What the Security Group Consent Order Suggests About the CFPB's Direction

For many months, the Consumer Financial Protection Bureau (Bureau) has hinted it would focus its enforcement efforts on debt collection conduct. The Bureau’s settlement earlier this month with Security Group Inc., Security Finance Corporation of Spartanburg, and Professional Financial Services Corp. (collectively, “Security Group”) is the first sign that the Bureau is sincere about its focus. The consent order, which lacks redress to consumers and features a relatively low civil money penalty, reflects an expected change in direction for the Bureau. But in characterizing consumer harm, the Bureau’s new leadership followed existing guidance, despite promising a change in course.

According to the consent order, the Bureau found that Security Group violated the Consumer Financial Protection Act (CFPA) by making improper in-person collection visits and inappropriate collection calls to consumers regarding installment loans and retail sales installment contracts. Security Group, which operates over 900 stores in 20 states, allegedly made over 12 million in-person collection visits to 1.3 million consumers over a 6-year period.

In the course of attempting to collect debt from consumers in person, the Bureau argued that from 2011 to 2016, Security Group’s employees disclosed or risked disclosing consumers' delinquency to third parties, disrupted consumers' workplaces and jeopardized their employment, and humiliated and harassed consumers. The Bureau cited examples of the company’s employees physically preventing consumers from leaving their homes and visiting and calling consumers’ places of work while knowing that those contacts could endanger the consumers’ employment.

The Security Group consent order begs comparison to the Bureau’s settlement with EZCORP, which remains one of the Bureau’s most significant enforcement actions concerning debt collection practices. In EZCORP, the Bureau similarly alleged unfair practices such as disclosing debts to third parties during EZCORP’s in-person collection visits, visiting consumers’ places of employment when EZCORP knew or should have known that personal visitors were not permitted, and visiting consumers’ place of employment when inconvenient to the consumer. According to the order, EZCORP conducted thousands of in-person collection visits to consumers' homes or places of employment from July 2011 to December 2015. See In re EZCORP, Inc., et al., File No. 2015-CFPB-0031 (ordering the company to pay $7.5 million in restitution to 93,000 consumers and a $3 million penalty; prohibiting the company from conducting future in-person collection visits to consumers' homes and workplaces).

Together with the EZCORP order, the Bureau issued Bulletin 2015-07 regarding In-Person Collection of Consumer Debt. That Bulletin highlighted the risk that first- and third-party debt collectors face in conducting in-person debt collection. It reiterated that the conduct alleged in the EZCORP consent order could amount to unfair conduct that violates the CFPA, as well as the FDCPA.

In September 2016, the Bureau settled with TMX Finance LLC and its subsidiaries, including “TitleMax,” regarding its alleged unfair debt collection practices in conducting in-person visits. The Bureau alleged that "some" TitleMax employees revealed the existence of consumers' past-due debts to third parties, including neighbors, roommates, family members, supervisors, and co-workers while conducting in-person visits. The Bureau did not indicate whether TitleMax’s activity caused actual harm to consumers, or how widespread the company’s illegal in-person collection practice was. Instead, the Bureau emphasized that the mere risk of disclosure was enough to satisfy the “substantial harm” required to find an unfair practice. Additionally, the Bureau alleged that the company made a practice of workplace collection visits, despite knowing that visitors were not permitted at the workplace, which risked causing reputational damage. In that case, which also involved claims of misleading loan terms, the Bureau levied a $9 million dollar penalty. See In re TMX Finance LLC, File No. 2016-CFPB-0022. TMX’s consent order did not require redress to consumers.

Earlier this year, Acting Director Mick Mulvaney proclaimed in an internal memorandum and in a Wall Street Journal Opinion piece that the Bureau would “focus on quantifiable and unavoidable harm to the consumer” in its enforcement actions. Yet, in alleging Security Group’s collection activities were unfair practices under Dodd-Frank, the Bureau cited “humiliation, inconvenience, and reputational damage” as the requisite substantial harm. While these intangible harms are cited in the debt collection Bulletin 2015-07, and are actionable to the extent the Bureau chooses to enforce FDCPA principles under its CFPA UDAAP authority, this is not the type of “quantifiable” harm on which Mulvaney has promised to focus the Bureau’s enforcement.

Notably, the Bureau’s allegations against Security Group are more akin to those against EZCORP than TMX. Security employees discussed debts in the middle of a grocery store, through drive-thru windows at fast food restaurants, in line at a big-box retailer, and in other public locations. During unsuccessful visits, Security employees handed field cards to third parties, including consumers' young children, for delivery to consumers. Finally, the Bureau alleged that Security employees threatened consumers with jail, shoved them, and in at least one case, physically blocked a consumer from leaving. Yet, despite making aggressive visits to 1.3 million people, Security Group will pay $4 million less in civil money penalties than TMX paid when “some” of its employees merely risked reputational harm to consumers. And while EZCORP was permanently restrained from conducting in-person collection, Security Group’s collection visit injunction is subject to the order’s 5-year sunset provision.

While the Security Group consent order evidences the Mulvaney-led Bureau’s interest in debt collection activity, the penalties against the company are inexplicably lighter than those against EZCORP, TMX, and other respondents of years past. Consider that the Bureau also found that the Security Group entities violated the Fair Credit Reporting Act (FCRA) by furnishing inaccurate and incomplete information about consumers to credit reporting agencies, yet it’s CFPA and FCRA violations together yielded no order for monetary redress. While the CFPB has been inconsistent with orders for redress and remediation, it’s notable that the CFPB required EZCORP to provide redress to the 93,000 consumers who made a payment to the company within 90-days of a collection visit, but omitted an order for redress for Security Group, which visited a million consumers.

Under the terms of the consent order, Security Group and its subsidiaries are barred from certain collection practices, and must correct certain inaccurate information about consumers they furnished to credit reporting agencies, and pay a $5 million civil money penalty. This punishment, quietly announced with an understated press release that was not broadcast to email subscribers, seems demure compared to other penalties waged against companies affecting far fewer consumers.

Yet, the second consent order issued under acting director Mulvaney tends to confirm that the Bureau remains interested in debt collection enforcement. Mulvaney previously stated his intention to concentrate enforcement where consumer complaints dictate, and the Bureau’s public (for now) database includes a hundreds of complaints about the entities subject to the Security Group consent order. So it seems that despite falling short on the promise to focus on “quantifiable and unavoidable harm,” Mulvaney has followed through on his commitment to concentrate on debt collection. We will continue to monitor the Bureau for further developments in debt collection.