Digging Into CFPB's Overdraft Fee Consent Guidance
Editor's note: Authored by Michelle Rogers, Josh Kotin and Obrea Poindexter, this article was originally published in Law360.
On Sept. 17, the Consumer Financial Protection Bureau issued Circular 2024-05, which expounds on overdraft fee-related record retention obligations under the Electronic Fund Transfer Act and Regulation E.[1]
On its face, a circular about record retention seems like something of a snooze fest given the frequent and novel pronouncements coming from the CFPB these days.
However, a closer read reveals that the circular has little to do with standard record retention, and instead expands beyond the requirements of Regulation E to what the CFPB claims financial institutions must retain to evidence a consumer's prior consent when continuing to assess overdraft fees.
The circular reminds institutions they bear the burden of proof prior to levying overdraft fees and offers examples of such proof.
The EFTA and Regulation E prohibit financial institutions from charging overdraft fees on ATM and one-time debit card transactions without the consumer's affirmative consent.[2] Specifically, Regulation E requires financial institutions to:
- Provide the consumer with a notice in writing or, if the consumer agrees, electronically, separate from other information, that describes the financial institution's overdraft service.
- Provide consumers a reasonable opportunity to affirmatively consent, or opt in, to overdraft services.
- Obtain the affirmative consent from the consumer before charging the consumer any overdraft fees.
- Provide the consumer with confirmation of the consent that includes a statement informing the consumer of their right to revoke that consent.[3]
The CFPB's circular describes what might constitute acceptable evidence that a consumer has opted in to overdraft services. Where the consumer indicates their intent to opt in to covered overdraft services by mail or in person, the circular provides that the institution can simply retain a copy of the signed or initialed form evidencing affirmative intent to opt in.
Where the consumer provides consent via phone, the CFPB indicates that it would be sufficient to retain a recording of the phone call in which the consumer clearly states they have elected to opt in to covered overdraft services.
For online enrollment, or enrollment via a mobile application, the circular indicates sufficient evidence could be "a securely stored and unalterable 'electronic signature'" that conclusively demonstrates the specific action taken by the consumer to affirmatively opt in.
The CFPB also states the institution would need to retain the date the consumer undertook the specified action.
The CFPB claims institutions may need to keep evidence of affirmative consent longer than Regulation E's record retention requirements.
The interesting rub, buried within a footnote in the circular, however, is the CFPB's attempt to expand Regulation E's two-year record retention requirements.
Regulation E requires a person "to retain evidence of compliance with the requirements of [the EFTA and Regulation E] for a period of not less than two years from the date disclosures are required to be made or action is required to be taken."[4]
However, the circular proclaims that the obligation to have evidence of compliance with the affirmative consent requirement for assessing an overdraft fee is "an independent legal obligation" and "does not change the fact that the absence of records proving that an opt-in occurred is suggestive that a consumer did not opt in."
Based on the circular's opening statement — that a financial institution can be in violation of the EFTA or Regulation E if there is no proof that it obtained affirmative consent — the only way to square these "independent legal obligations" is to conclude that the CFPB believes that the financial institution must retain records of affirmative consent beyond the two-year record retention requirement.
The CFPB is using its entire toolbox to pressure institutions on overdraft fee practices.
The CFPB's march against overdraft practices started in its research arm, made its way to supervision and enforcement, and is now also being carried out in the rulemaking area.
In a late 2021 report, the CFPB accused banks of becoming "hooked on overdraft fees to feed their profit model."[5] Supervisory and enforcement actions soon followed, with the CFPB taking aim at a variety of overdraft practices — including the practice of charging fees in connection with transactions that were authorized positive but settled negative, (commonly known as APSN), the assessment of fees on represented transactions, and even the adequacy of the original opt-in practices themselves.
Of late, the CFPB is utilizing its regulatory function and deploying formal rulemaking, advisory opinions and this most recent circular to shape its oversight of not only overdraft fees, but also other deposit-related fees.
In January, the CFPB issued a proposal that would require large banks to treat overdraft services as credit subject to Regulation Z,[6] and in July, the CFPB warned banks against assessing fees for providing information services to consumers as part of its update on implementation of its Section 1034(c) advisory opinion.[7]
With this circular, the CFPB is pressuring financial institutions to reaffirm that they do, in fact, have proof of consumer consent to overdraft fees before they can actually assess such fees — despite specific statutory language that arguably requires no such thing.
What's a financial institution to do?
Although the CFPB touts its circulars as mere statements of policy to provide background about applicable laws, there is certainly the possibility that financial institutions adhering to Regulation E's two-year record retention requirement may no longer have documentation of a consumer who consented to overdraft services long ago. At the same time, existing retention practices that are mapped to the statutory requirement may not be designed to capture this nuance.
Absent a challenge to this new position, financial institutions may want to review their record retention policies and existing documentation to assess how they stack up against the CFPB's latest position — and whether additional measures may be required to ensure they have evidence of prior consent.
[1] CFPB, Circular 2022-06, Unanticipated Overdraft Fee Assessment Practices, October 26, 2022.
[2] It is important to note that these rules do not apply to overdraft fees charged on written checks, recurring debit transactions or Automated Clearing House (ACH) transactions.
[3] 12 CFR 1005.17(b)(1).
[4] 12 CFR § 1005.13(b)(1).
[5] CFPB Research Shows Banks' Deep Dependence on Overdraft Fees, December 1, 2021.
[6] 89 Fed. Reg. 13,852.
[7] CFPB, Supervisory Highlights: Servicing and Collection of Consumer Debt, Issue 34 (Summer 2024).
This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.