreme Court ruling in TransUnion LLC v. Ramirez held that a plaintiff in a federal action must demonstrate a concrete, particularized injury in order to satisfy Article III standing requirements. As a result, claims alleging violations of consumer protection regulations and legislation generally require some showing of an injury or harm, notwithstanding the availability of statutory damages. While TransUnion does not impact the regulatory authority of federal bodies, it has substantially impacted the ability of consumers to act as private attorneys general within federal courts. Practically speaking, consumer class actions based only on statutory violations are much more difficult to bring in federal court. In contrast, many states do not apply that same standing requirement of Article III and therefore provide an alternative forum to pursue violations based on federal consumer protection laws.
Dovetailing with the push of private civil actions to state courts, the CFPB has invited increased state attorney general enforcement. On May 19, 2022, the CFPB issued an interpretive rule confirming and describing the ability of states to enforce regulations under the federal CFPA. Therein, the CFPB encouraged increased state regulation and noted that states are able to act against a broader cross-section of companies and individuals than the CFPB and clarified that a pending CFPB enforcement action does not impact or preclude a concurrent state action.
Federal Regulation of Professionals Based on UDAAP
Federal consumer financial services regulation occurs primarily through the CFPB and the FTC. The CFPB is authorized to (1) issue regulations, (2) bring enforcement actions against those within the financial services field who engage in UDAAP, and (3) issue rules concerning major consumer financial protection statutes. The CFPB has authority to levy substantial monetary penalties for violations of designated consumer protection laws and UDAAPs established through the CFPA. A “covered person,” defined as any person or affiliate of a person that provides a consumer financial product or service, may face fines upward of $1 million for each day they are in violation of a consumer law. Further, the CFPB may impose restrictions and injunctions on any covered person or entity in relation to the applicable consumer financial services.
A UDAAP violation may exist based on a deceptive, unfair, or abusive act or practice, each of which can independently support enforcement activity and regulation. There is no formal definition for “deception” within the CFPA. Rather, it is applied based on decisions stemming from section 5 of the FTC Act, state UDAP statutes, and judicial analysis. Within its Supervision and Examination Manual, the CFPB explains that a deceptive act must be one that misleads or is likely to mislead a reasonable consumer as to a material issue. Unfair conduct is assessed based on the FTC Act definition and occurs where “(A) the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers; and (B) such substantial injury is not outweighed by countervailing benefits to consumers or to competition.” An abusive act or practice, unlike deceptive and unfair acts, does not have a corollary within the FTC Act or most state UDAP laws. The CFPB has authority to act against abusive acts if the conduct:
(1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
(2) takes unreasonable advantage of
(A) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
(B) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or
(C) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.
Only one of these four tests needs to be satisfied to establish an abusive act.
Federal UDAAP Claims against Professionals
Federally, the body of consumer protection laws applicable to licensed professionals is not as diverse and expansive as we see among state UDAP laws. Nonetheless, many professionals are still subject to an expansive framework of legislation and regulation within the consumer financial services field.
Although many professionals are initially exempted from the scope of CFPB and FTC oversight under the Dodd-Frank Act, their professional activities may create an exception to the exemption. The CFPB is prohibited from regulating certain “core business activities.” Professionals and professional services that fall within the core-business activities exclusion include real estate brokerages; accountants and income tax preparers; attorneys; state insurance regulator–regulated parties; employee benefit plan service providers; state securities commission–regulated parties, investment advisors, and other Securities and Exchange Commission (SEC)–regulated parties; Commodity Futures Trading Commission–regulated parties; charitable organizations and their officers and directors; and insurance companies.
Significantly, however, the above core-business activities exemption does not extend to persons or entities whose actions are alleged to have violated one of the 18 enumerated statutes carved out within the CFPA. These statutes include the Fair Debt Collection Practices Act (FDCPA), Truth in Lending Act (TILA), Real Estate Settlement Procedures Act (RESPA), Consumer Leasing Act (CLA), and Fair Credit Reporting Act (FCRA). For example, attorneys engaging in debt collection activities find themselves the subject of CFPB or FTC oversight and enforcement activity based on FDCPA violations. Similarly, TILA, RESPA, and FCRA impose marketing and disclosure requirements, which may include professionals to the extent they provide services within the scope of those statutes.
Debt Collection Activities and Attorney Oversight
A substantial source of federal oversight and civil liability for professionals exists among attorneys who engage in debt collection activities. The FDCPA defines a “debt collector” as “any person who uses any instrumentality of interstate commerce or the mails in any business the principal purpose of which is the collection of any debts, or who regularly collects or attempts to collect, directly or indirectly, debts owed or due or asserted to be owed or due another.” Although initially exempted from the FDCPA, a statutory amendment in 1986 and a subsequent Supreme Court holding in 1995 clarified that the litigation activities of attorneys are regulated by the FDCPA.
