Consumer Protection at the FTC and the CFPB

Contributors

James C. Cooper
Timothy J. Muris
Todd J. Zywicki

This paper was the work of multiple authors. No assumption should be made that any or all of the views expressed are held by any individual author. In addition, the views expressed are those of the authors in their personal capacities and not in their official/professional capacities.
To cite this paper: James C. Cooper, et. al., “Consumer Protection at the FTC and the CFPB”, released by the Regulatory Transparency Project of the Federalist Society, November 16, 2017 (https://regproject.org/wp-content/uploads/RTP-Antitrust-Consumer-Protection-Working-Group-Paper-Consumer-Protection.pdf).

Executive Summary

Traditionally, consumer protection was seen as one of the core functions of modern government and one of the foundations of the modern administrative state — that is, broadly speaking, regulatory agencies and their collection of rules, regulations, and pronouncements. This understanding can be traced as far back as the creation of the Federal Trade Commission (FTC) and the legend of the creation of the Food and Drug Administration (FDA) in the wake of Upton Sinclair’s famous novel, The Jungle. According to the received wisdom, the growth of mass-produced, standardized goods and standard-form contracts deprived consumers of the ability to protect themselves through the ability to inspect and bargain for the goods and services that they desired. Led by Ralph Nader the first wave of consumer protection legislation and regulation — which successfully shepherded in myriad new government consumer protection rules across a range of industries — peaked in the 1970s. Before the close of the decade, however, economists and the American public also came to better appreciate the potential costs of poorly-designed consumer protection policies. Many of these regulations and regulatory institutions evolved from devices to promote consumer protection into tools that would dampen pro-consumer competition and innovation.

President Trump’s recent nomination of Joe Simons to serve as Chairman of the FTC — the nation’s premier consumer protection agency — should serve as a reminder of the impact that consumer protection regulation can have on the economy today. It also provides a timely opportunity to reevaluate what we have learned over decades of consumer protection enforcement, to reexamine how we have been handling recent cases, and to reassess the effectiveness of these approaches, particularly as innovative and high technology industries increasingly comprise our economy.

Indeed, as data increasingly suffuses nearly every aspect of our lives, the FTC’s enforcement actions and policy pronouncements concerning privacy and data security leave a growing regulatory footprint. For example, recent cases like LabMD1 and D-Link2 represent attempts by the FTC to impose broad data security requirements on the economy. Further, through a series of workshop reports and a host of consent orders involving data collection and use, the FTC has created de facto privacy guidelines and foisted concepts like “data minimization” and “privacy-by-design” on businesses.

While the FTC’s efforts in privacy and data security are focused on digital flows of personal information to businesses, it also has made important changes to the way it regulates another type of information flow: advertising. Recent FTC advertising decisions have moved away from a focus on the perception of an average consumer to that of a minority. Further, the FTC increasingly has called for companies making health claims to meet a substantiation standard which is akin to the FDA standard for drug approval. Finally, the FTC has begun to seek consumer redress from firms that make claims found to lack substantiation, a practice once reserved for fraudulent behavior. Although privacy and data security are important values, and consumers need truthful information to make informed choices, regulation in these areas has the potential unnecessarily to choke off the supply of valuable information to consumers and firms. As such, it is crucial that policy makers strike the correct balance, and do so using empirical evidence where possible.

Consumer protection regulation of the financial sector has also grown apace in recent years, largely driven by the Consumer Financial Protection Bureau (CFPB). The CFPB was created by the Dodd-Frank Financial Reform legislation in 2010 and was one of the “crown jewels” of that historic legislative initiative. Although CFPB touts itself as a “21st century, data-driven agency,”3 it has functioned much more like a 1970s-style command-and-control regulator, with a focus on product bans, substantive regulation, and a skepticism of innovation and development of new products and systems of information delivery. What’s more, a number of laws and regulations enacted in the post-crisis era have dampened innovation, erected new barriers to financial inclusion, and reduced the competitiveness of the banking sector.

This paper examines these three particularly relevant areas of modern consumer protection policy. Part I analyzes the FTC’s advertising regulation. It explains how recent changes to this enforcement break with the Commission’s traditional enforcement standards — which were based upon decades of experience and evidence — without adequate justification, often to the detriment consumers and legitimate businesses. Part II examines the Commission’s privacy and data security enforcement, with particular attention paid to the need to focus upon consumer harm as informed by economic analysis. Part III evaluates the CFPB’s mandate, goals, and actual enforcement efforts. It elaborates upon how the CFPB’s actions may, in practice, undermine its goals and offers recommendations for aligning actions and outcomes. Throughout its entirety, this paper pays specific attention to policies that might better promote innovation, choice, opportunity, and consumer protection.

