Davis Polk Discusses CFPB “Dormant” Authority to Examine Wide Range of Companies

The CFPB plans to use its authority to examine any company providing consumer financial products or services that the CFPB has “reasonable cause” to believe poses risks to consumers.

The CFPB has announced its intention to invoke its “dormant” statutory authority to examine any company providing consumer financial products or services that it has “reasonable cause” to believe poses risks to consumers.1 The authority the CFPB is referring to is a catch-all provision in Title X of the Dodd-Frank Act that can capture a wide range of companies that offer consumer financial products or services to individuals as well as affiliates that act as service providers to those companies. In addition, the CFPB is proposing and seeking comment on amendments to a procedural rule to clarify the process by which the CFPB may invoke supervisory authority over such a company or affiliate. The CFPB says that its announcement and rule proposal are a response to the rapid growth of consumer financial services offered by fintechs.

Background

The CFPB’s announcement requires an understanding of the CFPB’s rulemaking, supervision and enforcement authorities under Title X of the Dodd-Frank Act. Under the 19 enumerated consumer financial laws transferred to it under the Dodd-Frank Act, the CFPB has rulemaking authority to pass regulations related to any “consumer financial product or service” provided to an individual customer.2 The CFPB’s supervisory authority is limited to (1) depository institutions with over $10 billion in assets and (2) certain non-depository institutions, including participants in certain enumerated sectors, “larger participants” in other consumer financial markets defined by the CFPB, and institutions the CFPB has “reasonable cause” to believe pose risks to consumers.3 In the absence of a consumer financial product or service, or in the case of a type of financial institution that is excluded from the CFPB’s supervisory authority, the CFPB has no supervisory authority.4  Within the scope of consumer financial products or services and the entities subject to CFPB supervisory authority, the CFPB has enforcement authority to investigate and commence enforcement actions for violations of the consumer financial laws.5

The statutory definition of “consumer financial product or service” sets the limits of the CFPB’s rulemaking authority and allows the CFPB to write rules applying the consumer financial laws to an array of financial services offered to individuals for “personal, family, or household purposes.”6 Financial services within the definition include credit transactions, including extending credit and servicing loans; real estate related services; debt collecting; consumer credit data reporting; deposit-taking activities; and payments activities, including payment processing and online banking activities.7

Additionally, the CFPB has supervisory authority over certain “covered persons,” meaning it can require reports from, examine, and bring enforcement actions against those entities. Covered persons are defined as any person that provides a consumer financial product or service to individuals and any affiliate that acts as a service provider to that covered person.8 Depository “covered persons” subject to CFPB supervision include insured depository institutions, credit unions and affiliates with more than $10 billion in total assets.9

Non-depository “covered persons” subject to CFPB supervision have no asset thresholds and can include any person that (1) provides a consumer financial product or service to individuals and (2) falls into one of several categories of non-depository institutions.10 The CFPB has supervisory authority over non-depository covered persons in certain enumerated sectors, including the mortgage sector, the private student loan sector and the payday lending sector.11 The CFPB also has supervisory authority over non-depository “larger participants” in other consumer financial markets defined by the CFPB.12 Under this authority, the CFPB has passed regulations to clarify its authority over various consumer financial markets and defined the metrics by which a company may be deemed a “larger participant” in that market.13 Finally, the CFPB has catch-all authority to supervise non-depository covered persons (which we will simplify to “covered persons” for the remainder of this Client Update) that the CFPB has “reasonable cause” to determine pose a risk to consumers with respect to the provision of consumer financial products or services.14 In addition, any affiliate that acts as a service provider to one of the above covered persons is itself subject to CFPB supervision.15

The CFPB’s announcement concerns the catch-all supervisory authority over covered persons it has “reasonable cause” to believe pose risks to consumers. Under the statute, this authority can be invoked by order after notice to the covered person and a reasonable opportunity to respond. Pursuant to this authority, in 2013 the CFPB passed a procedural rule to establish the process by which the CFPB would determine that a covered person was engaging in conduct that poses risks to consumers.16 The procedural rule clarifies that after such determination, the CFPB is authorized to compel the covered person to provide reports, examine the covered person if deemed appropriate, and seek enforcement actions to correct violations of the consumer financial laws. The CFPB has not previously invoked its authority to determine that a covered person poses risks to consumers.

Procedural Rule Amendments

At the same time as the CFPB’s announcement, the CFPB issued a request for public comment on amendments to its procedural rule for establishing supervisory authority over a covered person after a risk-based determination.17 The amendments add a mechanism for the CFPB to make public the final decisions and orders resulting from these proceedings. The CFPB’s stated purposes for the amendments are to increase transparency in its risk-based determinations and to make the final decisions or orders available as precedents in future proceedings. The amendments to the procedural rule are effective immediately, but the CFPB requests comment on the amended rule by May 31, 2022.

