The US Consumer Financial Protection Bureau (CFPB) has entered a consent order under which ACE Cash Express, Inc., a payday lender, agreed to pay $10 million to settle allegations of improper debt-collection activities.Half of the payment is for consumer redress and half is a civil penalty. The action is predicated upon a determination by the CFPB that ACE Cash Express engaged in unfair, deceptive and  abusive acts or practices (UDAAP). This July 11, 2014 order comes against the backdrop of the CFPB’s continued consideration of possible rulemaking relating to payday lenders,2 and was accompanied by a tough tone toward such lenders in CFPB Director Cordray’s remarks at the action’s announcement.3

But this enforcement action ultimately may prove most significant outside the payday lending context, given its implications for first- party debt collection, service provider liability and regulation by enforcement. In particular:

  • The CFPB apparently plans to use its UDAAP authority to subject first-party debt collectors to many, if not all, of the requirements of the federal Fair Debt Collection Practices Act (FDCPA);
  • Notwithstanding repeated requests by businesses for clarification of the circumstances in which a company will be held vicariously liable for violations by its service provider, this enforcement action continues the CFPB’s refusal to provide any guidance regarding that question; and
  • The CFPB’s action in this case is one more example of its practice of imposing requirements through enforcement actions rather than notice-and-comment rulemaking—here, essentially circumventing the CFPB’s own ongoing debt collection rulemaking, which posed questions regarding the appropriate standards for first-party debt collectors, through the principles announced unilaterally in this enforcement action.

Financial institutions that collect on their own debts or that rely on service providers to serve their customers should take note.

First-Party Debt Collection

In November 2013, the CFPB issued an advanced notice of proposed rulemaking that presented various questions that the CFPB might address in a forthcoming rule.One central question was the manner in which first- party debt collection—e.g., a creditor or merchant collecting on an account in default— should be treated under any rule.

Industry stakeholders responded by explaining that first-party collections should not be treated in the same way as third-party collections for a number of reasons, including that:

  1. The FDCPA only applies to “debt collectors,” which term excludes parties collecting on their own debts;
  2. The exclusion of first-party debt collectors from the FDCPA was2 Mayer Brown | CFPB Enforcement Action Against Payday Lender Has Broad Implications for Financial Institutions deliberate, because Congress long has recognized that the customer relationship between creditors and debtors provides the most effective check on improper first-party debt collection practices;
  3. Given the specific exclusion of firstparty collections from the FDCPA and Congress’ failure to eliminate that exclusion in passing the Dodd-Frank Act, the terms of the FDCPA should not simply be read into the UDAAP provisions of Dodd-Frank;
  4. The merchant exclusion provided by Section 1027(a) of the Dodd-Frank Act puts first-party collections by merchants beyond the CFPB’s jurisdiction;
  5. The imposition of new standards on first-party collections will likely cause more creditors to rely upon third-party collectors, which generate a far greater volume of consumer complaints; and
  6. At a minimum, given the CFPB’s limited jurisdiction, any rule relating to first-party collections should be part of a separate rulemaking with adequate opportunity for notice and comment.

The ACE Cash Express consent order indicates that the outcome of the ongoing rulemaking is irrelevant: the CFPB intends to incorporate the specific FDCPA conduct restriction into the UDAAP provisions of Dodd-Frank. This may ultimately lead to the application of other FDCPA provisions, such as the mini-Miranda and debt validation requirements, to first-party collection activities through the same mechanism.

The CFPB alleged that the company—which was collecting on its own debts and thus not subject to the FDCPA—engaged in unfair, deceptive and abusive acts and practices in its debt collection activities. These UDAAP claims were full of specific allegations drawn from the prohibited practices set forth in the FDCPA, including that the company made excessive calls to consumers, disclosed the existence of debts to third parties, failed to cease collection activities as requested and misrepresented that debts would be reported to national credit bureaus or referred for litigation or criminal prosecution. The CFPB even used the abusiveness claim to go further than the FDCPA, attempting to attach liability for the alleged use of debt collection practices to “induce delinquent borrowers with a demonstrated inability to repay their existing loan to take out a new ACE loan with accompanying fees.” This aspect of the order may have future ramifications for any creditor offering delinquent borrowers an opportunity to refinance their existing obligations.

