Though the January 1, 2021, effective date of the California Consumer Financial Protection Law (CCFPL) has now passed, financial institutions continue to work through the intricacies of the expansive new regulations. As we have covered, the CCFPL extends California regulatory oversight to previously non-regulated FinTech companies, payday lenders, debt collectors, and other alternative financial service providers.

Additionally, the law enhances California's oversight of both traditional and non-traditional institutions as it relates to unfair, deceptive, or abusive acts or practices (UDAAP). These enhancements of California's oversight capabilities have raised significant questions about the consequences of non-compliance with California's consumer protection regulations.

Under the new law, California's revamped consumer protection agency, the Department of Financial Protection and Innovation (DFPI), may enforce the following penalties in civil or administrative actions, pursuant to new Cal. Fin. Code § 90012(c):

  • For any violation of the CCFPL, a penalty may not exceed the greater of either:
    • $5,000 for each day during which the violation or failure to pay continues; or
    • $2,500 for each act or omission in violation.
  • For any reckless violation of the CCFPL, a penalty may not exceed the greater of either:
    • $25,000 for each day during which the violation or failure to pay continues; or
    • $10,000 for each act or omission in violation.
  • For any knowing violation of the CCFPL, a penalty may not exceed the lesser of either:
    • 1 percent of the person's total assets;
    • $1,000,000 for each day during which the violation continues; or
    • $25,000 for each act or omission in violation.

The new law does not expressly alter any of the existing penalty provisions associated with financial institution misconduct in California's financial code. There may be contextual clues that the CCFPL's silence on this point was intentional: the CCFPL does take care in other parts of the law to note whether existing regulatory authority is altered in any way. For example, in a section related to DFPI examinations, the CCFPL notes that "[n]othing in this subdivision shall alter or supersede the requirements for the cost of an examination conducted under the authority of any other law administered by the commissioner." There is no such corresponding disclaimer associated with the CCFPL's penalty provisions.

Accordingly, it seems clear that entities should expect the DFPI to continue to impose pre-CCFPL penalties in addition to the new CCFPL penalties outlined above. What remains unclear, however, is whether the DFPI could enforce both sets of penalties for a single violation. As of the date of this article, the DFPI has not published an administrative or enforcement action subsequent to the effective date of the CCFPL to test either proposition.

This is not an insignificant expansion of the DFPI's penalty authorities—penalties differing from those enumerated by the CCFPL apply to savings associations, mortgage lenders, student loan servicers, escrow agents, covered lenders, business and industrial development corporations, and more.

As a matter of conjecture, perhaps the DFPI will ultimately use its CCFPL authority to enforce penalties associated with UDAAP violations and violations perpetrated by the new financial entities caught by the CCFPL (i.e., FinTechs, payday lenders, debt collectors, and other alternative financial service providers), while reverting to the existing financial code authorities to penalize more traditional financial institutions that commit specifically covered statutory or regulatory violations.