Q: When does the Consumer Financial Protection Bureau (CFPB) have authority over insurance companies?

The federal legislation commonly known as the Dodd-Frank Wall Street Reform Act, which created the CFPB, specifically carves out the regulation of insurance from the wide range of duties and powers of the agency. However, despite exclusions in the law for the “business of insurance” and for “any person regulated by a state insurance regulator”, the CFPB has authority over insurance companies if: (1) they provide a “consumer financial product or service” such as financial advisory services, loans to policyholders and insurance premium financing; (2) they are covered by an “enumerated consumer law” such as the Fair Credit Reporting Act (FCRA), Real Estate Settlement Procedures Act (RESPA) and Fair Debt Collection Practices Act (FDCPA); or (3) they are operating as a “service provider” to a “covered person”, as where an insurance industry participant operates as a debt protection contract administrator or assists in the design of a product offering for regulated financial institutions and their customers.

In addition, under Title X, the CFPB can take action against any company, including insurance companies, if it deems the company to have engaged in “unfair deceptive and abusive acts and practices”, also known as “UDAAP”. The CFPB has broad authority to interpret what constitutes a UDAAP violation and an equally broad ability to penalize companies for such violations. A review of the 70 or so enforcement actions completed by the CFPB to date reveals that a substantial number of them allege, often among other things, UDAAP violations. Even if a company is in technical compliance with other applicable laws and regulations, it may be found in violation of UDAAP standards.

And there are indirect ways the CFPB can and effectively does regulate companies it is not empowered to regulate directly, including insurance companies. For example, in issuing Bulletin 2012-03, the CFPB sets forth its expectations of regulated institutions or covered persons in the management of their vendors. Simply stated, this Bulletin imposed on regulated institutions the responsibility of ensuring that their vendors are and remain in compliance with applicable consumer laws. As regulated institutions have endeavored to meet the requirements of the Bulletin, questions have arisen as to its application not only to those acting as direct service providers to covered persons, but also to those vendors two and three steps removed from the regulated institution.

Q: Could the CFPB regulate insurance products offered in conjunction with loans (add-on products)? If so, how?

The Truth in Lending Act (TILA) specifically grants the CFPB authority to implement rules regulating financial products and services. The concern among insurance industry participants is that such rules could be used to indirectly regulate insurance products offered in conjunction with the underlying financial products or services.

The CFPB has already ventured into the regulation of products such as credit reporting and identity theft protection benefits sold as add-ons to credit cards. See here and here as examples. Given that these add-on protection benefits appear to have been successfully brought under the CFPB’s authority, add-on insurance and warranty products are the logical next step. Companies offering extended warranties on cars, gym equipment and similar higher-value consumer goods should be paying close attention to this line of enforcement actions by the CFPB because of their own connection to underlying consumer transactions. Arguably, the insurance companies flying closest to the flame are those already acting as vendors to covered persons or conducting activities covered by enumerated business laws.

Q: What are the trends to watch in regard to the CFPB enforcement actions?

The CFPB is still relatively new, and we are still discovering the extent of its authority, both actual and presumed. The easiest way to spot trends is to pay attention to every bulletin, enforcement action, press release and public statement emanating from the CFPB. All of these are disclosed publicly on the CFPB's website, http://www.consumerfinance.gov. While the exercise is somewhat like guessing where lightning might strike next, it is pretty easy to see enforcement trends as they are developing – in the kinds of products and companies in which the CFPB is taking an interest, the types of activities it finds particularly troublesome, the way in which it interprets the laws and regulations it is charged with enforcing, the measure and amount of penalties being collected, and the nature and degree of cooperation with other federal and state agencies.

In recent months, the CFPB has taken enforcement actions against companies engaged in a variety of industries for what it deems to be unlawful or deceptive acts or practices relating to consumer-facing activities in the areas of credit card terms, debt collection, marketing and advertising and business referrals. Generally, the CFPB has been considered to be more aggressive than predecessor agencies in the enforcement tools it chooses to use. Civil investigative demands, subpoenas, litigation and cross-agency referrals at both state and federal levels all are available to and commonly utilized by the CFPB.

And the stakes are higher. For non-culpable or negligent violations, the penalty may not exceed $5,000 for each day during which such violation continues. For reckless violations, the civil penalty may not exceed $25,000 for each day during which the violation continues. And for knowing violations, the civil penalty may not exceed $1 million for each day the violation continues. To date, the monetary penalties, restitution payments to consumers and other forms of monetary relief collected by the CFPB have totaled nearly $7 billion.

Q: What steps should insurance companies consider to minimize their risk of becoming the subject of a CFPB enforcement action?

First and foremost, a company should be vigilant and proactive. By the time a regulator discovers a company's problems and starts talking in terms of “bringing it into compliance”, the company starts its negotiations from a position of weakness. When a company begins to observe an enforcement or policy trend, or even an “expression of concern” by the CFPB about a certain business practice, it should turn the magnifying glass inward to determine if it could withstand similar scrutiny by the CFPB or other regulators. If so, the challenge becomes one of identifying and isolating the source of concern, modifying policies, controls or procedures where necessary to correct the course of action, and taking whatever internal enforcement or remedial measures may be required to ensure the practice stops and any adversely impacted consumers are made whole. On a case-by-case basis, depending on the nature and extent of the problem identified and other important facts, self-reporting may be worth considering. A company should always want to get out in front of a known problem.

A company should also be attentive to its customers – paying attention to their experiences with its business, taking their complaints seriously and treating them the way every consumer should reasonably expect to be treated. Remember that the CFPB's primary objective is to protect consumers and its view of business and how it should be conducted is formed accordingly. For many companies, it is counter-intuitive to see themselves through the eyes of a consumer or a regulator charged with protecting the consumer, but that is what they must do. Every internal discussion about business practices that, if commenced or discontinued, may impact consumers should include regulator and consumer expectations and not only whether the proposed practice (or discontinuance of the practice) will be accretive to the bottom line. A savvy business attorney can help his or her client find strategic ways to balance the objectives of the business with the need to maintain compliance with the myriad applicable laws and regulations and, yes, regulator and consumer expectations.

All of this presupposes that a company has a compliance program in place appropriate for its size, structure and risk profile. Any company that has not yet developed a compliance program, with both front-end compliance and follow-up auditing components, is likely to be vulnerable in any number of areas. A company can be as vigilant or customer-sensitive as it wants, but if there is no compliance framework in place to set company policy, to detect vulnerabilities before they become problematic, to address potential risks, to monitor the effectiveness of policies or controls and to enforce or remediate where necessary, regulatory trend-spotting will be of little value.