CFPB Complaint RFI - CBA Comment Letter

Monica Jackson, Office of the Executive Secretary

Bureau of Consumer Financial Protection

1700 G Street NW

Washington, DC 20552

 

Dear Ms. Jackson,

 

The Consumer Bankers Association (“CBA”) appreciates the opportunity to comment on potential changes to the Bureau of Consumer Financial Protection’s (“Bureau”) Public Reporting Practices of Consumer Complaint Information.

 

CBA and its member institutions believe a well-functioning Bureau is critical to maintaining a thriving and stable consumer finance marketplace.  Our concerns lie not with the Bureau’s mission but with the methods the Bureau has used at times to pursue that mission.  Regarding the Consumer Complaint Database (“Database”), we believe the publishing of bank complaint data is flawed for several reasons discussed below in detail. 

 

CBA’s members are dedicated to complaint resolution and customer satisfaction and believe the goal of the Bureau’s complaint data collection ought to be to improve industry performance and service quality, and to provide consumers with an avenue to deal with complaints when the company is unresponsive or is not providing a satisfactory resolution.  It should not be used as a way to create disharmony between consumers and the financial services industry.  It is important to note that keeping customers satisfied is a vital component of running any business.  CBA members strive to ensure customers receive swift and complete review of all complaints and inquiries.  In fact, the overwhelming majority of complaints filed with the Bureau are “closed with an explanation.”  However, the Database contains more than one million unverified complaints.  This raw, un-normalized data is provided to the public, including complaint narratives.  The Bureau does not authenticate the identity of the individual filing the complaint, creating the potential for sensitive financial data to be shared with an unauthorized third party. 

 

We believe the Bureau’s efforts should be to ensure every company has a strong complaint resolution process, assist in the resolution of complaints and red, flag potential problems for further evaluation.  The public release of complaint data increases privacy risks to the consumer and offers no value.  

 

CBA strongly believes:

 

  • The Database creates consumer harm and privacy concerns - The Database does not protect consumers from re-identification risks and creates consumer harm.  The Bureau has in the past claimed privacy is not a serious concern because “modern scrubbing standards” can de-identify nonpublic, personal information to “acceptable levels.”  However, recent audits of the database have revealed many cases of re-identification.

 

  • The Database does not enhance consumers’ ability to compare - According to the Bureau, the purpose of the Database is “to provide consumers with timely and understandable information about…products and services, and improve the functioning, transparency, and efficiency of markets.”  The public database with unverified information that is not collected for depositories below $10 billion in asset size does a disservice to consumers and does not improve the functioning, transparency or efficiency of markets.  In fact, the publication of raw complaint narratives subjects companies to inaccurate and unfair criticism that is often subjective and potentially misleading without institutional proprietary context or facts.  As such, this information may actually misinform consumers; doing the exact opposite of what the Bureau is mandated to accomplish.

 

  • The Dodd-Frank Act does not require or contemplate the Database be public – The authors of Dodd-Frank did not intend for Bureau to publicly share complaints.

 

Accordingly, due to the lack of a statutory mandate to publicly disclose complaints and to ensure consumer privacy and prevent the dissemination of misleading information, the Bureau should retain from publicly releasing filed complaints and stop all monthly/snapshot reports.

 

DISCUSSION

 

The Bureau established its Database pursuant to section 1013(b)(3) of the Dodd-Frank Wall Street Reform and Consumer Protection  Act (“DFA”). That section calls for the Bureau to create a toll-free phone number, a website, and a database (or utilize an existing database) for the centralized collection, monitoring and response to consumer complaints regarding consumer financial products or services.  It calls for an annual report to Congress by March 31st of each year regarding the complaints received in the prior year.  Section 1013 requires nothing further and we believe the Database has far exceeded the scope of the section.  By publishing the unverified and un-normalized complaints, which include customer narratives, the Bureau has exceeded its mandate. 