I. Federal Trade Commission Advertising Regulation

The competitive benefits of advertising are by now well known: to quote Nobel Laureate George Stigler, advertising is “an immensely powerful instrument for the elimination of ignorance.”4 Former Director of the FTC’s Bureau of Consumer Protection Professor Beales further explained, “[i]nformed consumers drive the competitive process, benefitting all as sellers compete for the informed minority. Numerous economic studies have shown that restrictions on advertising increase prices to consumers, even when advertising does not mention price.”5 For decades, a bipartisan consensus at the FTC recognized and promoted the central role of advertising in a market economy. In the words of former Chairman Robert Pitofsky, the agency engaged in “a practical enterprise to ensure the existence of reliable data,” rather than “a broad theoretical effort to achieve Truth.”6

The FTC has recently changed course in advertising regulation in at least three notable ways: (1) its approach to interpreting advertising claims; (2) its evidentiary requirements for advertising claims; and (3) its efforts to obtain monetary relief in traditional advertising substantiation cases. These changes dispense with Commission best-practices premised upon decades of learning and experience, without providing any basis for doing so. The Commission’s failure to examine and justify alterations to well-established practices threatens to undermine rational and effective enforcement in the advertising space.

A.  Advertising Interpretation Should Focus on the Ordinary Consumer

Virtually any communication can be misunderstood by a minority, and that minority’s understanding may be completely wrong. This is an inherent problem of all communication, especially marketing messages, which are almost always brief and presented in times and places where most consumers do not usually pay full attention. Academic studies of brief communications show that 20 to 30 percent of the audience misunderstood some aspect of both advertising and editorial content.7 Meaningful protection for commercial speech requires, at the least, respect for the 70 to 80 percent of consumers who understand the message correctly. If regulators insist on communications that the minority cannot misunderstand, the result is likely to be communications that are also uninformative. This is precisely what the FTC is doing.

In its Deception Policy Statement, the FTC stated that an act or practice is deceptive if it is likely to mislead consumers, acting reasonably in the circumstances, to their detriment.8 The Policy Statement evaluates claims from the perspective of the “average listener,” the impression “on the general populace,” or the “expectations and understandings of the typical buyer.”9 A footnote states that “[a]n interpretation may be reasonable even though it is not shared by a majority of consumers in the relevant class, or by particularly sophisticated consumers. A material practice that misleads a significant minority of reasonable consumers is deceptive.”10 At the FTC today, contrary to the previous 25 years of practice under the deception statement, the footnote has swallowed the standard, and cases routinely are pursued because a “significant minority” is likely to be misled.

Moreover, the FTC’s focus on a “significant minority” is particularly troubling because the agency usually decides which ads are deceptive based solely on a majority of its five members’ own reading of the ad — without outside evidence of how real consumers actually interpret the communication. Indeed, deference to the FTC’s “expertise” in interpreting advertising is perplexing. Former Chairman Pitofsky put it thusly:

Why questions of meaning should be submitted to the virtually unreviewable discretion of five Commissioners of the FTC has never been articulated. Unlike other instances of deference to regulators as part of the administrative process, there is no reason to believe that commissioners of the FTC have unusual capacity or experience in coping with questions of meaning, nor any indication that successful regulation of advertising requires a balance of related regulatory considerations that commissioners are in a special position to handle.11

A logical approach to advertising interpretation would be to return to a focus on the average viewer. Outside evidence can help to strike the appropriate balance when, as is often the case, a communication informs some consumers and misinforms others. Crucially, the evidence should be a guide as to whether there is an alternative way to communicate a truthful message in a way that is less likely to be misleading. Prohibiting communications because some consumers will misunderstand would likely leave most consumers in relative ignorance — the opposite of what the FTC should seek to accomplish.

B.  The FTC’s Evidentiary Requirements for Advertising Claims Should Balance the Benefits and Costs of the Statements and Reflect that Different Statements are Substantiated Best with Different Tests

The FTC’s advertising substantiation policy requires that advertisers have a “reasonable basis” for claims before making them. Traditionally, the core principle of substantiation recognized the uncertainty surrounding many claims, and balanced the benefits of truthful claims against the costs of false ones.12 Recently, the FTC moved from balancing to a firm rule that requires clinical trials even if the benefits of the claim, if true, overwhelmingly exceed the costs of the claim, if false. If continued, this approach would prohibit some claims about the relationship between diet and disease that most scientists regard as prudent public health recommendations despite the absence of well controlled clinical trials.

Rather than relying on the traditional balancing test, the FTC’s recent decisions regarding proof of ad claims reflect a more rigid standard, one more closely modeled on the FDA’s stringent standard for drug approval.13 For example, instead of requiring “competent and reliable scientific evidence” for ad claims, the FTC has required claim substantiation about the relationship between nutrients and disease with two randomized, placebo controlled, double blind clinical trials (RCTs).14 This standard is excessive in most cases, and is likely to deprive consumers of valuable, truthful information.

The randomized, double blind, placebo-controlled clinical trial has been dubbed the gold standard of medical research. For some specific questions, it is the only methodology that experts accept as yielding accurate and reliable results. Despite the value of clinical trials, sometimes they are simply not necessary. A systematic review of randomized trials of parachutes, unsurprisingly, would not yield any results. Notwithstanding the lack of randomized trials of parachutes, few would recommend jumping from an airplane without one because of the failure to conduct such studies. Again, sometimes they are simply not necessary.

