United States: Consumer Financial Services: UDAAP Round Up

Letter to Readers

Welcome to the latest edition of the UDAAP Round-Up. This newsletter is designed to provide you with a periodic resource to stay abreast of federal activities regarding the prohibition on unfair, deceptive, or abusive acts or practices ("UDAAPs") in the consumer financial services space. In this edition, we cover notable policy, enforcement, and supervisory developments from April 2022 through September 2022.

During this period, we saw an uptick in enforcement with 22 UDAAP/UDAP enforcement complaints and consent orders from the Consumer Financial Protection Bureau ("CFPB" or the "Bureau"), the Federal Trade Commission ("FTC" or "Commission"), and the Office of the Comptroller of the Currency ("OCC"),¹ numerous UDAAP supervisory findings from the CFPB, and a focus from the CFPB and FTC on consumer data

Background on UDAAP/UDAP Authority and Elements

For those who are new to the UDAAP space, welcome. Below, we provide a high-level overview of the CFPB's and FTC's authority and basic definitions, which provide context for the information that follows.

Section 5 of the FTC Act prohibits unfair and deceptive acts and practices ("UDAPs") in or affecting commerce.² The FTC has enforcement authority with respect to nonbank financial services companies under the FTC Act. Penalties for violation of the FTC Act include cease-and-desist orders (the violation of which is subject to civil penalties) and injunctive relief.³

Title X of the Dodd-Frank Act provides the CFPB's UDAAP supervisory and enforcement authority, and prohibits any covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.⁴ These authorities and prohibitions also apply to any person knowingly or recklessly providing substantial assistance to a covered person in the commission of a UDAAP.⁵ A "covered person" is defined as "any person that engages in offering or providing a consumer financial product or service" or service provider affiliate thereof.⁶ The Dodd-Frank Act provides the CFPB various remedies for violations of federal consumer financial laws, including: (1) rescission or reformation of contract; (2) refunds of money or return of real property; (3) restitution; (4) disgorgement or compensation for unjust enrichment; (5) payment of damages or other monetary relief; (6) public notification regarding the violation, including the costs of notification; and (7) limits on activities or functions of the person. ⁷ The Dodd-Frank Act also provides for civil money penalties.⁸

An act or practice is unfair if (1) it causes or is likely to cause substantial injury to consumers; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or to competition.⁹ In determining whether an act or practice is unfair, the FTC and the CFPB may consider established public policies as evidence to be considered with all other evidence, but such public policy considerations may not serve as a primary basis for such determination.¹⁰

A representation, omission, or practice is deceptive if (1) it is likely to mislead the consumer; (2) the consumer's interpretation of the representation is reasonable under the circumstances; and (3) the misleading representation is material.¹¹

An act or practice is abusive if it (1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreasonable advantage of: (a) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; (b) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or (c) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.¹² While the CFPB has abusiveness authority, the FTC does not.

Focus on Consumer Data

Since the last edition of the UDAAP Round-Up, both the CFPB and the FTC have taken action in the consumer data space.

A. CFPB Issues Circular and Interpretive Rule

In August 2022, the CFPB issued a Circular stating that entities can violate the prohibition on unfair practices by having insufficient data protection or information security.¹³ The CFPB reasons that weak data security practices are likely to cause substantial injury to consumers that is not reasonably avoidable and is unlikely to be justified by countervailing benefits to consumers or competition.

In particular, the Circular calls out the following practices as likely unfair:

• Failing to require multi-factor authentication for employees or failing to offer multi-factor authentication to consumers accessing systems and accounts (or a reasonably secure equivalent);
• Having inadequate password management policies and practices, including use of default enterprise logins or passwords, and failing to monitor for breaches at other entities; and
• Failing to routinely update systems, software, and code or failing to update when alerted to a critical vulnerability

Shortly after it issued the Circular, the CFPB issued an Interpretive Rule on a related topic: the extent to which digital marketing providers are considered "service providers" under the Dodd-Frank Act.¹⁴ The UDAAP prohibition in the Dodd-Frank Act applies to "service providers." The Dodd-Frank Act defines "service provider" as "any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service."¹⁵ However, the term "service provider" does not include those providing either "a support service of a type provided to businesses generally or a similar ministerial service" or "time or space for an advertisement for a consumer financial product or service through print, newspaper, or electronic media."¹⁶

The Interpretive Rule states that when digital marketers identify or select prospective customers and/or select or place content to affect consumer engagement, they are providing a significant and, therefore, "material" service to covered persons. The rule provides that such "material" service is beyond the scope of the "ministerial service" exception to the definition of "service provider." The rule also explains that companies providing such services do not fall within the "time or space" exception because they are providing a service that goes beyond providing "airtime or physical space" for an advertisement. Accordingly, such digital marketers may be considered service providers subject to the UDAAP prohibition. Read our analysis of the Interpretive Rule here.