 

CBA Actions

 

From the start, CBA vocally opposed the manner in which the Bureau made complaint information public.  Despite the vast resources invested by the Bureau and industry, no study has been conducted on the utility of the database and benefit to consumers.  The information remains unverified and out of context; however consumers are potentially subjected to privacy risks from data breaches, sensitive information being released in the narratives, and re-identification of narrative information.

 

Since the inception of the Database, CBA has met with the Bureau’s Office of Consumer Response on numerous occasions and formally advocated for our members by:

 

  • Meeting with the Director and Bureau staff (including the Ombudsman’s Office) on a regular basis;
  • Submitting comments on the narratives proposal (September 22, 2014);
  • Responding to the positive comment RFI (May 26, 2015);
  • Meeting with the CFPB’s Office of Inspector General regarding privacy risks posed by the Complaint Database and following up with a letter voicing our concerns (June 4, 2015); and
  • Responding to the normalization RFI (August 31, 2015).

 

On September 30, 2016, CBA submitted comments to the Office of Management and Budget (“OMB”) in response to the Bureau’s request for comment on a “Consumer Response Company Response Survey.”  In the letter, we respectfully asked the Bureau not to go forward with its information collection and, instead, stop and study the effectiveness of the Database in its current form.  We also argued the proposed rating survey would:

 

  • Put into the public under governmental seal unreliable, subjective information that could be misleading to financial consumers;
  • Erode customer privacy;
  • Impair the confidential nature of the exchange between customer and banker; and
  • Compromise the supervisory process. 

 

On December 28, 2016, CBA submitted second round comments in response to the Bureau’s request for comment on a “Consumer Response Company Response Survey.”  Again, we urged OMB to reject the proposal and hoped the denial would lead the “Bureau to examine more adequately the Database’s utility to consumers and the risks it presents to consumer privacy before the Bureau expends additional taxpayer money collecting and reporting additional information unlikely to benefit consumers and more likely to mislead them.”

 

  1. The Database creates consumer harm and significant privacy concerns

 

As financial institutions, CBA member banks remain dedicated to maintaining the privacy of our customers’ information.  As such, financial institutions are subject to strict legal prohibitions restricting the release of personally identifiable information, with severe penalties for noncompliance.

 

We believe the Database does not protect consumers from re-identification risks and creates consumer harm.  The CFPB has claimed in the past that privacy is not a serious concern because “modern scrubbing standards” can de-identify nonpublic, personal information to “acceptable levels.”  However, the financial services industry is concerned about re-identification risks inherent in the Database and their potential harm to consumers.  CBA believes the Bureau does not provide enough detail on how a consumer’s sensitive information is scrubbed.  The Bureau’s current practice of publishing complaint data raises significant risks that the public will readily be able to use the Database to discover information that should be protected.  Any standard for scrubbing sensitive data that the Bureau may employ will never fully guarantee that all sensitive personal and financial information will be kept confidential.  For example, while a consumer’s name and address could be scrubbed from a narrative, reference to his or her profession, location and other specific, un-redacted information could be used to re-identify the person.  In fact, the Bureau has acknowledged that the Database could enable someone to re-identify a consumer who files a complaint.  The implications of re-identification in this context could have very real negative consequences for a large group of consumers.  Even if just a very small percentage of consumers utilizing the Database were to be re-identified, the consequences could still be great.  For example, if just one percent of the roughly million complainants currently logged in the Database were re-identified and used for malfeasance, tens of thousands of Americans would be put at risk of severe harm, creating a significant problem for a large number of consumers.

 

Concerns are amplified in light of recent data breaches.  Re-identification is easily done and is common practice for sophisticated criminals.  The associated unlawful activities that usually result from re-identification including fraud and identity theft impose great harm on consumers and may impose mitigation costs for monitoring, new cards/account numbers, and a variety of security measures that financial institutions will have to take on as a result.  This Database is low-hanging fruit for criminals looking for highly sought after financial information.  Most consumers likely do not understand these associated risks and simply trust the Bureau to adequately protect their confidential information.  To the best of our knowledge, the Bureau has yet to conclude any testing of its methodology for scrubbing sensitive and confidential consumer data. 

