Bank Policy Institute

01/17/2025 | Press release | Distributed by Public on 01/17/2025 04:05

CFPB and the Law: Assessing Regulatory Overreach Under Director Chopra

Under its current leadership, the Consumer Financial Protection Bureau has pursued a host of rules, guidance documents and enforcement actions that have been procedurally and substantively improper. The Bureau has regulated based on its own conception of how banks and other financial companies should operate, rather than faithful application of the statutes that Congress has tasked it with enforcing. In the waning days of the current Administration, the Bureau has pursued a host of eleventh-hour actions that extend its pattern of legal overreach, including the recent Zelle enforcement action (Consumer Financial Protection Bureau v. Early Warning Services, LLC, et al.). This memorandum begins with the Bureau's general approach under its current leadership and then turns to the Early Warning Services action.

I. The CFPB Has Consistently Overstepped Its Legal Authority

Congress tasked the Consumer Financial Protection Bureau with "ensuring that consumer debt products are safe and transparent." Seila Law LLC v. Consumer Fin. Prot. Bureau, 591 U.S. 197, 202-203 (2020). As part of that mandate, Congress gave the Bureau the power to administer pre-existing consumer finance laws. Id. at 206. It also gave the Bureau the power to prohibit "unfair, deceptive, or abusive act[s] or practice[s]" in the consumer-finance industry. Id.; 12 U.S.C. §§ 5531(a), 5536(a).

Under its current leadership, the Bureau has relentlessly attempted to expand its own jurisdiction by rejecting the plain meaning of statutory language, ignoring its own precedent, and avoiding notice-and-comment rulemaking to shield its actions from judicial review.[1] Indeed, much of the Bureau's regulatory agenda these past four years can be described as an effort "to solve an imaginary problem with no real evaluation of what the 'solution' would cost [the business community] or consumers." PayPal, Inc. v. Consumer Fin. Prot. Bureau, 728 F. Supp.3d 31, 45 (D.D.C. 2024). These efforts have imposed vast uncertainty and costs on regulated entities and ultimately harmed consumers.

Courts have not been reluctant to curb the Bureau's overreach. See, e.g., Consumer Fin. Prot. Bureau v. Snap Fin. LLC, No. 2:23-cv-00462, 2024 WL 3625007 (D. Utah Aug. 1, 2024) (dismissing "first-of-its-kind" enforcement action); Chamber of Com. v. Consumer Fin. Prot. Bureau, 691 F. Supp. 3d 730, 734 (E.D. Tex. 2023) (vacating rule); PayPal Inc. v. Consumer Fin. Prot. Bureau, 728 F. Supp. 3d 31 (D.D.C. 2024) (vacating rule); Chamber of Com. v. Consumer Fin. Prot. Bureau, No. 4:24-cv-00213, 2024 WL 5012061, at *6 (N.D. Tex. Dec. 6, 2024) (preliminarily enjoining rule). Congress and regulated entities have also pushed back on the Bureau's overreach in various ways. The Bureau, however, has only doubled down in the last few months.

A. The Bureau Has Regularly Exceeded Its Statutory Authority

Time and again over these past four years, the Bureau has exceeded its mandate by attempting to regulate conduct outside the scope of existing consumer-finance laws. An agency's efforts to expand its jurisdiction are typically met with skepticism, and for good reason. See Federal Trade Comm'n v. Bunte Bros., 312 U.S. 349, 352 (1941) ("[J]ust as established practice may shed light on the extent of power conveyed by general statutory language, so the want of assertion of power by those who presumably would be alert to exercise it, is equally significant in determining whether such power was actually conferred."); Nat'l Fed. of Indep. Bus. v. Dep't of Labor, Occupational Safety & Health Admin., 595 U.S. 109, 119 (2022) ("[L]ack of historical precedent . . . is a telling indication that [an action] extends beyond the agency's legitimate reach.") (quotation marks omitted); Addison v. Holly Hill Fruit Prods., 322 U.S. 607, 616, 64 S. Ct. 1215, 1220, 88 L. Ed. 1488 (1944) ("The determination of the extent of authority given to a delegated agency by Congress is not left for the decision of him in whom authority is vested."). Yet the Bureau has charged ahead, often to the detriment of consumers and the economy.

1. For starters, the Bureau has attempted to expand the Consumer Financial Protection Act's directive to establish rules by which financial institutions must provide information to consumers about their accounts. See 12 U.S.C. § 5533(a). The Bureau recently issued a rule requiring financial institutions to provide consumer information to third parties. Required Rulemaking on Personal Financial Data Rights, 89 Fed. Reg. 90838 (Nov. 18, 2024). The rule purports to implement Section 5533(a), which provides that financial institutions "shall make available to a consumer, upon request, information in the[ir] control or possession . . . concerning the consumer financial product or service that the customer obtained from" the institution (emphasis added). But that provision only requires financial institutions to provide information to consumers; it says nothing about providing information to "innumerable, as-yet-unidentified third parties." Complaint ¶ 13, Forcht Bank, N.A. v. Consumer Fin. Prot. Bureau, 5:24-cv-304 (E.D. Ky.) (Nov. 18, 2024). Worse still, the rule "seeks to cut off . . . private development and replace it with a complicated, expensive, mandatory regulatory framework" that is "fundamentally unsafe, so the primary result of [the Bureau's] overreach will be to harm the very consumers it is charged with protecting." Id. ¶ 1.

2. The Bureau has likewise misread the CFPA's neighboring requirement that financial institutions "shall, in a timely manner, comply with a consumer request for information" about the institution's financial products and services. 12 U.S.C. § 5534(c)(1).

a. The Bureau purportedly relied on Section 5534(c)(1) in its Request for Information on "relationship banking and customer service," even though that provision "is not a customer service provision and does not authorize the [Bureau] to regulate customer service or set the terms of how, when, or where banks serve their customers." Letter from the Am. Bankers Ass'n, Bank Pol'y Inst., Consumer Bankers Ass'n to the Consumer Fin. Prot. Bureau (Aug. 22, 2022); see Request for Information Regarding Relationship Banking and Customer Service, 87 Fed. Reg. 43,253 (July 20, 2022). Section 5534(c)(1) requires that banks must provide timely replies to consumer requests for information, not that they must do so through particular methods.

b. The Bureau's advisory opinion asserting that Section 5534(c)(1) prohibits large banks from imposing "unreasonable impediments to a request for information about a consumer account" suffers from the same flaw. Consumer Information Requests to Large Banks and Credit Unions, Consumer Fin. Prot. Bureau (Oct. 11, 2023). This standard is "not found in [Section 5534(c)(1)], or anywhere else in the" Consumer Financial Protection Act. Letter from the Bank Pol'y Inst., Am. Fin. Servs. Ass'n, the Consumer Bankers Ass'n, and the U.S. Chamber of Comm. to the Consumer Fin. Prot. Bureau (Dec. 18, 2023).

