
CFPB Proposes Rule Requiring Nonbank Consumer Financial Services Providers to Submit Their Enforcement Orders to a Public Registry

December 21, 2022

On December 12, 2022, the Consumer Financial Protection Bureau issued a 211-page rulemaking proposal that would require certain nonbank providers of consumer financial services to register specified information with the agency.[1] The proposal reflects Director Chopra’s concern with companies that are “repeat offenders” and his emphasis on accountability by individual executives.

The first part of the proposal would require nonbanks that are under certain final public enforcement orders by federal, state, or local agencies involving consumer financial products or services to submit such orders to the CFPB. The CFPB would maintain an online public registry, which would include identifying information about each company and a copy of each order. The CFPB believes that this would help it identify and track “corporate recidivism” and would inform CFPB’s rulemaking, supervision, and enforcement activities.

The second part of the proposal applies to the subset of nonbanks that are subject to the CFPB’s supervision/examination authority and have over $1 million in annual revenues derived from consumer financial services. In addition to the information described above, these companies would be required to: 1) name a senior executive officer who is responsible for the company’s efforts to comply with each order, whose name and title would be made public on CFPB’s registry, and 2) provide CFPB, as confidential supervisory information, annual written statements signed by each executive stating whether, to the executives’ knowledge, the company has engaged in any violations or noncompliance with each order.

Once the rulemaking proposal is published in the Federal Register, the public will have 60 days to submit comments. The proposal states that the registry would not be implemented until at least January 2024.

Below, we provide a high-level overview of the proposal and offer some observations.

Requiring Nonbanks to Register Consent Orders in CFPB’s Public Registry

The first part of the proposal would apply to nonbanks that are “covered persons” under CFPB’s statute. Nonbank covered persons generally include those that are engaged in the following activities for use by or pertaining to consumers (i.e., personal, family, or household use):

  • extending credit or servicing loans;
  • extending or brokering certain leases of personal or real property;
  • providing real estate settlement services;
  • engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds;
  • selling, providing, or issuing stored value or payment instruments;
  • providing check cashing, check collection, or check guaranty services;
  • providing payments or other financial data processing products or services to a consumer by any technological means;
  • providing financial advisory services;
  • collecting, analyzing, maintaining, or providing consumer report information or certain other account information; and
  • collecting debt related to any consumer financial product or service.

The CFPB estimates that there are approximately 155,000 covered nonbanks and that between 1% and 5% have covered orders. The proposal does not encompass any bank or credit union, any natural person, or any entity excluded from CFPB’s jurisdiction.

The proposed rule would require such covered persons to register with the CFPB in the event that they have one or more “covered orders,” which refers to public court judgments or agency orders obtained or issued by a federal, state, or local agency. A covered order must have an effective date on or later than January 1, 2017, and must resolve alleged violations of a “covered law” in connection with the offering or provision of a consumer financial product or service. A covered law, in turn, generally includes:

  • a Federal consumer financial law (which is the term of art for the approximately 20 laws, such as the Truth in Lending Act and the Electronic Funds Transfer Act, that the CFPB administers);
  • any other law that the CFPB may enforce (such as the Military Lending Act);
  • the prohibition on unfair or deceptive acts or practices (UDAPs) under section 5 of the FTC Act; and
  • a state law prohibiting unfair, deceptive, or abusive acts or practices that is identified in an appendix to the proposed rule.

A covered order must also contain provisions requiring the company to “take certain actions or refrain from taking certain actions”—i.e., it must contain injunctive or remedial provisions. Such covered orders could be issued by a variety of authorities beyond the CFPB, such as the Federal Trade Commission, state attorneys general, and state regulatory agencies.

Under the proposed rule, if a covered nonbank has one or more covered orders that are currently in effect, it must submit them to the CFPB along with identifying information for the company, such as its legal name, its state of incorporation, and its principal place of business. This information must be submitted within 90 days of the “nonbank registration system implementation date” set by the CFPB or within 90 days of the effective date of any new covered order.

In its proposal, the CFPB states that a “centralized, up-to-date repository” of public orders would help the CFPB “identify concerning trends in these markets that it might otherwise miss,” perceive potential gaps in enforcement, and inform the agency on which tool it may use to address relevant risks to consumers. Among other things, the CFPB notes that it could use the information to determine which companies to designate for supervision based on their risks to consumers, pursuant to its 12 U.S.C. 1024(a)(1)(C) authority, which Director Chopra has described as a “dormant” authority that he now wants to utilize. The CFPB also states that, upon learning of an order issued by another agency, it “may consider bringing its own supervisory or enforcement action in connection with the same or related conduct.”

Requiring Nonbanks Subject to CFPB’s Supervision/Examination Authority to Designate an Attesting Executive and Submit Additional Information regarding Compliance with Each Order

The second part of the proposal imposes additional obligations on a subset of covered nonbanks that have one or more covered orders—namely, those that are subject to the CFPB’s supervision and examination authority[2] and have at least $1 million in annual revenues resulting from providing consumer financial products or services. The proposal refers to these entities as “supervised registered entities.” These requirements only apply to covered orders that are effective on or after the implementation date of the CFPB’s nonbank registration system.

