Here’s our monthly article on selected legal developments we think might interest the auto sales, finance, and leasing world. This month, the developments involve the House Financial Services Committee, Federal Deposit Insurance Corporation, President Trump, Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Reserve Board. As usual, our article features the “Case(s) of the Month” and our “Compliance Tip.” Note that this column does not offer legal advice. Always check with your lawyer to learn how what we report might apply to you or if you have any questions.
Federal Developments
On July 31, House Financial Services Committee Chairman French Hill (R-AR) and Financial Institutions Subcommittee Chairman Andy Barr (R-KY) issued a request for feedback from the public on potential changes to current federal consumer financial data privacy law. Comments must be received by August 28, 2025. Specifically, the House Financial Services Committee requests feedback on the following questions concerning Title V, Subtitle A, of the Gramm-Leach-Bliley Act: (1) Should we amend the GLBA or consider a broader approach? (2) Should we consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach? (3) If the GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws? (4) How should the GLBA relate to other federal consumer data privacy laws? (5) How should we define “non-public personal information” within the context of privacy regulations? (6) Do the definitions of “consumer” and “customer relationship” in the GLBA require modification? (7) Does the current definition of “financial institutions” sufficiently cover entities such as data aggregators? (8) Are there states that have developed effective privacy frameworks? (9) Should we consider requiring consent to be obtained before collecting certain types of data, such as PIN numbers and IP addresses? (10) Should we consider mandating the deletion of data for accounts that have been inactive for over a year? (11) Should we consider requiring consumers to be provided with a list of entities receiving their data? (12) Should we consider changing the structure by which a financial institution is held liable if data it collects or holds is shared with a third party and that third party is breached? 
(13) Should we consider changes to require holders of consumer financial data to minimize data collection to only collection that is needed to effectuate a consumer transaction and place limits on the time period for data retention?
On August 5, the Federal Deposit Insurance Corporation released a Financial Institution Letter that updates the agency’s supervisory approach regarding whether an FDIC-supervised institution can use pre-populated customer information for the purpose of opening an account to satisfy Customer Identification Program requirements. According to the FIL, “[t]he CIP rule, 31 C.F.R. § 1020.220, implements Section 326 of the USA PATRIOT Act, which, among other things, requires financial institutions to implement reasonable procedures for verifying the identity of a person seeking to open an account, to the extent reasonable and practicable, and maintain records of the information used to verify a person’s identity. The CIP rule requires an institution to collect certain information from a customer opening an account. It is the FDIC’s position that the requirement to collect identifying information ‘from the customer’ under the CIP rule does not preclude the use of pre-filled information. A commonly encountered example is the opening of an account electronically where fields in a digital form are automatically pre-populated (or ‘pre-filled’) with a customer’s identifying information.” “Under the FDIC’s interpretation, a financial institution could use information from current or prior accounts or relationships involving the bank or its agents, or other sources, such as parent organizations, affiliates, vendors, and other third parties to pre-fill information that is reviewed and submitted by the customer. The FDIC considers such information from the customer for purposes of the CIP rule. 
When examining an FDIC-supervised institution that collects identifying information from a customer where some or all of the information was pre-populated, FDIC examiners will consider the pre-filled information as from the customer provided that (1) the customer has opportunity and the ability to review, correct, update, and confirm the accuracy of the information, and (2) the institution’s processes for opening an account that involves pre-populated information allow the institution to form a reasonable belief as to the identity of its customer and are based on the institution’s assessment of the relevant risks, including the risk of fraudulent account opening or takeover.”
On August 7, President Trump issued a new executive order – “Guaranteeing Fair Banking For All Americans.” The EO states that “[f]inancial institutions have engaged in unacceptable practices to restrict law-abiding individuals’ and businesses’ access to financial services on the basis of political or religious beliefs or lawful business activities,” resulting in unlawful discrimination against individuals and businesses in credit transactions and undermining public trust in banking institutions and their regulators. The EO states that “[i]t is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views, and to ensure that politicized and unlawful debanking is not used as a tool to inhibit such beliefs, affiliations, or political views. Banking decisions must instead be made on the basis of individualized, objective, and risk-based analyses.” The EO requires federal banking regulators to eliminate “reputation risk or equivalent concepts that could result in politicized or unlawful debanking” from their guidance documents, manuals, and other materials used to regulate or examine financial institutions. Federal banking regulators must also conduct reviews to identify financial institutions that have had any past or current policies or practices that have influenced the financial institution to engage in politicized or unlawful debanking and to take remedial action, including levying fines and issuing consent decrees. During reviews of their supervisory data, federal banking regulators must also identify any financial institution that has engaged in unlawful debanking based on religion and refer the matter to the Attorney General. 
