CFPB Establishes Registry to Track Nonbank Entities Breaking Consumer Protection Laws
The CFPB adopted a rule that establishes a registry to track nonbank covered persons who repeatedly break consumer protection laws. (See related coverage.)
Under the new rule, nonbank companies hit with enforcement orders from local, state, or federal agencies must register with the CFPB. Additionally, a senior executive from each company must attest annually that the company is no longer violating the law. The registry will publicly disclose information about these enforcement orders.
The rule applies to nonbank entities involved in offering or providing consumer financial products or services, excluding insured depository institutions, credit unions and certain other entities. Orders that must be registered include final, public orders issued by agencies or courts that name the company and impose obligations based on alleged violations of consumer protection laws.
In addition, nonbank companies must submit detailed information about themselves and the enforcement orders, including the legal name, business address, details of the issuing agency or court and the specific violations. The CFPB requires updates to this information within 90 days of any changes. For nonbanks under CFPB supervision with over $5 million in annual receipts, the rule imposes additional requirements. These companies must annually submit a written statement by a senior executive, detailing steps taken to comply with the order and reporting any instances of noncompliance.
The final rule goes into effect on September 16, 2024, with initial registration deadlines starting on October 16, 2024, and varying based on the size and supervision status of the nonbank.
Commentary
This rule issuance is a further demonstration of the CFPB's refreshed and reinvigorated momentum push in the wake of the recent Supreme Court decision affirming the constitutionality of the CFPB's funding structure. Another week, another rule. This rule reflects a commitment made by CFPB Director Rohit Chopra at a December 2022 meeting of the state attorneys general in Washington, DC, at which he promised not only to partner with the states, but to elevate the states' work and do all that he can to ensure that it is neither minimized nor preempted. The rule will likely: (i) federalize compliance with state orders, no matter how insubstantial the underlying matter; (ii) further advance Director Chopra's agenda of individually penalizing senior executives for noncompliance and "reining in" repeat offenders; and (iii) place additional compliance burdens on affected nonbank financial institutions—even smaller market entrants such as FinTechs. Keep in mind that the failure to report would be an independent violation of the CFPB regulation and could lead to significant federal penalties against both the entity and individuals. As the CFPB states, "[t]he new registry is part of the CFPB’s ongoing focus on holding lawbreaking companies accountable and stopping corporate recidivism."
The CFPB stated that it intends to publish this information "on its website and potentially in other forms" (although apparently the written statements "will be treated as confidential supervisory information"). While the CFPB expects that the registry will be used by state attorneys general, state regulators, and other law enforcement agencies, the registry will also be publicly available, which means that investors, creditors, business partners and members of the public can conduct due diligence or research on affected entities.
Further, the CFPB stated that Congress, through the Dodd-Frank Act, provided the CFPB with the authority to register nonbanks. This is the first-ever rule by the CFPB to utilize such authority. While the rule will almost certainly be challenged as exceeding the agency’s authority under Dodd-Frank, affected businesses should presume that these requirements will go into effect for the time being according to the timelines established by the CFPB.