 

The Bureau should refrain from publishing the complaint data outside its statutory mandate.  We believe publishing such data puts consumers at harm for risk of re-identification and subsequent fraud.

 

  1. The Database does not enhance consumers’ ability to compare

 

According to the Bureau, the purpose of the Database is “to provide consumers with timely and understandable information about …products and services, and improve the functioning, transparency, and efficiency of markets.” The public Database with unverified information does a disservice to consumers and does not improve the functioning, transparency or efficiency of markets. 

 

Complaint Validation

 

The Bureau does not validate whether a complaint is actually a complaint or just an inquiry by the customer.  This includes “complaints” that are not valid indications of the performance of the institution or that do not fit the stated definition of “complaint.”  The Bureau states the definition to be: “Consumer complaints are submissions that express dissatisfaction with, or communicate suspicion of wrongful conduct by, an identified entity related to a consumer’s personal experience with a financial product or service.”  Categories that might not fall within the definition include:

 

  • Disputes that address issues not affecting the performance of the institution (e.g. 16% of credit card disputes are billing errors; 8% are ID theft/fraud.  Often these do not allege wrongdoing by the card issuer),
  • Service requests and other inquiries (e.g. consumer’s inquiry about the workings of a product or service, provided no allegation of a disclosure or other violation is being made, and
  • Bogus complaints intended to make difficulty for an institution or as a prelude to litigation.

 

Also, the Bureau does not currently attempt to verify the legitimacy or accuracy of the information provided by the consumers, except to ensure the consumer is in fact a customer of that company, and the company is a covered financial service provider.  While this is stated on the database website, this fact alone does not give consumers adequate information to draw conclusions about the data.  If the Bureau is releasing results, consumers can be excused for believing the information is legitimate, notwithstanding any disclaimer to the contrary.  The releasing of narrative information on each complaint only makes this worse and does not give enough information for the public to draw any information on the validity of the complaints.

 

Since the Bureau places excessive importance on the total number of complaints by institution, the Bureau should validate complaints before evaluating the information.  Because of the extremely broad definition of complaints referenced above, including them among the total complaints by category serves no valid purpose.  For example, many complaints related to debt collection may be submitted merely because debt is being collected and without any real allegation of wrongful conduct.  Other types of complaints do not allege wrongdoing by the institution at all, but are submitted to the Bureau because it advertises itself as a place to send complaints.  Billing errors, for example, often do not involve any claim of wrongdoing by a bank and are often quickly resolved once brought to the bank’s attention.  Yet in some cases consumers will file complaints with the Bureau rather than directly with their bank.  Similarly, it is important for consumers to contact their bank about issues of ID theft or fraud, but in most circumstances these are not alleging any wrongdoing by the bank.  Instead, they are asking the bank to assist by closing an account or reissuing a card.  Other submissions to the Bureau which may get inappropriately logged as complaints are essentially service inquiries, with no real allegation of wrongdoing.  It is incumbent upon the Bureau to identify these submissions, so they do not become complaints merely because they have been entered into the Database.  And of course, there will always be some complaints from those with an ax to grind and no legitimate complaint. 

 

The addition of narratives to the public Database fails to provide the public with more information upon which to draw a conclusion about the legitimacy of these complaints, because the public has none of the information available to the Bureau to assess the complainant’s veracity or the merits of the complaint itself.  The details accompanying a complaint are simply details, and without the ability to confirm their accuracy or analyze their context, the public cannot use them to draw valid conclusions.  Indeed, the color provided by narratives can often mask facts by creating sympathetic details that seem to lend credibility to the complaint.  It is the role of a supervisory agency to draw the correct conclusions after research and inquiry. 