Many digital marketers that would qualify as "service providers" under the Bureau's interpretation of that term likely rely on consumer data to target ads to specific consumers. These digital marketers' data security practices may be scrutinized by the CFPB under its UDAAP authority according to the principles announced in the Circular discussed above.

B. FTC Issues Advance Notice of Proposed Rulemaking

Shortly after the CFPB issued the Circular and Interpretive Rule, the FTC published an Advance Notice of Proposed Rulemaking ("ANPR") on privacy and data security.¹⁷ For decades, the FTC has used its enforcement authority to police unfair and deceptive acts or practices to confront a diverse array of data security and privacy-related concerns. Under Chair Lina Khan, the FTC has indicated that it intends to exercise its rulemaking authority to impose data security and privacy standards across the economy, as opposed to only investigating individual companies on a case-by-case basis.

The ANPR explains that the rulemaking is designed to expand the remedies available to the FTC in matters involving privacy and data security. A 2021 US Supreme Court decision stripped the FTC of its ability to seek monetary relief for UDAP violations under Section 13(b) of the FTC Act.¹⁸ However, the Commission is able to seek monetary relief based on the violation of a rule.

The rulemaking is pursuant to the FTC's authority under Section 18 of the FTC Act, which allows the FTC to issue rules that identify specific business practices that are unlawful because they are unfair or deceptive. The FTC also must show that the specific practices are prevalent. Notably, rulemaking using this process is slow and cumbersome—even compared to typical notice-and-comment rulemaking under the Administrative Procedure Act—and typically takes several years.

The ANPR covers a wide range of potential consumer data and privacy concerns and shows that the FTC is particularly interested in "dark patterns." A "dark pattern" generally refers to design features that can manipulate or trick consumers into making choices they otherwise would not make. Dark patterns of interest to the FTC include interfaces and user experiences that lead consumers to make unintended and potentially harmful decisions about their personal information—such as burying privacy settings behind multiple layers of the user interface. The FTC's commentary also suggests that the agency (or at least the Commissioners voting in favor of the ANPR) are skeptical of consumer consent as a basis to collect, process, and share consumer data.

The ANPR requested comment on a wide range of topics over 95 questions, including the extent to which commercial surveillance practices or lax security measures harm consumers, the use of automated decision-making systems, and the extent to which new rules on data security would impede or enhance innovation and competition. After granting an extension, comments are due on November 21, 2022.

For a more detailed discussion of this ANPR, read our Legal Update.

Enforcement Trends

In recent months, we have seen an uptick in UDAAP/UDAP enforcement in the consumer financial services space.

A. Abusiveness

The Bureau hasn't been shy in using its abusiveness authority in recent months. In fact, the Bureau made abusiveness claims in five new actions. First, in July 2022, the Bureau reached a settlement with a bank involving claims that the bank opened credit cards, lines of credit, and deposit accounts without the consumers' knowledge or consent. According to the CFPB, the conduct took unreasonable advantage of consumers' inability to protect their interests in selecting or using a product or service. Under the terms of the settlement, the bank is required to pay a $37.5 million civil money penalty and to provide redress to affected consumers.

Next, in July 2022, the CFPB entered into a consent order with another bank concerning the administration of unemployment insurance benefits on prepaid debit cards. According to the Bureau, the bank implemented a fraud filter that set a low bar to automatically freeze accounts. Further, the Bureau alleged that the bank retroactively applied its automated fraud filter to reverse unemployment insurance benefit credits for consumers whose notices of error the bank had previously investigated and paid. The CFPB found this to be abusive conduct because it took unreasonable advantage of the consumers' inability to protect their interests in selecting or using a consumer financial product or service. The Bureau also found this conduct to be unfair.

