These are the 5 CFPB rules to watch in 2024

December 27, 2023 8:00 AM

Consumer Financial Protection Bureau Director Rohit Chopra is slated to finalize a raft of new regulations in 2024, including rules cutting overdraft fees and allowing customers to share their banking data with third parties.

Rohit Chopra, the director of the Consumer Financial Protection Bureau, will be giving banks a big lump of coal this Christmas by proposing to eliminate billions in overdraft revenue and credit card late fees.

The top consumer regulator has a dozen rules on its docket and plans to kick off 2024 by issuing final rules in January on overdraft fees, insufficient funds fees and credit card late fees.

Chopra has already taken a big bite out of corporate profits by prodding the top banks to scale back their approach to fees generally. But 2024 also will be the year that Chopra advances a tougher approach to technology aimed at protecting consumers' data privacy rights. The CFPB has rules in the works next year that would rein in data brokers and data aggregators while also subjecting the largest payments firms to the bureau's supervision.

Consumers and lawmakers have repeatedly called for common-sense guardrails around personal financial data that gives consumers more control. Toward that end, Chopra wants to restrict what financial data can be bought and sold. With Big Tech firms morphing into payments giants, the CFPB also plans to issue a rule that would subject Amazon, Apple, Google and others to supervision as it examines the ways in which companies monetize data that may unfairly impact consumers.

Here are five of the most important rulemakings the CFPB will issue in 2024:

The Consumer Financial Protection Bureau is slated to finalize a rule cutting credit card late fees to $8, saying the fees are far larger than the costs incurred by banks in covering late fees.

Credit card late fees to be slashed to $8

Banks are livid about a rule expected in January that would slash credit card late fees to just $8 — down from the current $30 for a first offense and $41 for subsequent violations.

Credit card companies charged consumers a record $105 billion in interest and $25 billion in fees last year, the CFPB claimed in its biannual report to Congress. When the CFPB issued its proposal in February to cut late fees, Chopra did not mince words.

"By our estimates, 75% of late fees have no purpose beyond padding the credit card companies' profits," he said.

With billions of dollars at stake, trade groups representing large issuers are threatening to sue the CFPB once the credit card late fee rule is finalized. Banks claim the CFPB failed to convene a small-business review panel to assess the economic impact on small issuers, as required by law. Small community banks and credit unions argue they will suffer economic harm if the rule goes into effect. A reduction in late fees could force issuers to eliminate credit card rewards programs, trade groups claim. Banks, credit unions and their trade groups launched letter-writing campaigns raising questions about the rule's impact on the cost of debt collection and losses from delinquent borrowers. The CFPB said it received 57,933 comment letters on its proposal.

The CFPB's proposal would set credit card late fees at "reasonable levels." Chopra often says that late fees must be "reasonable and proportional" to the costs incurred to deal with late payments — the specific language outlined in the Credit Card Accountability Responsibility and Disclosure Act of 2009. Chopra also has criticized the Federal Reserve Board for carving out a special provision in 2010 that allowed banks and credit card issuers to raise late fees every year in line with inflation. The CFPB found that of the 20 largest card issuers, 18 of them charge late fees at or near the maximum level allowed by the CARD Act, which Chopra said is a sign that the industry is not competitive. Under the plan, late fees would no longer be pegged annually to inflation and fees higher than 25% of the minimum payment would be banned.

"Over a decade ago, Congress banned excessive credit card late fees, but companies have exploited a regulatory loophole that has allowed them to escape scrutiny for charging an otherwise illegal junk fee," Chopra said in February when proposing the rule.

The rule comes as credit card debt has skyrocketed to nearly $1 trillion. Under the CFPB's proposal, if an issuer wants to charge a late fee higher than $8, they would have to show the CFPB why the higher fee is justified. The Consumer Bankers Association has pushed back strongly against the proposal, claiming the bureau has lumped all fees charged by credit card companies into one bucket of "late fees," and that most of the growth is coming from annual fees paid by prime borrowers.

Banks and credit card issuers claim that the CFPB will be eliminating $9 billion a year in fee revenue that will have to be made up in other ways — either by raising interest rates for all borrowers or limiting the extension of credit, primarily to borrowers with low credit scores.

Cracking down on illegal overdraft practices, insufficient funds fees

Banks have dramatically cut overdraft fees in the past few years due to pressure from the CFPB and consumers. Ally Financial in Detroit that became the first bank to scrap all overdraft-related charges in 2021. Then a ripple effect spread across the industry when Bank of America slashed overdraft fees last year from $35 to $10. Consumers have saved billions in the process.

