On March 19, 2015, the Consumer Financial Protection Bureau (“CFPB”) announced the issuance of a Final Policy Statement (“Policy Statement”) that expands its Consumer Complaint Database (“Database”) to allow consumers to publicly air the details of their alleged grievances with financial services providers by including consumer complaint narratives in the Database. The CFPB first proposed to include complaint narratives in the Database in July 2014 (“Policy Proposal”), when the agency also announced that it was accepting complaints for prepaid cards and non-bank products, such as debt settlement services. As with the Policy Proposal, the CFPB’s final issuance is proving to be controversial. For example, the Policy Statement fails to address the fact that the Bureau does not independently validate the truth of the allegations set forth in the majority of the consumer complaints it receives.
FINAL POLICY STATEMENT
The Policy Statement provides guidance on how the CFPB will publicly disclose consumer complaint narratives via its web-based, public-facing Database. Specifically, the Policy Statement outlines certain procedures by which consumer complaint narratives are obtained and subsequently published in the Database.
Consumer Opt-In to Share Narratives
Under the Policy Statement, consumers must opt in and provide their informed consent before the CFPB will publicly share their complaint narratives. The CFPB would obtain a consumer’s opt-in consent when the consumer submits a complaint to the Database and checks a “consent box,” which is accompanied by language explaining that consent (whether given or not) would not impact how a complaint is handled. The accompanying language would also explain that a consumer may withdraw consent at any time and have the complaint narrative removed from the Database. Importantly for consumers, the CFPB will remove personal information from the complaint narrative to address the risk of re-identification.
Personal Information Scrubbing Standard and Methodology
The Policy Statement speaks in detail regarding the CFPB’s process for scrubbing complaints of personal information, such as names, telephone numbers, account numbers, Social Security numbers, and other direct identifiers. According to the Policy Statement, the CFPB designed a scrubbing standard and methodology that is modeled after the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule and its safe harbor method. Specifically, the CFPB’s scrubbing standard removes most of the specific HIPAA identifiers from complaint narratives, as well as demographic information, personal financial information, and information pertaining to third parties. While identification of an individual consumer based solely on the complaint data and narrative published by the CFPB may be unlikely, it remains to be seen how this additional information will be used in conjunction with other publicly available and/or illicitly obtained information. It is not known what the CFPB’s response will be if a consumer is identified or has his/her identity stolen because of a complaint narrative.
Company Responses to Consumer Complaint Narratives
The Policy Statement provides financial services companies with a mechanism to publicly respond to published complaint narratives by allowing companies to choose responses, at their option, from a set list of structured response options. This approach was adopted by the Policy Statement in direct response to industry comments that business and legal considerations limit a financial services provider’s ability to provide meaningful public-facing narrative responses, as was the Bureau’s original intention. The CFPB explains that this alternative approach should “eliminate or significantly mitigate” concerns regarding public disclosure of protected confidential information and other legal, business, or reputational considerations.
RFI ON COLLECTING AND SHARING CONSUMER COMPLIMENTS
Concurrent with the Policy Statement, the CFPB issued a Notice and Request for Information (“RFI”) to seek input on the “potential collection and sharing of information about consumers’ positive interactions with financial service providers.” However, a comparison of the Policy Statement and the RFI should not give industry participants much hope that the two means of airing consumers’ views will somehow balance out.
Under current procedures, the CFPB collects and shares some data about how a company handles complaints relative to its peers. While the Bureau suggests that its data sharing implicitly provides “some positive feedback,” the RFI outlines two additional potential methods for sharing positive consumer feedback about companies: (1) by providing more information about a company’s complaint handling; and (2) by collecting and providing consumer compliments separate from the current complaint process.
Under the first method, the CFPB proposes one scenario in which the consumer would have the ability to rate a company’s handling of his or her complaint on a one-to-five scale of satisfaction. The CFPB is seeking public comment on whether and how data from these ratings could be disclosed to the public, including whether to publish comparison tools and dashboards, or “Top Ten” lists. Under the second method, the CFPB proposes to solicit, collect, and share consumer compliments using a system that is independent of the current complaint process. The RFI seeks public comment on this proposed method, as well as whether the CFPB should use and/or modify existing submission channels (e.g., the CFPB’s Tell Your Story feature) and whether a new database to intake and publish consumer compliments should follow a similar or different process path to the existing consumer complaints process path. In addition, the RFI seeks public comment on the type of compliment information that would be publicly disclosed, including which elements of a compliment to disclose, which particular compliments should be excluded from disclosure, and how scrubbing and consent should be applied.
According to the Policy Statement, publication of complaint narratives could occur as soon as June 22, 2015, which is 90 days after the date on which the Policy Statement was published in the Federal Register. The deadline to submit comments in response to the positive feedback RFI is May 23, 2015.
Industry participants must assess the impact of the Policy Statement in the current risk environment. Reputational risk is likely of the most concern here, but operational and legal/regulatory risks also abound. More fundamentally, financial institutions will also face decisions regarding the extent to which they participate in the public response function of the consumer complaint portal. Finally, industry participants must continue to consider previously raised concerns regarding the consumer complaint portal, including information security, basic agency authority to impose the Policy Statement without formal regulatory action, and overall customer service benchmarks.