Interestingly, the press release announcing the settlement stated that the bank was the "strongly preferred provider for California unemployment benefits," and because of this, consumers' ability to switch providers was limited. This is not the first time we have seen the Bureau under Director Chopra's leadership emphasize an entity's relative position in the market when asserting abusiveness claims. Under the terms of the settlement, the bank is required to pay a $100 million civil money penalty and provide redress to affected consumers.

Also in July 2022, the Bureau filed a complaint against a payday lender alleging that the lender steered consumers into refinance plans when a free repayment plan was available. According to the Bureau, borrowers in certain states had a contractual right to a free repayment plan that would have allowed them to pay the outstanding balance in four equal installments over the next four paydays without accruing additional fees or interest. The Bureau alleged that, in many instances, the company pushed borrowers into refinancing the loans with additional fees. In its complaint, the Bureau argued that the lender engaged in abusive acts by interfering with consumers' ability to understand a term or condition of the loans (namely, that the consumers had a contractual right to a free repayment plan), and by taking unreasonable advantage of consumers' lack of understanding of the cost or conditions of available repayment options. The CFPB also alleged that the lender engaged in deceptive and unfair acts and practices based on similar conduct.

In September 2022, the Bureau entered into a consent order with a bank related to overdraft fees. Specifically, the Bureau found that the bank charged consumers overdraft fees on debit card purchases and ATM withdrawals even when consumers had enough money in their accounts at the time they made those purchases or withdrawals if the transaction later settled with insufficient funds due to the timing and ordering of the settlements. The Bureau alleged that this conduct was abusive because it took unreasonable advantage of consumers' lack of understanding of the bank's complex and counterintuitive transaction processing practices. The CFPB also alleged that this conduct was unfair. Under the terms of the settlement, the bank is required to pay a $50 million civil money penalty and refund at least $141 million in overdraft fees.

Finally, in September 2022, the CFPB filed a complaint against an online lender and its subsidiaries. According to the complaint, the defendants required consumers to join a membership program that charged monthly fees to access certain loans, and did not allow consumers to cancel their membership until their loans were paid. Among other things, the Bureau alleged that the defendants engaged in abusive acts and practices because they took unreasonable advantage of consumers' lack of understanding of the material risks, costs, or conditions of the loans and consumers' inability to protect their interests in selecting or using a consumer financial product or service. The complaint states that many consumers did not understand the fact that the defendants would not allow them to cancel their membership unless they paid off their loan, which many consumers may have been financially unable to do immediately.

We expect the CFPB to continue to flex its abusiveness authority, even when unfair and deceptive claims are available.

B. Debt Relief

The debt relief industry continues to garner scrutiny from the CFPB and FTC. Since the last edition of the UDAAP Round-Up, the CFPB settled UDAAP claims in two enforcement actions involving student loan debt relief. First, in May 2022, the CFPB settled UDAAP claims against providers of debt relief account maintenance and payment processing services. The CFPB found that the respondents engaged in deceptive acts or practice by, among other things, leading consumers to believe the respondents would not disburse fees until student loan debt relief companies had earned the fees, but the respondents failed to confirm that fees had been earned before disbursing them. The consent order requires the respondents to pay over $8.6 million in consumer redress and a civil money penalty of $3 million.

In addition, in June 2022, the CFPB settled UDAAP allegations against the owner of a student loan debt relief company. According to the CFPB, the defendant obtained account and billing information from another debt relief company that had agreed to cease operations pursuant to a 2016 consent order with the CFPB. The CFPB alleged that the defendant, acting through a new company he formed, engaged in unfair acts or practice by collecting fees from consumers without their consent. The CFPB further alleged that the defendant provided "substantial assistance" to the new company he formed in the commission of a UDAAP, by providing office space, establishing company bank accounts, and covering business expenses while knowing or recklessly avoiding knowing that the debt relief company was debiting consumers' bank accounts without their authorization. The settlement requires the defendant to pay a $175,000 civil money penalty and prohibits the defendant from providing debt relief services in the future.

The FTC also took action in conjunction with the California Department of Financial Protection and Innovation against a series of companies and their owners, alleging UDAPs in connection with a sham mortgage relief operation. A federal court granted a temporary restraining order ("TRO") temporarily shutting down the operation and freezing the assets of the defendants.

