Orrick RegFi Podcast | The Expanding Role of State AGs in Consumer Financial Protection

RegFi Episode 62: The Expanding Role of State AGs in Consumer Financial Protection
 29 min listen

Rob McKenna, Orrick partner and former Washington State Attorney General, joins RegFi co-hosts Jerry Buckley and Caroline Stapleton to discuss the expanding role of state attorneys general in consumer financial protection. The conversation explores how state AGs and regulators are setting standards for privacy, crypto and other digital assets, artificial intelligence, bank/fintech partnerships and other issues impacting the financial services industry.

    Jerry Buckley:  Hello, this is Jerry Buckley, and I’m here with RegFi co-host Caroline Stapleton.

    Caroline and I are struck by the increasing role that the states are playing in shaping the federal financial services regulatory environment. States are taking a lead in the regulation of fintech companies, data protection, money transmission, privacy, and in establishing rules that govern cryptocurrencies and, most recently, the use of artificial intelligence.

    To help us understand this increasing state presence in the consumer financial service protection space, we are joined by Rob McKenna, who leads the State Attorney General team in the firm’s State & Federal Government Solutions group. Rob served as Washington State Attorney General for eight years and was president of the National Association of Attorneys General in 2011 to 2012. He helped negotiate three of the largest consumer protection settlements in national history, all involving mortgage lending and servicing. And he’s also a recognized leader in developing data protection and privacy regulation.

    Rob, let’s start by your giving our listeners an overview of the role that state attorneys general have historically played in protecting consumers, particularly in the area of consumer finance.
    Rob McKenna:  Well, the AGs have been active in consumer protection since roughly the 1960s when states began adopting their own consumer protection laws. I think California might have been the first state to do that. Sometimes they’re called mini-FTC acts. They apply a standard we call UDAP, U-D-A-P, unfair, deceptive acts or practices, which is to say these statutes prohibit unfair or deceptive acts or practices by businesses.

    Most AGs oversee the consumer protection functions for their state, the consumer protection role. There are a few states that have separate consumer protection departments, but in the vast majority of states, it’s the AG who is the leading consumer protection enforcer. And that means that they pretty much get to decide where they want to enforce. A lot of it’s driven by complaints that they receive from consumers, not surprisingly.

    And in the area of consumer finance, we really began to see an upswing in complaints around consumer finance issues as consumer finance options for consumers really began to grow. The multiplication of various services and products companies providing consumer finance over the last 20, 30 years has been directly correlated to the level of complaints that AG offices received.

    Just think about what life was like before modern consumer finance. When everyone went to their savings and loan, they’d go to their bank. Finance was heavily regulated, very simple. We just didn’t see a lot of complaints. I mean, historically, most complaints to consumer protection offices with the AGs come from consumers worried about used cars or cable TV, things like that.

    But certainly over time, we’ve seen an increase in consumer complaints, although I would say that consumer finance probably still barely breaks into the top five by category. But just the sheer volume, Jerry, of consumer finance transactions and options inevitably leads to more complaints from consumers. And that includes services provided by newer companies who may not always understand the rules, may not have strong back-office support to deal with consumer complaints themselves.

    And so, the AGs, with their broad, broad authority under the UDAP standard, will respond to those complaints. They’ll investigate. And then maybe later in this conversation, we’ll talk about how they investigate on a multi-state basis, which is where a lot of the power of AGs comes from.
    Jerry:  And as mentioned, the state legislatures are filling a void that seems to be created by the failure of the federal government to respond. For instance, there isn’t a national privacy law still, even though many states, led by California, have been involved in that area. And we’ll talk more about privacy and data protection later on. But it’s certainly not the only area where the states have been active, both from a regulatory and a legislative point of view, which of course, then increases the mandate for the attorney general to be attentive to those state laws.
    Rob:  Exactly right, Jerry. An example that comes to mind that I dealt with when I was in office is payday lending. Payday lending became a big topic in state legislatures, partly driven by concerns raised by military personnel and their advocates, who noticed the proliferation of payday lending stores right outside of military bases, and they were really worried about more and more military personnel getting into these revolving situations with payday lenders. So, the legislature started to act on that, and the AGs became the enforcers.

