Client Alert

There’s a New Sheriff in Town: CCFPL Empowers California’s Financial Services Regulator

October 23, 2020

By Molly Swartz, Tom Brown & Chris Daniel

On August 28, 2020, California Governor Gavin Newsom signed the California Consumer Financial Protection Law (“CCFPL”) (AB 1864). Effective January 1, 2021, the CCFPL significantly expands the authority of the most populous state’s financial services regulator and reinforces California’s commitment to consumer protection in financial services. Not only does the CCFPL rebrand the Department of Business Oversight (the “DBO”) as the Department of Financial Protection and Innovation (the “DFPI”), it also empowers the DFPI to regulate previously unregulated businesses, impose new registration schemes, require specific consumer complaint responses, and to enforce these requirements with a variety of powerful enforcement tools.

Expansion of “Covered Persons”

Traditionally, the DBO has only had authority over specifically designated industries, such as money transmitters, escrow agents, and finance lenders. The CCFPL, however, extends the DBO’s (DFPI’s) authority to oversee financial services providers that are currently unlicensed and fall outside of traditional financial services.

The CCFPL largely tracks the definition of “covered persons” set forth in the Consumer Financial Protection Act of 2010 (“CFPA”), (Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act).[1] Like the CFPA, the CCFPL provides the DFPI with broad discretion to define and regulate providers of additional financial products or services not specifically enumerated in the statute.[2] This includes loan servicers, payment processors, consumer debt collectors, and other firms and people that offer financial products and services to consumers.

Existing licensees are unlikely to see significant changes in current supervision. With the exception of payday lenders and student loan servicers,[3] the CCFPL explicitly exempts firms and people that hold licensees from coverage.

UDAAP Authority

Mirroring Dodd-Frank, the CCFPL makes it unlawful for a consumer financial institution to engage in unfair, deceptive, or abusive acts or practices.[4] However, the new law plots a somewhat meandering path regarding the agency’s authority to decide what kinds of acts violate the statute.

With regard to abusive acts, the CCFPL points to federal law. The definition of “abusive” in the statute matches the definition in Dodd-Frank.[5] The law also obligates the DFPI to interpret “abusive” in a way that is consistent with the CFPA. In adding a prohibition of “abusive” acts and practices to the customary prohibition on unfair and deceptive acts, California appears to be breaking new ground. Although many states have adopted “mini-UDAP” statutes, California is one of only a few states to adopt an “abusive” prong to this analysis.

The new law takes a slightly different approach with regard to “unfair” and “deceptive” acts and practices. In a way that seems likely to vex future litigants and courts, the CCFPL points to California law as the guide for interpretation. The statute obligates the DFPI to interpret “unfair” and “deceptive” in accordance with California Business & Professions Code section 17200 and cases interpreting that provision.[6]

The law also significantly expands DFPI’s rulemaking authority. The CCFPL authorizes the DFPI to issue rules identifying specific acts or practices as unfair, abusive, or deceptive.[7] However, this power stretches beyond consumer financial services. The law specifically authorizes the DFPI to issue and enforce rules defining unfair, deceptive, and abusive acts and practices as they relate to “commercial financing.”[8] This marks the second time in three years that California has imposed state-specific regulation on commercial financiers—businesses which are often unregulated at the state level.[9]

Further, the CCFPL grants the DFPI broad remedial power. Under the CCCFPL, the DFPI can seek rescission or reformation of contracts, refunds, restitution, disgorgement, or compensation for unjust enrichment, payment of damages, public notification of the violation—including the costs of notice—injunctive relief, and civil money penalties.[10] Authorized relief does not include exemplary or punitive damages.[11] The CCFPL further enables the DFPI to assess large penalties for violations (i.e., up to one million dollars ($1,000,000) per day during which the violation continues). Again, the DFPI’s authority to demand relief and assess high penalties largely mirrors the Consumer Financial Protect Bureau’s (“CFPB’s) authority under the CFPA.

Additional Enforcement Authority

The law also gives the DFPI self-executing investigatory and subpoena powers.[12] In the past, the DBO had to initiate an action in court before seeking discovery from unlicensed providers of financial services. The CCFPL gives the DFPI the authority to demand documents and other information to investigate potential violations of law. This type of authority will be new for a California financial services regulator, but it mirrors the authority possessed by the New York Department of Financial Services.[13]

The CCFPL also attempts to grant the DFPI the authority to enforce relevant federal laws.[14] Although many of these laws do not provide for state enforcement, this expansion of authority would, on its face, give the DFPI the authority to enforce a long list of federal statutes, including the Truth in Lending Act, the Gramm Leach Bliley Act, and the Electronic Funds Transfer Act. This also means that covered persons could face potential enforcement actions from both the CFPB and the DFPI in relation to the same alleged activities. To the extent that violations of these statutes also violate the prohibition on unfair, deceptive, or abusive acts or practices (“UDAAP”) provision in Dodd-Frank, firms would also face enforcement actions by state attorney’s general.

New Registration Regimes

The CCFPL provides the DFPI with the authority to impose new registration regimes.[15] While the DFPI may prescribe registration requirements to any covered persons, the DFPI is also required to promulgate such registration requirements within three years after its initiation of its second enforcement action against persons providing the same or substantially similar consumer financial product or services.[16] Perhaps intending to keep the DFPI’s new power in check, the Legislature provides that any such registration regime would sunset after four years, unless the Legislature takes further action to extend the registration.[17] It will be interesting to see how and whether the Legislature ever decides to let a DFPI-promulgated regulatory scheme lapse.

