
Klaros Insights: CFPB Dusts Off Old Rules to Expand Oversight of Nonbanks


On April 25, 2022, the Consumer Financial Protection Bureau (CFPB) announced that it would dust off its “dormant authority” to monitor nonbanks that pose risks to consumers. In signaling its intent to use this authority, the CFPB specifically called out nonbanks that “operate nationally and brand themselves as ‘fintechs’” as a likely area of focus. If the CFPB follows through in flexing this particular authority, it could have far-reaching implications for nonbanks offering consumer financial products, as well as for the agency itself.


Following the 2008 financial crisis, the Dodd-Frank Wall Street Reform and Consumer Protection Act established the CFPB and granted the agency broad authority to write consumer protection rules for financial services. The CFPB also has broad powers to enforce those rules by bringing lawsuits and/or administrative actions.

However, the CFPB’s authority to supervise firms offering financial products and services to consumers (that is, to examine their books and records) is limited to several specific categories of regulated entities. The CFPB was granted explicit supervisory authority over banks with more than $10 billion in assets and nonbanks engaged in mortgage, private student loans, and payday loans. The CFPB was also given authority to supervise “larger participants” in certain markets, and has exercised that authority with respect to consumer reporting, debt collection, student loan servicers, international remittance providers, and auto loan servicers.

The dormant authority now being invoked by the CFPB is a bit of a catchall. It allows the CFPB to exercise supervisory powers over any nonbank that the CFPB determines poses risks to consumers. Neither the statute nor the CFPB’s procedural rule (originally adopted in 2013, but heretofore not exercised) identifies the assessment criteria to be applied, allowing the CFPB enormous flexibility in making determinations regarding whether and how to exercise this authority.


Unlike most supervisory agencies, the CFPB can exercise this authority one entity at a time, rather than focusing generally on a product, sector, or activity. Moreover, the CFPB’s announcement coincided with a proposal to disclose the CFPB Director’s final decision and order concerning any determination that a company poses risk to consumers. As originally adopted in 2013, all such information was to be treated as confidential supervisory information. This raises the specter of the CFPB using its authority to “name and shame” companies by releasing certain details of its supervision, or using the threat of doing so, to encourage cooperation with the Bureau’s demands. However, the prospect of being singled out may cause firms to treat the process more like an adversarial litigation than a typical supervisory exercise, ostensibly undermining one of the benefits of supervision as compared to enforcement.

The standard for the Director to exert supervisory authority over a particular company is not high. The Director need only find “reasonable cause” to determine a company “poses” risks to consumers, not evidence of actual harm. However, the CFPB has limited resources. As of September 30, 2021, the CFPB had 1,591 total employees, and only 700 in the division of Supervision, Enforcement, and Fair Lending, with only a subset of those employees dedicated to supervisory programs. As of December 31, 2021, there were approximately 200 large banks subject to CFPB supervision, in addition to numerous nonbanks scoped into CFPB supervision under the larger participant rule. As a result, the CFPB will have to prioritize when and where to utilize this previously unused authority.

The CFPB’s announcement provides some clues as to how the Bureau will likely determine its priorities. As usual, the CFPB will consider consumer complaints as a key risk indicator of potential consumer harm. The release also cited information from judicial opinions and administrative cases, as well as other regulators (both federal and state). Under CFPB Director Rohit Chopra, the CFPB has expanded coordination with state regulators and attorneys general, so companies under scrutiny at the state level may also find themselves in the CFPB’s crosshairs.

Time will tell which companies are targeted for supervision, but based on Chopra’s public statements and actions to date, we believe the following categories and sectors are likely candidates:

  • Big Tech companies offering consumer financial services

  • Buy-Now-Pay-Later lenders

  • Large fintechs with nonbank consumer offerings, such as PayPal and Block

  • High-cost lenders or large neobanks working with bank partners

  • Consumer-facing cryptocurrency applications

  • Lead-generation marketplaces

In March 2022, the CFPB proposed sweeping changes to its examination manual for “unfair, deceptive and abusive acts and practices” (UDAAP). Under the revised guidance, evidence of discriminatory impact, even absent discriminatory intent, could be the basis for a UDAAP finding even outside of products covered by the fair lending laws. Nonbanks now facing potential CFPB examinations will also have to consider how the CFPB’s expanded approach to UDAAP might impact their business, as discussed in this post by our Klaros colleagues.

The CFPB is required to provide companies notice and an opportunity to respond prior to invoking this authority. However, once invoked, the CFPB will be able to bypass formal discovery and other aspects of due process typically afforded respondents in formal legal proceedings, gathering information while potentially preventing companies under examination from asserting privileges or limiting the scope of inquiry. At the same time, supervisory processes are generally more resource-intensive than enforcement actions, so the CFPB will have to consider the opportunity costs of pursuing supervision.

Finally, the CFPB has historically been an enforcement-focused agency with a comparatively limited emphasis on supervision. The staff and culture required to exercise these two authorities are distinct—supervision is typically ongoing, highly confidential and more cooperative, whereas enforcement is more adversarial and discrete. The CFPB’s proposal suggests a blurring of these lines, and it will be important to monitor how the Bureau exercises this supervisory authority in the coming months.

Photo by Samuel John via Flickr.