In January, the CFPB is expected to release a proposal to amend Regulation Z, which implements the Truth in lending Act of 1968. Congress created a limited exemption for overdraft programs long before the advent of debit cards, and banks had "bounce protection programs" that charged a flat fee to help consumers avoid bouncing a check. Specifically the CFPB is looking at whether overdraft services should be considered finance charges or if they are an extension of credit. Banks typically charge a flat, per-transaction fee of roughly $36 when a consumer does not have enough money in their account.

But overdraft programs became a big revenue source for banks with the growth of debit cards, which ultimately led other regulators to require that consumers have the choice to affirmatively "opt in" to overdraft protection. The CFPB has largely been monitoring the overdraft services of the largest banks to determine if they are engaging in what it calls "illegal overdraft practices."

Banks offer a wide range of products and features such as real-time payment updates, 24-hour grace periods and other alerts to help consumers avoid overdraft fees. Many consumers who monitor their account balance may think that checking a mobile banking app — or looking up their balance online, by phone or at an ATM — accurately reflects the balance that they have available in their account and can avoid an overdraft fee. But the CFPB claims that banks often have "convoluted settlement processes," that assess illegal overdraft fees.

Other regulators have made similar claims. In April, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. said that one specific type of overdraft practice — known as "authorize positive, settle negative," or APSN — is unfair and deceptive. ASPN occurs when a bank authorizes a debit when an account is positive, but then charges a fee when other transactions that come in are paid and the account ultimately settles negative. The OCC also identified three additional types of overdraft fees as risky.

In a separate rulemaking, the CFPB will address nonsufficient funds fees, returned-item fees, that have largely been eliminated among the top 20 banks.

Bankers say regulators never had a problem with NSF fees until the Biden administration took on the mantra of eliminating so-called "junk fees," and lumped all bank fees into the mix, including those that were long considered to be legal.

Consumers should know who has their data and how it is used

The CFPB's most consequential rule in 2024 gives consumers control over their financial data by restricting the data that companies can collect, retain and sell. The CFPB's personal financial data rights rule, also known as "1033," for its section in the Dodd Frank Act, requires that banks give bank account transaction data to fintechs at a customers' request. Industry experts often refer to the rule as "open banking."

In October, the CFPB issued a proposal that would give consumers some control and protection over their data once it moves from a bank to a data aggregator or fintech. A consumer would reauthorize the data access each year.

Chopra has found common ground with Republicans lawmakers that want to restrict secondary uses of data. In a move favored by banks, Chopra said that companies that gain access to a consumer's data would only be able to use it for the specific reason authorized by the consumer.

"Companies receiving data can only use it to provide the product people ask for — and for nothing else," Chopra said in October on a press call with reporters. "When a consumer permits their data to be used by a company for a specific purpose, it is not a free pass for that company to exploit the data for other uses."

Companies that get the data from a consumer cannot use it or sell it for their own benefit — including by feeding it into algorithms or artificial intelligence for unrelated activities such as targeted marketing. The move is opposed by so-called data aggregators that have argued for the broad collection and use of consumers' financial data.

Chopra has been clear that the 1033 rulemaking differs from past approaches in which consumer disclosures have been the primary means of protecting a consumer's privacy, which he has claimed is inadequate. Although the Gramm-Leach-Bliley Act allows consumers to opt out of having their data shared, experts say the provision is largely ineffective.

The CFPB's proposal also would cement the market shift away from the practice of screen scraping, whereby consumers provide a third party with their username and passwords to access their financial data. The CFPB wants to move the market away from risky data collection practices even though millions of consumers have already provided third-party firms access to their bank account transaction data. The proposal also would impose new data storage requirements and access restrictions.

Banks want the CFPB to address the issue of liability if a third-party data aggregator suffers a data breach or can be held liable for fraudulent and erroneous transactions. Currently, the proposal requires third parties to make certifications relating to a wide range of issues, which falls short of what depositories want.

Chopra, a former board member on the Federal Trade Commission, has spent a huge amount of time thinking about financial data as a technology regulator.

The CFPB set a 60-day comment period that ends on Dec. 29. Hoping to avoid working on the comment letters over Christmas, about 15 trade groups asked the CFPB for a 30-day extension of the comment period. The CFPB has not extended the comment period, arguing that the industry has had plenty of time to solidify a position on the issue given that an advance notice of the proposed rulemaking was issued in late 2020. The bureau expects to finalize the rule by the fall of 2024.

