Author Archives | Randy Henrick Esq.

DoD Threatens Military GAP Sales

DoD Threatens Military GAP Sales

The Military Lending Act (MLA) is a law enacted by Congress in 2006 and amended in 2013. It was designed to protect the rights of service members in certain types of financial transactions. As originally crafted, the MLA covered three types of consumer credit: payday loans, auto title loans and tax refund anticipation loans.

That changed in 2013, when the MLA and regulations were broadened to cover consumer credit generally, except for mortgages and certain exempt transactions, which include purchase money auto financing secured by the vehicle. The MLA final rules and regulations are issued by the U.S. Department of Defense but enforced by the Department of Justice, the Federal Trade Commission and the Consumer Financial Protection Bureau.

Under the revised DoD regulations effective Oct. 3, 2016, the auto finance exemption covered financing of vehicles and vehicle-related products and services. It has been generally understood that credit insurance and GAP relating to vehicle financing do not bring the transaction outside of the auto financing exemption. However, if non-auto finance-related items were financed in the transaction — such as would be the case, for example, if the customer took a large amount of cash out of the financing — then the transaction would be covered by the MLA.

What the Military Lending Act Requires

If a transaction is subject to the MLA, federal regulations require detailed disclosure requirements, both written and oral, as well as the calculation and disclosure to the covered service member of a “military APR” in addition to the customary Truth in Lending (TILA) APR. The military APR adds a lot more things into the “finance charge” and hence the APR calculation such as fees, aftermarket products, GAP costs and credit-related insurance premiums. If including these things along with traditional finance charges creates a military APR of over 36%, the transaction is void and prohibited.

Mandatory Disclosures Under MLA Regulations

In addition to disclosing both the military APR along with the TILA APR, you must disclose in writing “a clear description of the payment obligation.” The regulations also give a 110-word model statement essentially describing the military APR. This, or some substantially similar disclosure, must also be given.

Additional oral disclosures (which may be made either personally or by using a dedicated toll-free telephone number) are another requirement. If you use the toll-free number, its number must be on the credit application or the written disclosures. In either event, you will need to effectively document your delivery of the written and oral disclosures in the deal jacket.

If this seems like a difficult process for your everyday sales or F&I manager, you are correct.

It is also difficult to identify who is a “covered borrower” under the MLA, to whom the law applies. The term is not synonymous with the general definition of “service members” and their dependents under the Service Members Civil Relief Act (e.g., dependents are more broadly defined for purposes of the MLA).

However, there is a “safe harbor” way to determine whether an individual is a MLA covered borrower. The individual can be checked against the DoD’s online database (for new transactions only) at and then link from there to for entry of one person. Alternatively, a dealer can get the person’s status as an MLA-covered borrower from a national consumer reporting agency in connection with their credit report.

Check with your credit report provider, who may impose an additional charge for this notation, but getting the covered borrower status on a credit report seems to be the easier way to go.

Department of Defense Changes to MLA Motor Vehicle Financing Exemption

On December 14, 2017, the DoD issued its second interpretation of the Military Lending Act. Its first interpretation, which took effect Oct. 3, 2016, issued revised regulations in response to MLA statutory amendments in 2013. As noted above, it effectively clarified that the exemption from the MLA for purchase money auto financing credit secured by the vehicle generally included within the exemption advances for financing items related to the vehicle, which included credit insurance and GAP.

DoD’s second interpretation indicated a transaction was exempt from the MLA “that finances the [vehicle] itself and any costs expressly related to that [vehicle] … provided it does not also finance any credit-related product or service.” This means if the auto financing transaction includes GAP or credit insurance, the whole transaction is arguably outside of the exemption and subject to the MLA.

The DoD further stated that its second interpretation did not change the original regulations that took effect in October 2016, but merely stated DoD’s “pre-existing interpretations an existing regulation.” This puts at risk any vehicle financing transaction beginning Oct. 3, 2016, that financed credit insurance or GAP for an MLA-covered borrower but which does not comply with the MLA’s extensive disclosure requirements or fails to disclose the “military APR” complex calculation, which is capped at 36%.