3. More broadly, the Bureau has also sought to expand the CFPA's prohibition on "unfair, deceptive, or abusive act[s] or practice[s]," 12 U.S.C. § 5536(a)(1)(B), beyond any reasonable understanding. For example, Congress explicitly gave the Bureau authority to address discrimination through statutes like the Equal Credit Opportunity Act, which prohibits "discrimination" and defines specific protected classes, elements of a claim, and exclusions from liability. 15 U.S.C. § 1691(a), (b). Instead of adhering to that limited and specific mandate, in 2022 the Bureau announced that it considered "discrimination" to be an "unfair, deceptive, or abusive act or practice." Consumer Fin. Prot. Bureau, CFPB Targets Unfair Discrimination in Consumer Finance (Mar. 16, 2022). The Bureau thus declared that it would scrutinize whether companies were "adequately 'testing for' discrimination in their advertising, pricing, and other activities." Chamber of Com., 691 F. Supp. 3d at 734. And it announced that it would consider not just whether companies were purposefully discriminating, but also whether their actions had a disparate impact, despite the fact that the "authority to prohibit disparate-impact discrimination is something Congress rarely authorizes." Id. at 741. The Bureau also sought to evade the APA's notice-and-comment requirements by making this major change through an amendment to its examination manual.

A district court correctly set aside the Bureau's amendment because "whether the CFPB has authority to police the financial-services industry for discrimination against any group that the agency deems protected, or for lack of introspection about statistical disparities concerning any such group, is a question of major economic and political significance." Chamber of Com., 691 F. Supp. 3d.at 739, 740-741. The Bureau therefore needed to identify "exceedingly clear language" authorizing it to treat discrimination as an "unfair, deceptive, or abusive act or practice." Id. The Bureau could not "clear that high bar," given its limited mandate from Congress to address discrimination only in specific circumstances. Id. at 741.

4. The Bureau has also overreached in attempting to expand the Truth in Lending Act's definition of "credit." 15 U.S.C. § 1602(f) ("The term 'credit' means the right granted by a creditor to a debtor to defer payment of debt or incur debt and defer its payment."). TILA attempts to ensure the "informed use of credit" through "meaningful disclosure of credit terms." 15 U.S.C. § 1601(a). The Bureau has attempted to enlarge the scope of those provisions by applying the Act's disclosure requirements to products and services that are not credit.

a. For instance, as part of its crusade against overdraft fees, the Bureau issued a rule in 2024 that reinterpreted TILA to treat such fees as "credit." See Overdraft Lending: Very Large Financial Institutions, 89 Fed. Reg. 106,768 (Dec. 30, 2024). The Act, however, "in no way supports the final rule." Complaint ¶ 1, Miss. Bankers' Ass'n v. Consumer Fin. Prot. Bureau, 3:24-cv-792 (S.D. Miss.) (Dec. 12, 2024); Overdraft Lending: Very Large Financial Institutions, 89 Fed. Reg. 106,768 (Dec. 30, 2024). Overdraft services are not "credit" as the Act defines the term, and yet the new rule requires large banks to comply with the Act's disclosure requirements if they assess overdraft fees above a price cap set by the Bureau. Id. ¶¶ 1, 6. The rule purports to impose "an expansive and complex new regulatory regime on overdraft services offered by large financial institutions" that the statute does not permit. Id. ¶ 1.

b. In the same vein, the Bureau recently sued Snap Finance, claiming that Snap violated TILA's disclosure requirements by failing to provide consumers with certain disclosures related to its lease-to-own program. Snap Fin. LLC, 2024 WL 3625007, at *2. The Bureau argued that Snap was subject to the Act's requirements because certain features of its program rendered the program "credit." Response to Motion to Dismiss, at 1. The district court rejected the Bureau's interpretation, explaining that it "has been roundly rejected by the federal courts" and that the Bureau had "los[t] sight of the statutory text and salient characteristics" of lease-to-own programs. Id. at *6. Despite the "unconventional" nature of Snap's lease-to-own program, it was not credit because it did not "grant consumers the right to defer payment" or incur debt. Id. at *8; see 15 U.S.C. § 1602(f).

c. The Bureau also has misinterpreted TILA's penalty fee provision as part of its campaign again credit-card late fees. TILA authorizes credit-card issuers to impose a "penalty fee or charge" when a consumer makes a late payment. 15 U.S.C. § 1665d(a). The Act tasks the Bureau with determining whether those penalty fees are reasonable and proportional, and allows the Bureau to set a safe harbor, below which card issuers may presume that their penalty fees are reasonable. Id. Earlier this year, the Bureau radically narrowed the safe harbor by issuing a rule that lowered the safe harbor by 73% from $30 to $8 and capped late fees at 25% of the customer's missed payment. 12 C.F.R. § 1026.52. A district court preliminarily enjoined the rule, holding that "[a] plain language reading reveals that the [safe-harbor provision of the] Final Rule violates the CFPB's statutory authority under the CARD Act." Chamber of Com., 2024 WL 5012061, at *6. The Bureau justified lowering the safe harbor to $8 because that amount was sufficient to cover issuers' "collection costs," 2024 WL 5012061 at *6. But the Act "explicitly allows card issuers to impose 'penalty fee[s].'" Id. A fee limited to "collection costs" is not a "penalty" because it is meant only to "restore the status quo," not to "punish and deter." Id. Although the Bureau had statutory authorization to regulate penalty fees, it did not have the license to prohibit them altogether.