 

As previously discussed, the Bureau has made comparisons to existing public complaint databases, such as the database maintained by the CPSC.  However, unlike the Bureau’s Database, the CPSC will take steps to verify accuracy of complaints when requested. Under regulation, any person and/or company may make a request for determination of materially inaccurate information on the CPSC complaint database and the agency will make an inquiry.  If a report is determined to be materially inaccurate, the CPSC will take steps to ensure the inaccuracy is corrected.   If the CPSC determines the information is materially inaccurate before publication, the CPSC will not add the information to the database, correct the materially inaccurate information, or add information to correct the inaccuracy.  If the CPSC determines the information is materially inaccurate after publication, within seven days of the determination, the CPSC will remove information, correct the materially inaccurate information, or add information to correct inaccuracy.

 

The data in the portal is not normalized

 

The skewed nature of the Database create harm for consumers as the information contained within the system is not normalized and gives the consumer no real basis to make an informed decision. The Database currently contains nearly one million complaints, so the everyday consumer cannot peruse every complaint and response for a particular product or institution.  Consumers will be left to rely on browsing a limited number of complaints and raw numbers compiled by someone outside of the Bureau.  These raw numbers can be used to paint an unjustified picture of certain institutions represented in the Database.  For example, a 2014 article entitled “America's 10 Most Hated Banks” singled out banks represented in the Database with the highest levels of complaints.  The title was followed by a caption reading, “According to the Consumer Financial Protection Bureau, these financial institutions draw the most complaints,” giving the impression that the institutions with the most complaints corresponds with having the most unscrupulous practices. To the contrary, this headline could have instead easily read “America’s Most Popular Banks” as the banks listed are by far some of the largest banks in the country with the most customers.  It would stand to reason banks with more customers would receive a higher overall number of complaints because they are serving more people.  Instead, the data was used to demonize large banks because the data in the Database is difficult to normalize and can easily be taken out of context by consumers or manipulated by industry critics.  While the Bureau did not write the above-referenced article, the Bureau’s endorsement of the use of the data to make interpretations is inappropriate since the data is difficult to normalize.  Moreover, the article shows that consumers will misinterpret the database and use it to draw statistically unsound conclusions.

 

Misleading and non-contextualized information in the Database and in reports is in and of itself enough to create reputational risks for the entities represented.  For example, the Bureau began collecting federal student loan servicing complaints in February of 2016 without much fanfare, only a footnote in its next report.  While the Bureau can claim jurisdiction over private student loans and large federal student loan servicers, the Department of Education’s (“ED”) Office of Federal Student Aid has responsibility over federal loan complaints.  Since about 90 percent of student loans are federal, with the vast majority owned by the government, the addition of federal loans to the complaints reports by the Bureau highlighted a huge increase in student loan complaints, but revealed why only in footnotes.  In fact the increase was caused by the intake of federal loan servicing complaints, giving the impression that the large spike in student loan complaints was a bank issue, not one of the ED student loan programs.

The Bureau does not collect complaint data for banks under $10 billion in assets

 

It is important to note the Bureau’s Database is limited to those companies that fall within its supervisory and examination authority.  Complaints about banks are limited to those with assets of $10 billion or more.  The inclusion of identifying information, including narratives, only results in a misrepresentation of financial institutions included in the Database – approximately 110 depository institutions out of nearly 6,000 commercial banks and nearly 6,000 credit unions in the country.  Coupled with un-normalized data, the representation of just a minor portion of U.S. financial institutions in the portal gives the illusion that larger financial institutions are “bad actors” and should be avoided.  By making this information public, the Bureau—the agency created to “level the playing field”— has contributed to an un-level playing field in this area, providing little value to the consumer when trying to make informed decisions about which financial firms they would like to do business with. 

 

Comparisons to other customer feedback services

 

The Bureau appears to have considered the publication of complaint data, including complaint narratives, as an enhancement to the value of the Database as a consumer product review site, equivalent to websites such as Yelp that may be helpful for consumers’ purchasing decisions. “Research has shown,” the Bureau’s 2015 narratives proposal said, “that consumer word of mouth (which includes consumer reviews and complaints) is a reliable signal of product quality that consumers consult and act upon when making purchasing decisions.”  However, we believe this is not the case with the Bureau’s Database, which gives voice only to complaints and not endorsements.