MLA Penalties for Noncompliance

Since financing of credit insurance or GAP now may put a transaction outside of the MLA exclusion for purchase money auto financing, substantial penalties for violating the MLA could apply to non-MLA conforming transactions, both looking back to Oct. 3, 2016, and looking forward.

These penalties include federal criminal misdemeanors imposing fines and up to one year in prison for knowing violations; voiding of contracts from inception; civil liability of actual damages or $500 statutory damages recoverable in class actions; punitive damages; costs and attorney’s fees. The MLA expressly forbids and will not enforce arbitration clauses and requires other protections for the MLA-covered borrower as well.

Possible Actions in Response to the DoD’s December 2017 Interpretation

Until legislative, judicial, or agency clarification can be obtained, it appears dealers have two options. One is to simply not offer credit insurance or GAP to any customer, which will avoid the MLA problem totally.

The second alternative is not to offer credit insurance or GAP to MLA covered borrowers. This means you will have to check every customer using one of the “safe harbors” described above (DoD MLA site or a credit report indicating the person’s MLA status) before selling them GAP or credit insurance. Do so at the time the consumer submits a credit application or within 30 days earlier if, for example, you are doing a prescreening mailing. Document your doing so in the deal jacket.

At least 11 states have military antidiscrimination statutes. Each state interprets its law differently. In response to a claim of military discrimination for not selling GAP to MLA-covered borrowers, the dealer could argue that it has a legitimate business interest in not doing so. The legitimate business interest would be not wanting to incur the excessive compliance costs imposed by the federal government (principally oral disclosure requirements and calculation of the military APR) to be able to sell these products to MLA covered borrowers.

I don’t believe this argument — which derives from successful cases under the federal Equal Credit Opportunity Act charging disparate impact discrimination on federally protected classes of people — has been tested under any state’s anti-military discrimination act case. Plus, each state’s law is different. Consult your local attorney or compliance professional on the law in your state to get a sense of whether a “legitimate business interest” is a defense to alleged credit discrimination against protected military members under your state’s law.

Summary and Conclusion

There are good arguments to be made that the DoD exceeded its authority in issuing the December 2017 interpretation and trying to make it retroactive. It did not publish proposed regulations or seek comments for this new “interpretation,” which sure seems like a regulation. Its attempt to give it retroactive effect is also very dubious. These arguments, and others, will be raised in court cases or before the agency. But you don’t want to be the one who has to incur the expense to do that.

I think the approach of offering GAP and credit insurance to every customer — except a safe harbor-checked MLA-covered borrower — is the best business approach, subject to a state anti-military lending discrimination statute that might suggest otherwise. The legitimate business defense in not incurring the compliance cost and burden of MLA transactions seems reasonable to me.

Also, lobby your federal and state legislators on this one. Dealerships near large military bases stand to lose a lot of revenue if the DoD’s interpretation is legitimized. I know NADA will work this issue hard in Washington, and hopefully a more rational interpretation that GAP and credit insurance on a vehicle financing transaction do not risk the auto financing MLA exemption will prevail.

Posted in Industry0 Comments

F&I Faces Regulatory Uncertainty

F&I Faces Regulatory Uncertainty

It is tempting to speculate that the regulatory environment for the auto finance industry in the months ahead may be more favorable. Don’t count on it.

A recent federal case held unconstitutional that portion of the Dodd-Frank Act which permits the Consumer Financial Protection Bureau (CFPB)’s director to be fired only for cause. This decision has been appealed to the entire federal D.C. Circuit Court. And they won’t even hear arguments until late May. Although President Trump’s Department of Justice has filed a brief in support of the earlier decision, it is unlikely that he will remove Richard Cordray as CFPB director until the full court rules sometime later this year, assuming they affirm the lower court’s ruling.

Various bills have been introduced in Congress to cut back the CFPB’s authority in one form or another as well. One of these bills would eliminate the agency’s authority to bring enforcement actions for unfair, deceptive and abusive practices, which is the basis for challenging many aftermarket or add-on product sales.

These bills will most likely be subject to filibustering in the Senate and require 60 votes to close off debate. It is questionable whether enough Democrats would join Republicans to make more than simple changes to the CFPB, such as making it subject to congressional appropriations instead of being funded as a percentage of the Federal Reserve Board’s budget as it is today. With issues such as immigration, reforming Obamacare, and the federal tax code getting more attention, the timing of any CFPB legislation before the summer is questionable.