5. The Bureau has also overread its authority under the Fair Credit Reporting Act to regulate medical-debt information. The Bureau recently issued a rule that "will ban the inclusion of medical bills on credit reports used by lenders and prohibit lenders from using medical information in their lending decisions." Consumer Fin. Prot. Bureau, CFPB Finalizes Rule to Remove Medical Bills From Credit Reports (Jan. 7, 2025). But the FCRA "permits [consumer reporting agencies] to include certain medical debt information on consumer reports and permits creditors to use that information in making credit determinations." Complaint ¶ 2, Cornerstone Credit Union League v. Consumer Fin. Prot. Bureau, No. 4:25-cv-16 (E.D. Tex.) (Jan. 7, 2025). The rule also "violates the FCRA's preemption provisions" by "incorporating various state law prohibitions on the information creditors may consider when making credit decisions." Id. ¶ 6. Once again, the CFPB has sought to usurp Congress's prerogative. Moreover, prohibiting creditors from considering medical debt would only harm consumers, as it would "undermine creditors' ability to engage in risk-based underwriting," thus leading to higher costs, reduced availability of credit and more frequent defaults by consumers. Letter from the Bank Pol'y Inst. and Consumer Bankers Ass'n to the Consumer Fin. Prot. Bureau (Aug. 12, 2024).

6. The Bureau has similarly misconstrued its mandate under the Equal Credit Opportunity Act. The Bureau issued a rule in 2023 expanding the types of data that financial institutions are required to collect and report on applications for credit filed by women- and minority-owned businesses. Small Business Lending Under the Equal Credit Opportunity Act (Regulation B), 88 Fed. Reg. 35,150 (May 31, 2023). Later that year, Congress issued a bipartisan joint resolution invalidating the Rule. S.J. Res. 32, 118th Cong. (2023). The joint resolution passed by a vote of 221-202 in the House of Representatives and 53-44 in the Senate. Actions on S.J. Res. 32-118th Congress (2023-2024), Congress.gov (accessed Jan. 4, 2025). The Joint Resolution's sponsor explained that the Rule "totally perverted" the Equal Credit Opportunity Act. 118 Cong. Rec. S5061 (October 18, 2023) (statement of Sen. Kennedy). Though the President vetoed the resolution, and the rule was later upheld in court, see Texas Banker's Ass'n v. Consumer Fin. Prot. Bureau, No. 7:23-cv-144, 2024 WL 3939598, at *1 (S.D. Tex. Aug. 26, 2024), it demonstrates that Congress too has taken note of and rebuked the Bureau's misguided regulatory efforts.

B. The Bureau Has Regularly Disregarded Its Own Regulations

The Bureau's approach to its own regulations is no different. It consistently adopts strained readings of those regulations in an effort to expand its jurisdiction and impose its current leadership's vision on the business community.

1. For example, the Bureau recently asserted-outside the prescribed notice and comment procedure-that banks should retain specific records to demonstrate compliance with Regulation E, which is the implementing regulation for the Electronic Fund Transfer Act. Specifically, the Bureau claimed in a circular that Regulation E requires financial institutions to retain signed forms or recordings of phone calls as "proof that it has obtained consumers' affirmative consent before levying overdraft fees." Consumer Fin. Prot. Bureau, Circular 2024-05, Improper Overdraft Opt-In Practices (Sept. 17, 2024). But as the Bank Policy Institute and other industry groups have explained, "no provision" in Regulation E (or elsewhere) provide[s] support for" the Bureau's assertion. Letter from Am. Bankers Ass'n et al. to Consumer Fin. Prot. Bureau (Oct. 22, 2024).

2. The Bureau also has distorted Regulation B, the implementing regulation for the Equal Credit Opportunity Act. The Bureau has asserted-again in a mere circular-that creditors must explain adverse credit decisions made using artificial intelligence or "complex" credit models. According to the Bureau, creditors must "affirmatively explain their decisions" and provide "specific details about the consumer's purchasing history or patronage that led to the reduction or closure." Consumer Fin. Prot. Bureau, Adverse Action Notification Requirements and the Proper Use of the CFPB's Sample Forms Provided in Regulation B (Sept. 19, 2023). But as the ABA noted, "Regulation B simply requires that the reasons given be the principal reasons for adverse action" and "neither the rule nor the commentary require[s] creditors to explain th[ose] reasons." Letter from the Am. Bankers Ass'n to the Consumer Fin. Prot. Bureau (Oct. 22, 2024). Indeed, the Bureau said the opposite several years earlier. See Consumer Fin. Prot. Bureau, Innovation Spotlight: Providing Adverse Action Notices When Using AI/ML Models (July 7, 2020) ("[A] creditor need not describe how or why a disclosed factor adversely affected an application.").

3. Along these lines, the plaintiffs challenging the Bureau's recent medical-debt rule allege that the Bureau ignored Regulation Z, the implementing regulation for the Truth in Lending Act. Complaint ¶ 10, Cornerstone Credit Union League v. Consumer Fin. Prot. Bureau, No. 4:25-cv-16 (E.D. Tex.) (Jan. 7, 2025); see Part A.7, supra. They assert that "the CFPB does not even try to reconcile the new [rule's] prohibition on a creditor considering medical debt obtained from a consumer report with the requirement [under Regulation Z] that it consider that same medical debt if it is self-disclosed by a consumer." Complaint ¶ 10. "This makes no sense, and the CFPB makes no effort to reconcile these dueling mandates." Id.

C. The Bureau Has Regularly Acted Arbitrarily And Capriciously

It would be bad enough if the Bureau's overreach had been limited to misreading the language of statutes and its own regulations, but the agency also often has failed to engage in reasoned decisionmaking. Agency actions violate the Administrative Procedure Act if they are "arbitrary and capricious." 5 U.S.C. § 706(2)(A). "This standard requires that agency decisions be reasonable and reasonably explained." F.C.C. v. Prometheus Radio Project, 592 U.S. 414, 423 (2021). The Bureau has not consistently adhered to that requirement.