C.  The FTC Should Focus Monetary Relief on Fraud Cases and Limit Such Relief in Traditional Substantiation Cases

Since 1981, the FTC has systematically targeted fraud by, “in proper cases,” using its authority to freeze companies’ assets and compel the surrender of ill-gotten gains.15 More recently, the FTC has claimed the authority to expand this practice beyond fraud cases, suggesting that it could seek consumer redress even against legitimate companies when they allegedly lack substantiation for claims made as part of national advertising campaigns. This claim of remedial authority is particularly problematic.

Typically, such cases involve a reputable national advertiser making claims about the features or benefits of its products or services.16 Although such claims may highlight something new, the product will often have been on the market for many years based on other claims. Moreover, such cases often involve disputes over scientific details about the proof and the required level of evidence, with well-regarded experts on both sides. The FTC’s ability to find implied claims that the advertiser believes it did not make — and for which it is thus unlikely to have evidence — only exacerbates the problem. What is more, even if the particular claims about the effects of the advertised products arguably lack a reasonable basis, such claims generally are not the sole (or even primary) reason that most consumers purchase the products.

The knowledge that the FTC might seek consumer redress could discourage companies from providing information that they thought consumers would want about the products they use. The risk is particularly acute when, as discussed above, the traditional standard for substantiation is changing. Even with the “right” substantiation standard, however, uncertainty will exist about how it will be applied in a particular case. With monetary penalties, the increased risk, in combination with the uncertainty, will engender greater fear about making truthful claims.

Accordingly, it is clear that ill-considered changes to the FTC’s advertising regulation policy can perversely undermine the Commission’s consumer protection goals — doing consumers more harm than good. To effectively protect consumers and enhance outcomes, the Commission should reconsider these deviations and return to policies that are premised upon decades of experience and empirical evidence.

The FTC has recently changed course in advertising regulation in at least three notable ways: (1) its approach to interpreting advertising claims; (2) its evidentiary requirements for advertising claims; and (3) its efforts to obtain monetary relief in traditional advertising substantiation cases. These changes dispense with Commission best-practices premised upon decades of learning and experience, without providing any basis for doing so. The Commission’s failure to examine and justify alterations to well-established practices threatens to undermine rational and effective enforcement in the advertising space.

II. Federal Trade Commission Privacy Regulation

Although there are a variety of privacy laws aimed at specific industries (e.g., HIPPA, FERPA), the U.S. has no general privacy regulation. The FTC has emerged to fill this vacuum, using its broad mandate under Section 5 of the FTC Act — which prohibits “unfair or deceptive acts or practices”17 — to become the nation’s privacy and data security cop. Data is the lifeblood of today’s economy; by some estimates, the information economy accounts for six percent of GDP.18 Accordingly, the FTC’s actions in this space stand to leave a large footprint. Unfortunately, a policy driven by settlements and reports devoid of economic analysis has failed to provide a coherent analytic framework to identify practices that are actually harmful to consumers.

Below we examine several of the shortcomings of the FTC’s current approach to privacy and data security and offer suggestions. Notably, the FTC needs to focus on practices that are harmful to consumers, rather than relying on ex ante notice and choice requirements. Related to this goal, the FTC needs to engage the vast body of work on the economics of information and privacy, including empirical studies of consumer values of privacy when making policy in this area. The FTC also should be careful to distinguish privacy harms from impacts resulting from different treatment, and also continue to cabin privacy considerations from its competition policy.

A.  The Benefits of a Harms-based Enforcement Regime

Why is a focus on harm so important? If conduct is not harmful, prohibiting it provides no benefits, and at best squanders governmental resources, and at worst deters beneficial conduct. At the outset, it’s important to explain why ex post enforcement focused on harmful data practices is likely to be better for consumers than an ex ante consent-based model found in the Fair Information Practice Principles (FIPPS). A FIPPS regime — like that adopted explicitly in the Federal Communications Commission’s recent broadband ISP privacy rule, and promoted by the FTC through tiered notice-and-consent regimes based on the sensitivity of data, and calls for Internet of Things (IoT) companies to develop workable consumer interfaces — ignores the cost of information processing. Vast research shows that consumers ignore these (and most other) notices, and tend to stick with defaults.19 As a result, relying on notice and choice is likely to discourage beneficial data uses. While obtaining consent for data practices beforehand will alleviate privacy concerns, the converse is not true: lack of ex ante notice-and-choice does not automatically give birth to privacy harm.20 This means that a consent-based regime is likely to end up squandering valuable data uses without providing consumers anything meaningful in return.21 Requiring the FTC precisely to identify — and to quantify, to the extent possible — the privacy harm at stake (e.g., unwanted intrusions, loss of autonomy, affronts to dignity, physical threats, or financial losses) will avoid this pitfall.22

