A panel of federal judges recently ruled that the structure of the Consumer Financial Protection Bureau, which is led by a single director, is unconstitutional. The CFPB has asked the full court to review the ruling. But cybersecurity attorney Chris Pierson says a change in the bureau's structure would not affect the CFPB's regulatory authority over banks.
Regardless of how the bureau is structured, it will continue to monitor for deceptive and/or fraudulent practices, as well as for practices that violate consumer privacy, he says in an interview with Information Security Media Group.
The CFPB oversees many different programs, laws and regulations, says Pierson, who serves as general counsel and CISO at payments and invoicing provider Viewpost. "Some of those were created by Dodd-Frank," he notes. The bureau also oversees consumer lending laws and Regulation P, the privacy regulation of the Gramm-Leach-Bliley Act.
Raising a Constitutional Question
The case that spurred questions about the CFPB's structure involved PHH Corp., a mortgage lender that was penalized by the CFPB for its use of a wholly owned mortgage reinsurer. The CFPB's enforcement resulted in a $109 million fine against PHH. But the panel of judges reversed the CFPB's decision, finding that the CFPB's status as an independent agency headed by a single director violates Article II of the U.S. Constitution.
"The court did not hold the CFPB to be unconstitutional," Pierson says. "Rather, the majority held that there is a constitutional defect in the actual structure of the CFPB. The court contends that having a sole director of an independent agency only be removable 'for cause' sets forth an important separation of powers issue under the Constitution. So, unless the director acts in a negligent or reckless manner, they are in for the entirety of their [five-year] term."
In September, the CFPB got financial institutions' attention when it fined banking giant Wells Fargo $185 million for allowing employees to access customers' personal information - and in some cases forging data - to subscribe them to products, such as credit cards, that generated revenue for the bank and commissions for salespeople.
The Future of CFPB
Coupled with President-Elect Donald Trump's expressed interest in dismantling the Dodd-Frank Wall Street Reform and Consumer Protection Act, which established the CFPB in 2010, the federal court's ruling has raised questions among banking institutions about the future of the CFPB.
But Pierson says the CFPB's oversight of banks isn't likely to change, even if the bureau's governance structure changes. The CFPB also is one of the five regulatory agencies that comprise the Federal Financial Institutions Examination Council, he notes.
During this interview, Pierson also discusses:
- The president's power to replace the director of the CFPB if the federal panel's ruling stands;
- The long-term impact dismantling Dodd-Frank could have on the CFPB; and
- The likelihood the ruling in the PHH Corp. case will be reviewed.
In addition to serving as executive vice president, general counsel and CISO for Viewpost, Pierson serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee. Before joining Viewpost, Pierson was the first chief privacy officer for the Royal Bank of Scotland's U.S. banking operations. He also formerly served as a corporate attorney at the law firm Lewis and Roca, where he established the firm's cybersecurity practice.