For instance, a federal district court in D.C. vacated the Bureau's rule declaring that digital wallets are subject to disclosure requirements under the EFTA. The Court held that the rule was arbitrary and capricious because the Bureau "fail[ed] to identify a well-founded, non-speculative reason" for the rule. PayPal, Inc., 728 F. Supp. 3d at 34. In doing so, the court could not have been clearer that the Bureau had significantly overstepped: "The [Bureau] . . . tried to solve an imaginary problem with no real evaluation of what that 'solution' would cost digital wallet providers or consumers." Id. at 45. In a particularly harsh rebuke, the court remarked: "Administrative arrogance of this magnitude is hardly deserving of judicial imprimatur!" Id.

Several similar challenges are currently pending:

  • Plaintiffs challenging the Bureau's rule requiring disclosures of consumer data to third parties allege that the rule is arbitrary and capricious because it "substantially increases security risks to consumers while refusing to increase-or even reducing-the level of security protection that will be afforded to those customers' deposits and data." Complaint ¶ 14, Forcht Bank, N.A. v. Consumer Fin. Prot. Bureau, 5:24-cv-304 (E.D. Ky.) (Nov. 18, 2024); see Part A.1, supra.
  • The plaintiff challenging the Bureau's buy-now-pay-later rule alleges that the Bureau "neglected serious reliance interests in its prior policy," "overlooked that certain obligations that the New Rule purports to impose are a poor fit for BNPL products," and "overlooked that the New Rule grants insufficient time for BNPL providers to come into compliance with the new obligations the New Rule purports to impose." Complaint ¶ 5, Fin. Tech. Ass'n v.Consumer Fin. Prot. Bureau, No. 1:24-cv-2966 (D.D.C.) (Oct. 18, 2024); see Part A.5, supra.
  • Plaintiffs challenging the Bureau's rule restricting overdraft fees allege that "the CFPB . . . fail[ed] to consider the costs and benefits associated with" and that the Bureau "acknowledge[d] the numerous ways the Final Rule could harm consumers." Complaint ¶¶ 9, 10, Miss. Banker's Ass'n v. Consumer Fin. Prot. Bureau, 3:24-cv-792 (S.D. Miss.) (Dec. 12, 2024); see Part A.4, supra.
  • Plaintiffs challenging the Bureau's rule prohibiting creditors from considering medical-debt information allege that the Bureau "failed to account for" changes in industry practices and "more recent studies," which "undermines its cost-benefit analysis." Complaint ¶¶ 8-9, Cornerstone Credit Union League v. Consumer Fin. Prot. Bureau, No. 4:25-cv-16 (E.D. Tex.) (Jan. 7, 2025); see Part A.7, supra.

In the coming months, we should expect yet more judicial decisions holding that the Bureau has acted arbitrarily or outside the bounds of permissible agency behavior.

D. The Bureau Has Regularly Circumvented Notice-and-Comment Requirements

1. The Bureau has often attempted to adopt its policy changes through informal guidance rather than rulemaking subject to public scrutiny through the APA's notice-and-comment procedures. Rulemaking, of course, ensures that agencies "examine the relevant data and articulate a satisfactory explanation" for their decisions. Motor Vehicle Mfrs. Assn., Inc. v. State Farm Mut. Auto. Ins. Co., 463 U.S. 29, 43 (1983). It also ensures that regulated entities have fair notice of what the agency requires of them. See Christopher v. SmithKline Beecham Corp., 567 U.S. 142, 156 (2012). The opportunity for notice and comment is particularly important when an agency changes position because agencies may not "depart from a prior policy sub silentio or simply disregard rules that are still on the books." F.C.C. v. Fox Television Stations, Inc., 556 U.S. 502, 515 (2009). That is why agencies must "use the same procedures when they amend or repeal a rule as they used to issue the rule in the first instance." Perez v. Mortg. Bankers Ass'n, 575 U.S. 92, 101 (2015).

Time and again, the Bureau has ignored those principles:

  • The Bureau has sought to impose new substantive obligations on the offerors of buy-now-pay-later products through an interpretive rule. Use of Digital User Accounts to Access Buy Now, Pay Later Loans, 89 Fed. Reg. 47,068 (May 31, 2024); Complaint ¶ 3, Fin. Tech. Ass'n v. Consumer Fin. Prot. Bureau, No. 1:24-cv-2966 (D.D.C.) (Oct. 18, 2024); see Part A.5, supra.
  • The Bureau has attempted to regulate discrimination as an unfair, abusive, or deceptive practice by updating its examination manual. Consumer Fin. Prot. Bureau, CFPB Targets Unfair Discrimination in Consumer Finance (March 16, 2022); see Part A.3, supra.
  • The Bureau declared in a circular that overdraft fees assessed in compliance with the Truth in Lending Act, the Electronic Fund Transfer Act and their implementing regulations could be an unfair, abusive, or deceptive act or practice. Consumer Fin. Prot. Bureau, Circular 2022-06, Unanticipated Overdraft Fee Assessment Practices(Oct. 26, 2022); see Part A.3, supra.
  • The Bureau announced in a circular its view that creditors had to explain adverse credit decisions made using artificial intelligence or complex credit models. Consumer Fin. Prot. Bureau, Adverse Action Notification Requirements and the Proper Use of the CFPB's Sample Forms Provided in Regulation B (Sept. 19, 2023); see Part B.2, supra. This view flatly contradicted existing guidance. See Letter from the American Bankers Ass'n to the Consumer Fin. Prot. Bureau (Oct. 22, 2024).
  • The Bureau asserted in a circular that levying overdraft fees could violate the Electronic Fund Transfer Act. Consumer Fin. Prot. Bureau, Circular 2024-05, Improper Overdraft Opt-In Practices (Sept. 17, 2024); see Part B.1, supra.
  • The Bureau claimed in an advisory opinion that Section 5534(c)(1) of the CFPA prohibits large banks from imposing "unreasonable impediments to a request for information about a consumer account." See Consumer Information Requests to Large Banks and Credit Unions, Consumer Fin. Prot. Bureau (Oct. 11, 2023); see Part A.2, supra.
  • The Bureau claimed in an amicus brief that the Electronic Fund Transfer Act gave it the authority to regulate portions of wire transfers. See New York v. Citibank, N.A., 1:24-cv-659, Docket No. 28-1 (S.D.N.Y.) (May 28, 2024). But as the Bank Policy Institute and other industry groups explained, the Bureau's view is "wrong as a matter of law" because all portions of wire transfers are exempt from the Act's requirements, and its announcement was "improper as a matter of process" because it was made through an amicus brief filed in an enforcement action brought by the New York Attorney General. Letter from the Bank Pol'y Inst., the Clearing House Ass'n, LLC, N.Y. Bankers Ass'n, & Am. Banker's Ass'n to the Consumer Fin. Prot. Bureau (June 22, 2024). Worse still, the Bureau's view "reflect[s] a complete reversal from the Bureau's regulations and longstanding position of it and its predecessor regulatory agencies." Id.