CFPB to crack down on third-party data brokers, aggregators

Any company that aggregates and sells data could potentially be subjected to the Fair Credit Reporting Act under a proposal by the CFPB that has far-reaching implications for consumers, data aggregators and data brokers. Technology companies that are currently in the process of creating new financial products face massive new regulations ahead — and may not yet know it.

CFPB Director Rohit Chopra has found a way to stop a wide range of companies from buying and selling consumer data by folding them into an existing privacy law from 1970. Technically, the CFPB plans to amend the Fair Credit Reporting Act to reclassify data brokers and aggregators as "credit reporting companies." If enacted, data companies would be prohibited under the FCRA from selling any data for advertising, artificial intelligence and other uses. Companies also would have to give consumers the right to access and dispute their data, and could be sued for violating the FCRA's requirements, leading to increased compliance costs.

Reining in data brokers has drawn bipartisan support in Congress despite lawmakers failing to pass a federal data privacy law. During a recent hearing on data brokers, Rep. Cathy McMorris Rodgers, R-Wash., said: "A stunning amount of information and data is being collected on Americans — their physical health, mental health, their location, what they are buying, what they are eating."

The FCRA, of 1970, strictly limits the use of credit report data from being sold for any reason other than what Congress has specified as having a "permissible purpose," such as credit underwriting. Many third-party data brokers that collect, aggregate, sell and resell personal information are not currently covered by the FCRA. The CFPB said they should be covered if they sell certain types of data including a consumer's payment history, income or criminal records. The rule would potentially subject a wide range of data collectors to the FCRA, which also mandates that the data being collected is accurate credit information.

In September, the CFPB released an outline of its plan to change Regulation V, which implements the FCRA, including seeking to ban all medical debt from consumers' credit reports. Addressing medical debt is just one-fifth of the proposal that is still in the "pre-rule,"stage. The CFPB already has reached out to trade groups asking for small-business experts to serve on a review panel, a prerequisite for any major rulemaking by the agency.

While pushback from the industry is to be expected, much of the friction in the rulemaking will center on the CFPB's plans to outlaw the sale of so-called "credit header data," which is the portion of a credit report that contains an individual's name, birth date, Social Security number, phone numbers and current and past addresses. Many companies rely on credit header data, and the rule could have a far-reaching impact not just on data brokers but also government entities including law enforcement that purchase credit header data from the three main credit bureaus to create dossiers on individuals.

Big Tech firms to get supervised, examined by the CFPB

Giant nonbank payment companies Amazon, Apple, Google and more than a dozen others face being examined and supervised by the CFPB under a rule to be enacted next year.

CFPB Director Rohit Chopra has been speaking for nearly two years about the need for more oversight of the financial products and services being offered by technology giants. In November, the CFPB issued a proposed rule to supervise nonbank companies that qualify as larger participants in the digital consumer payments market. The CFPB believes there are 17 entities that fall within its "larger participant" category, though some experts think the number could be larger given the low threshold of 5 million annual payment transactions to fall within the rule.

Being subject to CFPB supervision is an enormous sea change for an industry with roughly ten to 12 examiners embedded in a company for up to six weeks. Supervision allows the CFPB to understand a company's operations, look at internal reporting and gain access to data that enables the bureau to uncover potentially bad practices. Supervision is often the source of CFPB enforcement actions.

Chopra has repeatedly sounded the alarm that regulators must understand how technology is being used and be able to protect consumers from its harms. When Chopra served on the Federal Trade Commission, he frequently lambasted tech companies for using their size and market power to undermine fair competition. He has said that consumers know little about how large technology companies are using consumer data in their payments platforms.

Under the Dodd-Frank Act, the CFPB can designate so-called "larger participants" in a specific market, allowing the agency to conduct supervisory exams and test for compliance with federal consumer protection laws. Currently most technology and payments companies are licensed by states as money transmitters.

Last year, bank trade groups asked the CFPB to issue a larger participant rule over data aggregators, arguing that the explosive growth of aggregation services has created more risks for consumers — particularly to data privacy and security — which could result in uneven enforcement. Some experts suggest the CFPB will use its examination authority to determine if Big Tech firms are engaging in "unfair, deceptive and abusive acts and practices" that are prohibited by federal law.

Lawmakers from both parties who rarely agree on much appear to be receptive to Chopra examining the tech giants, given the scrutiny they have received for enabling child predators. The comment period for the CFPB's proposal closes on January 8, 2024. The rule is expected in the fall of 2024, with examinations expected to start in 2025.