The Consumer Financial Protection Bureau: A New Financial Privacy Regulator Emerges (and Not Without Controversy)

20 January 2012 Privacy & Security Source Publication

The federal Consumer Financial Protection Bureau (the Bureau) was created by 2010’s massive Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) and officially “opened for business”—at least in part—on July 21, 2011. Now, the new federal Consumer Financial Protection Bureau has assumed rulemaking powers, and many supervisory and enforcement powers, for Gramm-Leach-Bliley Act financial privacy matters for all financial institutions and any other persons and entities which offer or provide any consumer financial product or service, including their affiliates which act as a service provider to such persons or entities (Covered Persons).  

Financial privacy rules had previously been issued and enforced by a variety of similar rules issued and enforced by different federal regulators: 

  • the Federal Reserve Board (Regulation P) for state-chartered banks which are members of the Federal Reserve System;
  • the Office of the Comptroller of the Currency for national banks;
  • the now-abolished Office of Thrift Supervision for federal savings banks and savings associations;
  • the Federal Deposit Insurance Corporation for state-chartered banks which are not members of the Federal Reserve System;
  • the National Credit Union Administration for credit unions;
  • the Commodity Futures Trading Commission for certain commodity futures commission merchants, trading advisors, pool operators and introducing brokers;
  • the Securities and Exchange Commission (Regulation S-P) for securities brokers, dealers, investment companies, and registered investment advisors; and
  • the Federal Trade Commission for all other entities. 

The Dodd-Frank transferred rulemaking authority over financial privacy matters to the Bureau effective July 21, 2011, and the Bureau has just republished, and made conforming modifications to, the financial privacy rule. It has been published as the Bureau’s new Regulation P, at 12 C.F.R. Part 1016. 

In addition to its rulemaking authority, on July 21, 2011 the Bureau acquired supervisory and enforcement powers with respect to financial privacy matters over large banks, savings banks, savings associations and credit unions (with assets over $10 billion). Other federal regulators retained supervisory and enforcement authority with respect to smaller depository institutions. 

On January 4, 2012, President Obama made a controversial recess appointment of Richard Cordray to act as the Bureau’s first director. Under the Dodd-Frank Act, upon the appointment of a director, the Bureau acquired additional powers to supervise and regulate (i) mortgage brokers, originators and servicers, (ii) “larger participants” in a market for consumer financial products or services (to be determined by a future rule by the Bureau), (iii) persons or entities who offer or provide private education loans, and (iv) other persons or entities whom the Bureau determines engage in conduct which poses risks to consumers in the offering or provision of consumer financial products or services. Senate Republicans and certain financial companies have signaled that they believe the recess appointment of Cordray was flawed because the Senate had been holding pro forma sessions, and it is a distinct possibility that the Bureau’s future attempts to supervise and exercise supervisory powers over these non-depository institutions may be challenged in court.