Financial institutions subject to the Small Business Administration’s jurisdiction and supervision must “make[] reasonable efforts to identify and reinstate any previous clients of the institution or any subsidiaries denied service through a politicized or unlawful debanking action.”
On August 8, the Consumer Financial Protection Bureau issued advance notices of proposed rulemaking related to defining larger participants in the vehicle financing, consumer debt collection, and consumer credit reporting markets. Comments on the ANPRs must be received by September 22, 2025. Under the Consumer Financial Protection Act of 2010, the CFPB has the authority to supervise “larger participants” in certain markets for consumer financial products and services, as defined by rules issued by the CFPB. To date, the CFPB has issued six rules defining larger participants in markets for consumer financial products and services. The CFPB published its vehicle financing larger participant rule on June 30, 2015. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in the vehicle financing market. Currently, a nonbank entity is a larger participant in the vehicle financing market if it has at least 10,000 aggregate annual originations. In the ANPR, the CFPB suggests raising the threshold to 300,000, 550,000, or 1,050,000 annual originations. Raising the threshold to 1,050,000 annual originations would reduce the number of entities estimated to qualify as larger participants by more than 90 percent, from 63 entities (which account for an estimated 94 percent of market activity) to five entities (which account for an estimated 42 percent of market activity). At present, the five entities with the highest number of originations are captives, which focus on prime lending. By raising the threshold to 550,000 annual originations, the CFPB estimates that 11 entities would qualify as larger participants and that the updated rule would cover approximately 66 percent of originations. At present, this threshold would include nine entities that focus on prime lending and two entities that engage in at least some subprime lending. 
The third option provided by the CFPB would be to raise the threshold to 300,000 annual originations. Under this threshold, the CFPB estimates that 17 entities would qualify as larger participants and that the updated rule would cover approximately 79 percent of originations. At present, this threshold would include 12 entities that primarily engage in prime lending and five entities that engage in at least some subprime lending. The CFPB published its consumer debt collection larger participant rule on October 31, 2012. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in the consumer debt collection market. Currently, a nonbank entity is a larger participant in the consumer debt collection market if the entity has more than $10 million in annual receipts resulting from debt collection activities, as those terms are defined in the rule. The CFPB published its consumer reporting larger participant rule on July 20, 2012. The CFPB is seeking feedback concerning whether to propose a rule to amend the test to define larger participants in this market as well. Currently, a nonbank entity is a larger participant in the consumer reporting market if the entity has more than $7 million in annual receipts resulting from relevant consumer reporting activities.
On August 15, the Federal Reserve Board announced that it will end its Novel Activities Supervision Program and return to monitoring banks’ novel activities through the normal supervisory process. The FRB established the program on August 8, 2023, “to enhance the supervision of novel activities conducted by banking organizations supervised by the Federal Reserve. The Program … focus[ed] on novel activities related to crypto-assets, distributed ledger technology, and complex, technology-driven partnerships with nonbanks to deliver financial services to customers. The Program [was] risk-focused and complement[ed] existing supervisory processes, strengthening the oversight of novel activities conducted by supervised banking organizations.” According to the FRB’s current press release, “the Board has strengthened its understanding of … [crypto and fintech] activities, related risks, and bank risk management practices. As a result, the Board is integrating that knowledge and the supervision of those activities back into the standard supervisory process and is rescinding its 2023 supervisory letter creating the program.”
On August 22, the Consumer Financial Protection Bureau issued an advance notice of proposed rulemaking seeking comments and data concerning the implementation of Section 1033 of the Dodd-Frank Act and its implementing Personal Financial Data Rights rule. Section 1033 provides that covered data providers must make available to a consumer, upon request, data in the control or possession of the data provider concerning the consumer financial product or service that the consumer obtained. The Personal Financial Data Rights final rule, issued in October 2024, implements Section 1033 by providing specificity to the scope of data providers subject to the rule, the data that must be provided to consumers upon request, the interfaces through which data is to be made available, and how third parties may access such information through the consumer’s access right. The ANPR sets forth a list of questions for comment, which generally address issues concerning: who may make a request on behalf of a consumer; how the costs of effectuating consumers’ rights under Section 1033 should be shared between the consumer and the “covered person” providing the data; information security concerns when consumers exercise their rights under Section 1033; privacy concerns when consumers exercise their rights under Section 1033, where the data contains information that the consumer may not want disclosed, but the consumer does not fully understand that the data may be disclosed by the third party through which it has made a request; and the appropriateness of the compliance dates in the Personal Financial Data Rights rule. Comments must be received by October 21, 2025.