 

Yelp, and most other sites consumers use as shopping review services, contain both negative and positive remarks about businesses, services, and products.  Shoppers can read the narratives for both types of comments and draw their own conclusions.  The Bureau’s Consumer Response Database is a misnomer.  Despite the name, it is, and was always intended to be, a complaint site.  The website and attendant advertising campaigns have encouraged “complaints” only, and if a comment is posted that is not negative, it is still filed as a complaint and logged in among the total of complaints.  If a consumer has a positive comment to make, the Bureau steers them to a different site where narratives of all types are included.  None of these are compiled or reported in the Bureau’s regular reports.  Thus, if a consumer is using the Database for shopping, they are getting a one-sided view of the companies. 

 

Additionally, unlike Yelp or any other independent complaint tool, the publication of complaint data in a government sponsored database provides immediate legitimacy of “truthfulness” to un-vetted, un-adjudicated complaints, thereby causing substantial and likely irreversible reputational harm.  Consumers understand sites like Yelp may contain inaccurate information; however, consumers will give more credibility to a governmental site and are likely to believe what is published is true as government databases are supposed to imply validity.  These databases can move markets and often become standard baseline data sources.  Here we have a government agency charged with protecting consumers in the financial market creating a data set that lacks integrity and is being served up to the consuming public leaving the impression that it has received an imprimatur of the federal government.  Potentially inaccurate, unverified and misguided complaints could become the basis on which consumers will make judgments about their financial relationships.

 

Accordingly, we believe the Bureau should eliminate public complaint reports not required by law.  There is no evidence the reports and analysis benefit consumers as the reports are based on unverified data.  The non-aggregated data in the reports could result in consumers making poor financial choices based on misinterpretation about products or institutions.

 

  1. The Bureau as no statutory authority to publish consumer complaints

 

CBA maintains the Bureau should remove the public complaint database as DFA does not require or contemplate the database be made public.  We support the Bureau’s execution of its statutory obligation “to facilitate the centralized collection of, monitoring of, and response to consumer complaints regarding consumer financial products and services.” We believe the oversight of consumer complaints offers much value to consumers and financial institutions alike.  We also recognize that complaint monitoring plays an important role in the fulfillment of the Bureau’s mission to enforce the consumer protection laws under its purview.  However, there are no provisions in DFA, or any other law, that require or even contemplate public disclosure of complaint information.

 

Despite any legislative authority to publicly release sensitive complaint-specific information, the Bureau has asserted that the publication of the complaint database furthers a mandate to ensure consumers are treated fairly in the financial marketplace.  Prior Bureau leadership has claimed that publicly disclosing information from the Database will assist in this mission by providing outside parties with the ability to help identify trends and patterns that will in turn help better inform consumers when choosing financial products and services.  We disagree with this assertion.  We believe the public release of consumer complaint data offers little value and potentially harms prospective consumers by relying upon non-factual information.   

 

No Requirement or Contemplation of Publication

 

Congress did not intend for the Bureau to publicly share complaints.  In fact, a plain reading of the statute indicates that Congress did not specifically authorize publication, as it did in other contexts.  Accordingly, we believe that an analysis of the structure of Title X of DFA provides compelling evidence of Congress’ intent for the Bureau’s authorities and obligations with respect to consumer complaints.

 

Congress specifically ordered the Bureau to create a unit dedicated to “collecting and tracking of complaints” and clearly outlined the responsibilities of that unit as:

 

  • Facilitating the centralized collection of, monitoring of, and response to consumer complaints;
  • Routing complaints to the Federal Trade Commission (“FTC”), and other Federal and State Agencies, where appropriate;
  • Reporting to Congress; and
  • Data sharing with the FTC, other Federal and State agencies “to facilitate preparation of the reports [to Congress], supervision and enforcement activities, and monitoring of the market for consumer financial products and services.

 

None of the listed responsibilities include the publication of individual complaint data. 

