Three California laws that affect fintech companies will go into effect on January 1, 2021. The California Consumer Financial Protection Law (CCFPL) expands the scope of the Department of Business Oversight’s (DBO) current regulatory and enforcement powers, and renames it as the Department of Financial Protection and Innovation (DFPI). The Debt Collection Licensing Law (DCLL) requires, among other things, that persons engaged in the collection of consumer debts, including first- and third-party debt collectors and debt buyers, obtain a license from the DFPI. The Student Loan Borrower Bill of Rights gives the DFPI broader authority to regulate student loan servicers, including depository institutions and servicers of federal student loans, in addition to providing consumers with a private right of action to enforce the law’s substantive requirements.
This Fintech Flash provides the key takeaways that fintech companies need to know about their “new” regulator and discusses how the three new California consumer finance laws may impact fintech companies.
- The DFPI Is Now the Primary State Regulator For Most Fintech Companies The CCFPL brings most fintech companies under the purview of the DFPI. The CCFPL gives the DFPI broad authorities over any “covered person,” which includes “[a]ny person that engages in offering or providing a consumer financial product or service to a resident of [California],” “[a]ny affiliate of a person ... if the affiliate acts as a service provider to the person” that offers or provides the product or service, and “[a]ny service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.” In turn, a “service provider” “means any person that provides a material service to a covered person in connection with the offering or provision by that covered person of a consumer financial product or service.” This ultimately means that the DFPI has jurisdiction over most consumer-facing fintech companies, including companies offering consumer credit, digital banking services, and digital wallets, and fintechs that provide services to such companies, such as payment processors. Though the CCFPL exempts companies subject to existing DBO licensing requirements and regulations, including banks, bank holding companies, credit unions, and residential mortgage lenders and servicers, payday lenders and, as explained in more detail below, student loan servicers are not exempt from DFPI oversight.
- The CCFPL Requires Most Fintechs to Register With the DFPI The CCFPL authorizes the DFPI to create by rule “registration requirements applicable to covered persons engaged in the business of offering or providing a consumer financial product or service, including requiring a filing be made under oath, and requiring the payment of registration fees.” The DFPI may require registration of any “covered person” except entities already licensed by the DFPI or another state agency, provided that all financial products being offered by the entity are regulated by the licensing agency. The registration process is a practical way for the DFPI to onboard those entities not previously subject to its jurisdiction. But fintechs should prepare for the DFPI to use its new authorities long before the agency identifies which entities must register, thereby bringing them into the fold, because the DFPI is only required to promulgate such rules within three years of its second enforcement action. The DFPI has said that registration rules likely would not be finalized until the end of 2021, with an effective date of January 2023. But fintechs should assume that they are subject to the full authority of the DFPI starting January 1, 2021.
One final note about registration is that the CCFPL authorizes the DFPI to “require registration through the Nationwide Multistate Licensing System and Registry” (NMLS). Even if not ultimately required by the DFPI, any recognition by the DFPI that NMLS registration satisfies the CCFPL’s registration requirements would alleviate much of the regulatory burden associated with the registration provisions. This is perhaps one reason why, during a recent conference call with industry participants, the DFPI touted its ability to lower regulatory hurdles for the industry. Fintechs should consider using the NMLS because more and more states are accepting NMLS registrations in lieu of state-specific registrations.
- Fintech Companies Should Prepare For the DFPI to Use Its Broad Enforcement Powers The DFPI now has enforcement authority over more than 50 California consumer finance laws, and some 20 federal consumer protection laws, including the federal Consumer Financial Protection Act of 2010. The DFPI’s enforcement authorities include the power to seek, through either a civil or administrative action, rescission of contracts, restitution for consumers, disgorgement, injunctive relief, and monetary penalties, among other remedies. The CCFPL sets a sliding scale of maximum monetary penalties: $5,000 per day, or $2,500 per act or omission, increased to $25,000/$10,000 for reckless violations and for knowing violations the lesser of one percent of the covered person’s total assets or $1 million per day or $25,000 per occurrence.
Though it is too early to say how the DFPI will wield its newly acquired enforcement authority, because the department’s new mandate specifically includes “Innovation,” fintech companies should expect the DFPI to pay them particular attention. Because most fintech companies have historically fallen outside of the DBO’s purview, one purpose of the DFPI’s early investigations may be to understand key industry participants and close its knowledge gap of the fintech space.