At best, forgoing notice-and-comment procedures has meant that the Bureau's interpretations have been underinformed and lacked consideration of industry and consumer perspectives. At worst, the Bureau has been attempting to avoid judicial and even legislative scrutiny.

2. The Bureau has also sought to avoid the APA's requirements in a second and related way-by waging a campaign of regulation through novel enforcement actions that left regulated parties without sufficient notice. The Bureau's recent efforts to regulate lease-to-own programs are one example. Rather than issuing a rule to bring lease-to-own programs under its jurisdiction, the Bureau initiated a "first-of-its-kind" enforcement action against Snap Finance. Snap Fin. LLC, WL 3625007, at *2; see Part A.4, supra. The district court dismissed the suit because the CFPB's theory "ignores Congress's policy decisions" and "asks this court to step beyond interpretation and into the business of legislating." Id. at 11.

E. The Bureau Has Engaged In Improper Litigation Tactics

The Bureau's disregard for procedural requirements extends to the courtroom as well. In Consumer Financial Protection Bureau v. Brown, the Eleventh Circuit affirmed a district court's dismissal of an enforcement action due to the Bureau's "dramatic abuse of the discovery process." 69 F.4th 1321, 1323 (11th Cir. 2023). The Bureau "violat[ed] the district court's clear orders and derail[ed] multiple depositions." Id. And this was not an isolated incident. Consumer Fin. Prot. Bureau v. Ocwen Fin. Corp., No. 17-cv-80495 (S.D. Fla.), Docket No. 813 (May 2, 2023) (dismissing enforcement action as barred by prior consent judgment); Consumer Fin. Prot. Bureau v. TransUnion, 2024 WL 2892836 (N.D. Ill. June 10, 2024) (rejecting CFPB attempt to breach attorney-client privilege).

* * *

This survey reveals an unmistakable pattern. Under its current leadership, the Bureau has repeatedly shown that it views its statutory duties as unbounded by the legal limits on its jurisdiction. The Bureau also has ignored evidence that its policies are harming the consumers it is charged with protecting. And the Bureau's efforts have only intensified in recent weeks. It has issued a flurry of new rules and filed several new enforcement actions in the waning weeks of the current Administration. Within the past month alone, the Bureau has filed five new enforcement actions and issued a new substantive rule.[2] This represents a sharp upswing in enforcement activity, as it appears the Bureau filed only 28 enforcement actions in all of 2024. See Consumer Fin. Prot. Bureau, Enforcement Actions (last accessed Jan. 8, 2025). In short, the Bureau's current leadership is trying in its waning days to leave a lasting mark on the American financial system. The next section focuses on one of the Bureau's recent enforcement actions-its case against several operators of the Zelle payment platform.

II. The Zelle Litigation

On Dec. 20, 2024, the Bureau sued Early Warning Services-the company that owns Zelle-and the three largest banks operating on Zelle-Bank of America, Chase, and Wells Fargo. Complaint ¶¶ 2-3, CFPB v. Early Warning Serv., 2:24-cv-03652 (D. Ariz.). The Bureau alleges that these entities knew that there was "significant fraud" on Zelle but failed to take steps to make it more difficult for fraudsters to operate on Zelle. Id. ¶¶ 8-9. According to the Bureau's novel approach, the defendants' failure to establish stricter anti-fraud measures amounts to an "unfair act or practice" in violation of the Consumer Financial Protection Act. Id. ¶¶ 317, 324, 331, 338. The Bureau also alleges that the banks violated the Electronic Fund Transfer Act and the Consumer Financial Protection Act by inadequately investigating consumer complaints about fraudulent Zelle transfers. Id. ¶¶ 347-348, 351-352, 355-356, 360, 364, 368. The action has a number of legal flaws and represents the most recent effort by the Bureau to establish important policy through enforcement rather than formal rulemaking.

A. Alleged Violations Of CFPA

Counts 1-4 allege that Early Warning Services and the banks have "engaged in unfair acts or practices" in violation of the Consumer Financial Protection Act through their failure to take various anti-fraud measures on Zelle. Compl. ¶¶ 316-343. The CFPA grants the Bureau the authority to prevent "a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice … in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service." 12 U.S.C. § 5531(a). The Bureau may "declare an act or practice . . . to be unlawful on the grounds that such act or practice is unfair" if the Bureau "has a reasonable basis to conclude" that (1) "the act or practice causes or is likely to cause substantial injury to consumers" that (2) "is not reasonably avoidable by consumers" and (3) "such substantial injury is not outweighed by countervailing benefits to consumers or to competition." 12 U.S.C. § 5531(c)(1).

The Bureau contends that Early Warning Services and the banks failed to have appropriate measures for "authenticating, verifying, and registering Zelle users"; "providing information to consumers about the identity of recipients"; "pausing or blocking suspicious or risky transfers"; and "suspending or restricting bad actors from using Zelle." Compl. ¶¶ 318, 325, 332, 339. The Bureau also contends that Early Warning Services should have required the banks to notify the company about fraud when it occurred, and that the banks should have timely reported such information to Early Warning Services to prevent future fraud. Id. ¶¶ 318e, 325f, 332f, 339f. According to the Bureau, these failures caused injury to consumers in the form of lost funds sent to fraudsters, that injury was not avoidable and there was no countervailing benefit from the lack of sufficient fraud protection. Id. ¶¶ 319-321, 326-328, 333-335, 340-342.