 

Congress did provide the Bureau with authority for timely responses to consumers in response to consumer complaints.  Much like the Bureau, prudential regulators have similar responsibilities under section 18f of the Federal Trade Commission Act, which provides for each agency to establish a “separate division of consumer affairs which shall receive and take appropriate action upon complaints with respect to unfair and deceptive acts and practices.”   Although, there are variations in complaint monitoring systems established at the various prudential regulators, all of them have provided systems that account for timely processing of individual complaints to their respective financial institutions for individualized and confidential resolution.  Accordingly, the responses from financial institution to individual complaints are carefully monitored by the agencies, themselves, to ensure business corrections are taken that benefit the institution’s entire customer base as well as provide for resolution of individual complaints and the protection of individual privacy. 

 

Section 1013(b)(3) and Section 1034 are the two provisions in DFA that specifically outline the authority, purpose, function, and limitations of the consumer complaint system.  Section 1013(b)(3) outlines the establishment of the process for collecting and tracking complaints as part of the Bureau’s administrative function, including the development of the Database.  This includes the requirements for submitting reports to Congress on consumer complaints and the sharing of the information with other agencies.  Section 1034 provides specific details with regard to the process and limitations regarding the procedures for responding to consumer complaints.

 

Neither of these provisions specifically reference nor contemplate the public disclosure of information contained in the Database.  The only provision that references public disclosure is Section 1022(c)(3)(B).  While this provision clearly references the public disclosure of “aggregated” reports, at no point does it mandate the creation of a public database that would include complaint-specific information.  Reliance on this provision is misplaced because it refers to the Bureau’s general rulemaking authority and only references consumer complaints as one of a number of sources that the Bureau may use for monitoring risks to support rulemaking functions.  This does not justify the Bureau’s overreliance on this provision for publicly disclosing complaint-specific information, especially when there are two other provisions in DFA that specifically outline the authority and functions of the consumer complaint process.

 

If Congress intended to have the Database published, it would have said so directly.  The Bureau has stated its publication of complaint information is no different from the practices of the Consumer Product Safety Commission (“CPSC”) and the National Highway Traffic Safety Administration, which also publish consumer-specific notations in their respective complaint databases.  However, unlike the Bureau, Congress expressly required these other agencies to create consumer complaint databases.  And whereas Congress specified that those agencies’ databases shall be publicly available, it did not in the case of the Bureau.  We believe if Congress intended for a public database, it would have specified a public database and we believe an interpretation of the facts would indicate intent not to publish consumer-specific data. 

 

Specific Mandate to Ensure Consumer Confidentiality

 

Congress did specifically provide a mandate for the Bureau to protect confidential consumer information from public disclosure.  Section 1022 of DFA requires the Bureau to ensure that any “proprietary, personal, or confidential consumer information” the Bureau collects is protected from public disclosure.  DFA also requires the Bureau to observe “standards applicable to Federal agencies for protection of the confidentiality of publicly identifiable information” when it shares complaint information with other regulators. While DFA does not mandate the public release of complaints, it does mandate that complaint data may only be publicly disseminated “through aggregated reports or other appropriate formats designed to protect confidential information”[1] in accordance with designated privacy and confidentiality requirements governing the Bureau.[2]  These provisions indicate Congress intended the Bureau to share sensitive information only when doing so confidentially.  CBA does not believe the Bureau has adequately shown that it can safely and confidentially publish consumer complaint data without significant privacy concerns.

 

  Thus, with the affirmative duty to keep consumer-specific complaint information confidential and without a clear statutory mandate to do otherwise, the Bureau should refrain from publishing consumer complaint data.

 

 

********

Due to the lack of authority to publicly disclose complaints, to ensure consumer privacy, and prevent the dissemination of misleading information, the CFPB should refrain from publicly releasing filed complaints and stop all monthly/snapshot reports.

 

Again, CBA greatly appreciates the opportunity to share our thoughts and to work with the Bureau on these and other important issues.  Please do not hesitate to reach out to CBA directly at dpommerehn@consumerbankers.com or 202-552-6368 should you need anything further. 

 

Sincerely,

David Pommerehn

Associate General Counsel and Vice President

Consumer Bankers Association