marzo 05 2024

CFPB Issues Order Establishing Supervisory Authority Over Nonbanks


On February 23, 2024, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) published an order establishing supervisory authority over a small-loan consumer finance company, using a Dodd-Frank Act provision that allows the Bureau to supervise certain nonbanks that it has reasonable cause to determine pose risks to consumers (the “Order”). The Order represents the CFPB’s first publicized use of this authority in a contested case.

The Order provides insight into how the Bureau views its authority to designate certain nonbank entities for supervision. In this Legal Update, we summarize relevant aspects of the Bureau’s supervisory authority, and highlight key takeaways from the Order.

CFPB’s Supervisory Authority

In addition to its broad powers to enforce enumerated federal consumer financial laws, one of the CFPB’s core authorities is its power to supervise and examine certain entities. The Bureau has authority under the Dodd-Frank Act to supervise large (i.e., over $10 billion in assets) banks, thrifts and credit unions. The CFPB also has authority under the Dodd-Frank Act to supervise nonbank entities that fall into the following five categories:1

  • Covered persons2 who offer or provide origination, brokerage, or servicing of mortgage loans or loan modification or foreclosure relief services in connection with such loans;
  • Covered persons who offer or provide a consumer a private education loan;
  • Covered persons who offer or provide a consumer a payday loan;
  • Covered persons who are “larger participants” of a market for other consumer financial products or services as defined by rule;3 and
  • Covered persons who the Bureau has reasonable cause to determine are engaging, or have engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.

Supervisory authority allows the CFPB to examine entities to gain information about their activities and processes, and to assess their compliance with federal consumer financial law. Supervisory examinations typically result in a Supervisory Letter drafted by the Bureau detailing its findings and recommendations, primarily in the form of Matters Requiring Attention (“MRAs”). Depending on the Bureau’s findings, an examination could lead to a referral to enforcement or a supervisory Memorandum of Understanding (“MOU”).

Reasonable Cause to Determine an Entity Poses Risks to Consumers

In 2022, after conducting an assessment of its supervision program, the CFPB announced that it planned to invoke its largely unused authority to supervise covered persons it has reasonable cause to determine are engaging, or have engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.4 The Bureau explained that this authority allows the CFPB to be agile and supervise entities that may be outside of its existing supervision program.5

The CFPB has promulgated procedural rules governing the process of deciding that it has cause to determine an entity poses risks to consumers.6 Specifically:

  • A CFPB initiating official may issue a Notice of Reasonable Cause (“Notice”), indicating that the Bureau may have reasonable cause to determine that the respondent is a nonbank covered person engaging in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.7
  • Within 30 days of service of the Notice, the respondent may file a written response rebutting the Bureau’s contention.8 The response may include a request for a supplemental oral response. The respondent may also voluntarily consent to the Bureau’s authority. If the respondent does not file a response within the 30-day window, the rule provides that it waives the right to do so.
  • Within 45 days of receiving the response (or within 90 days of issuance of the Notice, if a respondent requested to present a supplemental oral response), the Associate Director for Supervision, Enforcement, and Fair Lending is to recommend whether there is reasonable cause for the CFPB to determine that the respondent is engaging or has engaged in conduct that poses risks to consumers that should result in an order subjecting the respondent to the Bureau’s supervisory authority.9
  • The Associate Director submits this recommendation to the Director, who then makes a final determination within 45 days to fully adopt, modify, or reject the recommended determination.10 The rule states that the Director’s decision constitutes final agency action subject to judicial review under the Administrative Procedure Act.11
  • If the Director determines that a respondent is subject to the Bureau’s supervisory authority under this rule, the respondent may petition for termination of this authority no sooner than two years from the date of the order and annually thereafter.12
  • The Director will decide whether an order will be publicly released, in whole or in part.13 The rule provides that the Bureau will not disclose information that would be exempt from disclosure under certain provisions of the Freedom of Information Act, or if the Director determines there is other good cause not to release the information.

Takeaways from the Order

In the Order, the Bureau explains why it has reasonable cause to determine that the company at issue, an installment lender, is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services. Below are a few key takeaways from the Order.

  • Reasonable Cause to Determine:” The Order emphasizes the fact that the Bureau only needs to have a “reasonable cause to determine” that the covered person’s conduct poses risks to consumers. According to the Bureau, this standard is a “relatively lenient burden of persuasion,” and stands in contrast to a preponderance of the evidence standard or a clear and convincing standard. This is an important point for entities to keep in mind as they weigh the risks and benefits of contesting a supervisory notice.

The CFPB explains that this lower standard is appropriate, given the “relatively limited impact” of the supervisory determination on an entity. However, given the burden of responding to examination requests—which routinely require the production of voluminous amounts of data, documents, and information, and the fact that examinations can lead to MRAs requiring changes to business practices or to a supervisory MOU or enforcement action—we suspect that many institutions would not agree with the Bureau’s view that being supervised has a “relatively limited impact.”

  • Determination Based Largely on Consumer Complaints: The Order makes clear that the CFPB’s risk determination was largely based on consumer complaints collected through the CFPB’s complaint system. The company at issue argued that unverified complaints were not sufficient to designate it for supervision. The CFPB rejected this argument, noting that the Dodd-Frank Act states that a risk determination may be “based on complaints,” and does not qualify that the complaints must be verified. Further, the CFPB reasons that supervision will allow the CFPB to look more closely at the merits of the complaints.

This underscores the importance of reviewing complaints in the CFPB’s complaint system to identify potential risks that might factor into a supervision determination.

  • Nature of Business Contributed to Determination: While the Order relies heavily on consumer complaints, it also emphasizes that the company at issue routinely refinances its loans, including delinquent loans. The Order states that one of the main concerns when Congress passed the Dodd-Frank Act surrounded products and services that allowed creditors to profit from borrowers who are unable to pay their loans.
  • Reputational and Litigation Risk: Although the CFPB clarifies that the Order does not constitute a finding that the entity has engaged in any wrongdoing, the Order does not come across as innocuous. Instead, it largely reads as a litany of concerns about the company. For example, the CFPB states that it has “reasonable cause to the determine” the entity does not adequately explain to consumers that certain insurance coverage is optional, that it engages in excessive harassing and coercive collection practices, and that it furnishes inaccurate information to consumer reporting agencies, among other concerns. This type of public release could increase litigation and reputational risk, and is another important factor for entities to consider if they receive a Notice and are determining whether to contest it.

The Order serves as an important reminder that nonbank entities— including fintechs—that currently are not supervised by the Bureau may nonetheless come under CFPB supervisory authority through a risk determination. Moreover, it provides key insights into how the CFPB is viewing this largely unused authority.


1 12 U.S.C. §§ 5514, 5515. The CFPB also has the authority to supervise certain service providers to supervised entities. Id.

2 A covered person is defined as “any person that engages in offering or providing a consumer financial product or service.” Id. § 5481(6). Certain affiliates of a covered person are also covered persons.

3 The CFPB has conducted rulemakings to define thresholds for entities subject to supervision in the markets of consumer reporting, debt collection, student loan servicing, remittances, and auto loan servicing.

4 Consumer Financial Protection Bureau, “CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers,” April 25, 2022.

5 Id.

6 See 12 C.F.R. Part 1091.

7 12 C.F.R. § 1091.102.

8 Id. § 1091.105.

9 Id. § 1091.108.

10 Id. § 1091.109.

11 Id. § 1091.109(d).

12 Id. § 1091.109(b)(4).

13 Id. § 1091.115(c)(2).

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.