Much has been written about Mick Mulvaney’s statements about how the Consumer Financial Protection Bureau (CFPB) will no longer “push the envelope” when it comes to enforcement and no longer engage in “regulation by enforcement.” But a little-noticed filing by the CFPB in the Ninth Circuit last month suggests that the CFPB is not necessarily scaling back its enforcement efforts with respect to novel claims under its authority to prevent unfair, deceptive, and abusive acts and practices (UDAAP).

The cases at issue were brought by the CFPB against a lead aggregator—D&D Marketing, Inc. (“D&D”)—and its founder, president, and vice president. CFPB v. D&D Marketing, Inc., Nos. 17-55709, 17-55710 (9th Cir.). The CFPB’s claims in the cases, which were filed under former Director Richard Cordray, were rather novel UDAAP claims. In sum, the CFPB alleged that D&D had purchased payday and short-term loan leads from online lead generators and sold those leads to payday lenders. The CFPB alleged that the lead generators from whom D&D bought leads made representations on their websites that they link consumers to lenders that obey all federal and state laws. But D&D, the CFPB alleged, actually sold the leads—“so as to maximize its own profit”—to “tribal” and “offshore” lenders that do not comply with state usury laws. Rather than going after the lead generators for making allegedly deceptive representations on their websites or after the lenders for failing to comply with state usury laws (which the CFPB has previously alleged constitutes a federal UDAAP violation in some cases), the CFPB instead chose to go after the middle man—the lead aggregator.

Here, however, the CFPB had a problem. A lead aggregator is not a “covered person” subject to the Dodd-Frank Act’s UDAAP prohibition. The CFPB attempted to get around this hurdle by asserting that D&D was a “service provider” to the lenders to whom it sold loans. Because the UDAAP prohibition applies to “service providers” this would enable the CFPB to assert its claims. Going a step further, the CFPB alleged that the individual defendants—who founded and ran D&D—provided “substantial assistance” to D&D and thus could be held liable as well.

The CFPB’s theory, therefore, rested on three not-straightforward interpretations of its authority: (1) that a lead aggregator can be held liable for a UDAAP violation based on the representations made by third parties (the lead generators); (2) that serving in such a middle-man role qualifies one as a “service provider” under the Dodd-Frank Act; and (3) that individual owner-operators of companies can be held liable for providing “substantial assistance” to the companies they founded or manage. (In this case, because D&D is not a “covered person,” the CFPB could not rely on its authority to go after “related persons,” which is arguably the mechanism that Congress intended for such individual liability.) While such claims were not surprising when the lawsuit was filed under former Director Cordray’s leadership, Acting Director Mulvaney’s repeated pronouncements suggested that the CFPB might choose to not pursue this case.

But rather than retreat, the CFPB recently doubled down on these claims. The Ninth Circuit is considering an interlocutory appeal from the district court’s denial of a motion to dismiss the CFPB’s case. In its brief filed last month, the CFPB forcefully defended its claims against the defendants’ arguments that (a) the Dodd-Frank Act does not provide fair notice that the practice of buying and selling leads under the facts alleged constitutes an unfair and abusive practice and (b) the company is not a “service provider” subject to the UDAAP prohibition.

With respect to the UDAAP claims, the CFPB argued that prior unfairness caselaw was sufficient to put the company on notice that where “deception was the ‘predictable consequence’” of a company’s actions, those actions are unfair. More surprisingly, the CFPB also argued that the statutory description of abusiveness—“tak[ing] unreasonable advantage of … a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service”—was, by itself, sufficient to constitute fair notice that “selling loan applications to lenders whose loans do not comply with representations made to consumers [by third parties]” is abusive. For an agency headed by an Acting Director who has repeatedly complained about “regulation by enforcement” and who has noted that “the people we regulate should have the right to know what the rules are before being charged with breaking them,” this is a rather surprising position to take, considering the dearth of case law or guidance regarding what is “abusive” and the relative novelty of the CFPB’s claims in this case.

Similarly surprising was the CFPB’s argument that it has jurisdiction over D&D as a service provider. One would have expected a different approach based on Mr. Mulvaney’s prior statements about the CFPB doing no more than following the letter of the law. The Dodd-Frank Act defines a “service provider” as a person who “provides a material service to a covered person” in connection with offering a consumer financial product or service, including (i) “participat[ing] in the designing, operating, or maintaining the consumer financial product or service” or (ii) “process[ing] transactions” related to such a service. D&D’s activities certainly do not fall in the enumerated examples, and D&D argued it did not meet the statutory definition. Faced with the choice between embracing an expansive or more constrained view of its jurisdiction, the CFPB somewhat surprisingly chose the former and defended the district court finding that by selling loan leads D&D is a service provider to the lenders.

And if those weren’t sufficient surprises for one brief, the CFPB also defended the constitutionality of the agency’s structure against defendants’ argument that having a single director removable only for cause is unconstitutional.

One can only guess whether Mick Mulvaney would have authorized this lawsuit in the first place had it been proposed on his watch. It may well be that the CFPB’s position was dictated, in part, by the posture of the case, as it is easier (politically) to decide not to proceed in the first instance than to walk away in the face of a pending legal challenge. But the CFPB’s filing does suggest that for all of Mick Mulvaney’s rhetoric, the CFPB may not abandon aggressive UDAAP enforcement entirely. That would mean that CFPB enforcement might continue to be of more concern to industry than the past six months would otherwise have suggested.