    A much more recent example, even more recent than data privacy, is that states that are adopting regulations of artificial intelligence are putting the enforcement authority in the AG office. And so that’s happening fairly fast. And it’s happening quickly in part because a lot of states just went through this with data privacy regulation, where they generally locate the enforcement authority in the AG office.

    So, I’ve noticed that the speed with which legislatures are moving on AI and the involvement of AGs in shaping AI’s legislation and regulation directly correlates to the fact they just went through all of this a few years ago with data privacy.
    Jerry:  And interestingly, Rob, the data privacy rules as adopted in California and in many states have varying degrees of exemption for financial services firms subject to the Gramm-Leach-Bliley Act or the Fair Credit Reporting Act. But I don’t believe that same type of exemption is available in the AI space.

    So, I think if we were advising our listeners who are in the financial services business this is an area where they have to pay attention to the states and they have to establish good relations with their AGs and let them know what they’re doing. I want to talk about that just a little bit.

    I think that the client that isn’t known to an AG, when a complaint is filed and they then show up and have to deal with a civil investigative demand or other request for information, is at a huge disadvantage. Very important to be known to your attorney general.
    Rob:  That’s such a good insight, Jerry. You’re absolutely right. A lot of the work we do at Orrick for our clients in the state AG space is all about familiarizing AGs with industry sectors and specific companies. And new entrants to the marketplace who are disrupting the marketplace are particularly well-advised to come in and get to know the AGs because it’s just easier to address a problem when it does come up if you already have a relationship with the AG and the AG’s office. And that’s particularly true with new companies and new product lines with market disruptors.

    I always say about market disruptors that the pattern is nearly always the same. Market disruptors trigger a reaction by market incumbents, who then run to the regulators they’ve been working with for decades. The market incumbents go to the regulators and say, “Hey, they can’t do that, can they?” And the regulator says, “Yeah, they can’t do that.” And they just try to figure out how to fit this new financial services model, for example, within an existing framework of regulation until and unless the legislature catches up and modifies the law.

    A recent example of this that I’ve been working on involves equity sharing arrangements that a number of companies are offering that allow you to tap the home equity that you built up without taking out a loan. Basically, you’re sharing the future capital gain when you do sell your house with someone who will give you hundreds of thousands of dollars in some cases in order to have a stake in that growth. They’re also taking the risk, of course, if the house goes down in value, they’re not going to get their money back.

    But this is a new model. And sure enough, when companies that built these models came out and started offering product, conventional lenders and consumer advocates ran to regulators first and then to legislators to say, “Hey, this is mortgage lending. You need to regulate this.” And we’ve been dealing with that in the legislatures.

    So, my principal client in that space actually was smart and they started asking me for help early on. Back when they were just a venture-funded startup, it was the venture capital firm that introduced me to them and said, “Hey, these guys could use your help.” And they’ve really been the most successful company in my view because they started early, not just educating attorneys general and their staff about equity sharing arrangements, not just reaching out to regulators proactively and, for example, reaching out to the Department of Financial Institutions in Washington State where I helped them, but also helping these AGs get to know them as a company, getting to know the personalities of the founder and the general counsel and so forth. And they’ve also made some smart moves. They decided to get licensed as a mortgage lender in every state, even though there’s a pretty good argument they didn’t need to be. They made that choice. It was a smart choice. It took the bullseye off of them. And it shows the value of early proactive engagement.

    I always say, think of what our team does, what Orrick does, as calling the fire marshal to come in and check your smoke detectors and your fire prevention systems to keep the fire from happening, instead of waiting until your house is on fire, then calling us. Believe me, we’re happy to also be firefighters. It’s just a lot more expensive to hire the firefighters than the fire marshal.
    Jerry:  Right. Caroline, let’s bring you into this. And I know you have a question.
    Caroline Stapleton:  Yeah. Rob, you mentioned it’s not just the AGs who are in this space, particularly with novel products or companies that are leveraging technology in the financial services space. You mentioned state banking commissions, state licensing authorities.

    How does that interaction work between state AGs and these other state authorities that have jurisdiction over financial institutions and their service provider? Can you speak to that?
    Rob McKenna:  Yeah, excellent question. So, first of all, the regulator, you know, they have their own authority. And I will caution as I give this general explanation that it varies from state to state, what I’m about to tell you. But in general, the regulator like the Department of Financial Institutions, they have their own authority. They’ll often have staff attorneys. Some states allow them to have general counsel offices, but they’re running their regulatory function themselves. They might seek guidance from the attorney general’s office on a question of statutory interpretation, for example, but otherwise, they don’t involve the AGs.

