On Monday, the CFPB published a Press release announcing that it will begin using its authority to review non-bank financial services institutions that the CFPB has “reasonable grounds to determine pose risks to consumers”. In addition, the CFPB published a rule of procedure aimed at “increasing the transparency of the risk determination process” by subjecting the results of the CFPB’s surveillance of non-banking entities to publication. This release is another signal that the Bureau intends to take an increasingly aggressive enforcement stance toward more of the financial services industry.
The CFPB currently has both supervisory and review powers. In addition to its supervisory authority over certain depository institutions depending on the type and size of institution, expanded by categories of “covered persons”, the CFPB has statutory authority to supervise non-custodial covered persons that “the Bureau has reasonable grounds to determine, by order, after notice to the person concerned and a reasonable opportunity for that person concerned to respond, based on the complaints. . . or information from other sources, that such Covered Person is engaging or has engaged in conduct that poses risks to consumers with respect to the offering or provision of financial products or services to consumers[.]”
Although this supervisory authority appears to be extremely broad, the CFPB has rarely used it to supervise non-custodial institutions. To the contrary, the CFPB has acted on its review authority in the past using civil investigative requests or other actions to pursue alleged harms. This most recent press release indicates that the Bureau will begin to aggressively use its oversight authority and ability to broadly categorize certain acts and practices as “risky,” such that oversight scrutiny is warranted. According to CFPB director Rohit Chopra, “[t]its authority gives us critical agility to act as quickly as the market, enabling us to conduct reviews of financial companies posing risks to consumers and stop the damage before it spreads. In particular, the press release takes aim at fintechs, citing their “rapid growth” and seeking to “level the playing field between banks and non-banks”.
The CFPB also announced a new rule of procedure designed to “increase the transparency of the risk identification process”. More specifically, the rule modifies a rule of procedure 2013 related to oversight by the Office of Non-Banks, which previously considered documents, records and other items related to an examination to be confidential. Under the new rule, there will be an exception regarding final decisions and orders of the CFPB Director which will allow certain decisions to become public after notice and response from the supervised entity.
Take away food
It is no surprise that the current CFPB is seeking to expand its authority to oversee players in the financial services space. Whether through new interpretations of UDAAP and Fair Lending, or his recent statements regarding third-party service providers, Director Chopra and the Bureau have taken a predictably expansionary approach. However, the recent letter should be of particular concern for fintechs and non-bank service providers in the financial services space. The Bureau now takes the position that it can deem any form of activity “risky”, and can therefore exercise its supervisory authority. Entities that might have believed – quite reasonably – that they were beyond the reach of the CFPB should reconsider and take steps to reduce risk in anticipation of a potential review.
Beryl Newchurch Billings contributed to this article
© 2022 Bradley Arant Boult Cummings LLPNational Law Review, Volume XII, Number 116