Remember also that the Dodd-Frank Act gives state attorneys general the authority to enforce Dodd-Frank consumer protection laws as well as state law. The most likely regulator to show up at your door is your local attorney general. Some AGs, like those in New York, Massachusetts, Illinois and California, have been very vigorous in policing what they consider to be unfair, deceptive or abusive practices in aftermarket product selling.

Did you know that the National Association of Attorneys General has an auto finance subgroup that looks at auto dealer conduct and ways to police it? Aftermarket products are high on their agenda. The Federal Trade Commission (FTC) is also actively looking at aftermarket product selling by dealers.

Best Practices in the Current Regulatory Environment

The value of products sold to consumers, how they are sold, and discrimination issues if products are sold on different terms or different prices to protected classes of consumers are likely going to continue to be the focus of regulators as well as plaintiffs’ lawyers. For example, there is a case pending in West Virginia challenging the value of etch as an effective theft-deterrent device.

Here are some practices you may want to consider to mitigate these risks:

1. Don’t Be “That Guy”: The New York AG has collected over $17 million since 2015 for deceptive sales of a credit repair and identity theft protection product. The provider was put out of business, leaving the dealers to foot the bill. Don’t be that guy.

Do you stand behind your products and have the financial ability to do so? Are you up to speed on legal and regulatory challenges to aftermarket product selling and have your scripts been vetted by legal or compliance professionals? Can you prove that to the satisfaction of your agent and dealership clients? What is your track record with litigation and claims?

2. Value to Consumers: If challenged by a regulator or in court, could you credibly defend the value of all your aftermarket products to customers in relation to the price and the customer’s needs? What steps do you take to prevent price gouging involving your products?

Some products such as extended service contracts can protect the customer from expensive repairs since many vehicles today are so computerized that entire systems need to be replaced if something goes wrong. This can cost over a thousand dollars.

The days of routine wrench and socket repairs are coming to an end. Other products like etch may be more difficult to defend. To bring the theoretical question down to brass tacks, what is the average customer-paid service repair charge in your client dealerships over the last 90 days? How does that relate to the selling price of your VSCs?

3. Transparent Explanations. The average U.S. consumer reads at between a 7th- to 9th-grade education level. Have a lawyer or compliance advisor review your selling scripts. Do they clearly and accurately describe the product and its limitations?

Be careful of “slick” fast-talk selling that confuses the customer with misleading math or other what-ifs. Encourage the use of menus that give the prices of the products, individually and in packages, and don’t just sell based on monthly payment amount. That can open your dealership clients up to payment packing charges, which hurt everyone.

4. Discrimination. The CFPB cited aftermarket products as an area they are investigating for the same kind of “disparate impact” credit discrimination they charged with dealer rate participation. Encourage dealerships to charge standard prices by vehicle, and document that expectation.

If your dealership clients lower a standard price for a customer, recommend that they keep a record in the deal jacket of a legitimate business reason why they did so such as a sale on the product by the manufacturer or the dealership. You don’t want to be implicated in potential discrimination by your dealership clients.

5. Consumer Complaint Resolution: The CFPB expects your dealership clients to have a compliance management system (CMS). One necessary element of a CMS is a process to resolve consumer complaints, either with an uninvolved senior dealership officer or a neutral third party.

However the process works, it needs to be able to document who made the complaint, what the nature of the complaint was, the steps taken to address it, and the fact that the complaint is resolved within 15 days. You don’t want the customer filing a complaint with the CFPB, FTC or local attorney general, which is how investigations get started.

Understand that aftermarket product selling is near the top of regulators’ agendas when it comes to the retail automotive business. That is not likely to change very much in the near future. Position yourself and your dealers to reduce the risk of being the next headline.

Posted in Industry0 Comments

Out of the Breach

Out of the Breach

Auto Remarketing News recently reported a study finding that 84% of consumers would not do business with a dealer who had experienced a data security breach of customer information. Earlier studies found that 60% of data breaches target small and mid-size businesses and six in 10 victims go out of business within six months of a breach. This is your dealer clients’ biggest financial risk, as dealerships are prime targets of hackers and criminals seeking valuable personal identity data.