C. Flawed Processes and Ineffective Use of Technology

Since the last edition of the UDAAP Round-Up, the CFPB and the OCC cited regulated entities for flawed processes and technologies that harmed consumers in the consumer financial services space. In July 2022, the CFPB entered into a consent order with an auto finance company based on the company's consumer credit furnishing practices. Among other things, the CFPB alleged that the company engaged in unfair conduct by using ineffective manual processes and systems containing known logic errors to furnish information to consumer reporting agencies ("CRAs"). The CFPB concluded that the practices resulted in widespread inaccuracies in the information the company furnished that may have impacted consumers' ability to obtain credit or obtain more favorable credit. The consent order requires the respondent to pay $13.2 million in consumer redress and a $6 million civil money penalty to the Bureau.

Next, in August 2022, the Bureau entered into a consent order with a company that offered consumers an automated savings tool. The tool used a proprietary algorithm to make transfers from consumers' checking accounts "for the benefit of" accounts held in the company's name. According to the Bureau, the company represented that the tool "never transfers more than you can afford," provided a "no overdraft" guarantee, and represented that, in the unlikely event of an overdraft, the company would reimburse consumers. The Bureau found that the company engaged in deceptive acts or practices because it knew its algorithm had limitations that resulted in overdrafts of consumers' account and the company did not always reimburse consumers for overdraft fees. The company was ordered to pay over $68,000 in consumer redress and a $2.7 million civil money penalty to the Bureau.

Other process-related claims were recently settled in separate actions by the OCC and CFPB. According to the agencies, a bank committed UDAAPs, in part because it failed to provide an effective risk management program for distributing unemployment benefits. Among other things, the agencies alleged that an automatic fraud filter with a low threshold to freeze accounts denied consumers' access to their benefits without a sufficient investigation. We describe the CFPB's abusiveness findings in this matter in the "Abusiveness" section above. The settlements require the bank to pay a total of $225 million in civil money penalties and provide consumer redress.

D. Repeat Offenders

Earlier this year, Director Chopra announced that the Bureau would aggressively pursue so-called "repeat offenders," and that "[t]he worst type of repeat offender" is one that "violated a formal court or agency order."¹⁹ Consistent with this statement, since the last edition of the UDAAP Round-Up, the Bureau has filed several lawsuits against companies it alleges have violated prior consent orders or have been the subject of other enforcement actions.

In April 2022, the Bureau filed a complaint against a CRA, its two subsidiaries, and an executive for violating a prior consent order. According to the Bureau, CFPB examiners informed the CRA that it was violating requirements of the order, but a year later, the CRA was still in violation of the order and was engaged in additional violations of law. The Bureau's complaint explains that the CRA violated the order and engaged in deceptive conduct in a variety of ways, including by tricking consumers into recurring payments.

Next, in April 2022, the Bureau, along with the New York Attorney General, filed suit against a remittance transfer provider alleging UDAAPs, among other violations. Among other things, the complaint alleges that the Company engaged in unfair acts or practices when it failed to timely make remittance transfers available to recipients and failed to timely make refunds available to senders. The complaint states that Bureau examiners identified numerous violations of law in prior examinations of the company, but the company failed to address the issues. The Bureau press release announcing this action labels the defendant a "repeat offender," and states that the defendant violated prior orders from the FTC and the US Department of Justice.

The Bureau also filed a complaint against a payday lender labeling the company a "repeat offender" because it was the subject of a 2014 CFPB consent order that addressed related, but distinct, practices.

The abusiveness claims the Bureau alleged in its recent complaint against this company are described above.

E. Deceptive and Unfair Marketing

In the last several months, we have seen active deceptive and unfair marketing enforcement, especially by the FTC. The FTC filed a complaint against a payment processing company in July 2022, alleging that, among other things, the company made false representations to small business owners in sales pitches.²⁰ The FTC emphasized the fact that many of the business owners had limited English proficiency, and while the defendants' sales pitches were often made in the business owners' native language, the written agreements were in English and not translated. The FTC alleged that these practices were unfair and deceptive. To settle the claims, the defendants agreed to return $4.9 million to harmed businesses. In September 2022, the FTC brought an action against a company for allegedly using dark patterns to misrepresent that consumers were pre-approved for credit card offers when many of the consumers did not ultimately qualify for the cards.