The Bureau's claims fall well outside the scope of the CFPA for several reasons. First, the alleged injuries were reasonably avoidable by consumers through the exercise of ordinary prudence. Users of Zelle that take ordinary care to verify recipients' identifying information, like recipients' phone numbers, are not susceptible to fraud on the platform. According to Early Warning Services' internal estimates, 99.95% of payments made through Zelle in 2023 were sent without a report of scam or fraud. See Zelle, Zelle Responds to the CFPB's Meritless Lawsuit (Dec. 20, 2024). Second, the defendants' conduct is not the proximate cause of any injury; the fraudsters' conduct is. And in any event, because the vast majority of Zelle transactions take place without any report of fraud and because the vast majority of consumers can avoid any meaningful risk by exercising ordinary prudence, any alleged injury is easily "outweighed" by the significant "countervailing benefits" that consumers have enjoyed from using a quick, seamless peer-to-peer payment system that is easily accessible and affordable for ordinary Americans. 12 U.S.C. § 5531(c)(1)(B).

1. As a matter of first principles, the statutory requirement that injury "is not reasonably avoidable by consumers" effectively imposes a tort-like standard of care on consumers. Courts have long assumed that "[s]tatutes which invade the common law . . . [should] be read with a presumption favoring the retention of long-established and familiar principles." Isbrandtsen Co. v. Johnson, 343 U.S. 779, 783 (1952). That presumption applies with particular force in this context because much of what the Bureau regulates would otherwise rest within the realm of contract law and tort law. Thus, absent express evidence to the contrary, the CFPA's "reasonably avoidable" language should be read to require consumers to act with ordinary prudence. In other words, Congress sensibly decided that consumers could only complain that practices were unfair if they had reasonably tried to avoid the harms from those practices in the first place. Put differently, the CFPA is not a strict-liability statute, although that is effectively how the Bureau reads it.

Applying the reasonable-avoidance standard here, the alleged injuries-namely, the loss of funds by way of fraudulent inducement-were avoidable by a customer exercising reasonable care. A consumer exercising reasonable care would take steps to verify a recipient's identity. For example, suppose that a person receives a request on Zelle from a friend asking for the immediate transfer of emergency funds. The person could simply call, email or text his friend to confirm the legitimacy of the request. Along those same lines, a reasonable consumer would be suspicious of an unsolicited or unfamiliar request to transfer funds, particularly if the recipient is someone the consumer does not even recognize. In short, much, if not all, of the fraud described in the complaint was avoidable through the exercise of reasonable care.

Some courts have reflexively interpreted the reasonable-avoidance requirement in the CFPA by looking to similar language in the FTCA. See, e.g., Community Fin. Serv's Ass'n of Am., Ltd. v. Consumer Fin. Prot. Bureau, 51 F.4th 616, 628 (5th Cir. 2022); Consumer Fin. Prot. Bureau v. ITT Educ. Servs, Inc., 219 F. Supp.3d 878, 916 (S.D. Ind. 2015). Under the FTCA, courts ask "whether the consumers had a free and informed choice" in determining "whether consumers' injuries were reasonably avoidable." Federal Trade Comm'n v. Neovi, 604 F.3d 1150, 1158 (9th Cir. 2010). That approach does not make sense under the CFPA for several reasons, including that the CFPA's separate prohibition of abusive practices protects against a lack of consumer choice or information. Compare 15 U.S.C. § 45(a)(1), (n) with 15 U.S.C. §§ 5531(a), (d); cf. Marx v. General Revenue Corp., 568 U.S. 371, 386 (2013) ("[T]he canon against surplusage is strongest when an interpretation would render superfluous another part of the same statutory scheme.").

Under any standard, however, consumers "have reason to anticipate the impending harm" alleged here, Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152, 1168 (9th Cir. 2012), because financial transactions carry risk when conducted remotely through peer-to-peer platforms like Zelle and its competitors. Consumers are aware that they have to verify transactions or recipients because otherwise they may be deceived into sending a fraudulent transfer. See id. And consumers had "the means to avoid that risk" by exercising greater care before sending money through Zelle. See id. at 1169. Indeed, Zelle takes repeated steps to warn consumers about the possible risks of fraud and scams on the platform. For instance, Zelle maintains a "Pay it Safe Education Center" that provides its consumers with training and resources to identify and avoid fraud or scams. See Zelle Pay it Safe​ Education Center, https://www.zellepay.com/safety-education/pay-it-safe (last visited Jan. 6, 2025). Perhaps because of these protections, Zelle "has a lower share of disputed transactions"-including allegations of fraud-than its competitors. Bank Policy Institute, The Data Shows That Zelle Is The Safest Way For Consumers To Move Their Money (Sept. 19, 2022).

2. The CFPA also requires the unfair act or practice to "cause[]" the substantial injury. In light of background principles of statutory interpretation, this language must be read as requiring the CFPB to demonstrate that the allegedly injurious act or practice constituted the proximate cause of the injury asserted. See Lexmark Intern., Inc. v. Static Control Components, Inc., 572 U.S. 118, 132 (2014) ("[W]e generally presume that a statutory cause of action is limited to plaintiffs whose injuries are proximately caused by violations of the statute."). But the CFPB cannot make this showing because the Zelle defendants are not the proximate cause of the alleged fraud; that label belongs to the third-party fraudsters who directly hoodwinked the customers notwithstanding the defendants' policies and anti-fraud safeguards.

The Second Circuit, which is home to much of the country's financial industry, recognizes that the CFPA incorporates a traditional proximate-cause test. There, the agency must make a showing that the defendant, "with knowledge of the deceptive nature of the scheme, . . . either participates directly in the practices or acts or has authority to control them." Federal Trade Comm'n v. LeadClick Media, LLC, 838 F.3d 158, 169-170 (2d Cir. 2016) (quotation marks and brackets omitted). In Neovi, the Ninth Circuit uses similar language to explain that the defendant's allegedly injurious conduct is the proximate cause only if the defendant's acts or practices "facilitate, or contribute to, ill-intentioned schemes" and the injury "was a predictable consequence." 604 F.3d at 1156. In other words, the agency must show that the defendant took an active and knowing role in the creation of the injury, whether as a direct participant or through a third party susceptible to the defendant's control.