No one can guarantee the dealerships you serve will never be breached. But there are relatively simple things your clients can do right now to reduce their risk from a hacker or disaffected insider who wants to steal your customers’ information. The goal of data security is to make yourself a less attractive target in the hopes that the bad guys will move on to someone else.

To do this, you must first understand that people are your biggest data breach risks. Hackers find it much easier to get into the dealership’s system through the back end, by using social media schemes and other tricks, than by trying to blast through the front end of the system, which is typically better protected. Think of data security in terms of the Three Ps: people, patching and processes.

  1. People: People are your biggest risk. A well-trained employee is your best protection against a data breach. A poorly trained employee is your biggest nightmare. Criminals use “phishing” emails that look legitimate to encourage the reader to click on a link or attachment that downloads malware and viruses into your system. Or they call and pretend to need the user’s name and password to troubleshoot. Or users go to unsafe websites. Only 55% of websites are believed to be safe. Collectively, these schemes and more are called “social engineering,” and employees must be trained repeatedly and monitored to not fall victim.
  2. Patching: Ongoing software patching is critical so that all your software, especially security software, is always up to date. An IBM study found that 98% of companies that experienced a data breach in 2014 had not installed patches released up to a year earlier. Windows 2003 and Windows XP are no longer supported. Failing to frequently patch software opens huge holes in the front end of your system. So does not changing the default passwords on software, especially security software.
  3. Processes: A main goal of data security is to limit points of entry into your system as well as to secure your paper documents. Here are a few things your dealers can easily do to address these risks:
  • A dealership should restrict access to customer information. Permissions should be limited to only those employees who need customer information to do their jobs and only to the extent they need it. Also disable all administrator privileges as if these are compromised, a hacker can work substantial damage and change your system with a few clicks on a keyboard.
  • Train your employees frequently and make data security a dealership priority. Create a culture of security. Conduct periodic system penetration tests (“white hat” hackers) that attempt to break into your system and vulnerability assessments that detect viruses on PCs and use fake phishing emails to see how many employees click on them. There should be penalties or incentives for employees’ compliance with your security procedures to make it real.
  • Disable the ability of anyone to download customer information onto external devices such as USBs, external hard drives, and even PCs. Disable the ability to transmit it by email as well. Install data protection software that will help prevent data from leaving your system.
  • Reduce your risk of an employee being tricked by social engineering by systematically prohibiting access to Web-based email such as Gmail or Yahoo. Avoid malware-laden sites by enabling employees to only go to Internet sites approved by your IT department or consultant. Proxy servers that identify and block access to dangerous sites can also help. These steps alone will substantially reduce the risk of social engineering. A recent study found that one in 11 people click on links in phishing emails.
  • Require complex passwords and frequent changes. Systems that require log-ins usually provide for audit logs of access and activity. Keep and review periodically the audit logs of users as they can warn you of unusual activity such as spikes in an employee’s access to customer data which may indicate their credentials have been compromised. In the event of a breach, audit logs of system activity will be an important resource to assess and understand the breach.
  • Adopt clean desk and short PC screen timeout policies so criminals can’t take pictures of documents or information left out in the open. Similarly, wipe the hard drives of digital devices like PCs and copiers when you trade in or discard them; “deleting” data only removes pointers to it and the information can be accessed from the hard drive. Lock up all paper files and put a “gatekeeper” in charge to track who accesses them and why. These reviews should be combined with audit logs to gain a full picture of each user’s activity.
  • Do security background checks on vendors such as mail houses and credit portals that will have access to your customer data. Review their security policies, certifications, and penetration test results. Require notice immediately for any security incidents that could impact your information. Try to get an indemnity for inadequate security or a data breach, although many vendors may resist giving you this protection.
  • Investigate getting cyber insurance, which covers the costs of various elements of a data breach such as forensics, legal, regulatory, PR, customer service vendors and more. In 2014, a typical cyber insurance policy for $1 million of coverage cost about $16,000, whereas breached records were estimated to cost $201 for each one compromised taking into account all attendant costs and losses. Significantly, an estimated 40% of cyber insurance policyholders made claims in 2014.
  • The Federal Trade Commission (FTC) requires your Safeguards program to include a security incident response plan consisting of senior members of your team and outside specialists (IT, legal, PR, forensics, breach response vendors) who have assigned tasks if a breach occurs. Test the plan with tabletop exercises so that people will know their responsibilities as workflows develop. The first 48 hours after a breach are most critical, and having a response team in place will help you preserve evidence and manage the process more efficiently. Also get to know the cybersecurity specialist at your local FBI office. The FBI offers assistance to companies that are victimized by a data breach and a law enforcement investigation will give you cover to delay sending out notices to affected consumers (required by 48 states and the District of Columbia) until you are in a position to know what happened.
  • Be sure to encrypt all your customer data from the moment it is received or entered on your website until you securely destroy it. Make a disaster recovery (DR) copy of your data and applications and place it on another system. “Ransomware” attacks are increasing. In these attacks, a hacker encrypts your entire system so it is inaccessible. You are given a ransom amount to pay in virtual anonymous currency called bitcoins to get the encryption key. A DR system can limit your ransomware risk.
  • Mobile devices need to be managed. Obtain mobile device management (MDM) software which inventories every mobile device used to access your system and doesn’t let any others get in. Couple this software with “containerization” software that sends your information to the mobile device through a separate secure stream that you control. Adopt a bring-your-own-device policy that requires employees who want to use their personal phones and tablets to register them with the mobile device management software and allows you to install the container feature. This should help prevent your information from being accessed by any viruses the device picks up.