The FTC also settled claims for alleged deceptive advertising in connection with an online real estate business, an investment platform, and a credit repair company. As discussed in the "Flawed Processes and Ineffective Use of Technology" section above, the CFPB settled deceptive marketing allegations against a company that offered an automated savings tool.

Finally, in August 2022, the FTC claimed a major victory in a case filed in 2019 against a business-tobusiness payments company regarding deceptive marketing. In its complaint, the FTC alleged that the company made deceptive representations regarding possible savings, fraud controls, and fees. A district court agreed with the FTC's allegations, granting the agency summary judgment on liability issues against the company and its CEO. The matter is pending, and the FTC has recently requested that the court permanently prohibit the company from charging for any add-on product or service in an apparent effort to block an avenue for the company to charge additional fees to its clients.

F. Money Transfers

The CFPB and FTC continue to bring UDAAP actions related to money transfer services. First, as discussed above in the "Repeat Offenders" section, the CFPB filed suit against a remittance transfer provider, alleging that it engaged in unfair acts or practices when it failed to timely make remittance transfers available to recipients and failed to timely make refunds available to senders. Second, the FTC filed suit against a retail company in June 2022, claiming that the company permitted its money transfer services to be used by fraudsters. The FTC alleged that while the company was aware of telemarketing and other marketing scams involving money transfer services, it continued to process money transfers in-store without enacting policies and procedures to detect and prevent transfers to fraudsters. According to the FTC, this conduct amounted to an unfair practice.

G. Garnishments

In May 2022, the CFPB settled claims that a bank engaged in unfair and deceptive acts or practices with respect to garnishments. Among other things, the CFPB relied on state law to allege a federal UDAAP violation. Many states enact limits or exemptions to bank account and paycheck garnishments to ensure that consumers have a minimum amount of funds to cover living expenses following a court order for garnishment. According to the Bureau, the bank processed garnishment orders against its consumers deposit accounts without applying the protections of the consumers state of residence. Under the consent order, the bank must pay a $10 million civil money penalty and provide at least $592,000 in consumer redress.

Since the last edition of the UDAAP Round-Up, the CFPB released two editions of its Supervisory Highlights publication that discuss UDAAPs the Bureau identified in examinations of supervised entities. The FTC has released a report on dark patterns, a proposed rule on impersonating the government and businesses, and a request for information on electronic disclosures. We discuss each of these developments in more detail below.

A. CFPB Supervisory Highlights

In May 2022, the CFPB released a new edition of its Supervisory Highlights. ²¹ This edition covers examinations completed between July 2021 and December 2021, and notably is the first edition that covers some examinations completed during Director Chopra's tenure at the Bureau. A non-exhaustive list of the issue's UDAAP findings is below.

• Auto Loan Servicing. This edition of Supervisory Highlights discusses several UDAAPs related to auto loan servicing. Among other things, CFPB examiners identified wrongful repossessions at auto servicers. According to the Bureau, servicers engaged in unfair acts or practices when they repossessed vehicles after consumers took action that should have prevented the repossession. Along these lines, the CFPB released a bulletin earlier this year that focused on mitigating the harm of repossession. In addition, according to the Supervisory Highlights, some servicers engaged in a deceptive act or practice in connection with deferrals offered to consumers. The deferrals at issue were likely to increase consumers' final payment amounts, and the servicers sent consumers notices stating that their final payment "may be larger." In fact, consumers' final payments often increased dramatically. The CFPB determined that the "imprecise conditional statements" in the notices the servicers sent to consumers misled consumers about the amount of their final loan payment after the deferral. In response to these findings, servicers updated their notices and practices. For example, some servicers included estimated final payment amounts in the deferral notices.
• Debt Collection. Examiners also cited debt collectors for violations of the UDAAP prohibition. Bureau examiners found that debt collectors may have engaged in an unfair act or practice by failing to timely refund overpayments and credit balances to consumers. Among other things, the Bureau stated that consumers could not reasonably avoid the injury because they were unlikely to know about the credit balances and because they had no way to expedite the refund process. In response to these findings, the entities will issue refunds to consumers, revise their policies and procedures, and strengthen monitoring.
• Remittance Transfers. In addition, this edition of Supervisory Highlights details alleged violations in connection with remittance transfers. As an example, examiners found that remittance transfer providers engaged in deceptive acts or practices by making representations of "instant" or "30 second" transfers, even though the transfers may not be completed in 30 seconds and could instead be delayed up to 48 hours. In response to these findings, institutions implemented additional UDAAP training and ensured that their compliance departments reviewed advertisements.