The problem of establishing consumer harm also has arisen in the data security context. An unfairness claim under Section 5 requires “substantial consumer injury” to be actual or likely. The extent to which the “likely” element is satisfied when a firm employs shoddy security practices has arisen in two recent FTC cases, both of which are being litigated. First, in LabMD the FTC sued a medical testing lab that inadvertently exposed a file containing sensitive patient information to a peer-to-peer (P2P) network.23 The FTC alleged that LabMD’s data security practices were unfair, but at trial the administrative law judge (ALJ) found that the FTC failed to meet its burden of proof; other than expert witness speculation that these types of data breaches can lead to harm, the FTC did not provide any evidence that anyone actually suffered identity theft or dignitary harm. On appeal to the full Commission, the FTC reversed the ALJ’s decision. The Commission found that exposing sensitive information to a P2P network alone satisfied the harm requirement because others may have viewed it. The Commission also held that LabMD’s actions were “likely” to cause substantial harm when the incident occurred in 2009, despite the fact that it provided no evidence that actual harm had occurred six years after the breach.24

The FTC’s recent case against D-Link goes a step further, alleging that failure “to take reasonable steps” to protect its routers and Internet cameras “from widely known and reasonable foreseeable risks of unauthorized access” alone satisfies the harm requirement of an unfairness claim.25 Specifically, the FTC alleges that there is a “significant risk” that hackers will exploit D-Link’s vulnerabilities, and thus “put consumers at significant risk of harm,” for example, by stealing sensitive financial information or through surreptitious monitoring.26 Importantly, the complaint raises only the specter of harm, alleging neither a breach involving D-Link products nor any consumer injury.

LabMD and D-Link, taken together, effectively read the harm requirement for unfairness out of Section 5. If these cases stand, the Commission would become the nation’s de facto data security standard setter, able to proscribe any security practice it deems “unreasonable” based on the assumption that lax security means that “substantial consumer injury” is always likely. Fortunately, to date, the two courts that have had the opportunity to review these cases have failed to embrace the FTC’s theory of harm under Section 5. In D-Link the court dismissed the Commission’s unfairness claim, noting that the FTC’s allegations “make out a mere possibility of injury at best . . . [t]he absence of any concrete facts makes it just as possible that [D-Link’s] devices are not likely to substantially harm consumers.”27 The Eleventh Circuit expressed similar skepticism when it granted LabMD’s request to stay the FTC’s order, explaining that it is unclear whether Congress intended Section 5 to cover intangible harms and further noting that “we do not read the word ‘likely’ to include something that has a low likelihood.”28

B.  Use Economics to Focus on Tradeoffs

FTC privacy reports have at least as much policy impact as enforcement actions.29 Although these reports do not put forth binding rules, they act as de facto guidelines for privacy professionals advising companies.30 What is more, many of these reports make legislative recommendations.

Embedded in these reports are tradeoffs between privacy and other values. Take for example the concepts of “privacy by design” and “data minimization,” which have become core tenants of FTC privacy policy and have formed the basis for enforcement actions.31 Because data collection and use necessarily impact other product or service attributes, these policies are based on an implicit assumption that consumers prefer privacy over other dimensions, such as functionality, price, or customization. The trouble with both these concepts is how they came about: absent any attempt to identify the harms at stake, how harms may vary based across contexts or people, or identifying beneficial uses of data that are impacted with privacy regulation. Instead, they merely rest on notions like the need to live up to “consumer expectations” and fostering “consumer trust” in the Internet ecosystem, which are based on workshop testimony and comments, as well as occasional references to surveys on consumers’ attitudes toward privacy.32

At best, these types of evidence are “stated preference,” and tell us only the trivial fact that privacy, like most other things, has value. They cannot answer the real question for policy makers: how willing are consumers to share personal data in order to receive other things they value?33 Toward this end, the FTC needs to incorporate into its analysis the vast literature on the economics of information, which includes well-developed frameworks for thinking about the economics of privacy.34

The FTC also needs to reconcile two sources of empirical evidence with its privacy policy. First, far from illustrating that consumers are reticent to engage the online ecosystem, observed behavior suggests that consumers are largely comfortable with the tradeoffs they make in their digital lives: there are 1.32 billion daily Facebook users,35 150 million people use Snapchat daily,36 health tracking apps and wearables continue to grow apace,37 and nearly half of US households have an Amazon Prime account.38 Second, a growing body of empirical work suggests that while consumers value control over their personal information, they also are willing to provide that information in return for the type of free goods and services that they receive online.39 If the FTC’s position is that the empirical evidence is not relevant because consumers systematically underestimate privacy harms or otherwise are incapable of making informed tradeoffs between privacy and other values, it should state so clearly and present an empirical basis to support this position. This evidence is not only germane to consumer harm in the context of unfairness, but also is relevant to the FTC’s deception enforcement. The FTC uses its deception authority to hold companies to their promises regarding data collection and use, most often found in privacy policies.40 Deception requires a representation, omission or practice to be “material,” in that it “is likely to affect the consumer’s conduct or decision with regard to a product or service.”41 In privacy, the FTC has relied on a presumption of materiality for express claims.42 This presumption is questionable in light of the empirical evidence that most consumers do not read, or seem to care about, privacy policies, and the fact that privacy policies are not designed to attract consumers, but to comply with state law and self-regulatory regimes.43 The FTC should engage in empirical research to determine the validity of its continuing maintenance. If this research suggests that a larger proportion of consumers do not make decisions based on privacy policies, the FTC should no longer be able to rely on this presumption in its enforcement.