The FTC will not sue you merely because you experience a data breach. They and other regulators will look at the reasonableness of your program and practices, including your security incident response plan. Make sure to continually update your program as new threats develop.

These are just a few of the steps you can easily take to make your dealers’ customer information more secure and reduce their risk of being the next breach victim. These practices also will make their programs more reasonable in the event of a regulatory inquiry or lawsuit. Finally, please note that, due to the general nature of this article, it is not intended as legal or compliance advice to any person. It raises issues your dealers may want to discuss with their attorneys or compliance professionals.

Posted in Industry0 Comments

Smart Chip Cards: Now at Your Dealership

Smart Chip Cards: Now at Your Dealership

Until recently, Americans could be a bit old school when it came to credit card processing. Before this past fall, the U.S. was one of the only countries in the world that continued to rely on credit cards with magnetic stripe technology on the back.

As a result, more than half of the world’s credit card fraud takes place in this country. However, in October 2015, that changed, and dealers who accept credit or debit cards for payment in both sales and service need to be prepared for this change.

Similar to the rest of the world, electronic payment associations and regulators have mandated that U.S. card issuers embed smart chips into their cards. Through this new electronic payments industry initiative called EMV (Europay, MasterCard and Visa), retailers (including automotive dealers) were required to upgrade their card readers to be able to read encrypted information and authorizations communicated from the chip card by October 1, 2015.

The purpose is to reduce credit card fraud, which is rapidly on the rise in the U.S. given the static nature of cards with magnetic stripes and the ease with which to counterfeit them. The new chip card provides a different sequence of credentials (a unique one-time transaction code) for every use. If a hacker steals the chip information from one transaction, the stolen transaction number wouldn’t be usable again and the card would be denied. This makes chip cards very difficult to counterfeit.

Payment Liability Shift

In addition to implementing the latest chip-card technology, this initiative includes a payment liability shift for disputed charges between merchants and their customers for point-of-sale transactions. The liability shift means that retailers using non-EMV-compliant devices that choose to accept transactions made with EMV-compliant chip cards assume liability for any and all transactions that are found to be fraudulent.

MasterCard defines it this way: The party, either the card issuer or the merchant, who does not support EMV, assumes liability for counterfeit card transactions. They will also assume chargeback liability for customers who dispute charges. In effect, the liability will shift to whichever party is the least EMV-compliant.

So if a dealer is still using the old system, she can still run a transaction with a swipe and a signature. But the dealer will be liable for any fraudulent transactions if the customer has a chip card. The converse also holds true: If the dealer has a new EMV terminal, but the bank has not issued a chip and PIN card to the customer, the bank would be liable.

Cards-Not-Present and Mobile Payment Liability

The EMV liability shift only relates to face-to-face card-present transactions and not to card numbers you key-encrypt where the card is not present, such as an Internet or phone sale.

