CFPB Finalizes Rule to Track Nonbank ‘Repeat Offenders’

Cooley alert
June 6, 2024

On June 3, 2024, the Consumer Financial Protection Bureau (CFPB) published a final rule requiring covered nonbanks – generally nonbanks that are “covered persons” under the Dodd-Frank Act, subject to certain exceptions – to report final agency and court orders to the CFPB. These records will be incorporated into a newly established registry designed to allow the CFPB, other regulators, industry watchdogs, and the public to “identify repeat offenders and recidivism trends.” The registry will contain copies of and information about final agency and court orders and judgements related to alleged violations of federal and state consumer financial protection laws.

In addition to requiring covered nonbanks to report these enforcement actions and court orders to the CFPB, the final rule requires covered nonbanks subject to the CFPB’s supervisory authority – supervised nonbanks – to designate a senior-level employee to annually certify compliance with each order in the registry. The database and the CFPB’s desire to use it to identify “repeat offenders” is consistent with its creation of a Repeat Offender Unit to oversee supervised entities subject to CFPB law enforcement orders. In addition to imposing new administrative and procedural burdens, the final rule’s requirements likely will increase government enforcement and litigation exposure, as the database will provide the CFPB, other agencies and potential litigants with a one-stop shop of alleged historical violations by nonbanks.

Most nonbanks will have filing obligations under the new rule

The final rule requires covered nonbanks to report certain final agency and court orders and judgments to the CFPB.

Covered nonbanks must file final, public orders that impose obligations on the nonbank based on an alleged violation of a covered consumer law. This includes consent and stipulated orders, even if those orders do not admit wrongdoing.

Covered consumer laws include federal consumer financial laws, other laws enforced by the CFPB, and certain unfair, deceptive, or abusive acts or practices (UDAAP) laws at the federal and state levels.

The final rule requires submission of, at least, identifying information about the covered nonbank, administrative information (such as any affiliates registered with respect to the same order), and information about the order. The filing must include a complete copy of the final order (excluding any nonpublic portions), as well as information about any agencies or courts involved in the order, effective and expiration date(s), covered laws found or alleged to have been violated, and docket, case, or similar identifying information. Covered nonbanks must register new orders within 90 days of the order’s effective date, and have ongoing obligations to update their registrations within 90 days of certain updates or changes being made to the identifying or administrative information, or of any amendment, termination, or expiration of the order.

While the final rule is largely consistent with the December 2022 proposed rule, the CFPB did make a modification to allow Nationwide Multistate Licensing System (NMLS) registrants to use a streamlined filing process with respect to orders published on the NMLS Consumer Access website. A covered nonbank choosing this path must submit certain required information, but then has no ongoing obligation to register any changes or file written statements for orders that appear on the NMLS Consumer Access website.

CFPB added attestation requirements for supervised nonbanks

The rule also contains an attestation requirement that likely will require many covered nonbanks to invest in additional compliance processes.

Supervised nonbanks must provide an annual written attestation from an executive that confirms the institution’s compliance with each relevant order. The designated executive must be the nonbank’s “highest-ranking duly appointed senior officer (or, if the entity does not have any duly appointed officers, the highest-ranking individual charged with managerial or oversight responsibility for the entity)” with responsibility, knowledge and control over the entity’s compliance with the relevant order.

As part of this requirement, the designated executive must submit a written statement describing the steps the executive has taken to review and oversee the activities subject to the order during the preceding calendar year, and attesting whether, to the executive’s knowledge, during the previous calendar year the nonbank has identified any violations or noncompliance with applicable obligations imposed in the order’s public provisions. The written statement will be treated as confidential supervisory information (CSI), but the designated executive’s name and title will be published.

Supervised nonbanks with qualifying annual receipts of less than $5 million are exempt from this requirement (up from $1 million in the proposed rule).

How the registry will be used

Information submitted to the registry will be compiled into a publicly accessible database expected to launch in 2025.

The CFPB expects the registry to be used by other law enforcement and regulatory agencies, as well as investors, creditors, business partners, consumer advocacy organizations and researchers. The database also will likely be of interest to members of the media and plaintiffs’ counsel looking for potential targets for class action lawsuits.

The CFPB itself will use the registry to identify areas of purported risk to consumers, reasoning that “entities that have previously been subject to enforcement actions, including those brought by local, [s]tate, and other [f]ederal authorities, present an increased risk of committing violations of laws subject to the Bureau’s jurisdiction.”

The CFPB will consider information in the registry – including past state law violations – in assessing civil monetary penalties, and it may impose higher penalties usually reserved for “repeat offenders” even for a nonbank’s first enforcement action with the CFPB.

Nonbanks that report noncompliance with an order should expect additional scrutiny in the practices covered by the order and by the CFPB generally because, in its words, “failure to comply with a relevant order under a covered law could indicate that the entity more generally lacks the will or ability to comply with its legal obligations under [f]ederal consumer financial law.”

As Cooley noted in December 2022 in connection with the proposed rule, the certification requirement creates new potential avenues of liability in connection with language commonly found in consent orders. This type of language often prohibits violation of a number of consumer protection laws, whether or not they are the basis of the order. Government entities (and private plaintiffs, particularly in the False Claims Act context) may use certification language as a hook to create liability by arguing that those certifications were false.

What’s next?

The final rule takes effect on September 16, 2024, and the CFPB contemplates a phased-in registration process starting with “larger participant” supervised nonbanks on October 16, 2024, moving to other supervised nonbanks on January 14, 2025, and finishing with all other covered nonbanks starting April 14, 2025. The CFPB will publish filing instructions regarding the specific information that must be submitted, as well as formatting requirements.

Companies will need to assess whether they are covered nonbanks and, if they are, begin preparing to make their initial round of reports – and implement processes designed to timely report new orders and changes to already-registered orders in compliance with the rule on an ongoing basis. Supervised nonbanks also will need to designate an executive responsible for certifying compliance with each order on an annual basis, and they will need to implement and document processes that allow the executive to confirm compliance ahead of making the annual certification.

Covered nonbanks also will now need to be mindful, when they are contemplating entering into a consent order that might need to be included in the registry, that all language contained in the order will be covered by the new attestation requirement.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.