In addition to submitting covered orders, each supervised registered entity is required annually to designate, for each covered order, an “attesting executive,” who is its “highest ranking duly appointed senior executive officer (or, if the supervised registered entity does not have any duly appointed officers, the highest-ranking individual charged with managerial or oversight responsibility for the supervised registered entity) [1] whose assigned duties include ensuring the supervised registered entity’s compliance with Federal consumer financial law, [2] who has knowledge of the entity’s systems and procedures for achieving compliance with the covered order, and [3] who has control over the entity’s efforts to comply with the covered order.”

The name and title of each attesting executive will be published by the CFPB in the public registry.

In addition, each attesting executive is required annually to submit to the CFPB—as confidential supervisory information not available on the public registry—a written statement on or before March 31 of each year, which includes the following for the preceding calendar year:

  • a general description of the steps that the attesting executive has undertaken to review and oversee the supervised registered entity’s activities subject to the covered order; and
  • an attestation as to whether, to the executive’s knowledge, the supervised registered entity “identified any violations or instances of noncompliance with any obligations that were imposed in a public provision of the covered order by the applicable agency or court based on a violation of a covered law.”

The proposal would require each company to maintain documents “sufficient to provide reasonable support” for the written statement for a period of five years, and to make such documents available to the CFPB upon request.

The attesting executive’s written statement would not be required to be signed under penalty of perjury, but the CFPB notes that “knowing and willfully filing a false attestation or report with the Bureau may be subject to criminal penalties.”

The proposed rule provides a method for companies to communicate their good faith belief to the CFPB that they are not covered persons for purposes of the CFPB’s jurisdiction, that their orders are not covered orders, and/or that they are not supervised registered entities, at which point the CFPB could take action to make a contrary determination.


This is a novel and expansive rulemaking proposal that would represent the first significant use of the CFPB’s nonbank registration requirement authority. It is likely that nonbank consumer financial services providers and trade groups will raise various objections to the proposal during the comment period.

In particular, we expect that commenters will argue that CFPB’s proposal overreaches in various ways. While one could understand the CFPB’s interest in what sort of compliance program a supervised nonbank is maintaining with respect to a particular type of consumer financial service, and what improvements are underway, commenters may well question what legitimate interest the CFPB has in requiring companies to report on their compliance with orders issued by other federal or state agencies. The agencies that issued such orders will often be monitoring compliance with each order and requiring periodic reporting, and the CFPB’s imposition of additional and different reporting requirements could duplicate or even interfere with these processes.

We expect that there will be particular criticism of the requirement that each supervised registered company designate a senior executive for each order, whose name will be listed in the public registry and who is required to make and sign attestations about compliance with each order. The CFPB has justified this requirement on the ground that it “would create an additional incentive for certain entities to comply with their obligations to consumers.” Commenters, however, might argue that the agency that issued an order will often have imposed its own governance and reporting requirements (and methods for addressing potential violations of the order) that this senior executive requirement could interfere with. More importantly, the requirement will likely be criticized as an unfair “name and shame” measure that builds on the CFPB’s aggressive stance on enforcement against individual executives. The CFPB has explicitly stated that the requirement would “facilitate the Bureau’s ability to identify situations in which individual executives have recklessly disregarded, or have actual knowledge of, the entity’s violations of covered orders.” This is another initiative that could deter qualified personnel from assuming senior compliance roles in the consumer financial space.

If the proposal is implemented, attesting executives and their companies would be well advised to take great care in drafting their statements regarding whether the company has engaged in any violations or noncompliance with each order and in collecting a sufficient documentary basis to support the statements. Not only could such statements give rise to potential enforcement by the issuing agency, but the CFPB may also investigate if it believes that the information is not accurate or complete. In light of this, the CFPB’s statement in its cost/benefit analysis that preparing the written statement would cost “roughly $1200 per firm” appears to be a radical underestimate.

Finally, nonbanks should be attentive to the possibility that if the proposal is implemented, it could pave the way for the CFPB to add additional registration and reporting requirements in the future, whether this involves requiring companies with one or more covered orders to provide additional information (whether publicly or confidentially) or to expand the registry to include nonbanks with other characteristics of interest to the CFPB. For instance, the proposal itself notes that the CFPB has considered whether to require supervised registered entities to obtain an independent third-party audit or review of the attesting executive’s written statement; even if not included in the final rule, it is possible the CFPB could pursue this option in the future.

* * *


[1] The proposed rule is available here.

[2] Nonbanks that are subject to the CFPB’s supervision and examination authority are:

  • All nonbanks in the mortgage, private student lending, and payday industries.
  • Larger participants, as defined by CFPB regulations, in the following industries: consumer reporting, consumer debt collection, student loan servicing, international money transfer, and automobile financing.
  • Companies designated for supervision pursuant to 12 U.S.C. 5514(a)(1)(C), which authorizes the CFPB to designate particular companies for supervision based on their risks to consumers (thus far, we are not aware of any such designated companies).

The proposal excludes companies that are subject to CFPB supervision only because they are service providers to supervised nonbanks.

© 2023 Paul, Weiss, Rifkind, Wharton & Garrison LLP