Dealers using mobile payment devices such as Square also have to purchase new equipment to read the chips on EMV cards. Square has designed two EMV-compatible card readers for Android and iOS devices — one for swiping and one for dipping. These will cost approximately $29 and $39 respectively but also will require programming changes. Until the dealer upgrades, the new EMV cards will be processed without the additional layer of encryption security the chip provides.

Transitioning to a Smarter Card

EMV compliance begins with acquiring new point-of-sale card readers. Systems conversions to accept the cards and training is also required. In effect, you are changing from swiping a card to “card dipping,” which is inserting the chip card into the new terminal reader and waiting for it to process.

The new terminals contain a slot to insert the card on the top or side that looks like a sim card. They also allow you to swipe the old magnetic stripe cards but also insert the portion of the card with the chip in it into the reader to read the chip data. The new chip cards will have a magnetic stripe on the back to be used with merchants who have yet to upgrade to EMV.

The card-dipping chip-verification process takes a little longer than a magnetic stripe card swipe. The card issuer determines whether the customer will use a PIN or a signature; most chip cards use a signature. Like today, the customer will sign on the point-of-sale terminal to take responsibility for the payment.

What Should I Do Next?

If your dealers have not already converted their card acceptance devices, they should contact their merchant acquirer who processes their card transactions and discuss appropriate solutions for implementing EMV at the dealership. There will be a lag time in obtaining the new chip card-reading devices and making software changes to be able to read the chip cards and implement the EMV technology. The dealership’s acquirer should be familiar with these processes and work with the dealer for an EMV-compliant solution that is cost-effective for the dealership.

Also, the liability shift risk should be weighed against the compliance costs. It doesn’t take many sales or service transactions that are disputed to make the liability shift generate significant losses for your dealership. What is your chargeback history or experience with counterfeit cards in all aspects of your business — sales, service and parts? Fraud losses on magnetic stripe cards have doubled over the past seven years and swiping magnetic stripe cards is clearly yesterday’s technology. The time to start planning is now and it should begin with a call to your acquirer. Get a sense of costs and timing (don’t forget to include training of employees) and go from there.

Posted in Industry0 Comments

CFPB Auto Finance Guidance Losing Momentum: What’s Next?

CFPB Auto Finance Guidance Losing Momentum: What’s Next?

The much-heralded CFPB Auto Finance Guidance issued in March 2013 appears to be losing its momentum in the first part of 2015.

You will recall that the Consumer Financial Protection Bureau (CFPB), which lacks jurisdiction under the Dodd-Frank Act over most franchised automotive dealers, claimed that lenders allowing dealers to mark up lender buy rates on credit sales had a “disparate impact” effect on protected classes of persons, principally women and minorities, under the Equal Credit Opportunity Act (“ECOA”). This, they claim, is credit discrimination. Very little detail was given to back up these assertions but the CFPB settled with a large lender for $98 million in December 2013 and several other lenders in September 2014.

In their recently issued 2014 Fair Lending Report, the CFPB indicated it “investigated a number of indirect auto lenders and has a number of authorized lawsuits.” Yet, no such suits have been filed. Also, the CFPB has announced no confidential supervisory settlements of auto finance credit discrimination since September 2013. That’s a long time for what the CFPB had previously characterized as a priority issue.

Debunking the Auto Finance Guidance

The original Auto Finance Guidance was very general and conclusory. It didn’t explain how the CFPB reached its conclusions. You can’t collect racial and demographic information in automotive finance transactions the way you can with mortgages. It took a while, but the CFPB announced it had identified racial and minority persons and their discriminatory rates by using a “proxy” known as the Bayesian Improved Surname Geocoding or BISG proxy. BISG estimates race and ethnicity based on an applicant’s name and census data. But in November 2014, AFSA released a study by the Charles River Associates Group that essentially blew away the credibility of the BISG as a legitimate and accurate way to identify classes of persons.

