April 29, 2022

US CFPB Re-Examines Its Supervisory Authority


The upshot, for busy people:

  • On April 25, 2022, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) announced that it has begun using its authority to examine nonbank entities that pose risks to consumers. While the Bureau implemented a procedural rule in 2013 governing supervision of nonbanks based on agency-perceived risk, it is unclear whether and how frequently the CFPB has actually exercised this authority to date. The CFPB’s announcement referred to it as “largely unused” authority, suggesting it has not been used frequently, if at all.
  • With this announcement, the Bureau issued an amendment to the 2013 procedural rule on which it seeks comment. Under the amendment, the CFPB Director’s final decision/order on whether a nonbank’s conduct poses a risk to consumers with regard to the offering or provision of consumer financial products or services—and the nonbank should therefore be subject to the Bureau’s supervisory authority—may be made public on the Bureau’s website. It is unclear whether the CFPB will also publicly list all supervised nonbank entities, as it has with depository institutions.
  • To avoid coming under the CFPB’s supervision, nonbank entities should continue focusing on compliance. But because the statute has never been tested, watch for challenges to CFPB orders requiring examination under this authority.

Background: One of the CFPB’s core authorities is the power to supervise and examine financial institutions outside of the context of an enforcement action. The most well-known examples are depository institutions. But under the Dodd-Frank Act, the Bureau also has authority to supervise three categories of nonbank entities that offer or provide a consumer financial product or service: (i) those in the mortgage and mortgage relief, private student loan, and payday loan markets, regardless of size; (ii) “larger participants” in markets for other consumer financial products and services, which the CFPB can define by rule; and (iii) those that the Bureau has reasonable cause to determine are engaging or have engaged in conduct that poses risks to consumers.1 The CFPB has adopted rules defining larger participants in the consumer reporting, debt collection, student loan servicing, international remittances, and auto loan servicing markets and has subjected those entities to supervision.

Dodd-Frank provides the CFPB with express standards under that third “risk to consumers” prong. To subject a nonbank entity to its supervisory authority under this prong, the CFPB must have “reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond, based on complaints collected through the [CFPB complaint] system … or information from other sources, that such covered person is engaging, or has engaged, in conduct that poses risks to consumer with regard to the offering or provision of consumer financial products or services.”2

What constitutes “risk” to consumers is not defined in Dodd-Frank and, despite urging from commenters, the Bureau declined to define “risk” when it implemented this statutory provision through a procedural rule in 2013. Instead, the Bureau noted simply that in evaluating risks to consumers for purposes of determining whether a nonbank entity should be subject to supervision, it would consider whether the entity engaged in conduct that involves “potentially” unfair, deceptive, or abusive acts or practices or otherwise “potentially” violates federal consumer financial law.

The rule provided a clear explanation for how the process will operate mechanically:

  • A CFPB initiating official may issue a Notice of Reasonable Cause (“Notice”) indicating that the Bureau may have reasonable cause to determine that the respondent is a nonbank covered person engaging in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.3
  • Within 30 days after service of the Notice, the respondent may file a written response including all documents or evidence rebutting the Bureau’s contention.4 The response may include a request for a supplemental oral response. The respondent may also voluntarily consent to the Bureau’s authority. If the respondent does not file a response within the 30-day window, they waive the right to do so and may not raise the argument in any petition for judicial review.5
  • Within 45 days of receiving the response (or within 90 days of issuance of the Notice if a respondent requested to present a supplemental oral response), the Associate Director for Supervision, Enforcement, and Fair Lending is to recommend whether there is reasonable cause for the CFPB to determine that the respondent is engaging or has engaged in conduct that poses risks to consumers that should result in an order subjecting the respondent to the Bureau’s supervisory authority.6
  • The Associate Director submits this recommendation to the Director, who then makes a final determination within 45 days to fully adopt, modify or reject the recommended determination.7 If the Director determines that a respondent is subject to the Bureau’s supervisory authority under this rule, the respondent may petition for termination of this authority no sooner than two years from the date of the order and annually thereafter.8
  • The rule recognizes that the Director’s decision constitutes final agency action subject to judicial review under the Administrative Procedure Act.9

What happened? Despite having issued the rule nearly a decade ago, the CFPB has not publicly subjected an entity to supervision under this administrative process. On April 25, the Bureau announced that it would begin using what it called “this dormant authority,” citing the rise of the fintech industry as among the reasons for the change.

In addition to announcing its intent to use this authority, the CFPB is also seeking public comment on the newly announced amendment to the 2013 procedural rule. While information submitted to the Bureau in connection with the Notice and response process described above is deemed confidential supervisory information under the rule, the amendment provides that the Director may determine to make public on the CFPB website all or part of any order determining a nonbank entity is or is not subject to the Bureau’s risk-based supervisory authority, as well as any orders on petitions for termination of this supervisory authority. The amendment provides that a respondent would have seven days after service of this order to file a submission regarding confidentiality for the Director’s consideration. Interested parties can submit comments on the amendment until May 29, 2022.

What’s notable? While the CFPB’s statutory and regulatory authority to examine nonbank entities based on agency-perceived risk is not new, the Bureau’s intention to start using this authority is. The procedural rule allows the CFPB to issue Notice based on reasonable cause to determine that a respondent is engaging or has engaged in conduct that poses risks to consumers, but the Bureau has not provided further guidance on what activities may rise to this level of risk. Given the statute’s and rule’s reference to consumer complaints, nonbank entities should consider reviewing consumer complaints for identification of potential risks to consumers that might factor into a supervision determination.

Additionally, under the amendment to the procedural rule, the Bureau may publicize its decisions on whether a nonbank entity is subject to supervision based on agency-perceived risk, whereas such decisions would previously have been treated as confidential. Although becoming subject to supervision through this process does not mean that an entity has done anything wrong, the fact that the Bureau perceives consumer risk with the entity’s conduct has the potential to result in some reputational damage. Entities should consider submitting comments on this amendment. Notably, to date, the CFPB has not identified the nonbank entities subject to its larger-participant supervisory authority (or other nonbank supervisory authority). It is not clear why risk-based supervisory determinations should be treated differently.

What does this mean for my business? Nonbank entities that do not fall into the categories the CFPB previously identified for supervision should be prepared for the possibility that the CFPB will seek to invoke its supervisory authority over them based on agency-perceived risks to consumers.

But the strictures of this authority are not at all clear: What does it mean for the Bureau to have “reasonable cause”? How much of a “risk to consumers” does the nonbank entity need to pose? These ambiguities, and others, leave openings for companies to challenge a CFPB decision in this area.

1 15 U.S.C. § 5514.

2 Id.

3 12 C.F.R. § 1091.102(a), (b).

4 Id. § 1091.105(b).

5 Id. § 1091.105(c), (d).

6 Id. § 1091.108(a), (b).

7 Id. § 1091.109(a).

8 Id. § 1091.109(b)(4).

9 Id. § 1091.109(d).

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.