C.  Uncertainty over Standards

The FTC developed its privacy and data security norms largely though settlements and workshop reports. These endeavors, however, leave much to be desired when it comes to establishing a coherent analytic framework to identify harmful practices. Settling FTC charges avoids the social costs of litigation, but it also deprives the public at large of the informational benefits from adjudication when the law is unclear — information that would help identify the extent to which data practices identified by the FTC are harmful to consumers.44 What this has meant is that the FTC law of privacy has been defined by a series of agreements between the FTC and private parties to avoid the direct and collateral consequences of litigation. The resulting set of norms that have developed are quite different than those that would have arisen via a common-law type adjudicatory mechanism.

First, unlike private litigation, in which the closest cases are most likely to be litigated, the FTC tends to select cases that are most likely to settle. For example, it has chosen large tech companies (e.g., Google, Facebook, Twitter, Amazon, Apple) as targets to set norms for the entire industry, realizing that due to reputational costs, these companies are unlikely to litigate absent extraordinary circumstances.45 What’s more, many of its data security cases involve failure to take the most basic precautions to significantly reduce risk, not the type of “close calls” that would generate the type of uncertainty that typically drives the decision to litigate.46 Second, because consent orders involve only cases in which the FTC’s claims are accepted, we never see the set of facts that do not violate Section 5. Thus, these settlements provide little information on where the boundary between legal and illegal behavior lies. Third, and perhaps most importantly, there is no adversarial process to test the FTC’s liability theory. Allegations contained in settled complaints become the legal standard, meaning that the FTC is able unilaterally to determine the reach of Section 5.

That the FTC often includes “fencing in” relief in consent orders — requirements placed on the defendant that go beyond the conduct that was declared illegal in the complaint — to announce new enforcement standards only exacerbates these problems. Although the FTC does not allege that the conduct proscribed in fencing-in provisions violates Section 5, through subsequent reports, speeches, testimony, and consent orders, these fencing-in provisions become de facto Section 5 violations. Take, for example, how the “rule” that merging firms need opt-in consent to combine their consumer data came into being. Settling the Google Buzz case, the FTC required Google to obtain express opt-in consent for changes in privacy policies.47 In the wake of these consents, FTC staff remarked publicly on the FTC’s Twitter feed that although the “terms of the order apply only to Google . . . best practices set forth in the order should serve as a guide to industry.”48 This provision next was included in Facebook’s consent order settling charges related to changes in its privacy interface, and later used by the FTC to impede the ability of WhatsApp to share data with Facebook after their merger.49 Soon thereafter, the FTC made public statements that all merging firms have a duty to obtain opt-in consent when combining data already collected.50 A common sense reform would be to limit the FTC’s use of fencing-in relief to cases that present clear evidence that the settling firm is likely to be a recidivist or otherwise poses a danger to consumers absent the fencing-in provisions.

None of the above should be taken to suggest that litigation is necessary — or even desirable — to provide business with much-needed information about what sort of data practices are likely to violate Section 5. Here, the FTC should take a page from its merger enforcement program, which also relies on a relatively discretionary standard (“may substantially lessen competition”) and has few litigated cases.51 The difference between these two enforcement endeavors is transparency: there have been merger guidelines for nearly four decades, most recently updated in 2010, and staff regularly provides commentary and data to give parties visibility into both the transactions that are likely to be challenged and those the Commission is likely to approve.52 Although there has been some progress in this area with regard to data security practices,53 the Commission could be more transparent about the factors that go into its privacy and data security enforcement decisions, especially with respect to decisions to close investigations.54

D.  Distinguishing Privacy Harms from Harms Due to Differential Treatment

Under the broad rubric of a focus on consumer harm, the FTC also should be careful to distinguish between privacy harms and disparate treatment from data-driven classifications; they are not the same thing. For example, the IOT, Big Data, and Data Broker reports identify as a potential harm the possibility of being treated differently based on accurate inferences — for example, receiving different advertisements, credit offers, or insurance rates based on algorithmic predictions.55 But the FTC needs to distinguish between harms due to the direct utility loss from unwanted observation and harms flowing from worse terms due to a counterparty having more accurate information. Any regulation to prevent accurate classifications based on traits that big data analytics can ferret out should be rooted in antidiscrimination law — which embodies the choices that society has made about which traits are fair game for classification — rather than the FTC Act. 56

E.  Privacy Should Remain Out of Antitrust Considerations

Finally, the FTC would be wise to continue to prevent privacy from entering antitrust discussions. Beginning with the Google-Double Click merger, and continuing to the Google antitrust investigation, and the Facebook-WhatsApp merger, there have been increasing calls to incorporate privacy into antitrust analysis, analogizing increased data collection or use to an increase in price. To date, the FTC prudently has ignored these calls. Antitrust’s sole focus on competition has served consumers well, and integrating subjective notions like privacy into antitrust would be a mistake on a number of grounds.57 First, it ignores the benefits built into new uses of data in the form of richer and more personalized content — collecting data is a cost incurred by firms in order to target ads or increase customization or content. With heterogeneous consumer preferences, these are net benefits to some, and net costs to others. In this manner, data cannot be analogized to an increase in price. Second, restrictions on the collection and use of data that feed into advertising are likely to have First Amendment implications. Finally, given the subjectivity of privacy concerns, inclusion would lead to uncertain legal standards, and concomitant rent-seeking that goes along with greater regulatory discretion.