    There are a couple of reasons for that. One is they have their own authority. They know what they’re doing. They’re deeply experienced. Two, they have to pay for legal services from the attorney general. So, they’re not going to just run to the attorney general every time they have a question. They’re figuring things out for themselves. Now, where the AG and AG staff, the assistant attorney general, will get involved, again, sometimes it’s around client advice. But always, almost always, I should say, depending on the state, they’re going to need to involve the AG if the enforcement action rises to the level of going to court.

    So typically, administrative proceedings will be handled in-house, by in-house attorneys, administrative law judges and the like. But if the company on the receiving end of that enforcement action decides to appeal from the administrative action to the court, then they’re going to involve the attorney general. And the assistant attorney general is going to represent them in that court proceeding, defending the agency’s decision.

    Now, having said all of that, we already talked about enforcement under the State Consumer Protection Act. There, you might see the AG, and often we’ll see the AG come in and bring an enforcement action alleging an unfair or deceptive act or practice. We certainly saw that with some payday lending companies. We’ve seen it with some other types of consumer finance. But that is, of course, enforcement under the statute the AG is responsible for enforcing, as opposed to enforcement under the state’s finance laws, which the state financial regulator is responsible for enforcing.

    And of course, it’s possible that the AG, if they decide to really go after a company, will bring an action under both working with the regulator because the consumer protection law acts as a multiplier. It multiplies potential penalties. It gives them the power to seek restitution. And importantly, it also empowers the AG to seek injunctive relief, as we call it. In other words, in a settlement or in a lawsuit, to force the company that’s the target to change their practices.

    So nearly every settlement of any kind of consumer protection action, including consumer finance, is going to include an injunctive provision. An example would be strengthening the disclosures on the website. If you’re talking about an online company that is offering a consumer financial product, there may be a claim that they didn’t disclose the fees adequately. You’ve got the opt-in, opt-out model for consumer choice, particularly for subscription models. Did you disclose that adequately? If it’s opt-out, where you’re automatically enrolled for a subscription unless you opt out of it, standards are going to be higher.

    So injunctive relief is a big part of what AGs are after, right? They’re trying to get at the core problem that has generated consumer complaints or has just created the potential for unfair deceptive treatment of consumers. It’s important to understand that an attorney general under a consumer protection statute, under the UDAP standard, is not required to show anyone has already been deceived or treated unfairly. They just have to show there’s the potential of deceiving or treating unfairly a consumer from a particular act or practice. It’s a very powerful standard. I say UDAP is in the eye of the AG beholder, right? What is unfair, deceptive? Well, it’s what the AG thinks and what the AG thinks they can prove in court if they have to go that far.
    Jerry: You know, Rob, I know certainly in the federal context, if there’s a serious issue, it is not uncommon to appoint a monitor. Is that something that you see in the state AG space very often?
    Rob:  It is, but not for routine enforcement actions typically. For big ones, like there was a wave of attorney general enforcement against for-profit universities and colleges that in several cases resulted in a monitor being put in place to monitor the college or universities, the corporation’s compliance with the settlement terms. We’ve also seen that in other big multi-state settlements. But it’s not a routine feature of a settlement that’s between even a group of AGs and a single company.

    Now, what they will do, however, is put real teeth in the consent decree that settles the case. And by the way, most of these cases settle. Very few companies will litigate because, again, unfair or deceptive is pretty subjective. You’re in state court. The AG has a lot of advantages. So, most companies choose to settle rather than take their chances in court. But when they settle, they’re going to enter into a consent decree. Sometimes it’s an assurance of voluntary compliance, but it’s court enforceable.

    And so, if the company fails to abide by the terms of the settlement, the AG can come after them, and repeat offenders, as the AGs see it, are going to be subject to even bigger penalties and fines. And so, there’s a lot of juice behind that settlement that basically causes people to stay in line. They don’t want to get in trouble a second time. And the AG doesn’t monitor actively in most cases. The AG simply waits for new consumer complaints.