- Fintech Companies Should Closely Monitor How the DFPI Interprets the Terms “Unfair,” “Deceptive,” and “Abusive” The CCFPL grants the DFPI authority to police “unfair,” “deceptive,” and “abusive” acts or practices (collectively, UDAAP) engaged in by “covered persons” and “service providers.” The CCFPL also authorizes the DFPI to publish rules applicable to any covered person or service provider interpreting UDAAP, subject to a number of statutory qualifications and prerequisites. Though the statute requires the DFPI to interpret the terms “unfair” and “deceptive” consistent with the California Unfair Competition Law, and the term “abusive” consistent with Dodd-Frank, the potential exists for the DFPI to interpret these terms differently than under existing law, either explicitly through rulemaking or as applied to specific industries or products. During a recent industry call the DFPI signaled that it anticipates a 2023 effective date for any new rules (other than rules governing debt collector licensure, discussed below). Fintechs should closely monitor the DFPI’s rulemakings and enforcement actions to understand where the DFPI’s interpretations may diverge from existing law in order to accurately assess compliance risk.
- Fintech Companies Will Be Subject to More Specific and Onerous Procedures in Responding to Complaints Submitted by Consumers to the DFPI Like the CFPB, the DFPI provides a mechanism through which consumers can submit complaints to the DFPI about the conduct of any covered person. Though the CCFPL requires the DFPI to establish procedures governing how companies must respond to consumer complaints submitted to the DFPI, the statute itself requires a timely response that identifies the steps taken by the company, any responses made to the consumer, and the follow-up actions planned or taken. However, unlike the CFPB’s public complaint portal, the DFPI’s database is non-public and no provision of the CCFPL mandates public disclosure of complaints or complaint responses. The DFPI’s new complaint process is likely to be particularly influential in how the DFPI selects industries and companies to investigate. Fintech companies should not wait for DFPI rulemaking before implementing a comprehensive complaint management response system that covers all types of complaints, regardless of their origin.
- Fintechs Collecting or Purchasing Consumer Debt Must Obtain a License Though the number of fintech companies engaged in third-party debt collection activities may be small, the California DCLL also requires the licensure of entities collecting debts on their own behalf. The DCLL does exempt depository institutions and fintech companies already licensed under certain state laws (including the California License Law). In addition to the licensure requirement, the DCLL requires that licensed entities disclose their license numbers in debt collection communications with consumers. The DCLL gives the DFPI authority to issue regulations under the DCLL, so fintech companies should monitor the DFPI’s rulemaking to understand their compliance responsibilities in advance of the January 1, 2022 enforcement date.
- The DFPI Is Likely to Continue to Target Certain Bank-Fintech Partnerships The CCFPL gives the DFPI some discretion to determine what constitutes a covered “financial product or service” by expanding the definition to include any product or service “[e]ntered into or conducted as a subterfuge or with a purpose to evade any consumer financial law,” or “[p]ermissible for a bank … to offer or provide … [but] has, or likely will have, a material impact on consumers,” with certain exceptions. Fintech companies should carefully analyze existing business relationships and practices to understand what products or services could be at target for DFPI enforcement or regulation under this provision of the CCFPL.
- Fintech Companies in the Student Loan Servicing Space Should Expect More Regulation, Enforcement, and Litigation The Student Loan Borrower Bill of Rights grants the DFPI the power to regulate student loan servicers, including those servicers like depository banks and servicers of federal student loans otherwise exempt from the Student Loan Servicer Licensing Law. Though this provision of the law may be subject to challenge on preemption grounds, fintechs in the student lending space should prepare for increased scrutiny from regulators. Perhaps the biggest impact of the law, however, is that it creates a private right of action, including in certain cases treble damages, punitive damages, and legal fees, for failure to comply with either the substantive provisions of the Borrower Bill of Rights or any applicable federal law. Fintech companies should expect to see more lawsuits from borrowers that cite the substantive provisions of the new law and seek the broad remedies authorized by the Borrower Bill of Rights.
- The DFPI Will Have the Resources to Hit the Ground Running California will appropriate at least $10 million in additional funding to the DFPI each of the next three fiscal years. Beginning in the 2023-24 budget cycle, the DFPI will be funded exclusively through the licensing fees discussed above and from the civil penalties it collects in connection with enforcement actions. This funding mechanism gives the DFPI the ability to act quickly and the incentive to utilize its enforcement powers. The DFPI’s self-funding mechanism also insulates the agency from pressure that otherwise could have been brought to bear on the agency through the political process.
- Fintech Companies Should Look to the Obama-Era CFPB For Guidance on How the DFPI May Act The DFPI has been termed the “mini-CFPB” because both agencies have broad rulemaking and enforcement authority over a vast number of consumer financial protection laws. But the similarities don’t end there. The DFPI’s Commissioner, Manuel Alvarez, previously worked at the CFPB as a lawyer and developed a close relationship with Richard Cordray, the Bureau’s inaugural director. One would expect to see even more CFPB alumni among the nearly 100 new staff joining the DFPI as a result of its expansion.