The CFPB’s decision to incorporate the specific FDCPA requirements into the UDAAP  provisions of the Dodd-Frank Act is confirmed by another recent enforcement action: the filing of a civil action on July 14, 2014, against a law firm and its lead attorneys for operating what  the CFPB characterized as a “debt collection lawsuit mill.”In that matter, the CFPB asserted two FDCPA claims against the law firm: first, for the alleged lack of meaningful professional involvement in the filing of lawsuits, and second, for filing false affidavits. For good measure, the CFPB also asserted two deception claims for exactly the same conduct, again strongly suggesting that it considers the FDCPA to have been incorporated into the UDAAP prohibitions (although presumably without the FDCPA private right of action).

In light of these two actions, financial institutions and other businesses that engage in first-party debt collection, and that are subject to the CFPB’s jurisdiction, should assume that the CFPB will attempt to impose FDCPA standards upon them through the UDAAP provisions of the Dodd-Frank Act. The Federal Trade Commission has taken a similar approach under Section 5 of the Federal Trade Commission Act.6 Given the very narrow view of the merchant exclusion that the CFPB has taken in litigation,7 merchants also should evaluate whether— despite that exclusion’s seemingly clear limitation on the CFPB’s authority—the CFPB will attempt to impose FDCPA standards on merchants’ efforts to collect on credit they provide to consumers.

Service Provider Liability

Industry stakeholders repeatedly have asked the CFPB to provide guidance on the standard under which they may be held liable for the acts of  their third-party service providers. To date, the CFPB has declined to do so. Instead, it has  issued general guidance that raises more questions than it answers.8

But this has not stopped the CFPB from pursuing enforcement actions alleging a failure to prevent, identify or correct service provider misconduct.9 In the ACE Cash Express action, the CFPB’s claims rested on allegations of violations by both first-party collectors and third-party collectors that ACE had engaged as service providers. The consent order is particularly confusing on this point as it does not explain (i) whether the alleged first-party collection activity or the alleged third-party collection activity (or both) provided the basis  for the company’s liability or (ii) what legal standard applies for determining whether the financial institution is responsible for independent actions of service providers.

In particular, nothing in the consent order indicates whether the CFPB believes that financial institutions should be held to a strict liability standard for the acts of their service providers, to a negligence standard or to a standard that actually requires the financial institution to know that the service providers engaged in wrongful conduct. The consent order does state that the company’s “compliance monitoring, vendor management, and quality assurance did not prevent, identify, or correct instances of misconduct by some third-party debt collectors,” but it does not clarify whether this allegation reflects a broadly applicable standard for managing service providers. As a result, the CFPB once again has left substantial uncertainty for the vast majority of financial institutions that use service providers to deliver or support their services.10

Regulation Through Enforcement

Numerous industry stakeholders have complained about the CFPB’s failure to articulate clear legal standards that facilitate compliance as well as the CFPB’s preference for using vague guidance documents or interpretive bulletins, coupled with regulation through enforcement. The ACE Cash Express enforcement action further demonstrates this approach, as well as its downsides, in that first- party collectors now must speculate about which portions of the FDCPA may apply to them through the UDAAP provisions of the Dodd- Frank Act. For example, although the Dodd- Frank Act provides no clear basis for imposing such a requirement on creditors, financial institutions may wonder if some portion of the FDCPA mini-Miranda requirements may apply to some first-party collections.

The CFPB’s approach also undermines the ongoing debt collection rulemaking process. The CFPB seems to have prejudged many of the important questions relating to first-party collections, raising serious questions about the CFPB’s commitment to considering the comments it has received. Also, the CFPB may have provided a preview of a future rulemaking pertaining to payday lenders regarding the ability to offer refinancing for existing loans.


The CFPB’s ACE Cash Express enforcement action casts a significant shadow, not just over payday lenders, but also—and likely most significantly—over financial institutions that collect their own debts or rely on service providers to serve their customers, and that continue to struggle with the regulatory uncertainty created by the CFPB’s regulation by enforcement approach. As with other recent enforcement actions and regulatory pronouncements, the CFPB has taken an expansive and aggressive view of its authorities and a narrow view of the specific limitations Congress imposed, clouding legal requirements rather than generating clear rules that facilitate compliance. Financial institutions should carefully manage their potential exposure to CFPB enforcement activity.