The FTC has general authority to enforce the FTC Act’s prohibition of unfair or deceptive practices against creditors collecting their own debts and uses the FDCPA as its standard for determining whether a practice is unfair or deceptive. Congress expanded federal oversight of the debt collection industry when creating the CFPB, giving that agency enforcement and rulemaking authority under the FDCPA. The CFPB has, in turn, advanced congressional directives through enforcement actions, civil investigations, interpretations of the FDCPA, and, most recently, promulgating debt collection rules. In October 2020, after several years of public comment, the CFPB implemented Regulation F, its “final” debt collection rule. Regulation F took effect on November 30, 2021, and is intended to establish a clear framework of policies, procedures, and practices applicable to debt collectors. Moreover, it further extends the oversight functions of the CFPB within the debt collection industry.
Regulation F imposes new restrictions as to how and when debt collectors may communicate with consumers by telephone. This includes limiting the number of calls that may be placed within a given week and limiting when subsequent contact may occur following initial contact. There is no exception provided for communications with a party who is engaged in litigation concerning the underlying debt, which will likely create pitfalls for FDCPA violations once matters are placed in suit. Regulation F also addresses the changing modes of communication by permitting email and text communication, subject to prior disclosures to the consumer by the creditor and the option to opt out of such electronic communications. The new debt collection rules also revise and expand what information must be disclosed to a debtor through debt validation notices and supply a form notice that provides “safe harbor” from violations if used. Additionally, record retention policies have been formally identified. While many in the industry had previously developed strong record retention policies in order to better defend FDCPA claims, the new rules now establish mandated retention of records concerning compliance with the FDCPA and communications with consumers.
As a result of Regulation F, future regulatory enforcement activities and civil claimants will benefit from clearly defined rules, policies, and procedures when alleging unfair and deceptive practices in the debt collection industry. What remains to be seen is whether the broadly applicable federal rules will conform with practices within the various states. For example, many states have specified notices and disclosures associated with residential foreclosure actions or their own state fair debt collection practices regulation. Invariably, there will be tension between mandated disclosures under Regulation F and unrelated mandated disclosures within the state. Similarly, creditors will need to work closely with collection agencies and counsel to ensure that appropriate records are maintained over the course of a consumer’s debt. Although certain creditors are not subject to the FDCPA, their records and data will be relied on by their debt collecting affiliates, who are subject to the debt collection rules.
CFPB Actions concerning Attorney Debt Collectors
Consumer advocates have argued that the FDCPA carries an implied requirement of meaningful involvement by any attorney who engages in debt collection activities. There is no such specific provision within the FDCPA, but the CFPB, and many courts, have advanced this implied requirement.
In Bock v. Pressler & Pressler, LLP, a consumer alleged FDCPA violations against a defendant law firm arising from a state court collection suit. The plaintiff argued that an attorney for the defendant law firm signed and filed “so many complaints that it is either physically impossible or so highly improbabl[e] that he read the Collection Complaint or made a sufficient inquiry from which to conclude that the factual allegations have evidentiary support,” constituting a false and misleading representation in the collection of a debt. The consumer contended that no meaningful attorney involvement could have occurred in the investigation and approval process leading to the filing of the collection action. The defendant contended that it relied on automation, its data systems, and non-attorney personnel to confirm underlying information. The district court found that based on the volume of filings, the law firm would have spent only four seconds investigating each claim before the complaint was filed and rejected arguments that the law firm’s systems and software were sufficient to constitute any meaningful attorney review. As a result, judgment was entered in favor of the plaintiff. The law firm appealed the matter to the Third Circuit Court of Appeals, at which time the CFPB and FTC each filed amicus briefs on behalf of the plaintiff. The Third Circuit did not address the merits of the district court’s ruling and instead remanded the matter to determine whether the plaintiff had Article III standing in light of the Supreme Court holding in Spokeo, Inc. v. Robins. After remand, the CFPB commenced a separate action against the defendants. Therein, the CFPB alleged UDAAP violations against the law firm based on alleged violations of the FDCPA, including a lack of meaningful attorney involvement. The CFPB action resulted in a consent order that placed conditions and requirements on the firm’s debt collection practices and fined the law firm $1 million.
The CFPB took similar actions in a complaint filed against a Georgia attorney and firm in CFPB v. Frederick J. Hanna & Associates, P.C. There, the CFPB alleged that the defendant law firm filed an average of 1,300 collection suits per week, totaling approximately 138,000 collection suits over a two-year period. The CFPB charged that there was a lack of meaningful attorney involvement and that collection suits were filed without a proper factual basis or investigation and took issue with the high percentage of suits that were dismissed when challenged by consumer-debtors. The defendant law firm entered into a settlement by consent order with the CFPB that resulted in a $3.1 million fine on the law firm principals and regulations on the firm’s debt collection activities.
