Tag Archives: Alexandra N. Mogul

CFPB Advisory on Placement Practices May Have Broader Market Implications

by Courtney M. Dankworth, Avi Gesser, Alexandra N. Mogul, Paul D. Rubin, and Jehan A. Patterson

Photos of the authors

From left to right: Courtney M. Dankworth, Avi Gesser, Paul D. Rubin, Alexandra N. Mogul, and Jehan A. Patterson (photos courtesy of Debevoise & Plimpton LLP)

On February 7, 2023, the Consumer Financial Protection Bureau (the “CFPB”) issued an advisory opinion (the “Advisory Opinion”)[1] on certain digital placement practices, which may have broader market implications. The Advisory Opinion provides that the prohibition on referral fees under section 8 of the Real Estate Settlement Procedures Act (“RESPA”) in real estate transactions that involve federally related mortgage loans extends to operators of websites that allow consumers to compare mortgages and other real estate settlement services.[2] Specifically, if a comparison-shopping website ranks lenders or settlement service providers (or utilizes certain design choices intended to steer consumers’ choices of providers) based on compensation received by the website operator rather than on neutral criteria, that compensation may be considered an unlawful referral fee in the CFPB’s view.

Continue reading

CFPB’s Report on Buy Now, Pay Later

by Courtney M. Dankworth, Alexandra N. Mogul, Gregory J. Lyons, Courtney Bradford Pike, Zila Reyes Acosta-Grimes, and Jehan A. Patterson

On Thursday, September 16, 2022, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) published a report (the “Report”) detailing the regulatory risks of Buy Now, Pay Later (“BNPL”) products in response to last December’s market monitoring orders to five BNPL companies.

BNPL generally refers to a credit product offered by a third-party institution that enables consumers to split the payment for a retail transaction into four equal installments: the first payment is a down payment due at checkout, and the remaining payments are made in two-week intervals over the next six weeks. BNPL lenders do not charge interest; rather, they incur revenue in the form of late fees and, in some instances, transaction fees.

This blog post first provides a brief overview of some of the unique qualities of the BNPL industry, which has been experiencing significant growth over the past few years. It then outlines the key risks to consumers posed by the BNPL industry as highlighted in the Report as well as the Bureau’s stated next steps for increasing its oversight of the industry. At least in the near term, it appears that the Bureau intends to exercise its jurisdiction over BNPL lenders through supervisory examinations and the issuance of interpretive rules or similar guidance to provide consumers with protections similar to those in the traditional credit card space. This blog post outlines steps that BNPL lenders may wish to consider taking to mitigate the potential risks to consumers that the Report identifies.

Continue reading

Banking Regulators Finalize 36-Hour Data Breach Notification Rule

by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein

On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.

Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.

The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.

The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.

Continue reading

First Resolution by the DFS Under Its Cyber Rules Highlights the Risks of Inadequate Cyber Investigations and the Importance of Satisfying State Breach Notification Obligations

by Luke Dembosky, Avi Gesser, Jim Pastore, Chris Ford, Alexandra Mogul, and Sarah Smith

Last year, we discussed the first enforcement action brought by the New York State Department of Financial Services (“DFS”), which involved charges against First American Title Insurance Company. That hearing is scheduled for March 22.

On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that imposes a $1.5 million penalty for several violations including:

  • Failure to investigate whether an attacker, who compromised a single email mailbox, accessed private data of individuals.
  • Failure to satisfy various state breach notification obligations.
  • Failure to notify the DFS of the incident.
  • Failure to conduct a cybersecurity risk assessment, as required by Part 500.

In addition to the $1.5 million fine, Residential Mortgage must undertake various risk mitigation measures to prevent future incidents.

Continue reading

Insulated No More: The Seila Decision and the End of the Independent CFPB Director

by Courtney M. Dankworth, Mary Beth Hogan, Gregory J. Lyons, Erol Gulay, David Imamura, Alexandra N. Mogul, and Victoria L. Recalde

On June 29, 2020, the Supreme Court issued its decision in Seila Law LLC v. Consumer Financial Protection Bureau, finding unconstitutional the Consumer Financial Protection Bureau’s (the “CFPB” or “Bureau”) leadership structure in which a single director is removable by the President only for cause. This “for cause” limitation on the President’s removal powers by the authors of Dodd-Frank made the CFPB leader more independent than the leaders of other executive agencies. In addition, given the CFPB Director’s five year term, a CFPB Director appointed by one President could remain in office well into the tenure of the next.

The Supreme Court’s decision in Seila eliminates this “for cause” protection, ending the CFPB’s insulated political status and opening up the CFPB to leadership change when a new President takes office. This decision will have a narrow immediate impact, since the CFPB is currently headed by an appointee of President Trump, but will have greater meaning if former Vice President Joe Biden wins the presidency in the fall. More generally, the decision will lead to a CFPB that is more closely aligned with the political priorities of whichever administration is in power.

Continue reading