On August 26, the Consumer Financial Protection Bureau published in the Federal Register a proposal to adopt a standard definition of “risks to consumers with regard to the offering or provision of consumer financial products or services” for its use in proceedings to designate nonbank covered persons for supervision. Section 1024(a)(1)(C) of the Consumer Financial Protection Act of 2010, codified at 12 U.S.C. 5514(a)(1)(C), authorizes the CFPB to supervise a nonbank covered person that it “has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond, … is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” The CFPB noted that it has not issued a rule addressing the meaning of “risks to consumers” in this context but has instead issued orders in individual cases. The CFPB is concerned that its application of “risks to consumers” may not be consistent, institutions facing potential designation may be uncertain about what standard will apply to their case, and it may not be conforming to the best reading of the statute in individual cases. The CFPB’s proposed rule provides that, “[f]or purposes of 12 U.S.C. 5514(a)(1)(C), conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services consists of conduct that: (a) Presents a high likelihood of significant harm to consumers; and (b) Is directly connected to the offering or provision of a consumer financial product or service as defined in 12 U.S.C. 5481.” The CFPB requests comment on all aspects of this standard, specifically whether “risks to consumers” must be potential violations of law. Comments on the proposed rule are due by September 25, 2025.
On August 27, the Federal Trade Commission announced a revised fee structure for entities accessing the National Do Not Call Registry, effective October 1, 2025. All telemarketers calling consumers in the U.S. are required to download the numbers on the DNC Registry to ensure they do not call consumers who have registered their phone numbers. Telemarketers must subscribe each year for access to DNC Registry numbers. Beginning on October 1, 2025, the annual fee to access the DNC Registry will increase to $82 per area code of data, up from the current figure of $80 per area code. The amount charged to access the entire DNC Registry, covering all area codes nationwide, will increase to $22,626, up from the current figure of $22,038. The cost to access an additional area code for six months will increase to $41 per area code, an increase of $1 from FY 2025. The first five area codes will remain free, and organizations that are exempt from the DNC rules, such as some charitable organizations and political organizations, may obtain the entire list for free.
Case(s) of the Month
Car Buyer Agreed to Arbitration Agreement that Was Incorporated into Buyers Order She Signed, Whether or Not She Gave Consent to Have Her Electronic Signature Affixed to Arbitration Agreement: An individual selected a car to purchase from a dealership and signed a Retail Buyers Order, among other documents. Her electronic signature also appeared on an arbitration agreement. When the dealership was unable to obtain financing for the individual, it repossessed the car. The individual sued the dealership and the finance company to which she had applied for financing for violating the Ohio Consumer Sales Practices Act, among other state law claims. The defendants moved to compel arbitration of the individual’s claims, and the trial court granted the motion. The individual first argued that the trial court erred in allowing arbitration because she did not consent to having her electronic signature placed on the arbitration agreement. The Court of Appeals of Ohio found that whether or not the individual signed the arbitration agreement, there was no dispute that she signed the RBO, and the RBO incorporated the terms of the arbitration agreement by reference. The appellate court also addressed, among other claims, the individual’s claim that the finance company, as a nonsignatory to the arbitration agreement, should not be able to seek arbitration of her claims because it is not an “assign” of the dealership. The appellate court determined, based on precedent, that the dealership, as a signatory, has a right to demand arbitration and to have the issue of whether the finance company qualifies as its assign heard by an arbitrator. See McCreary v. Taylor Cadillac, Inc., 2025 Ohio App. LEXIS 2490 (Ohio App. July 21, 2025).
This Month’s CARLAWYER© Compliance Tip
The case above shows how important it is for the dealer’s documents to “work” together for a common goal, in this case arbitration. The dealer’s buyer’s order incorporated the terms of the arbitration agreement by reference, and the court found that whether or not the buyer signed the arbitration agreement, there was no dispute that she signed the buyer’s order. Because it took going to the Court of Appeals to get this result, however, it was likely an expensive endeavor. What about your documents? Do you have the buyer(s) sign a buyer’s order that includes an arbitration agreement, or do you have a separate arbitration agreement? If separate, do your documents “work” together and incorporate other documents like the arbitration agreement by reference? Time to pull out your customer-facing documents and talk to your trusty compliance lawyer!
So, there’s this month’s roundup! Stay legal, and we’ll see you next month.





