The June 2000 consent decree between Providian and the Comptroller of the Currency must have been an unpleasant experience for Providian. Perhaps its corresponding settlements with the California Attorney General and San Francisco District Attorney’s Office were even more unsettling. In a June 28 press release, Providian, representatives, stated, “Under terms of the [OCC] agreement, and without admitting any wrongdoing, Providian agreed to make certain business practice changes and to pay a one-time restitution of approximately $300 million. Providian will also pay a $5.5 million civil fine to the San Francisco District Attorney's office.” Less publicized, perhaps, but possibly more significant because it seemed to stand on its own, was an early June 19 settlement with the Connecticut Attorney Genera. In the settlement, according to the Attorney General’s press release, the lender “agreed to provide ... restitution to consumers ... and change their credit card and marketing practices. Providian also agreed to pay ... $1.6 million [in] costs, attorney's fees, and any civil penalties.” These events are significant enough to get any institution’s attention – as well as the attention of any financial services lawyer.

While the specifics of the allegations and practice changes are significant in the credit card and consumer lending industries, the significance of the Providian settlements to most of us is not in the settlement numbers, nor is it in the specific allegations, or even the business practice changes Providian agreed to make. Rather, the import of the Providian case lies in the legal grounds the enforcement agencies used to justify their actions, and in the types of regulations they were enforcing. We should take notice of these asserted bases for regulatory enforcement because they will soon become more familiar. We also should focus on the fact that agencies are starting to apply to a whole new array of consumer and trade practice regulations to banks and other financial institutions.

Claims Asserted in the Providian Case
The San Francisco District Attorney’s probe of alleged unfair business practices became public in May 1999, with newspaper reports of allegations of unfair business practices. According to a press release issued by the Connecticut Attorney General, its probe of certain business practices commenced in November 1999. While the technical grounds of the state and local actions varied, California alleged violations of state laws prohibiting “false and misleading advertising,” and other state laws prohibiting “unfair or unlawful business acts or practices.” The June 22, 2000 OCC Stipulation signed by Providian (the Stipulation) stated that the OCC intended to charge Providian with violations of the Truth in Lending Act, Regulation Z, the Federal Trade Commission Act (15 U.S.C. Section 41, et seq.) (the FTC Act), and the false advertising and unfair business practices laws of California, including California Business and Professions Code sections 17200 and 17500 (State Law). The resulting June 28, 2000 Consent Order issued by OCC, In the Matter of Providian National Bank, Tilton, New Hampshire, No. 2000-53 (the Consent Order), imposed voluntary injunctive relief, restitution obligations, and a procedure for monitoring Providian’s compliance with consumer payment obligations by an independent certified public accounting firm. In each of the state and federal proceedings, the parties stipulated that Providian did not admit the allegations and it did not admit or that it had violated any laws.

The Stipulation and Consent Order set out the jurisdictional bases on which the OCC based its actions. The Consent Order stated that it was entered into pursuant to OCC authority under 12 U.S.C. §484 (dealing with limitations on the visitorial powers of state and local governmental agencies), the Federal Deposit Insurance Act, as amended, 12 U.S.C. §1818 (dealing with cease-and-desist proceedings), and 12 C.F.R. §7.4000 (dealing with the OCC’s visitorial powers over national banks). The Stipulation recited that, “the Comptroller, pursuant to Federal law, has the authority to enforce State law against national banks....”

Regulatory Issues Raised
Aside from some Truth in Lending allegations, what is interesting about the OCC’s charges is that they appear to have been made primarily under the FTC Act and State Law. It is interesting too that the Stipulation recited the OCC’s power to enforce state law against national banks. It is obvious that the OCC has certain designated powers to enforce the national banking laws against national banks. It is not, however, a foregone conclusion, absent special statutory provision, that the OCC can enforce other laws, such as consumer protection laws and trade regulation laws, that are not directed at the safety and soundness of a national bank.

While pre-emption questions might have played a role in behind-the-scenes discussions among the parties, the Stipulation, Consent Order and related state consent judgments do not appear to raise any questions relating to federal pre-emption of the State Law or the state or local agencies’ enforcement powers. Because the Stipulation stated that the OCC has power to enforce State Law, it would appear that the OCC took the position that State Law applied and was not pre-empted.

The FDIC Act, 12 U.S.C. Section 1818(b)(1), authorizes the OCC, as the “appropriate Federal banking agency” for national banks, to commence cease-and-desist proceedings, “[i]f, in [its] opinion ... [the bank] is engaging or has engaged, or the agency has reasonable cause to believe ... is about to engage, in an unsafe or unsound practice ..., or is violating or has violated, or the agency has reasonable cause to believe ... is about to violate, a law, rule or regulation....” There does not exist a lot of authority on whether or not there are limits on the type of violation or type law, rule or regulation covered by the cease-and-desist authority. It is possible to argue that the cease-and-desist power is limited to violations of bank regulatory laws generally, or even in this case to the national banking statutes specifically (except as may otherwise be specifically provided by statute). It is not the purpose of this article to analyze precedent or conduct a legal analysis of this issue, but simply to note the potential existence of the issue and discuss some of the policy implications. I would note, however, that cease-and-desist authority also can be based upon unsafe or unsound practices, and it would not be too difficult to argue that any systematic violations of law probably also amount to unsafe and unsound practices, in light of a given bank’s resulting exposure to civil and penal liabilities. For these reasons, it is not hard to see why the OCC takes the position that it can enforce state consumer protection laws, as well as certain federal laws like the FTC Act, not directly related to bank regulation.