    So, my advice to every company out there that’s listening, every representative of a company, is the best thing you can do to avoid getting into the crosshairs of any attorney general in their consumer resource division, is to resolve consumer complaints yourself as quickly as possible.
    Jerry:  Exactly. Well, Rob, you know, the Dodd-Frank Act conferred on state attorneys general the authority to enforce federal consumer protection laws. Of course, in doing so, the AGs must coordinate with the CFPB, and the CFPB can intervene to take charge of the case if they choose.

    Using this delegated authority, state AGs have brought cases related to mortgage servicing and foreclosure, as we mentioned you were involved in, and debt collection, payday lending, student loan servicing, and auto financing. Whether the new leadership at the CFPB will encourage the use of this Dodd-Frank authority remains to be seen.

    However, I wonder if it’s possible that even without explicit Dodd-Frank delegation of authority or CFPB enforcement, the state AG might use this general UDAP authority to bring actions for violations of federal consumer protection statutes. And you’ve prefigured the answer to that in your earlier comment, but maybe you could expand on that because there is some question of whether taking a different view than the attorney general, the CFPB might intervene and try to take charge of a case.
    Rob: Well, it certainly could happen. I will say that in general, where we see state AG enforcement under the federal statute, it’s because the CFPB is coordinating actively with the attorneys general and maybe actually reaching out to encourage it and suggest joint enforcement, if not stall enforcement by a state. I think usually it’s going to be joint enforcement.

    I will tell you that at a recent meeting of the Democratic Attorneys General Association in Los Angeles, Rohit Chopra made an appearance. He’s now at a private law firm. And he was there to actively encourage those AGs to bring enforcement actions. And by the way, hire his law firm to help them do that.
    Jerry:  A special attorney general? Oh, that’s interesting. Yeah.
    Rob:  Yeah. Yeah. So, but he was, to your point, Jerry, he was there to remind the AGs they can bring enforcement actions and they don’t have to wait for the CFPB to ask them to do that.

    But I’ll also say that the level of coordinated enforcement between CFPB and the states, between the FTC and the states, really varies from administration to administration. And that’s true in areas like antitrust enforcement as well, by the way, where DOJ is involved. It really varies from administration to administration. The line attorneys in the consumer protection units, in the antitrust units of AG offices will often have relationships with the attorneys and leaders of the Department of Justice, the FTC, and the CFPB.

    In fact, when the CFPB was stood up, which took place when I was in office, they populated their office with a lot of current assistant attorneys general who moved over to the CFPB. I lost one of my best people who wanted to go back to DC to work for them. Now the reverse is happening to some extent, and you’re seeing some CFPB attorneys come back out and go to AG offices.

    But, there are close relationships. And these assistant AGs who specialize in this kind of work are typically in their offices for long stretches of time. They’re career government attorneys, just like in the federal government, you’ll see that commonly. And they build up relationships with each other from state to state. They build up relationships with their federal counterparts in many cases. My chief of consumer protection antitrust left after I left office and went to work for the FTC in the region and is doing similar work over there. So, they have relationships.

    It makes it easier and more common for you to see joint enforcement because they’ll talk to each other. And, you know, states don’t always decide to come in, but you’ll see, for example, in merger activity, but also in some investigations by entities, even including the Federal Communications Commission, but certainly the FTC and DOJ, CFPB, that states will ask for confidentiality waivers when an investigation is underway.

    And in order to get access to the documents that the federal agency, the investigative agency is collecting, and then they’ll decide, do we want to do this or not?

    And one of the factors that line AGs, assistant AGs will use, one of the factors affecting their decision is what their colleagues are doing in the other states. And they talk to each other all the time. The National Association of AGs, and you mentioned I serve as president of that group, has a series of staff who play a coordinating function, coordinating the work — or just facilitating, not coordinating, and they’re not the boss — but they facilitate communications and regular interaction and meetings of the antitrust staff, of the consumer protection staff, and so forth. They also provide training.

