The Consumer Financial Protection Bureau (“CFPB”) announced that it will conduct exams of nonbank covered entities who otherwise would not be subject to supervision if it believes they pose “risks to consumers.” In addition, the CFPB outlined a process to publicly release the orders and opinions that come out of these supervision determinations. This assertion of authority continues the CFPB’s aggressive pursuit of its mandate, and is expressly focused on keeping the “fintech” space in check.
A New Category of Supervision
This announcement forecasts that the Bureau will seek to examine and supervise companies that previously have not been subject to CFPB supervision. This power can reach companies that are not federally registered banks or that are not already under the CFPB’s examination authority. While the Press Release expressly calls out the fintech industry, the Bureau’s authority could be used on other industries, like payment processors or cryptocurrency companies. On the one hand, the Bureau’s authority to conduct exams of certain covered entities — such as “larger participants” in the market for consumer financial products and services, and home mortgage lenders and servicers — is well established. To date, the CFPB has exerted its supervisory authority to conduct exams of “nonbank entities in the mortgage, private student loan, and payday loan industries, regardless of size,” and certain companies involved in “consumer reporting, debt collection, student loan servicing, international remittances, and auto loan servicing,” depending on their size.
Here, the CFPB relies on its authority under the Dodd-Frank Act to supervise any “nonbank covered person” that “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” The CFPB anticipates examining entities “that may be fast-growing or are in markets outside the existing nonbank supervision program.” In doing so, the CFPB aims “to hold nonbanks to the same standards that banks are held to.” The Bureau previously implemented a policy statement about its risk-based authority in 2013 but has rarely made public reference to it since. While this provision comes along with certain procedural safeguards like notice and a hearing, it is likely the Bureau will interpret “risks to consumers” very broadly, as it seeks to leverage its authority “to move as quickly as the market.”
This development continues the CFPB’s proactive stance under Director Chopra’s leadership. The prior administration criticized the first Director’s approach as “regulation by enforcement” that “pushed the envelope” on the Bureau’s jurisdiction. Practitioners expected the Biden administration would push the envelope anew. The current administration quickly rescinded a policy statement that limited the “abusive” practices the Bureau would pursue, committing to use the full extent of its statutory authority. Here, the Bureau plans to tap a “dormant” power to maximize its jurisdiction, subjecting more entities to supervisory examinations.
CFPB exams are demanding and fast-paced. Exam staff request a large volume of material under very tight timelines with little indication of what the staff may be looking for. These exams can be wide ranging because the Bureau enforces roughly 20 separate federal statutes that cover almost every type of lending, servicing and collection for personal, family and household use in the United States. These statutes reach the covered entities that offer or provide consumer financial services, as well as those entities’ service providers.
The CFPB also has broad authority under the Dodd-Frank Act to pursue any unfair, abusive or deceptive act or practice in connection with the offering or provision of any consumer financial product or service. The Press Release highlights that the very conduct that “poses risks to consumers” may also qualify as “unfair, deceptive, or abusive acts or practices, or other acts or practices that potentially violate federal consumer financial law.” Exams may identify “Matters Requiring Attention” that deserve prompt corrective action, and may result in enforcement. For example, the enforcement action the CFPB and the New York Attorney General recently filed against MoneyGram arose out of remittance rule compliance issues first flagged in a CFPB exam.
The Press Release indicates that fintech companies, payment processors and cryptocurrency companies will increasingly have to respond to exams even where there would be no other basis to expect the CFPB’s supervision.
Public Determinations and Orders
Together with the Press Release, the CFPB issued rule amendments that provide the procedure the Bureau will use to make public its decisions about which nonbank covered persons are subject to this new form of supervision. The Bureau asserts that publication is important to promote “transparency” about how the CFPB uses this power.
In the course of exerting this type of nonbank supervision, the Director issues rulings (1) that an entity qualifies as a nonbank posing risks to consumers, (2) setting the duration of exam supervision, which will typically be for two years and (3) responding to any request to terminate supervision thereafter. The new amendments generally allow entities seven days to respond to the proposed publication, after which, the CFPB will decide whether to release the order publicly on its website.
Previously, exams that did not lead to enforcement always remained private. The CFPB provides strict protections for “confidential supervisory information.” Thus, the notion that opinions and orders from the Director in the course of supervisory exams might become public is a significant change. While the Bureau is committing to redact commercially sensitive and personal information from the public versions of the orders, it remains to be seen whether the identities of the entities undergoing exams would be protected. However, the entity would not generally be permitted to make its own public statements about the exam. As a result, the reputational harm an entity would suffer from the perception that it is posing serious “risks to consumers” would remain even if the exam confirms the entity is in compliance.
Although the rule amendments go into effect immediately, the CFPB is accepting public comments until at least May 25, 2022.
These rule amendments show the CFPB is committed to asserting its maximum authority under the law to bring fintech companies and other emerging players under its regulatory supervision to ensure their compliance with federal consumer financial protection law. Fintech companies should carefully examine their policies and procedures and confirm that they are in compliance with applicable consumer laws.
Schulte Roth & Zabel’s lawyers are available to assist you in preparing a public comment or addressing any questions you may have regarding these developments. Please contact the Schulte Roth & Zabel lawyer with whom you usually work, or any of the following attorneys:
 CFPB, Policy Statement, Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination; Public Release of Decisions and Orders (April 25, 2022), available here (“Public Release Rule”).
 Press Release at 1.
 12 U.S.C. § 5514(a)(1)(A)-(B); 12 C.F.R. part 1090.
 Press Release at 2.
 12 U.S.C. § 5514(a)(1)(C). Dodd-Frank defined “covered person” to include anyone “that engages in offering or providing a consumer financial product or service” and their affiliate service providers. Id. § 5481(6).
 Press Release at 2.
 Id. at 1.
 See CFPB, Final Rule, Procedural Rule to Establish Supervisory Authority over Certain Nonbank Covered Persons Based on Risk Determination, 78 Fed. Reg. 40,351 (July 3, 2013) (codified at 12 C.F.R. part 1091).
 Press Release at 1.
 Mick Mulvaney, Opinion, The CFPB Has Pushed Its Last Envelope, Wall St. J. (Jan. 23, 2018), available here; see also Neil Haggerty, ‘I am very excited to be here’: Kraninger signals new tone atop CFPB, Am. Banker (Dec. 11, 2018), available here.
 12 U.S.C. § 5531.
 Press Release at 2.
 Press Release at 2.
 12 C.F.R. §§ 1091.103(b)(2); .109(a); .113(e).
 See generally Public Release Rule.
 12 C.F.R. § 1070.2(i)(1).
 See Public Release Rule at 4.
 Specifically, the CFPB will accept comments for 30 days after the Public Release Rule is published in the Federal Register. Anyone can submit a comment by email or on regulations.gov by following the instructions in the Public Release Rule. Comments by mail are accepted but discouraged. Note that comments are public records and will be posted online without any revisions.
This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2022 Schulte Roth & Zabel LLP.
All rights reserved. SCHULTE ROTH & ZABEL is the registered trademark of Schulte Roth & Zabel LLP.