Latest CFPB Supervisory Highlights Identify Novel Violations Across Host of Financial Products and Services

Cooley alert
August 1, 2023

On July 26, 2023, the Consumer Financial Protection Bureau (CFPB) issued its Summer 2023 Supervisory Highlights describing key findings and violations identified during examinations conducted between July 2022 and March 2023.

The findings cover a broad range of areas – including debt collection, deposits, fair lending, information technology, payday and small-dollar lending, remittances, auto origination and servicing, and mortgage origination and servicing. The report also describes the CFPB’s efforts to assess how technology used by supervised entities may impact consumers and affect compliance with federal law. Although certain practices are attributed to the offering of a specific financial product or service, the themes from each section are worthy of consideration, as many are generally applicable and can help with the internal assessment of practices that might be criticized as unfair, deceptive or abusive.

Auto lending and servicing

With respect to auto lending, examiners identified as deceptive auto finance origination practices whereby lenders utilized advertisements for loan offers that depicted larger, newer and more expensive cars for which the offers did not actually apply. On the auto servicing side, examiners identified as unfair and abusive practices where auto servicers collected and retained interest on add-on options that were financed into the loan amount even though the vehicle securing the loan did not contain those options. Examiners also identified as unfair situations where servicers suspended recurring payments without providing adequate warnings, as well as where they cross-collateralized loans and required consumers to pay off other debts before redeeming repossessed vehicles.

Furnishing credit report information

Examiners found a host of technical violations associated with furnishing consumer report information to credit reporting agencies. This included failing to:

  1. Periodically review and update policies and procedures to facilitate the accuracy and integrity of furnished information.
  2. Conduct reasonable investigations of direct disputes.
  3. Notify consumers that a dispute is frivolous or irrelevant.
  4. Provide adequate address-related disclosures for notices of inaccuracy.

The CFPB directed these institutions to revise policies and procedures, update furnishing systems and train staff regarding dispute handling.

Fair lending

Examiners identified fair lending concerns with respect to mortgage lender administration of pricing exceptions and consideration of criminal records and public assistance income in underwriting criteria. In the mortgage origination space, examiners identified that mortgage lenders were less likely to grant pricing exceptions for competitive purposes to protected class consumers, including with respect to race, national origin, sex or age. Lenders were criticized with respect to enforcement of pricing exception policies and procedures, failing to take corrective action to address observed disparities, failing to maintain sufficient documentation to justify the exceptions and offering inadequate training about pricing exceptions.

With respect to underwriting practices, the CFPB indicated that consideration of prior contact with the criminal justice system creates a heightened risk of disparate impact and identified concerns with respect to incorporation of this factor in mortgage origination, auto lending, credit card offerings and small-business lending. Regarding consideration of public assistance income, examiners identified instances where lenders inappropriately excluded certain types of public assistance income from consideration or imposed stricter standards on income derived from public assistance programs. The CFPB also highlighted concerns with respect to failing to consider Section 8 Housing Choice Voucher Homeownership Program income, not offering mortgage credit certificate benefits and maintaining extended continuity-of-income requirements for public assistance income.

Debt collection

Examiners identified Fair Debt Collection Practices Act (FDCPA) violations where debt collectors continued collection attempts for work-related medical debt, despite receiving information that the debt was no longer collectible under state worker’s compensation law. This is consistent with the CFPB’s continued focus on issues related to the collection of medical debt and recent announcement that it is partnering with other agencies to address how medical debt is impacting consumers. Examiners also identified situations where debt collectors told consumers they would reverse accrued interest if a debt was paid by a certain date, but then did not actually waive that interest.


Examiners identified as unfair the practice of assessing both a nonsufficient funds (NSF) fee and a line of credit transfer fee on the same transaction. The CFPB noted that the supervised institutions believed they had controls in place to avoid charging two fees on the same transaction, but system-programming limitations failed to prevent the practice.

Payday lending

Examiners identified as unfair, deceptive and abusive practices where lenders drafted language in loan agreements that prohibited consumers from revoking their consent for the lender to call, text or email the consumer about collection attempts, or where lenders made false collection threats to garnish the wages of borrowers when they did not have the authority to do so. Examiners also identified risks associated with lenders failing to determine, before engaging in a transaction, whether a consumer was protected pursuant to the Military Lending Act.


Examiners found that institutions failed to develop and maintain proper error resolution policies and procedures for remittance transfers. As an example, some institutions utilized an anti-money laundering policy and procedure in lieu of a remittance rule policy that failed to cover all requirements of the remittance rule.

Information technology and privacy

Examiners determined certain institutions engaged in unfair acts by failing to implement adequate IT security controls that could have prevented or mitigated cyberattacks. The lack of controls caused harm due to bad actors gaining unauthorized access to consumer bank accounts and withdrawing substantial amounts of funds. The CFPB directed these institutions to implement multifactor authentication and enhance password management practices.

Mortgage lending

Examiners determined institutions inappropriately based loan officer compensation on the terms of a transaction where they maintained a policy of varying compensation based on whether a product was brokered out rather than originating in house, even where the brokered product could not be originated by the lender. Examiners also identified a technical violation of Regulation Z where an institution’s loan origination system was not programmed to properly round the interest rate on a promissory note and reflect the terms of the legal obligation.

Mortgage servicing

Examiners identified a host of technical violations regarding:

  1. The timing, as well as representations regarding the timing, for processing loss mitigation applications.
  2. Ensuring customer service personnel were sufficiently available to borrowers, or were able to timely access information regarding a borrower’s account.
  3. Failing to credit payments after a servicing transfer.
  4. Failing to identify missing information after a servicing transfer.

Examiners also found that a servicer’s Spanish-language acknowledgement notices lacked regulatory-required information, even though the English-language notices contained the required information.

Nonbank supervisory authorities

The Supervisory Highlights also touched upon other nonbank supervisory developments, including with respect to larger market participants and organizations identified based on the CFPB’s risk-based analysis. The CFPB states that, to date, it has already issued “several” Notices of Reasonable Cause to commence risk-based supervision, and in some cases, after discussion with supervision, entities voluntarily agreed to be supervised.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.