Under a reasonable application of the proximate-cause test, the Zelle defendants cannot be found liable. For starters, the defendants neither participated directly in the fraud nor exerted control over the fraudsters. And unlike in Neovi, where the defendant "expected the site would be used for fraudulent purposes" because of the "high [nearly 50%] rate of fraud," the agency here cannot point to a single action that the defendants took which knowingly rendered fraud a "predictable consequence" or "provided substantial assistance" to the fraudsters when more than 99.95% of transactions on Zelle take place without issue. Id. at 1155-1157. Without these findings, the Bureau cannot establish that the defendants knowingly took any steps that would predictably facilitate or contribute to fraud on Zelle.

Without any conventional hook, the Bureau presses the novel theory that the Zelle defendants are liable for their failure to use anti-fraud measures that the agency, armed with the benefit of hindsight, now deems appropriate. The implications of the Bureau's theory are profound, and the facts of this case show why. The Bureau's complaint does not identify any particular act or practice that the defendants took that clearly violates the law. Instead, the complaint reads like an internal audit report that wades through the minutiae of the defendants' complex anti-fraud programs to identify a cluster of practices that collectively amount to an allegedly insufficient anti-fraud scheme. At bottom, the Bureau is looking to overhaul the defendants' anti-fraud program "to meet an indeterminable standard of reasonableness" without identifying the precise next steps defendants must take to avoid liability under the CFPA. LabMD, Inc. v. Federal Trade Comm'n, 894 F.3d 1221, 1236 (11th Cir. 2018).

To be sure, the Bureau does identify some steps-like two-factor authentication-that it currently faults the Zelle defendants for not adopting. But as an initial matter, it is exceedingly odd to think that the defendants engaged in an "unfair, deceptive, or abusive act or practice" under the CFPA simply by failing to adopt whatever the Bureau believes to be the best anti-fraud practice. Moreover, there is no safe harbor in the Bureau's approach, whether two-factor authentication or anything else. If fraudsters circumvented those systems, the Bureau could declare tomorrow that payment-platform operators were liable for failing to adopt some other anti-fraud measure. The Bureau would not have to show operators had failed to meet prevailing industry standards; it would merely have to show that the failure to adopt some preventive measure that it deemed appropriate harmed consumers-which would effectively convert the CFPA into a strict-liability statute. And to add insult to injury, the Bureau could impose its regulatory decrees through litigation rather than the rulemaking process.

In short, the Bureau believes that the CFPA empowers it to find that any fraud-prevention scheme is itself unfair, deceptive or abusive, at least unless that specific system has been blessed by the Bureau-and every state attorney general intent on enforcing the statute. See 12 U.S.C. § 5552. The Act's text cannot bear that weight because Congress must speak "exceedingly clearly" when it delegates power to an agency to intrude on core state concerns like consumer financial safety or to answer major questions. See United States Forest Serv. v. Cowpasture River Preservation Ass'n, 590 U.S. 604, 622 (2020) (Congress must "enact exceedingly clear language if it wishes to significantly alter the balance between federal and state power[.]"); Biden v. Nebraska, 143 S. Ct. 2355, 2375 (2023) (agency must identify "clear congressional authorization" to justify addressing a major question).

B. Alleged Violations Of EFTA

The remaining counts allege that the banks violated the Electronic Fund Transfer Act and that those violations also amount to violations of the CFPA. Specifically, Counts 5-7 allege that the banks violated the EFTA and its implementing regulation, Regulation E, by failing to investigate complaints of fraudulent Zelle transactions. Compl. ¶¶ 348, 352, 356. Counts 8-10 allege that these violations are themselves violations of the CFPA. Id. ¶¶ 360, 363, 368; 12 U.S.C. § 5536(a)(1)(A) ("It shall be unlawful [under the CFPA] to . . . commit any act or omission in violation of a Federal consumer financial law."). Liability for all the remaining counts thus turns upon whether the banks have violated the EFTA. Consumer Fin. Prot. Bureau v. Frederick J. Hanna & Assocs., P.C., 114 F. Supp. 3d 1342, 1350 n.2 (N.D. Ga. 2015).

The Bureau contends that the banks "failed to reasonably investigate" complaints of fraudulent Zelle transfers because the banks did not "consider[] relevant information held by EWS or other participating financial institutions" and "rel[ied] on incomplete and non-dispositive information"; "failed to reasonably investigate" complaints "concerning token-directory errors" or "determine that such misdirected transfers are errors under Regulation E and the EFTA"; and "failed to reasonably investigate" complaints "concerning unauthorized transfers executed by third parties who fraudulently induced consumers into providing account access or had obtained account access through theft" or "to determine that such transfers are errors under Regulation E and the EFTA." Compl. ¶¶ 347, 351. Wells Fargo, according to the Bureau, is only liable for the first and third failures, while Chase and Bank of America are liable for all three. Compare id. ¶¶ 347, 351 with ¶ 355. These allegations fail for two reasons.

1. Many of the fraudulent transfers that the banks allegedly "failed to reasonably investigate" are not covered by the EFTA. The Act provides that a "financial institution" "shall investigate" any "alleged error" upon receipt of "oral or written notice" from a consumer, so long as the notice allows the financial institution to identify the consumer's account and describes the alleged error. 15 U.S.C. § 1693f(a). Upon completion of that investigation, the financial institution must inform the consumer of the results and correct the error, if one occurred, unless the Act's consumer-liability provision applies. Id. § 1693f(a), (b).

As relevant here, the Act defines an "error" as requiring one of two events: an "unauthorized electronic fund transfer" or an "incorrect electronic fund transfer[.]" 15 U.S.C. § 1693f(f). An "unauthorized electronic fund transfer" is "an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate such transfer and from which the consumer receives no benefit." § 1693a(12). The Act does not define what constitutes an "incorrect" transfer, but the Bureau's guidance "strongly suggests that 'incorrect' refers to transfers sent in an 'incorrect' amount or to an 'incorrect' recipient." Sanchez v. Navy Federal Credit Union, No. 23-cv-285, 2023 WL 6370235, at *22 (C.D. Cal. Aug. 14, 2023).

