On April 25, 2022, the Consumer Financial Protection Bureau announced that it will invoke its authority under the Dodd-Frank Act to supervise “nonbanks whose activities the CFPB has reasonable cause to determine pose risks to consumers.”
As we explained in a March 2022 alert, the CFPB continues to expand its focus and reach, including through its commitments to use its unfair, deceptive, and abusive acts or practices (UDAAP) authority to address unfair discrimination in activities not tied to traditional lending. In keeping with its recent “law enforcement” and “fair competition” themes, the CFPB references in this latest announcement its authority to investigate conduct involving the entities it now seeks to supervise, but suggests that including such companies in the supervisory process will allow it to monitor fast-moving markets in a less adversarial way. At the same time, the CFPB claims that the initiative is intended to “level the playing field” to hold such new market entrants to the same standards as bank entities.
CFPB authority over nonbanks
The Dodd-Frank Act gives the CFPB the authority to supervise and enforce federal consumer financial laws against certain nonbank entities, including:
- Nonbanks engaged in mortgage, private student loan and payday loan activities, regardless of the size of the entity.
- Larger participants in other nonbank markets for consumer financial services and products.
- Nonbanks whose activities the CFPB has reasonable cause to determine pose risks to consumers.[1]
The CFPB implemented its authority over this third category of nonbanks through a 2013 procedural rule. However, the CFPB noted that only now has it begun to invoke its authority under this rule.
In issuing the 2013 rule, the CFPB declined to adopt definitions of what the CFPB considers to be “a reasonable cause to determine” that a nonbank posed a risk to consumers, and further declined to adopt a definition or standard of what is considered a “risk to consumers.” The latest announcement provides insight into how a nonbank may end up in the CFPB’s supervisory crosshairs and what conduct the CFPB may consider a “risk to consumers.” The CFPB indicates that it will base “reasonable cause” determinations on a number of inputs, including, among others, complaints, judicial opinions and administrative decisions, as well as whistleblower complaints, state and federal partners, and news reports. The CFPB’s recent focus on repeat offenders also suggests that these considerations will include resolutions with other government agencies. And, given the pronouncements by the CFPB in the press releases accompanying its two recently filed lawsuits, we know that the CFPB is already working to expand coordination between federal and state agencies; those efforts will no doubt align with this latest initiative.
The announcement made particular reference to focusing on conduct that may pose a risk to consumers, which includes UDAAPs, or other acts or practices that potentially violate federal consumer financial law. In light of recent activity, fintechs and other potential targets should be mindful of potential unfair discrimination claims, but should not lose sight of strict regulatory compliance issues. For example, CFPB Director Rohit Chopra recently stated that he believes there are “broader problems in payments and international money transfer markets” and “significant noncompliance of the Remittance Rule by nonbanks” in particular. Entities engaged in these markets, but not traditionally subject to supervision by the CFPB, should take note.
Amendment to 2013 procedural rule
The CFPB also amended its 2013 procedural rule that facilitates its supervisory authority over nonbanks, and the amendment permits the CFPB to publicize final orders and decisions involving nonbanks deemed to be engaged in conduct that poses risks to consumers.
Under the 2013 rule,[2] when the CFPB determines that it has “reasonable cause” to investigate nonbank entities that pose a risk to consumers with regard to the offering of consumer financial products or services, the CFPB must provide notice to the nonbank regulated entity, including a description of the basis for the bureau’s determination to investigate the entity. As originally adopted, the procedural rule made all aspects of a proceeding confidential, including materials submitted by a nonbank, documents prepared by, or on behalf of, or for the CFPB’s use, and any communications between the CFPB and the nonbank.[3]
The CFPB’s amendment to the procedural rule creates an exception to the confidentiality of such materials, and establishes a procedural mechanism to determine whether part or all of a decision should be released to the public on the CFPB’s website. The bureau’s amended procedural rule allows entities to petition the CFPB, within seven days, not to release a final order, leaving the final determination regarding whether the order will be released, in whole or in part, to the bureau’s director, whose decisions on those requests also may be released to the public. The amendment notice cites two Freedom of Information Act exemptions that the CFPB expects to apply – those applicable to trade secrets and confidential financial information (exemption 4), and those applicable to personnel and medical files whose publication would be an invasion of privacy (exemption 6) – but states that the CFPB will consider others. The notice does not, however, address potential industry concerns around the publication of a report premised on potentially unsubstantiated complaints or in-progress litigation, for example, noting only that costs to companies will be minimal and will arise only if they choose to prepare requests that such reports not be published. Rather, it notes that the publication of orders will benefit consumers and the public by making risk issues known and providing greater insight into the bureau’s decision-making.
What does this mean for you?
This latest development is just another example of the CFPB’s continued expansion of its authority. Fintechs and nonbank entities affected by this supervisory development should be thoughtful about:
- How they can avoid becoming a target for supervisory oversight.
- How they can be prepared for an examination if they are chosen.
To the first, ensuring that entities have a robust complaint management process to detect, prevent and correct compliance issues will be critical. If the CFPB is going to be looking at complaints, after all, managing complaint volume is extremely helpful. To the second, the bureau indicates that it intends to use this process to “level the playing field” and “hold nonbanks to the same standard that banks are held to.” However, banks have had decades to develop and refine enterprise and compliance risk management frameworks, and it remains to be seen just how the CFPB intends to compare the two.
In the meantime, nonbanks should take a hard look at their existing compliance management systems – policies and procedures, training, compliance programs, and management oversight – to ensure that they are appropriately managing risk associated with their product or offering. Entities also should ensure they have an appropriate escalation process to consider any potential order within the seven-day appeal period cited by the bureau. It can take seven days just for things to bounce around a mailroom, and the last thing a company wants is to find itself identified as high risk on the CFPB’s website.
1: 12 US Code § 5514(a)(1)(C).
2: 12 Code of Federal Regulations § 1091 et seq.
3: 12 Code of Federal Regulations § 1091.115(c).