By Ken Rishel
Rishel Consulting Group
Many retailers don’t worry very much about their compliance responsibilities because they are not lending. Many engaged in lending do worry about the Consumer Financial Protection Bureau and state licensing authorities, but don’t worry about other regulators.
Both groups are making potentially serious mistakes by not understanding the role of a state attorney general. The truth is, retailers and lenders may not even know how much authority and appetite the attorney general’s office in any state may have for making their life miserable regarding compliance issues.
While it is well known that attorneys general possess a wide variety of powers and have a long history of using them in areas from antitrust to the environment and everything in between. Apparently, it is not well known that attorneys general wield even greater enforcement power than ever before in conjunction with federal agencies, through multistate partnerships with fellow attorneys general, and on their own, through new enforcement powers granted to states under various federal laws.
The hottest areas for attorney general enforcement, discussed in more detail below, is consumer financial services and laws relating to identity theft and privacy. A recent meeting between the CFPB, U.S. Department of Justice and numerous state attorneys general made clear the fact the federal agencies were ready and able to assist any state attorney general who wanted to use federal laws to regulate and prosecute scofflaws and other unfortunates who were not complying with federal laws that related to lending.
News coverage of the CFPB and its broad authority to investigate companies that offer consumer financial products or services has obscured the fact that the Consumer Financial Protection Act (CFPA) provides state attorneys general nearly the same broad authority to prevent “unfair, deceptive or abusive acts or practices” (UDAAP). This means that attorneys general can seek remedies that may not be available under state law. For example, they can seek penalties of up to $1 million per day for knowing UDAAP violations, and they can seek redress on behalf of consumers outside their state’s borders.
CFPB attorneys have said many times that they are eager to partner with state attorneys general and bank regulators.
One of the bureau’s first actions — before it even assumed its enforcement authority — was to sign a joint statement of principles with the attorneys general, committing to sharing information, consulting and conducting joint investigations.
CFPB Director Richard Cordray is a former Ohio attorney general, and he makes clear in his regular speeches to attorneys general how much he values their partnership. Beyond this, the CFPB has several enforcement attorneys who are alumni of attorney general offices, including from Massachusetts and Illinois. These partnerships allow attorneys general and bank regulators to leverage the CFPB’s resources, and they often lead to joint settlements.
For example, in December, the CFPB along with Virginia and North Carolina settled with a furniture finance company on claims that it filed illegal lawsuits and debited consumers’ accounts without their permission. These independent actions are especially hard to anticipate and prevent, because states don’t necessarily follow the same enforcement protocols or have the same enforcement priorities as the CFPB or other federal agencies.
In addition, the state attorneys general have the ability to go after non-lenders, like retailers, on other issues — and they have and are continuing to pursue enforcement of both the Red Flag Rule and the Safeguard Rule as well as the Disposal Act and the Privacy Rule. The truth is, if consumer finance is hot, consumer privacy is even hotter.
While the Federal Trade Commission has not pursued the federal regulations under their authority with any real vigor until recently, the state attorneys general have not waited to act. Many have demonstrated a keen interest in data loss, both pushing for the enactment of substantive privacy laws as well as vigorously engaging in enforcement.
On the data loss front, breach notification laws exist in 47 states. New state laws are also springing up regarding identity theft and the responsibilities of all businesses to assist in preventing the use of stolen identities as well as assisting in the catching of those attempting to do so.
State attorneys general are investigating businesses failing to institute a compliance management system that addresses their specific privacy laws, as well as under their laws regulating unfair or deceptive acts or practices, and they work together with other states and with the FTC to settle those actions. The states convene monthly multistate calls on privacy. Thus, if one state learns of a privacy-related enforcement or identity theft issue, all states likely will know about it in short order.
As with the legal exposure from the CFPA, when dealing with privacy and data protection issues, companies must examine their policies and security measures on an ongoing basis, with an eye to how they comport with the issues attorneys general have focused on. There are no one-size-fits–all solutions; rather, companies must proactively take steps to identify and eliminate practices that have drawn the ire of attorneys general.
For retailers who do not lend money, there are, as this newsletter has repeatedly written, very real laws that require them to have a compliance management system in place and effectively operational. This system needs to have written policy and procedure manuals that address all of the compliance issues they are required to deal with, and a provable and effective employee training program to assure employees are, in fact, doing what the manuals dictate.
These businesses must also have an audit system to check the effectiveness of the compliance effort. All of this needs to be run by a properly trained compliance officer.
Ken Rishel is an industry consultant on compliance issues that pertain to a variety of state and federal regulations. His specialty is working with manufactured housing retailers and communities, but many of the laws impact RV dealers and campgrounds that lease sites long-term. He can be reached by calling 312.878.2802 or by e-mail at email@example.com