Perhaps even more interesting is the reason why the OCC is stepping in to enforce these laws in this case. Perhaps one reason is to protect its enforcement authority and mandate. State authorities have become more active recently in attempting to enforce consumer protection laws against banks, including federally chartered institutions. As discussed more fully below, it is possible the OCC felt compelled to participate in enforcement proceedings against a national bank, partly because no clear precedent has been established regarding how certain new consumer protection and trade regulation law might be enforced against federally chartered institutions. Perhaps the OCC also was motivated to hedge the risk of multiple and inconsistent state enforcement actions against its chartered banks while at the same time assuring that its institutions comply with appropriate laws and regulations.

It appears that the OCC’s enforcement authority under the FTC Act is clearer than its enforcement authority with respect to state laws. Section 5(a)(2) of the FTC Act, 15 U.S.C. Section 45(a)(2), precludes the Federal Trade Commission (“FTC”) from enforcing the FTC Act against banks, savings institutions and federal credit unions. Instead, Section 18(f)(1) of the Act, 15 U.S.C. Section 57a(f)(1), gives rulemaking authority over banks (including national banks) to the Board of Governors of the Federal Reserve System (“FRB”). The FRB is required (with limited exceptions) to promulgate rules corresponding to FTC rules within 60 days after each FTC rule is adopted under the FTC Act.

Under Section 18(f)(2), 15 U.S.C. 57a(f)(2), however, OCC has the actual authority to enforce the rules is given to the OCC for national banks. This authority is to be exercised pursuant to the OCC’s powers under the FDIC Act, 12 U.S.C. Section 1818. Furthermore, Section 18(f)(5), 15 U.S.C. 57a(f)(5), states that any violation of the FRB regulations “shall be deemed a violation of a requirement imposed under” 12 U.S.C. Section 1818, perhaps effectively precluding any question about whether, for these purposes, the cease-and-desist authority can be exercised to enforce the FTC Act. As an aside, observers have noted that, for the most part, the FRB has not adopted regulations corresponding to various FTC regulations under the FTC Act. They question whether or not the OCC’s enforcement powers can be exercised prior to the adoption of the necessary regulations. Again, while that question poses interesting legal arguments, it is not very relevant to the policy issues that are the central focus of this article.

It is hard to detect from the public documents whether any disputes over state versus federal enforcement authority occurred. While it is possible that the OCC stepped in to protect its own enforcement prerogatives (and, certainly, the OCC may have indirectly signaled its position by referring to 12 U.S.C. Section 484 in the Consent Order), in this case the OCC’s Consent Order and Stipulation were coordinated with the California settlements. Thus, for the present, it appears that state authorities have parallel enforcement authority as to trade practices, or at least that they may have won a standoff on this issue in this particular case. Whichever may be true, there is no doubt that state agencies followed through an separate initiatives against Providian to establish their authority over a national bank as a practical matter.

Whatever the legal arguments might be regarding the relative enforcement authorities of the OCC, on the one hand, and state and local prosecutors or other agencies, on the other hand, it is clear that federally chartered institutions are vulnerable to enforcement action by state and local agencies over alleged violations of state and local consumer protection laws. For discussion purposes here, a similar statement might be made about state and local trade regulation intended to protect competition. But the pre-emption analysis may be different under Section 114 of the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994, 12 U.S.C. Section 43, because non-consumer trade regulation statutes are not within the four categories of state statutes given special, explicit protection against OCC pre-emption rulings. Assuming, therefore, that state and local consumer protection and trade regulation rules might not be pre-empted, I would like to turn the focus to other trends, from an economic and political perspective, may expose banks to greater enforcement activity at the state and local levels.

Trends
The banking industry is facing some of the most dramatic changes it has ever faced. Among many other forces at play, banks see a radical breaking down of barriers between historically separate financial services industries; the most dramatic recent example of this trend is the Gramm-Leach-Bliley Act of 1999 (“Gramm-Leach-Bliley”). In addition, many of the special prerogatives associated with a banking charter are being eroded. Within the banking industry, this can be seen in the successful efforts of insurance, securities, commercial and other firms to exploit the federal thrift charter to exercise powers traditionally reserved to banking institutions, as well as in the expanded banking activities of traditionally limited credit unions.