The Charles River Study calculated BISG probabilities against a test population of mortgage data, where race and ethnicity are known. Among the findings:

  • When the BISG proxy uses an 80 percent probability that a person belongs to an African American group, the proxy correctly identified their race less than 25 percent of the time.
  • Applying BISG on a continuous method overestimates the disparities and the amount of alleged harm and provides no ability to identify which contracts are associated with the allegedly harmed consumers.
  • When appropriately considering the relevant market complexities and adjusting for proxy bias and error, the observed variations in dealer reserve are largely explained. In looking at approximately 8.2 million new and used motor vehicle retail installment contracts originated during 2012 and 2013, the researchers found little evidence that dealers systematically charge different reserves on a prohibited basis and instead found that reserve variations could “largely be explained by objective factors other than race and ethnicity.”

Remember that $98 million CFPB consent decree in December 2013? As if to confirm the Charles River Study’s findings, not one customer refund check has been issued almost 18 months after the fact. Apparently, the CFPB can’t figure out who to send the refund checks to.

Judicial and Congressional Action

The CFPB is also facing a problem in the U.S. Supreme Court. In a case brought challenging the legitimacy of disparate impact credit discrimination under the Fair Housing Act—a law that has exactly the same language as ECOA in prohibiting only intentional discrimination and not disparate impact claims—the Supreme Court is expected to rule on the legitimacy of the disparate impact claim possibly before this article reaches print. In 2005, the Supreme Court ruled in an employment law case, that a disparate impact cause of action had to be legislated by Congress in the very words of the law and not be a product of a regulator’s concoction of what the Congress may have intended. Depending on how the Court rules now, the CFPB may be hard pressed to continue to assert that disparate impact credit discrimination is a viable legal theory.

The Congress has also gotten into the act. Last September, 130 House members of both parties sponsored a bill to repeal the 2013 Auto Finance Guidance. While that bill died at the end of the session, a bill to cut back the CFPB’s budget to a lower portion of the Federal Reserve’s budget (the CFPB is not appropriated by Congress) was recently passed out of Committee and sent to the House floor. Other bills to make the CFPB headed by a panel instead of a single Director and making at least a part of the agency’s funding dependent on Congressional appropriations are also making their way through the Congress.

In the meantime, few lenders have gone to flat fee pricing as the CFPB wants and dealer participation is alive and well. Even the CFPB has hinted that rate markups of 100BP or less have a good probability of not creating statistically significant rate variances.

A Possible Solution

So where will this end? In 2007, the Department of Justice (DOJ) settled two disparate impact credit discrimination claims with automotive dealers and their methodology in doing so may provide the impetus for a resolution now. The DOJ told the dealers to adopt a standard rate markup for all customers. They could deviate downwards (but not upwards) only if there existed a “legitimate business reason” and the DOJ identified seven of them. Every deal jacket would contain a worksheet indicating whether the standard markup or a lower markup was used and, if lower, the legitimate business reason that justified doing so. The DOJ’s Chief of Enforcement confirmed his agency’s support for that solution at a CFPB hearing in November 2013.

NADA has essentially put into words the DOJ’s solution in its Fair Credit Compliance Policy and Program (available at and it is a program that all dealers should consider adopting. As in 2007, you establish a standard rate markup and apply that to all customers unless one of the seven legitimate business reasons applies to justify a lower markup. You document in each deal jacket what the standard rate markup is and whether you used it or a lower amount. If lower, you indicate which of the seven legitimate business reasons justified doing so and keep that worksheet in the deal jacket.

The CFPB is trying to claim that even if every dealer adopted the NADA program, different rate markups by different dealers would create a “portfolio-level disparate impact” for lenders who buy from many dealers. There is no legal authority that supports this position and that argument was pretty well disposed of by the U.S. Supreme Court several years ago in a case against Wal-Mart. In the Wal-Mart case, the Court held that the hiring decisions of individual store managers could not be imputed to Wal-Mart as a whole to prove Wal-Mart was discriminating. In the auto finance context, dealers are independent business people and trying to make a lender liable for rate differences among individual dealers is at least as tenuous as the argument against Wal-Mart for its individual store managers.

So on all fronts—legislative, judicial, statistical—the CFPB is having a hard time defending the 2013 Auto Finance Guidance. That would be consistent with why no actions have been filed or consent decrees issued for almost nine months. The tone of this “disparate impact” issue has definitely changed and is changing and not in a way the CFPB would like.

Posted in Compliance0 Comments