It should be noted that the refinement of practices and procedures for meaningful attorney involvement claims has also resulted in a successful outcome for attorney debt collectors. In CFPB v. Weltman, Weinberg & Reis Co., L.P.A., following a four-day trial, the defendant law firm successfully defended claims alleging that the extent of attorney involvement was misrepresented in violation of the FDCPA.
The consent orders entered in Pressler and Hanna detailed what the CFPB expected from debt collection firms and have resulted in substantial regulatory activity and civil litigation surrounding meaningful attorney involvement claims. In fact, a third consent order against a law firm debt collector was entered with the CFPB on January 18, 2023, with terms substantially similar to those in Pressler and Hanna. As part of the Regulation F rulemaking process, the CFPB considered memorializing meaningful attorney involvement measures in the form of a safe harbor provision but ultimately omitted any reference to this standard as part of Regulation F, to the satisfaction of both the collection industry and consumer advocates.
Recent CFPB Activity and Trends
The CFPB as a data security regulator. The FTC has actively and consistently pursued enforcement actions based on data security failures. Its scope of enforcement here is determined, in large part, through the Gramm-Leach-Bliley Act (GLBA). The GLBA extends coverage to financial institutions and their affiliates and requires entities within its scope to maintain specific security programs pursuant to the Safeguards Rule. The covered entities here include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the SEC.
Prior to August 2022, CFPB activity in data security enforcement had been limited. In a March 2016 action, the CFPB alleged that an online payment company misrepresented its data protection policies to consumers and that consumers may have chosen other service providers had accurate information been provided. Importantly, there was no actual data breach alleged in that investigation. Instead, the CFPB appeared more focused on ensuring that consumers were accurately informed of data security measures.
On August 11, 2022, the CFPB confirmed through Circular 2022-04 that it would become more engaged in data security oversight. There, the CFPB addressed whether entities violate applicable UDAAP rules when they have insufficient data protection or information security. The CFPB answered with a resounding “yes.”
Within the circular, the CFPB confirmed that UDAAP violations may arise from deficient data security measures: “In addition to other federal laws governing data security for financial institutions, including the Safeguards Rules issued under the [GLBA], ‘covered persons’ and ‘service providers’ must comply with the prohibition on unfair acts or practices in the CFPA.” An unfair act or practice under the CFPA is an act or practice (1) that causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers, and (3) is not outweighed by countervailing benefits to consumers or competition. The circular confirmed that “[i]nadequate security for sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B). While these requirements often overlap, they are not coextensive.” The circular did not mandate data security practices but did identify several examples of data security measures that would be beneficial to consumers: (1) multifactor authentication, (2) adequate password management, and (3) timely software updates. CFPB Circular 2022-04 expanded on the 2016 enforcement action by indicating that a lack of adequate security measures can constitute a UDAAP violation regardless of whether any representations were made. As a result, any entity that may find itself subject to CFPB oversight must be cognizant of the potential for enforcement and liability associated with data security incidents.
Constitutionality of the CFPB. Since its creation in 2011, there have been many challenges to the constitutionality of the CFPB. Some have challenged the structure of the CFPB, which provided for a single director who could only be removed for cause, thereby insulating the director from displacement upon a change in the executive branch. Alternatively, others have challenged the funding of the CFPB, which is not subject to congressional appropriations but rather is funded through the Federal Reserve.
In 2020, the Supreme Court held in Seila Law LLC v. CFPB that the single-director structure of the CFPB, which prevented the director from being removed absent a for-cause showing, was unconstitutional. However, the Court found that the for-cause removal provision could be severed from the statutory language, permitting the CFPB to continue functioning.
On October 19, 2022, the Fifth Circuit Court of Appeals found that the funding structure of the CFPB was unconstitutional. In Community Financial Services Ass’n of America, Ltd. (CFSAA) v. CFPB, the court held that the CFPB’s self-funding structure violated the appropriations clause and separation of powers principles such that the CFPB’s payday lending rule was vacated. On February 27, 2023, the Supreme Court granted certiorari. The outcome of CFSAA v. CFPB before the Supreme Court may have enormous implications within the consumer financial services field in that it could result in the invalidation of CFPB rules and guidance.
Conclusion
Professionals who engage in acts within the consumer financial services field should be cognizant of the varying sources of regulation and liability concerning their interactions with consumers. On the state level, marketing and business activities can subject professionals to oversight and civil liability notwithstanding statutory exemptions for many UDAP laws. Moreover, the increasing activity of the CFPB within the industry as a regulator and promulgator of rules, as well as its active encouragement of state engagement, serves to increase the scrutiny that professionals will face to the extent they interact with consumers within covered areas. Federally, the CFPB is increasing its activity within the debt collection sphere and has confirmed that it views its congressional directive to include data security oversight where applicable. Finally, the Supreme Court’s anticipated ruling later this year in CFSAA v. CFPB may significantly alter the role and impact of the CFPB.