Notably, the FTC needs to focus on practices that are harmful to consumers, rather than relying on ex ante notice and choice requirements. Related to this goal, the FTC needs to engage the vast body of work on the economics of information and privacy, including empirical studies of consumer values of privacy when making policy in this area. The FTC also should be careful to distinguish privacy harms from impacts resulting from different treatment, and also continue to cabin privacy considerations from its competition policy.

III. Financial Regulation and the Consumer Financial Protection Bureau

The CFPB was created by the Dodd-Frank Financial Reform legislation in 2010 and was one of the “crown jewels” of that historic legislative initiative. Below, we discuss how actions taken by the CFPB, as well as other financial regulations, have impacted financial markets, with special attention paid to the competitiveness of the banking sector.58

A.  The CFPB

The CFPB was catalyzed in response to a discrete historic event — the 2008 financial crisis, which was in turn catalyzed by a wave of residential home foreclosures that swept across a handful of cities in the United States. The proximate intellectual cause of the CFPB’s creation was a short article written by then-Professor Elizabeth Warren for an obscure journal called Democracy, where she called for a new Financial Product Safety Commission (FPSC), modeled on the Consumer Products Safety Commission (CPSC) that would regulate consumer credit products, terms, and providers as the CPSC does for consumer products.59 As presented at the time, her article reflected pure command-and-control style central planning by the federal government. In a 2008 article, co-authored with leading behavioral law and economics scholar Orin Bar-Gill, however, Warren and Bar-Gill purported to harness the CFPB to the idea of behavioral law and economics, offering a variety of behavioral economics-based speculations about consumer financial products and their supposed link to the financial crisis.60 According to its own proclamations, the CFPB touts itself as a “21st century, data-driven agency” and purports to be animated by a spirit of innovation and to complement market processes to improve consumer welfare.61

In practice, however, the CFPB has functioned much more like a 1970s-style command-and-control regulatory agency, with a focus on product bans, substantive regulation, and a skepticism of innovation and development of new products and systems of information delivery. This focus is evident in such policies as: the proposed rule-making that would essentially outlaw mandatory arbitration clauses in consumer credit contracts (a proposal likely to benefit only class action lawyers with no discernible benefit for consumers),62 and the small-dollar loan rule that would essentially outlaw the payday loan and auto title loan industries in the United States as well as substantially curtailing access to other products, such as traditional unsecured installment loans.

Although many of the CFPB’s most onerous rules that would restrict access to consumer credit products have not yet become effective, the CFPB has actually promulgated a number of rules that have increased the cost and reduced access to consumer credit products for consumers, while providing little in the way of increased consumer financial protection. Most notably, the CFPB issued “Qualified Mortgages” and “Ability-to-Repay” rules on mortgages that increased the costs and risks of mortgage lending, leading to higher costs and slower closing times for mortgages.63 At the same time, independent analysis of those rules has concluded that despite their costs they would do little to prevent future foreclosures or otherwise protect consumers, thus resulting in new costs with few if any apparent benefits and hampering the recovery of the residential real estate market.64

B.  Post-Crisis Financial Regulation

Innovation and technological development are particularly promising sources to increase financial inclusion for traditionally excluded consumers, such as low-income, minority, and younger consumers. Unfortunately, in addition to the adverse effects of the CFPB, a number of laws and regulations enacted in the post-crisis era have dampened innovation and provided new barriers to financial inclusion. For example, the Durbin Amendment which was included as part of Dodd-Frank, imposed price controls on debit card interchange fees. Faced with a loss of approximately $6-$8 billion per year in revenue, affected banks responded by reducing access to free checking by consumers and imposing new and higher fees on consumers. These actions and new fees fell disproportionately heavily on lower-income consumers who were unable to meet the higher minimum balance and other requirements to preserve access to free checking. This foreseeable result of interchange fee price controls led to many low-income consumers paying more for basic banking services or simply dropping their bank accounts completely, leading to an increase in the number of unbanked and underbanked Americans.65 At the same time, the Credit CARD Act of 2009 and the Federal Reserve regulations that preceded it led to a reduction of access to credit cards, especially among lower-income and higher-risk consumers, by limiting the ability of issuers to adjust contract terms as the borrower’s risk changed and limited their ability to charged behavior-based fees in response to risky behavior by consumers.66 The combination of the Durbin Amendment and the CARD Act (and the regulations that preceded it) have thus had the combined impact of dramatically reducing access to mainstream financial products for millions of Americans, especially low-income, younger, and minority consumers who already faced limited choices for consumer credit products. The overall effect has been to drive those consumers to make increased use of payday loans, pawn shops, prepaid cards, overdraft protection, and other non-mainstream consumer credit products.