In September 2022, the CFPB released a special edition of Supervisory Highlights focused on student loans.²² The CFPB has been paying increasing attention to the student loan market, and in January 2022, the CFPB announced that it planned to begin examining the in-house lending operations of colleges and universities.²³ This edition of Supervisory Highlights emphasized the fact that the student loan servicing market has experienced significant shifts over the past few years due to the federal student loan payment suspension, a large number of servicing transfers, and changes to Public Service Loan Forgiveness ("PSLF") and other programs. The report included a variety of UDAAP findings, including:

• Institutional Lending: Transcript Withholding. According to this edition of Supervisory Highlights, some institutions engaged in abusive acts or practices by withholding official transcripts from consumers who were delinquent or in default on a debt owed to the school. According to the CFPB, this practice took unreasonable advantage of students' inability to protect their interest in selecting or using a consumer financial product or service, given the critical importance of transcripts.
  
  Students need transcripts for many things, including pursuing employment and further education, and the CFPB noted that the consequences of withholding transcripts may be disproportionate to the underlying debt amount. Further, the CFPB found that the heightened pressure to produce transcripts leaves consumers with little-to-no bargaining power. Along these lines, the CFPB released a blog post earlier this year that expressed support for a call from the Department of Education for schools to end the practice of transcript withholding.²⁴
• Servicing: Administration of Forgiveness Programs and Repayment Plans. Among other findings, CFPB examiners identified UDAAPs in connection with student loan servicers' administration of PSLF, Income Driven Repayment ("IDR"), and Teacher Loan Forgiveness ("TLF"). For example, CFPB examiners found it to be both unfair and abusive when servicers denied consumers for TLF because a consumer formatted specific dates as MM-DD-YY instead of MM-DD-YYYY, despite meeting all other eligibility requirements. The report includes a "Compliance Tip" indicating that servicers should "routinely approve applications for payment relief when they have all the required information to make decisions, even if that information is provided in a non-standard format or across multiple communications."
  
  Examiners also found that servicers engaged in deceptive acts or practices when they represented to consumers with parent PLUS loans that they were not eligible for IDR or PSLF when such loans may be eligible if consolidated into a Direct Consolidation Loan.

B. FTC Report on Dark Patterns

On September 15, 2022, the FTC released a report addressing dark patterns.²⁵ As explained above, "dark patterns" are design features that can manipulate or trick consumers into making choices they otherwise would not have made, and the FTC and CFPB have cited dark patterns as UDAAPs in enforcement actions. The FTC's report sheds light on conduct the FTC believes constitutes a "dark pattern"—a mix of actions that the FTC traditionally would simply have labeled "deceptive" and actions that it seems the FTC dislikes, but might not be illegal.

According to the report, dark patterns include design elements that:

• Manipulate consumer choice by inducing false beliefs;
• Hide or delay disclosure of material information, such as fees;
• Lead to unauthorized charges; and
• Obscure or subvert consumer privacy choices.

As an example, the report explains that a loan comparison website that appears to be an unbiased ranking of loans options, but that actually ranks loans based on fees paid to the operator of the website, is a dark pattern. Burying mandatory fees and forcing consumers to navigate a difficult-to-find and confusing path to cancel a service are also examples of dark patterns. The report offers suggestions on how to avoid dark patterns, such as by including any mandatory fees in the upfront advertised price and ensuring that consumers who wish to cancel subscriptions can easily navigate to such cancellation screens through the user interface.

C. FTC Rulemaking on Impersonation of Government and Businesses

In September 2022, the FTC released a Notice of Proposed Rulemaking addressing the impersonation of government entities and businesses.²⁶ The proposed rule would make it unlawful to falsely pose as or to misrepresent affiliation with a government entity, business, or officer of either. The rule would also make it unlawful to provide the means and instrumentalities for another person to violate the rule.

According to the Commission, the impersonation prohibited by the rule is already unlawful under the UDAP prohibition. Because of this, the FTC stated that the rule should not impose any new requirements on law-abiding entities. But the proposed rule will allow the Commission to seek penalties against violators and more readily obtain monetary redress for harmed consumers. As explained above, a 2021 US Supreme Court decision stripped the FTC of its ability to seek monetary relief for UDAP violations under Section 13(b) of the FTC Act.²⁷ However, the Commission is able to seek monetary relief based on the violation of a rule.

