Amid the uncertainty over the future of the CFPB, another continuing question is whether state consumer protection authorities will act to fill gaps left by the CFPB’s inaction. State attorneys general have tools available to pursue financial services practices that they believe harm consumers, and some have announced intentions to do so. But to date, the states have not initiated a flurry of suits regarding consumer financial protection.

Under the leadership of purported Acting Director Mick Mulvaney, the CFPB has curtailed investigative and enforcement activities, which states could take as a cue to step in. In fact, Mulvaney seemingly exhorted states to do so, as in a speech to the National Association of Attorneys General where he said that the CFPB would look to states for “a lot more leadership when it comes to enforcement.”

Increased state activity could occur, enforcing not only the many state laws and regulations that can apply to financial companies but also federal ones. State attorneys general have long had authority to enforce certain federal requirements, such as under the Truth in Lending Act and the Real Estate Settlement Procedures Act. And Section 1042 of the Dodd-Frank Act (codified at 12 U.S.C. § 5552) allows state attorneys general to bring actions to enforce provisions of the Dodd-Frank Act, and CFPB regulations issued under it, against financial services entities. This includes the authority to pursue actions for “abusive” acts or practices against state-chartered banks and nonbank entities—which Illinois, for one, has already done.

Well before former Director Richard Cordray’s departure, state attorneys general and other state officials have been enhancing their capabilities to regulate the consumer financial services industry and bringing some noteworthy enforcement actions. Some attorneys general have increased the size of their consumer protection divisions, while states including Pennsylvania, Maryland, and New Jersey have created separate consumer financial protection units. Long before Mulvaney pulled the CFPB back from a full-scale probe of the Equifax data breach, state attorneys general and state banking regulators moved forward with multi-state examinations and investigations into the hack that exposed the personal data of more than 148 million Americans. Equifax has said it is under investigation by every state attorney general and faces more than 240 class action lawsuits. On April 4, 2018, a Massachusetts state court judge ruled that the lawsuit filed by the Massachusetts attorney general accusing Equifax of failing to safeguard its databases or provide prompt notice of the breach could move forward.

The stage now seems set for further consumer protection actions by state AGs, many of whom have been vocally critical of Mulvaney and the Trump Administration’s control of the CFPB. The attorneys general of New York, California, Connecticut, D.C., Hawaii, Illinois, Iowa, Maine, Maryland, Massachusetts, Minnesota, New Mexico, North Carolina, Oregon, Vermont, Virginia and Washington wrote the president in December, stating that they were very concerned by reported statements by Acting Director Mulvaney regarding the Bureau and that “[i]f incoming CFPB leadership prevents the agency’s professional staff from aggressively pursuing consumer abuse and financial misconduct, we will redouble our efforts at the state level. . . .” Most of these officials also signed on to an amicus brief to the U.S. Court of Appeals for the D.C. Circuit supporting deputy director Leandra English’s competing claim to be Acting Director of the CFPB. And they more recently sent Education Secretary Betsy DeVos a letter objecting to her department’s rulemaking process to reconsider rules regarding student loan borrower defenses and financial responsibility that were to go into effect in 2017.

Individual state AGs have made their own pronouncements, such as New Mexico AG Hector Balderas’ assertion that “I will continue to fight against President Trump’s continued attempts to sabotage the Consumer Financial Protection Bureau . . .” and Virginia AG Mark Herring’s statement: “As the Trump administration and Mick Mulvaney continue their assault on the CFPB and federal consumer protection resources, we’re going to be ready to help pick up the slack at the state level.” California AG Xavier Becerra has complained of an attempted “hostile and illegal takeover” of the CFPB by the Trump Administration, and a “Mulvaney rip-off of consumer oversight” of big banks. A recent press release by New Jersey AG Gurbir Grewal referenced that state’s “efforts to fill the void left by the Trump Administration’s pullback of the Consumer Financial Protection Bureau. . . .

From the number and fervor of these statements, one might have expected a spike in financial services enforcement activities at the state level by now. But a review of press releases from the 23 Democratic attorneys general over the last five months suggests that―with the possible exception of Virginia―Mulvaney’s actions at the CFPB have not triggered a notable increase in activity by these AGs. At least, not yet.

While this fact may seem surprising, there are several reasons why the volume of AG legal actions may not match their recent rhetoric:

  1. AGs could be waiting for the final word from the courts on who will run the CFPB. Attorneys general may be taking a pragmatic wait-and-see approach before taking on significant new initiatives.
  2. Investigations take time. The new consumer protection units may in fact be busy developing cases, which have not progressed enough to announce new enforcement actions.
  3. Developing expertise—and recruiting personnel with that expertise—takes time. While at least one AG’s office has added a former CFPB official to its staff, not all offices may have an extensive team with expertise in the consumer financial services area, which cannot be achieved overnight.
  4. Resource allocation requires hard choices. State budgets are tight, even in a much-improved economy.

Still, even if all these factors hold true, the number of state lawsuits and other state actions to promote consumer financial protection is likely to increase in the not-too-distant future. Seizing the opportunity left by Mulvaney and the Trump Administration makes good political sense, for one thing. The path from the attorney general’s office to the governor’s mansion is a familiar one, and consumer financial protection is a popular mantle for ambitious state politicians to claim.

In addition to litigation, state authorities can influence consumer financial protection through supervision and regulation. While in most instances a state could not match the CFPB’s ability to set nationwide consumer protection rules, New York is a special case to watch. As the financial capital of the world, when New York requires its banks, insurance companies, and other financial services entities to meet a heightened regulatory standard, that requirement can become a de facto national standard. For example, in February 2017, the New York State Department of Financial Services (NYDFS) announced a first-in-the-nation cybersecurity regulation that requires entities under NYDFS supervision to develop robust cybersecurity programs and meet specific compliance benchmarks on rolling deadlines, including requiring the designation of a Chief Information Security Officer (CISO). While New York’s enforcement authority for the regulation is limited to covered entities such as New York state-chartered banks and NYDFS-licensed money transmitters, the expectations set by the regulation could spread further and be adopted by other states, or by industry as best practices.

Other states, too, could take steps to further regulate various aspects of financial services companies’ activities that impact consumers. Only time will tell which states will act next, and which of the available enforcement, supervisory, and regulatory tools they will choose to use. We will continue to monitor these developments and report on them here.