Beyond the forces unique to the banking industry, we are also facing economic and technological changes that are revolutionizing all sectors of our society. The Internet and new technology effectively have effectively torn down interstate and international barriers to commerce, and are in the process of throwing doubt on traditional notions of geographic jurisdiction. Issues that previously might have previously been raised and dealt with on a local basis, albeit in many different places, now are being raised and wrestled with in “one world.” Local issues can have universal impact.

Two consumer-oriented examples of the worldwide experience of new controversies are issues surrounding privacy and predatory lending. Electronic crimes, money laundering, securities fraud and many other enforcement issues similarly are exhibiting new, “universal” dimensions. Of these, the issue of consumer information privacy has been something of a lightning rod; the legislative compromises struck in the enactment of Gramm-Leach-Bliley have set the stage for what might be an extended “debate” over the respective roles of state, federal, local and international governments in protecting personal privacy. We have already seen, in the last 6 months, evidence of strong forces pushing for state regulation and enforcement to fill a vacuum left in federal law. This is not just a popular push for legislation. It is also a determined effort by state attorneys general, as the protectors of their publics, to protect certain rights they view as not sufficiently protected.

The recent tug-and-pull between the U.S. and European Union (“EU”) involving the appropriate level of consumer information privacy also demonstrates that these issues are not fundamentally a “state’s rights” issue. The EU happens to have established a culture of strong protection of nonpublic consumer information. Recent attempts to negotiate a compromise between the U.S. “voluntary self-enforcement” approach and the EU “mandated” approach to privacy protection fell apart. The European Commission’s March 2000 formal decision that a compromise "safe harbor" arrangement with the U. S. offers "adequate protection" for personal data transferred from the European Union to the United States, met rejection by the European Parliament’s July 5, 2000 resolution. The rejection forced the European Commission now to attempt either to renegotiate the “safe harbor” principles with the U.S. or go to the European States for ratification of the U.S. safe harbor principles.

Key to this article is that the historic primacy of the federal government – and hence the federal banking regulators – in enforcing banks’ consumer regulatory and trade regulation compliance is under heavy assault, not only by state and local governments, but also by foreign governments.

Some Policy Questions
These forces raise numerous public policy issues, and also require that we, as banking lawyers, think strategically on behalf of our clients. Can any bank with a web page now assume that it is immune to enforcement action by any state or foreign governmental authority? Can a federally chartered institution assume that its regulator always will step in to make its compliance life orderly? Or, even if its regulator is willing to step in, can a bank assume that a federal regulator will succeed in establishing uniform and predictable standards for federally chartered or insured entities? If the answer is “no – and I believe it is, from the Providian case and other situations – we must begin to counsel our banking clients about all sorts of issues we never had to consider seriously before. We must, for example, consider the following:

• What state and foreign consumer protection laws will apply to our financial services client in every state and country in which a customer is located. For example, are our banking clients’ phone calls to customers across the country subject to state telemarketing statutes?
• What is our clients’ amenability to suit for civil litigation and enforcement proceedings in each of these jurisdictions?
• Will our clients’ privacy notice and privacy protection procedures comply with every applicable privacy rule in every jurisdiction in which a customer is located?
• Must we now become Federal Trade Commission attorneys as well, in order to predict how the FTC Act’s trade practices rules will apply to our banking clients’ Internet, telephone, telemarketing and other activities?
• Where is the line of federal pre-emption these days?
• Will traditional trade regulation rules intervene to regulate the forces of competition and restraint of trade across financial services industry lines, and if so, on what bases and through enforcement actions by what agencies?
• Is it possible to devise a “safest common denominator” strategy intended to avoid the common pitfalls in this new environment? Is such a strategy consistent with the new competitive financial services environment?
• How can we, as attorneys and advisers, master this new, multi-dimensional compliance matrix?
• As we identify interpretive questions under various laws, what agencies will have the interpretive authority necessary to help us determine our clients’ responsibilities?

More than ever, business situations are going to have multiple and potentially inconsistent compliance schemes. More than ever, legal risks will be unavoidable, and our efforts as legal advisers may be primarily to help our clients pick the poison most suitable to its competitive situation. More than ever we are going to become our clients’ partners in the effort to manage compliance risks.

As a final thought, I would like to mention that the July 21 Wall Street Journal reported that the FTC staff and 39 state attorneys general challenged a proposed sale of a customer list by bankrupt Toysmart.com Inc. on the ground that its sale violated federal and state consumer-protection laws, because the company had pledged on its web site that such details would never be disclosed to third parties? How many banks are preparing privacy notices stating that they do not sell their customer lists or provide customer information to third parties? How many banks might change their policies in the future? How many banks will merge with partners that have inconsistent policies and practices? How many banks might then have to wrestle not only with the traditional issues of contract modification, customer notice, and the like, but also with the FTC Act and state consumer protection laws and how to effectively avoid enforcement liability as they later change their policies?

You don’t need to beware the “coming” trade practices regulation.

It is already here.