Comments to the rule are due by December 21, 2022.

D. FTC Updating Digital Advertising Guidance

The FTC released a Request for Information in June seeking input on its guidance on digital advertising.²⁸ The guidance was first issued in 2000, and the FTC updated the guidance in 2013. The Commission plans to update the guidance once again to take into account advances in technology and changes in how advertisers interact with consumers online. Among other things, the FTC requested comments on advertising on mobile devices, advertisements in which disclosures are communicated on a website to which the advertisement links, and disclosures when consumers must navigate multiple webpages in order to complete a purchase. Comments were due in August 2022.

Looking Ahead

Over the last six months, we have seen a marked increase in UDAAP/UDAP enforcement at the CFPB and FTC, and the agencies have ramped up under their new leadership. We have also seen the CFPB increasingly willing to rely on the abusiveness prong of the UDAAP prohibition in both enforcement and supervision. In addition, the FTC is making strides to promulgate rules that will allow it to more easily assess penalties for UDAP violations.

While we expect the FTC to continue to be active in the UDAP space in the coming months, the CFPB's future is less certain. A panel of the Fifth Circuit Court of Appeals recently ruled that the CFPB is unconstitutionally funded.²⁹ Given this decision, the Bureau likely is currently unable to exercise any of its authority, including its UDAAP authority, in states covered by the Fifth Circuit, and it may face challenges to its actions elsewhere as well. It remains to be seen how the Bureau and regulated entities will proceed.

We look forward to analyzing these and other developments impacting UDAAP/UDAP trends in future issues of the Round-Up.

Mayer Brown's UDAAP Capabilities

Mayer Brown offers a full array of representation to the financial services industry, including:

• Providing day-to-day strategic regulatory advice;
• Assessing legal risks in product development;
• Developing compliance management programs;
• Performing compliance reviews and risk assessments;
• Handling state and federal supervisory examinations and associated findings;
• Responding to 15-day and Potential Action and Request for Response (PARR) letters;
• Representing clients in state and federal enforcement matters, including responding to civil investigative demands (CIDs) and subpoenas;
• Designing consumer redress plans; and
• Handling consumer and government litigation.

Our lawyers have experience providing UDAAP advice to a diverse range of clients, including large global financial institutions, national and regional banks, credit unions, fintech companies, mortgage lenders and servicers, consumer and small business lenders, secondary market investors, payment processing companies, insurance companies, and online advertising platforms, among others. .

Footnotes

1 This review generally covers those actions first filed during this period. Actions that were initiated prior to April 1, 2022, and resolved during this period are counted in the enforcement trend statistics (e.g., total civil money penalties), but they are not discussed in the narrative.

2 15 U.S.C. § 45(a)(1). Many states have adopted similar laws

3 Id. § 53(b). Historically, injunctive relief under Section 13(b) of the FTC Act included potential orders for restitution or disgorgement. However, a recent US Supreme Court decision eliminated the FTC's ability to seek equitable monetary relief under Section 13(b). AMG Capital Mgmt v. FTC, 141 S. Ct. 1341 (2021). Nevertheless, the FTC has continued to obtain monetary relief in connection with settlements of violations of Section 5 of the FTC Act on the theory that, if the agency successfully sought an administrative cease-and-desist order, the agency could obtain money damages in a follow-on action in federal court based on a showing that the conduct at issue in the cease-and-desist order was such that "a reasonable man would have known under the circumstances was dishonest or fraudulent." 15 U.S.C. § 57b(a)(2).

4 12 U.S.C. §§ 5531(a), 5536(a)(1)(B).

5 Id. § 5536(a)(3). Please see our previous discussion of the CFPB's use of "substantial assistance" as an enforcement tool. See "Substantial Assistance: the CFPB's Newest Tool" (July 19, 2016), available at: https://www.mayerbrown. com/-/media/files/perspectives-events/publications/2016/07/ substantial-assistance-the-cfpbs-newest-tool/files/get-thefull-report/fileattachment/160718-update-cfs.pdf.

6 Id. § 5481(6). The Dodd-Frank Act also includes a "related person" concept that is intended to reach certain persons related to covered persons, if they manage, control, or materially participate in the conduct of the covered person's affairs. Id § 5481(25).