According to a February Legislative Analyst’s Office Report on AB 1864[18], the DBO anticipated that it would likely impose registration requirements for franchise brokers and non-merchant providers of retail sales financing, though these categories are not specifically addressed in the CCFPL. While debt collectors were also suggested to be a target of future DFPI registration requirements, the passage of SB 908 (Wieckowski) appears to have obviated that need. SB 908 requires licensure of debt collectors—a standard of oversight generally considered higher than registration.

Financial Technology Innovation Office

To encourage additional fintech innovation in California, a state that has already proven to be the center of fintech development, the CCFPL establishes a “Financial Technology Innovation Office” within the DFPI. While the exact mandate of such office remains to be seen, the statute suggest that the Office will engage in market research, outreach, and education and promote innovation, competition, and consumer access within financial services.[19]

Consumer Complaint Response

As consumer complaints are often the first window into potential violations of law, the CCFPL also empowers the DFPI to, by rule, impose required response procedures upon covered persons, including remediation, follow-up, and recordkeeping.[20] Consumer reporting agencies, as defined by the Fair Credit Reporting Act (the “FCRA”) remain exempt from this requirement—an understandable carve-out, since such entities are already required to maintain specific consumer complaint and inquiry response systems under the FCRA. Notably, the DFPI is obligated to promulgate implementing regulations before commencing an enforcement action related to complaint response. This buys covered persons some amount of time to get their complaint management systems in order, and provides an opportunity for applicable industries to provide input once such rulemaking is underway.


The CCFPL is, in many ways, the California’s Legislature’s attempt to fill a gap in federal enforcement that some claim has emerged under the current administration. Whether such a gap exists or will exist in the future, of course, remains to be seen.

Since most financial service providers are already subject to CFPB enforcement authority, compliance with the DFPI’s regime is unlikely to require material changes. However, to the extent DBO interprets its authority differently from the CFPB (e.g., interprets UDAAP differently), that could create need for additional compliance review and engender more conservative approaches to new products.

In general, the provision of new authority to DFPI will require a more comprehensive review of financial service providers’ existing and future products and services. To the extent such products could constitute “consumer financial products or services” under the bill, there should likely be an effort to house these products to regulated subsidiaries to protect unregulated parent companies from regulatory exposure.

Perhaps the biggest change lies on the commercial side. The new law gives the renamed agency authority to enforce and issue rules eliminating unfair, deceptive, and abusive practices in the commercial financing industry. This includes not only commercial lenders, but also factors and other providers of accounts receivable financing. For companies operating on a nationwide basis, this will likely necessitate review of existing marketing materials and customer flows to ensure that all statements are accurate and truthful and that business customers are unlikely to be misled or confused.

[1]   12 U.S.C. § 5481.

[2]   Cal Fin. Code § 90005(k)(12); 12 U.S.C. § 5481(15).

[3]  See Cal. Fin. Code § 90002(b). This includes exempted from the CCFPL are persons acting under the authority of one of the following licenses, certificates, or charters issued by the DFPI: (1) Escrow agents licensed under Division 6 of the Financial Code; Finance lenders, brokers, program administrators, and mortgage loan originators licensed under Division 9 of the Financial Code; Broker-dealers and investment advisers licensed under Division 1 of Title 4 of the Corporations Code; Residential mortgage lenders, mortgage servicers, and mortgage loan originators licensed under Division 20 of the Financial Code; Check sellers, bill payers, and prorates licensed under Division 3 of the Financial Code; Capital access companies licensed under Division 3 of Title 4 of the Corporations Code; Any person licensed, chartered, or who have been issued a certificate under the Financial Institutions Law and banks, bank holding companies, trust company, savings and loan association, savings and loan holding company, credit union, or an organization subject to oversight of the Farm Credit Administration.

[4]  Id. at § 90003(a).

[5]   Id. at § 90009(c)(3); 12 U.S.C. § 5331(d).

[6]  Cal Fin. Code § 90009(c)(1).

[7]  Id. at § 90009(c).

[8] Id. at § 90009(e).

[9]  See SB 1235 (2018), codified at Cal. Fin. Code §§ 22800 et seq.

[10]   Cal. Fin. Code § 90012(b).

[11]  Id. at § 90013(d).

[12]  Id. at § 90011.

[13] N.Y. Fin. Servs. L. §§ 301(b), 306(a); N.Y. Banking L. § 38; see also N.Y. State Dep’t of Fin. Servs. v. Vision Prop. Mgmt., LLC, 2018 N.Y. Slip Op. 31609 (N.Y. Sup. Ct. 2018) (describing the investigation and subpoena powers of the New York Department of Financial Services).

[14] Cal. Fin. Code § 90006(a).

[15]  Id. at § 90009(a)(1).

[16] Id. at § 90009.5(a).

[17] Id. at § 90009.5(b).

[18] Reinventing the Department of Business Oversight, LAO Report, Feb. 26, 2020, https://lao.ca.gov/Publications/Report/4181.

[19] Cal. Fin. Code § 90006(d).

[20]  Id. at § 90008.

Click here for a PDF of the full text

Practice Areas

Fintech and Payments


Antitrust and Competition


Data Privacy and Cybersecurity

For More Information

Image: Molly E. Swartz
Molly E. Swartz

Partner, Fintech and Payments

Image: Chris Daniel
Chris Daniel

Partner, Corporate Department

Image: Thomas P. Brown
Thomas P. Brown

Special External Advisor, Corporate

Get In Touch With Us

Contact Us