C.  The CFPB’s Actual Impact on Competition and Consumers67

While the CFPB and various regulations have interfered with consumer choice and raised prices for consumers, they have also had a detrimental impact on competition in consumer credit markets by reducing competition and erecting new barriers to entry for banks. For example, JP Morgan Chase CEO Jamie Dimon observed that the aggregate costs of complying with all of the rules, regulations, and capital costs associated with Dodd-Frank has built a “bigger moat” to protect his bank from competition from smaller rivals.68 Similarly, Goldman Sachs CEO Lloyd Blankfein announced in 2010 that the bank would be “among the biggest beneficiaries” of Dodd-Frank as its regulatory costs and regulatory-created profit opportunities would be particularly advantageous to large banks that could bear those costs more easily than smaller competitors.69

As a result of the regulations imposed by Dodd-Frank and the CFPB, many smaller banks have simply chosen to exit the market rather than to bear the regulatory cost and risk. According to a survey of small banks conducted by the Mercatus Center at George Mason University, 64 percent of small banks reported that they were making changes to their mortgage offerings because of Dodd-Frank and 15 percent said that they had either exited or were considering exiting residential mortgage markets entirely.70 Nearly 60 percent of small banks reported that the CFPB or the qualified mortgage rule had a “significant negative impact” on their mortgage operations. Nearly 60 percent said that the CFPB has had a significant negative effect on bank earnings and more than 60 percent said that changes in mortgage regulations had had a significant negative effect on bank earnings.71 A recent analysis by economists at the Philadelphia Federal Reserve echoed this effect: “To sum up, the qualified mortgage rule affects a significant share of mortgage lending by small banks, and by some measures, the effect appears to be greatest for the smallest banks.”72

Moreover, by imposing a one-size-fits-all mechanical underwriting system for mortgages, the Qualified Mortgage rule has deprived community banks of a significant competitive advantage over megabanks: their intimate familiarity with their customers and their ability to engage in relationship lending with their customers. One illustration of the value of the traditional relationship-lending model for residential mortgages is that the default rate for residential mortgages made by community banks (with less than $1 billion in assets) was 3.47 percent in 2013 compared to a default rate of 10.42 percent for banks with more than $1 billion in assets.73 Thus, this regulatory-induced decline in the market share of small banks is not only hurting consumers, it is making the banking system less stable and less effective. Consumers face a market with fewer choices, less innovation, and less competition than before.

As many banks have exited the mortgage market, non-bank lenders (typically less-regulated than banks) have filled the market demand, increasing their share of mortgage lending from 10 percent in 2009 to 43 percent in 2015.74 Ironically, one consequence of Dodd-Frank and the CFPB’s aggressive regulation and litigation against banks has been to drive consumers toward a variety of lenders with less regulatory scrutiny, whether non-bank mortgage lenders or pawnbrokers and payday loan shops.75

As a result of the heavier relative costs of complying with Dodd-Frank’s regulations as well as these other factors that make it increasingly difficult for smaller banks to compete, community banks are facing difficulty competing with larger banks. For example, a recent study by scholars at the Kennedy School of Government found that in the period since Dodd-Frank was enacted, the asset bases of smaller banks have shrunk twice as fast after Dodd-Frank’s enactment compared to before, a result that they attribute to the high regulatory costs imposed by Dodd-Frank.76 In addition, the Mercatus Center study of the impact of Dodd-Frank on smaller banks found that the law has imposed huge compliance costs on small banks and that they have been less able to bear those costs than large banks.77 Overall, according to the Mercatus Center study, 71 percent of small banks stated that the CFPB has affected their business activities.78

The ripple effects of the displacement of smaller banks by large banks are not limited to the direct impact on the consumer banking system but carry over to other markets as well, including agricultural and small business loans. Community banks traditionally have provided a disproportionate share of small-business lending in the economy.79 According to the summary of one report by Goldman Sachs:

While there is some added subtlety to the results of our analysis, we find in general that low-income consumers and small businesses – which generally have fewer or less effective alternatives to bank credit – have paid the largest price for increased bank regulation. For example, for a near-minimum wage worker who has maintained some access to bank credit (and it is important to note that many have not in the wake of the financial crisis), the added annual interest expenses associated with a typical level of debt would be roughly equivalent to one week’s wages. For small and mid-sized businesses the damage from increased bank regulation is even greater: their funding costs have increased 175 basis points (bp) more than those of their larger peers, when measured against the pre-crisis period. That funding cost differential is enough to seriously damage the ability of smaller firms to compete with their larger competitors. This fact has become all too evident in the economic statistics and is already changing the shape of American business, as small and mid-sized firms, the historic engines of US job creation, shrink and sometimes disappear, displaced by large corporations.80

As community banks have been driven out of the market by regulatory costs, small business credit has contracted as well, dampening entrepreneurship and economic growth. As noted by one analysis, large firms have performed well since the financial crisis and subsequent recovery, but small firms have suffered low rates of formation, employment growth, and wage growth.81 Indeed, the number of small firms in the economy actually declined over the period since the crisis, as more small firms disappeared than were created, the first time that this has happened since data became available in the 1970s.82