7 15 U.S.C. § 5565(a)(2).

8 Id. § 5565(c); 12 C.F.R. § 1083.1.

9 15 U.S.C. § 45(n); 12 U.S.C. § 5531(c)(1). The statutory language is modeled on the FTC's December 17, 1980, Policy Statement on Unfairness, appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984).

10 15 U.S.C. § 45(n); 12 U.S.C. § 5531(c)(1).

11 FTC Policy Statement on Deception (Oct. 14, 1983), appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984); CFPB, Examination Manual v.3, UDAAP-5 (March 2022) (citing FTC Policy Statement on Deception). The CFPB has indicated that it will look to authorities under the FTC Act for guidance in defining the scope of deception under Title X of the Dodd-Frank Act. See id. at 5 n.10.

12 12 U.S.C. § 5531(d).

13 Consumer Financial Protection Circular 2022-04, "Insufficient Data Protection or Security for Sensitive Consumer Information" (Aug. 11, 2022), available at: https://www.consumerfinance.gov/compliance/circulars/ circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.

14 "Limited Applicability of Consumer Financial Protection Act's 'Time or Space' Exception With Respect to Digital Marketing Providers," 87 Fed. Reg. 50556 (Aug. 17, 2022), available at: https://www.govinfo.gov/content/pkg/ FR-2022-08-17/pdf/2022-17699.pdf.

15 12 U.S.C. § 5481(26).

16 Id.

17 "Trade Regulation Rule on Commercial Surveillance and Data Security," 87 Fed. Reg. 51273 (Aug. 22, 2022), available at: https://www.govinfo.gov/content/pkg/ FR-2022-08-22/pdf/2022-17752.pdf.

18 AMG Capital Management, 141 S. Ct. 1341.

19 Rohit Chopra, Director, CFPB, Lecture at University of Pennsylvania Law School: Reining in Repeat Offenders (March 28, 2022), available at https://files.consumerfinance. gov/f/documents/cfpb_reining-in-repeat-offenders_cited-lecture_2022-03.pdf.

20 The FTC has long interpreted the consumer protection provisions of the FTC Act to protect not only natural persons, but also small- and medium-sized businesses.

21 CFPB, Supervisory Highlights, Issue 26 (May 2022), available at: https://files.consumerfinance.gov/f/documents/ cfpb_supervisory-highlights_issue-26_2022-04.pdf. Read a more comprehensive analysis this edition of Supervisory Highlights here.

22 CFPB, Supervisory Highlights Student Loan Servicing Special Edition, Issue 27 (Sept. 2022), available at: https:// files.consumerfinance.gov/f/documents/cfpb_student-loan-servicing-supervisoryhighlights-special-edition_report_2022-09.pdf.

23 CFPB, "Consumer Financial Protection Bureau to Examine Colleges' In-House Lending Practices" (Jan. 20, 2022), available at: https://www.consumerfinance.gov/about-us/ newsroom/consumer-financial-protection-bureau-to-examine-colleges-in-house-lending-practices/. Read our analysis of this development here.

24 CFPB, "Transcript Withholding Holds Back Workers and Wages" (April 18, 2022), available at: https://www. consumerfinance.gov/about-us/blog/transcript-withholdingholds-back-workers-and-wages/

25 FTC, "Bringing Dark Patterns to Light," Staff Report (Sept. 2022), available at: https://www.ftc.gov/system/files/ ftc_gov/pdf/P214800%20Dark%20Patterns%20Report%20 9.14.2022%20-%20FINAL.pdf.

26 "Trade Regulation Rule on Impersonation of Government and Businesses," 87 Fed. Reg. 62741. (Oct. 17, 2022), available at: https://www.federalregister.govdocuments/20 22/10/17/2022-21289trade-regulation-rule-on-impersonation-of-government-and-businesses.

27 AMG Capital Management, 141 S. Ct. 1341. Read our discussion of this case here.

28 Federal Trade Commission, "FTC Staff Requests Information Regarding Digital Advertising Business Guidance Publication" (June 3, 2022), available at: https:// www.ftc.gov/system/files/ftc_gov/pdf/Digital%20 Advertising%20Business%20Guidance%20Request%20 for%20Information.pdf.

29 Read our analysis of this development here.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.