Many of the fraudulent Zelle transfers discussed in the complaint are not "errors" under the Act. The Bureau acknowledges that many of the alleged fraudulent Zelle transfers were the result of "Induced Fraud," which "occurs when a consumer is tricked into sending a transfer to someone under false pretenses." Compl. ¶ 47. Many other transfers were the result of "Me-to-Me schemes," which "occur when a fraudster convinces a consumer to transfer money to a token that the consumer is led to believe is theirs, when, in fact, the consumer is transferring the money to a token in the fraudster's control." Id. ¶ 48.

Transfers caused by these schemes cannot, by definition, be errors under the Act. Such transfers are not unauthorized electronic transfers. See Holmes v. Capital One, N.A., 3:22-cv-0823, 2023 WL 6318883, at *8 (N.D.N.Y. Sept.28, 2023); Tristan v. Bank of Am., No. 22-cv-1183, 2023 WL 4417271, at *11 (C.D. Cal. June 28, 2023). An unauthorized electronic transfer must be initiated "by a person other than the consumer." § 1693a. The complaint affirmatively acknowledges that transfers resulting from "Induced fraud" or a "Me-to-Me scheme" are initiated by the consumer. Compl. ¶¶ 47, 48. Nor are these incorrect transfers, for the consumer intended both the fact and the amount of the transfer. Holmes, 2023 WL 6318883, at *7; Tristan, 2023 WL 4417271, at *10.

Complaints regarding these transfers would trigger the banks' statutory duty to investigate. But the banks could satisfy that duty by reviewing their own records. See 12 C.F.R. Pt. 1005, Supp. I. cmt. 11(c)(4) ("The extent of the investigation required may vary depending on the facts and circumstances."). Based on the allegations in the complaint, the banks did exactly that. Complaint ¶ 282 ("When investigating such Notices, each Defendant Bank has reviewed only records in its respective possession."). Accordingly, the banks' response to many of the fraudulent transfers did not violate the Act. See Merisier v. Bank of Am., N.A., 688 F.3d 1203, 1209 (11th Cir. 2012); Holmes, 2023 WL 6318883, at *8.

2. For the fraudulent transfers described in the complaint that do meet the Act's definition of an "unauthorized electronic fund transfer," the Act's consumer-liability provision applies. This provision allows financial institutions to hold consumers responsible up to a specified dollar amount for unauthorized electronic fund transfers if certain conditions are met.

Section 1693g of the EFTA provides that it is "[the] consumer [that] shall be liable for any unauthorized electronic fund transfer involving the account of such consumer only if" (1) the "means of access utilized for such transfer was an accepted . . . means of access" and (2) "the issuer of such . . . means of access has provided a means whereby the user of such . . . means of access can be identified as the person authorized to use it." An "accepted . . . means of access" is a "means of access to a consumer's account for the purpose of initiating electronic fund transfers when the person to whom such . . . means of access was issued has . . . used, or has authorized another to use, such . . . means of access for the purpose of transferring money between accounts." 15 U.S.C. § 1693(a)(1).

In other words, a financial institution may hold a consumer responsible for even an unauthorized electronic fund transfer if the transfer was made using legitimate methods, such as a duly issued card or code, and the financial institution took steps to verify that the transferor was authorized to use those methods. Regulation E also requires banks to provide certain disclosures to consumers. 12 C.F.R. § 1005.6(a). In such cases, the consumer "shall be liable" for any unauthorized electronic fund transfer and the financial institution need not correct the error if it falls below the Act's liability cap, generally $50.

It appears that this provision covers the unauthorized-fraud transfers described in the complaint, provided the banks complied with Regulation E's disclosure requirements. 12 C.F.R. § 1005.7(b)(1)-(3). The complaint alleges that consumers sign up for Zelle using a phone number or email address, also known as a "token." Compl. ¶ 29. This token is the "means of access" for the consumer's account. See 15 U.S.C. § 1693a(2); 12 C.F.R. § 1005.2(a)(2); 12 C.F.R. Pt. 1005, Supp. I cmt. 2(a). The token is an "accepted" means of access because the consumer has "used" the token "for the purpose of transferring money" through Zelle. 15 U.S.C. § 1693a(1); 12 C.F.R. § 1005.2(a)(2). And Zelle provides a "means whereby the user of such [token] can be identified as the person authorized to use it" by sending a one-time passcode to the phone or email address when the consumer registers the token with Zelle. Compl. ¶ 29; 15 U.S.C. § 1693g(a). All this means that § 1693g allows the Banks to hold consumers liable for unauthorized fraud transfers up to the Act's liability cap.

III. Conclusion

Under the current leadership, the Bureau has consistently exceeded its statutory remit and maneuvered to evade judicial or congressional scrutiny. Time and again, it has issued a rule or guidance that is unsupported by the statute it purports to implement or interpret. And time and again, it has sought to insulate its actions from review and even comment by adopting rules in the guise of guidelines, circulars, advisory opinions and enforcement actions. The Bureau's recent Zelle action demonstrates the same absence of fidelity to the law. Consumers and the business community would be better served by a Bureau that faithfully implements consumer-finance laws, rather than regulating based on its own misguided policy preferences.

[1] An annex to this memorandum summarizes the examples of the Bureau's overreach discussed in the remainder of this section.

[2] The enforcement actions are Consumer Fin. Prot. Bureau v. Experian Info. Solutions, Inc., No. 8:25-cv-24 (S.D. Cal.) (filed January 8, 2025); Consumer Fin. Prot. Bureau v. Vanderbilt Mort. and Fin., Inc., No. 3:25-cv-4 (E.D. Tenn.) (filed January 6, 2025); Consumer Fin. Prot. Bureau v. Walmart, Inc., et al., No. 24-cv-4610 (D. Minn.) (filed December 23, 2024); Consumer Fin. Prot. Bureau v. Rocket Homes Real Estate LLC, et al., No. 2:24-cv-13442 (E.D. Mich.) (filed December 23, 2024); and Consumer Fin. Prot. Bureau v. Early Warning Serv., et al., No. 2:24-cv-3652 (filed December 20, 2024). See also Consumer Fin. Prot. Bureau, CFPB Finalizes Rule to Remove Medical Bills From Credit Reports (Jan. 7, 2025).