A primary explanation for this drop in small business formation and growth is Dodd-Frank and increased financial regulation since the financial crisis, which has fallen especially hard on smaller banks relative to larger banks.83 Overall, a recent analysis of FDIC data found that while bank loans to small businesses had declined by 16 percent since 2008, loans to large businesses had increased by 37 percent over that same period.84 As one commenter described the situation, large banks “have effectively abandoned the small business market.”85 Another analysis concluded that small business loans are down about 20 percent since the financial crisis while loans to larger businesses have increased by about four percent over the same period.86 It appears that some of the unmet demand from the reduction in community bank lending is being served by non-bank lenders that charge higher rates than traditional small business bank loans and which, ironically, are much less-regulated that the traditional banks that they have replaced.87

According to Wells Fargo Quarterly survey of small business owners in July 2016, in the 3rd Quarter of 2016, just 36 percent of small business owners surveyed stated that it would be “somewhat easy” or “very easy” to obtain credit if they needed it and 20 percent said that it would be “somewhat difficult” or “very difficult.”88 These low rates of confidence in access to credit have been consistent for several years and differ considerably from the pre-crisis and pre-Dodd-Frank era. For example, during the period from the 1Q2004-4Q2007, an average 51 percent of small business owners said that it was “very easy” or “somewhat easy” to obtain credit if they needed it, and about 12 percent said it would be difficult.89 In addition, among those who said that it was easy to obtain credit in the 2004-07 period, two thirds of those reported it was “very easy” compared to “somewhat easy,” whereas only about half of those who said that it would be easy in the 2015 pool reported that it would be “very easy.”90

D.  Recommendations to Enhance CFPB Enforcement

A consumer financial protection policy that is friendlier toward innovation, consumers, competition and economic growth would be animated by the following policies:

  • Provide systems of democratic accountability and effective oversight of the CFPB’s mission, operations, and budgeting decisions: This would include bringing the structure of the CFPB into alignment with traditional constitutional systems of democratic accountability, such as providing Congress with appropriations authority and formally structuring CFPB as an Executive agency or multi-member independent agency.
  • Promote consumer protection, welfare, choice, innovation, and financial inclusion by providing benefit-cost analysis of proposed regulations and formally charging the CFPB with a dual mission of consumer protection and the promotion of competition in consumer financial products. Legislation and regulation should be particularly focused on promoting financial inclusion for all Americans and the promotion of online lending and banking platforms that can reduce costs and promote innovation and consumer choice.
  • Create a level playing field for all providers of consumer financial products to treat American consumers as responsible adults, to respect consumer sovereignty, and to aid American families to find and select the products that best meet the needs of their families. Current regulatory policies have resuscitated traditional command-and-control paternalistic approaches to consumer financial protection. These policies have raised costs and reduced choices for consumers. A robust modern consumer protection policy should recognize that consumers and the financial services providers that they choose, not Washington bureaucrats, typically know better which products are best suited to meet the needs of their families. Regulatory policy should recognize this truth.
  • Promote economic prosperity and financial stability by relieving the excessive regulatory burden on small banks that has resulted in reduced choice for consumers and reduced access to necessary capital for small businesses.
  • To promote economic prosperity by preserving access to needed credit for small businesses, including those small businesses that rely on personal credit products to start and grow their businesses.

As community banks have been driven out of the market by regulatory costs, small business credit has contracted as well, dampening entrepreneurship and economic growth. As noted by one analysis, large firms have performed well since the financial crisis and subsequent recovery, but small firms have suffered low rates of formation, employment growth, and wage growth.81 Indeed, the number of small firms in the economy actually declined over the period since the crisis, as more small firms disappeared than were created, the first time that this has happened since data became available in the 1970s.82

IV. Conclusion

Both the FTC and the CFPB play important roles in consumer protection policy. Unfortunately, both agencies have tended to overreach in certain areas. The FTC has expanded its authority to prevent deceptive advertising in a manner that threatens to impede consumer access to useful information. The FTC’s use of its Section 5 authority to become the nation’s primary privacy and data security enforcer also has been problematic, as it has done so without any reliance on economic analysis or empirical evidence. As a result, privacy policy has drifted from one originally focused on consumer harm — a focus that facilitated better consumer outcomes — to one increasingly centered on notice and choice and regulation of certain practices — a focus that largely fails to account for the costs of agency intervention and unintended consequences. Similarly, the CFPB has functioned like a command-and-control regulatory agency, with a focus on product bans, substantive regulation, and skepticism of innovation and development of new products and systems of information delivery. This misguided approach, along with other financial regulation such as Dodd-Frank, not only has reduced consumer choice but also negatively impacted competition in the banking sector.

Although each of these regulatory shortcomings have different roots, and suggest discrete solutions, they all could be ameliorated by greater attention to the costs and benefits of market intervention. Limiting regulation — especially with respect to information flows and financial markets — to shown instances of market failures will inure to the benefit of consumers in the form of greater choice, lower prices, and increased innovation.

Read footnotes