The Consumer Financial Protection Bureau (CFPB) made a series of aggressive and unprecedented moves to expand its regulatory purview in 2022. These ranged from announcing the intention to exercise "dormant" authority to conduct regulatory examinations of nonbank financial companies to announcing the intention to force financial institutions to share consumer data with competitors upon consumer request (which CFPB Director Rohit Chopra also described as based on "dormant" authority).
The CFPB closed out 2022 with a deceptively innocuous-sounding proposal to require nonbank financial companies to report certain public orders and judgments relating to consumer protection violations. At first glance, this might appear merely to be a more efficient way for the CFPB to track orders and judgments entered against nonbanks by other regulators. When placed within the full context of the CFPB's recent actions, however, it is clear that this proposal is a powerful one-way ratchet the CFPB can use to expand regulatory control over fintechs and other nonbank financial companies.
The Proposed Registry
There are three central features of the CFPB's proposal. First, it would require certain nonbank covered entities that are subject to final public orders obtained or issued by a federal, state, or local agency in connection with the offering or provision of a consumer financial product or service to report the orders to the CFPB. This would include all final public written orders and judgments (including consent and stipulated orders and judgments) obtained or issued by any government agency for violation of consumer protection laws. Second, the CFPB would maintain a registry of these orders and publish this registry information on its website. Third, the CFPB would require nonbanks who report these orders and judgments to submit annual written statements regarding compliance with each underlying order signed by an attesting executive who has knowledge of the entity's relevant systems and procedures for achieving compliance and control over the entity's compliance efforts.
How the Registry Enhances the CFPB's Power Over Fintechs
To understand the implications of this proposal, it is first necessary to understand which institutions will be directly impacted. When you exclude banks, how many entities are there that offer financial services and products to consumers? A lot. The CFPB itself estimates that there are roughly 155,043 nonbanks that would be covered. While most of these covered nonbanks are not currently subject to orders that would be reportable under the proposed rule, even these nonbanks would be impacted because they would need to institute procedures to ensure that they comply with the new reporting requirement. At present, there is no reason it would even occur to the management of a small fintech company signing a consent order with a local government agency that it might need to file a copy of the order with the CFPB. Ensuring compliance with this rule therefore would require all covered nonbanks (even those not currently subject to an order) to adopt procedures to avoid inadvertently violating this reporting rule if they ever do become subject to a covered order.
The potential impacts on the thousands of nonbanks that are subject to covered orders is much greater. First, and perhaps most dangerous, is the risk that the CFPB will use these reports to justify regulatory examinations of nonbanks. Earlier this year, the CFPB announced that it intended to start conducting regulatory examinations of certain nonbank financial companies that it previously had not examined. The CFPB conceded that it does not have authority to conduct such an examination until it first establishes that a nonbank poses a risk to consumers. The reports that the CFPB wants to force nonbanks to submit concerning orders relating to violations of consumer protection laws and their efforts to comply with those orders may be used by the CFPB to justify a finding that the nonbank poses a risk to consumers and therefore is subject to ongoing examination by the CFPB.
Second, it increases the risk that the CFPB will use the required certifications to bring enforcement actions against nonbanks who file them. As a general matter, the CFPB has very limited visibility into the activity of most nonbank providers of financial products and services because it does not examine them. The proposed mandatory reports would provide the CFPB with targeted information about efforts by nonbanks to correct violations of consumer protection laws. The CFPB would then likely seek to leverage this reporting requirement to obtain supplemental disclosures that it otherwise would have difficulty forcing nonbanks to provide. The CFPB is likely to review all of this information with an eye toward building a case for an enforcement action. In addition, the CFPB may seek to "federalize" violations of state consumer protection laws by bringing actions alleging that a nonbank filed a false certification of compliance with a state order even when the CFPB would not have been able to successfully bring an action based on the conduct that led to the underlying state order against the nonbank.
Third, it substantially increases the risk that the CFPB will seek to bring an enforcement action against the senior executives who sign the certifications. Indeed, the CFPB acknowledges that the CFPB could use information it receives in the certification "in assessing whether an enforcement action should be brought not only against the nonbank covered person, but also against the individual executive."
Fourth, publishing the order and information about the certifying parties could expose the nonbank to litigation risk independent of the CFPB's own investigation. For example, the CFPB notes that the registry will be helpful to employee whistleblowers and "may also facilitate private enforcement of the Federal consumer financial laws by consumers." In other words, the CFPB's proposed system will be a boon to plaintiffs class action attorneys, even when they are pursuing claims that the CFPB has concluded are lacking in merit.
Fifth, it reinforces the CFPB's other efforts to create the perception that it is the prudential regulator of fintechs and other nonbank financial service companies. Before the CFPB announced in 2022 that it had "dormant" powers to regulate nonbanks that provide financial products and services involving, for example, digital assets, "buy now, pay later" (BNPL), and peer-to-peer payments, companies providing these products generally did not view the CFPB as their regulator. For many of these companies, creating procedures to ensure that orders entered into with state regulators are filed with the CFPB would be their first policy or procedure created specifically to comply with a CFPB rule that requires submitting information to the CFPB.
Unintended Consequences
Any time a new regulation becomes effective, there is a risk that it will have consequences other than those intended by the regulator. These risks are heightened where, as here, the regulation is imposed on entities that previously have not even been subject to regulation by the agency. It is impossible to predict what all of these consequences will be, but one relatively direct result is that it will increase the costs to fintechs of entering into consent orders with state and local agencies. A company that is willing to settle with a state or local agency by paying a fine of $100,000 may be much less willing to enter into a settlement that results in a fine of $100,000 plus annual reporting obligations to the CFPB, plus heightened risk of a CFPB enforcement action against the nonbank and its executives, plus heightened risk of CFPB examinations, plus heightened risk of attracting plaintiffs' class action attorneys.
Will these unintended impacts on state and local consumer compliance regulations harm consumers? It is too early to say. Regardless of whether the proposed rule ultimately helps or harms consumers, however, it definitely will further the CFPB's efforts to increase its power over nonbanks that offer financial products and services.
Originally published by New York Law Journal
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