    So, these line staff will often take a look at a potential action brought by the CFPB, decide whether to do something with them or parallel to that, without the AG even being aware of it. I mean, there’s so much going on in any attorney general office, the line staff have a lot of latitude, and they’ll make the initial determination, and then they’ll tell the chief deputy attorney general and maybe the AG will be informed as well, you know, before it gets too far down the road. But there’s a lot of, I wouldn’t call it autonomy, but a lot of initiative that these assistant AGs can take. And that includes deciding in the first instance whether to respond to outreach from the CFPB or whether to just use that authority without coordinating with the CFPB.
    Jerry:  All the more reason to get to know your financial assistant attorney general well before so that their disposition toward you is not one of ignorance or hostility.
    Rob:  Yeah, that’s true. We make a point in our team of maintaining good working relationships with the chief deputy AGs, with chiefs of staff. We attend the NAAG, again, National Association of AGs, two consumer protection conferences that are held each year. Typically, the first day is open to all comers, and then they go into closed session on the second and third days. But we’ll be there again in May in Chicago for the spring’s Consumer Protection Conference, just for the reason that you’re citing, that we want to know those folks.

    And since everyone on my team is from an attorney general’s office themselves, you know, we have credibility and we’re able to build those relationships. And since AGs turn over regularly as AGs leave office or run for higher office, the National Association of AGs is also known as the “National Association of Aspiring Governors.” You know, there is regular turnover. And so, every time we get a new group of AGs who were recently elected, we come in and start building relationships with them.

    Often, they’ll carry over the career staff, but they’ll also almost always bring in their own chief deputy, their own chief of staff that we make a point of building relationships there as well. Just so that, you know, they’ll return our call, they’ll answer our question. You know, our clients will have a chance to explain, you know, hopefully before they get the civil subpoena, the CID from the AG office.
    Caroline:  So, Rob, we’ve talked a lot about the UDAP authority that state AGs have and how broad that is. But another prominent area where states are stepping up to establish new rules and enforce existing laws is in privacy and data protection. And especially for data protection, state AGs have long had a role related to data breaches.
    Rob:  Yes.
    Caroline: As an active member of the Orrick Privacy & Data Security team, I’m hoping you can share with our audience your perspective on the role that state AGs play in dealing with ransomware attacks and privacy protection generally.
    Rob:  Yeah, that’s a great question. You know, it’s interesting that that was all fairly new when I joined Orrick in 2013, coming out of office. And the first year I worked on a major data breach for a big company where someone had gotten access to login credentials and gotten into their database. And fortunately, no consumers were harmed in that instance.

    And that was an early example of AGs really trying to get their arms around a data breach. And it was kind of quaint because the way it was done was just like the credentials got stolen and someone was able to get into the system. Now, of course, the cyber attacks are much more sophisticated and dangerous, including the ransomware attacks that you referenced.

    The AGs, even before data privacy laws were being enacted, were bringing enforcement actions against companies that suffered a cyber attack. In other words, where companies themselves were the victims of criminal action. And it seems kind of odd at first blush, like, well, why would they be liable?

    Well, the reason is that these companies all make promises to their consumers, to their customers about how they’re going to take care of the data that the customers have entrusted to them. And so the attorney general is going to want to know, “Were you up to standard? Did you have adequate protections in place?”

    And what’s happened since my first data breach matter 12 years ago is that the AG offices, their staff, have become increasingly sophisticated about these questions. They know a lot about what constitutes being at standard, having implemented best practices. They know what those best practices are. And they will look carefully at a major data breach in order to evaluate whether or not the company was doing everything they were supposed to do. It’s like investigating a bank that forgot to lock its front doors. Okay, you were wrong, someone came in, but you didn’t lock the front doors. Maybe you’re responsible here because you told consumers you were protecting their money and you had the vault secured. It’s analogous there to data privacy and consumer protection.

    Now, the data privacy statutes that the states have been enacting further increase the enforcement authority and expand the standards that the AGs are applying. So now, since the California Consumer Protection Act was adopted and other states adopted analogous statutes and regulations, the AGs have even more tools to work with. But again, that UDAP standard turns out to be sort of the Swiss army knife of enforcement for AGs. And they weren’t waiting for those laws to be enacted to go after data breaches and really scrutinize them.
    Jerry:  Rob, I’m sorry to say our time has run out. We could go on with you. It’s been fascinating. And thank you so much for being available and to provide your insights to our listeners. I know they’ll appreciate it.
    Rob:  It’s been a real pleasure. Hope we can do it again. It’s a fast-moving world we’re living in. We could spend an entire segment just talking about AI, what’s going on there. So, thanks so much for this opportunity, and we’ll see you guys soon. 
    Caroline: I was thinking the same thing. Thanks so much, Rob. We appreciate you being on. 
    Rob: My pleasure. Thank you.