Q: When does the Consumer Financial Protection Bureau (CFPB) have authority over insurance companies?
The federal legislation commonly known as the Dodd-Frank Wall Street Reform Act, which created the CFPB, specifically carves out the regulation of insurance from the wide range of duties and powers of the agency. However, despite exclusions in the law for the “business of insurance” and for “any person regulated by a state insurance regulator”, the CFPB has authority over insurance companies if: (1) they provide a “consumer financial product or service” such as financial advisory services, loans to policyholders and insurance premium financing; (2) they are covered by an “enumerated consumer law” such as the Fair Credit Reporting Act (FCRA), Real Estate Settlement Procedures Act (RESPA) and Fair Debt Collection Practices Act (FDCPA); or (3) they are operating as a “service provider” to a “covered person”, as where an insurance industry participant operates as a debt protection contract administrator or assists in the design of a product offering for regulated financial institutions and their customers.
In addition, under Title X, the CFPB can take action against any company, including insurance companies, if it deems the company to have engaged in “unfair deceptive and abusive acts and practices”, also known as “UDAAP”. The CFPB has broad authority to interpret what constitutes a UDAAP violation and an equally broad ability to penalize companies for such violations. A review of the 70 or so enforcement actions completed by the CFPB to date reveals that a substantial number of them allege, often among other things, UDAAP violations. Even if a company is in technical compliance with other applicable laws and regulations, it may be found in violation of UDAAP standards.
And there are indirect ways the CFPB can and effectively does regulate companies it is not empowered to regulate directly, including insurance companies. For example, in issuing Bulletin 2012-03, the CFPB sets forth its expectations of regulated institutions or covered persons in the management of their vendors. Simply stated, this Bulletin imposed on regulated institutions the responsibility of ensuring that their vendors are and remain in compliance with applicable consumer laws. As regulated institutions have endeavored to meet the requirements of the Bulletin, questions have arisen as to its application not only to those acting as direct service providers to covered persons, but also to those vendors two and three steps removed from the regulated institution.
Q: Could the CFPB regulate insurance products offered in conjunction with loans (add-on products)? If so, how?
The Truth in Lending Act (TILA) specifically grants the CFPB authority to implement rules regulating financial products and services. The concern among insurance industry participants is that such rules could be used to indirectly regulate insurance products offered in conjunction with the underlying financial products or services.
The CFPB has already ventured into the regulation of products such as credit reporting and identity theft protection benefits sold as add-ons to credit cards. See here and here as examples. Given that these add-on protection benefits appear to have been successfully brought under the CFPB’s authority, add-on insurance and warranty products are the logical next step. Companies offering extended warranties on cars, gym equipment and similar higher-value consumer goods should be paying close attention to this line of enforcement actions by the CFPB because of their own connection to underlying consumer transactions. Arguably, the insurance companies flying closest to the flame are those already acting as vendors to covered persons or conducting activities covered by enumerated business laws.
Q: What are the trends to watch in regard to the CFPB enforcement actions?
The CFPB is still relatively new, and we are still discovering the extent of its authority, both actual and presumed. The easiest way to spot trends is to pay attention to every bulletin, enforcement action, press release and public statement emanating from the CFPB. All of these are disclosed publicly on the CFPB's website, http://www.consumerfinance.gov. While the exercise is somewhat like guessing where lightning might strike next, it is pretty easy to see enforcement trends as they are developing – in the kinds of products and companies in which the CFPB is taking an interest, the types of activities it finds particularly troublesome, the way in which it interprets the laws and regulations it is charged with enforcing, the measure and amount of penalties being collected, and the nature and degree of cooperation with other federal and state agencies.
In recent months, the CFPB has taken enforcement actions against companies engaged in a variety of industries for what it deems to be unlawful or deceptive acts or practices relating to consumer-facing activities in the areas of credit card terms, debt collection, marketing and advertising and business referrals. Generally, the CFPB has been considered to be more aggressive than predecessor agencies in the enforcement tools it chooses to use. Civil investigative demands, subpoenas, litigation and cross-agency referrals at both state and federal levels all are available to and commonly utilized by the CFPB.
And the stakes are higher. For non-culpable or negligent violations, the penalty may not exceed $5,000 for each day during which such violation continues. For reckless violations, the civil penalty may not exceed $25,000 for each day during which the violation continues. And for knowing violations, the civil penalty may not exceed $1 million for each day the violation continues. To date, the monetary penalties, restitution payments to consumers and other forms of monetary relief collected by the CFPB have totaled nearly $7 billion.
Q: What steps should insurance companies consider to minimize their risk of becoming the subject of an CFPB enforcement action?
First and foremost, a company should be vigilant and proactive. By the time a regulator discovers a company's problems and starts talking in terms of “bringing it into compliance”, the company starts its negotiations from a position of weakness. When a company begins to observe an enforcement or policy trend, or even an “expression of concern” by the CFPB about a certain business practice, it should turn the magnifying glass inward to determine if it could withstand similar scrutiny by the CFPB or other regulators. If so, the challenge becomes one of identifying and isolating the source of concern, modifying policies, controls or procedures where necessary to correct the course of action, and taking whatever internal enforcement or remedial measures may be required to ensure the practice stops and any adversely impacted consumers are made whole. On a case-by-case basis, depending on the nature and extent of the problem identified and other important facts, self-reporting may be worth considering. A company should always want to get out in front of a known problem.
A company should also be attentive to its customers – paying attention to their experiences with your business, taking their complaints seriously and treating them the way every consumer should reasonable expect to be treated. Remember that the CFPB's primary objective is to protect consumers and its view of business and how it should be conducted is formed accordingly. For many companies, it is counter-intuitive to see themselves through the eyes of a consumer or a regulator charged with protecting the consumer, but that is what it must do. Every internal discussion about business practices that, if commenced or discontinued, may impact consumers should include regulator and consumer expectations and not only whether the proposed practice (or discontinuance of the practice) will be accretive to the bottom line. A savvy business attorney can help his or her client find strategic ways to balance the objectives of the business with the need to maintain compliance with the myriad applicable laws and regulations and yes, regulator and consumer expectations.
All of this presupposes that a company has a compliance program in place appropriate for its size, structure and risk profile. Any company that has not yet developed a compliance program, with both front-end compliance and follow-up auditing components, is likely to be vulnerable in any number of areas. A company can be as vigilant or customer-sensitive as it wants, but if there is no compliance framework in place to set company policy, to detect vulnerabilities before they become problematic, to address potential risks, to monitor the effectiveness of policies or controls and to enforce or remediate where necessary, regulatory trend-spotting will be of little value.