2013 Procedural Rule

The 2013 procedural rule passed by the CFPB outlines the procedures the CFPB will follow to determine that a covered person poses a risk to consumers.18 Since the CFPB’s authority under this provision has never been invoked to date, the details of the procedural rule provide important insights into how such a determination would work in practice.

The rule clarifies the factors considered in determining “reasonable cause” that a covered person poses “risk to consumers.”19 Reasonable cause behind such a determination of risk can be based on consumer complaints or information from other sources, including judicial opinions, administrative actions by the CFPB or other government enforcement agencies, whistleblowers, or news reports. Risks to consumers include unfair, deceptive, or abusive practices or conduct that otherwise potentially violate consumer financial laws. Evaluation of risk can include factors such as past conduct of the company, asset size, volume of transactions, supervision of the entity by other federal or state regulators, and other factors the CFPB determines to be appropriate.

Additionally, the rule lays out procedures to notify a covered person that it is being considered for supervision.20 The CFPB is required to issue to the covered person a Notice of Reasonable Cause that the covered person may pose risks to consumers. In that Notice, the CFPB only needs to provide the basis for that assertion and a summary of the sources relied upon in making that assertion.

Next, the rule outlines how the CFPB will provide the covered person an opportunity to respond.21 The procedural rule clarifies that there is no statutory requirement for a hearing or a formal adjudication, only notice and an opportunity to respond. The covered person can respond by either challenging the assertion that it poses risks to consumers or voluntarily consenting to CFPB supervision. In its challenge, the covered person must include the basis for its challenge and all sources relied upon in its challenge.

The rule also clarifies that the CFPB’s determination of “reasonable cause” that a covered person poses risks to consumers means that the CFPB has authority to supervise the covered person. Supervisory authority includes the ability to compel the covered person to report requested information, examine the covered person for compliance with the consumer financial laws, and commence enforcement actions against the covered person to correct violations of the consumer financial laws.22

Finally, the rule creates a mechanism for a covered person to file a petition to terminate CFPB supervision.23  A covered person may not file the petition until two years after issuance of the order establishing supervision. If rejected, the covered person can petition again, but only once each year thereafter. The procedural rule clarifies that this mechanism is provided instead of an administrative appeals process to challenge a determination.24 However, the CFPB’s risk-based determination is a “final agency action” under 5 U.S.C. 704 of the Administrative Procedure Act (APA) that a covered person could challenge in court.25 The CFPB’s decision to approve or deny a petition to terminate CFPB supervision is also a “final agency action” subject to challenge in court.26

Amendments to Procedural Rule

The CFPB’s amendments to the procedural rule create a process to publicly release the final decision and order establishing supervisory authority over a covered person for posing risks to consumers.27 Under the prior procedural rule, all documents, records or items between the CFPB and the covered person before, during, or after such a determination are confidential supervisory information (CSI).28 The designation of these materials as CSI establishes protections to prevent the public release of that information. The amendments would create an exemption to allow the CFPB to publish the risk-based determinations, subject to a mechanism permitting a covered person to challenge the decision to make those materials public.

The amendments create a process by which the Director of the CFPB can decide to publicly release the final decision or order, in whole or in part, after a risk-based determination.29 The amendments also provide a mechanism for a covered person to challenge the decision to publish the final decision or order. The amendments specify that the CFPB must provide notice to the covered person of a decision to publish the final decision or order and the covered person will have seven days to file a submission challenging the decision. At that point, the Director would consider the covered person’s challenge and provide a response determining whether to proceed with publishing the final decision or order. The Director’s response determining to make the final decision or order public could also be publicly released if the Director chooses to do so. The amendments clarify that the rule does not automatically trigger public release of final decisions and orders, but rather creates a procedure by which the option can be considered by the Director.30

Implications

The CFPB’s announcement and amendments to the procedural rule should be viewed in the larger context of the CFPB’s expansive enforcement posture under its new Director. The Director has recently made similar announcements signaling that the CFPB is interpreting its authority broadly to expand the CFPB’s ability to pursue violations of the consumer financial laws wherever they may be found. The CFPB’s announcement of its intention to invoke its authority to supervise covered persons that the CFPB has reasonable cause to believe pose risks to consumers has a few key implications.

First, the announcement vastly increases the scope of companies potentially subject to CFPB supervision, examination and enforcement actions. As discussed, the CFPB’s definition of consumer financial products or services is broad and can include a wide range of activities in the financial services sector. The CFPB’s catch-all supervisory authority over covered persons the CFPB has reasonable cause to believe pose risks to consumers can apply to many non-financial companies that offer consumer financial products or services that are incidental to their non-financial businesses and to any affiliate that provides services to the company. To the extent that the company is part of a larger group, it is likely that affiliates are providing those services.

Second, the CFPB’s announcement targeted fintechs, signaling that the CFPB intends to invoke its authority over fintechs that offer consumer financial products or services.

Third, the CFPB’s announcement signals an alternative to the CFPB’s more established authorities to establish supervisory authority over new consumer financial markets. The CFPB has frequently relied on its authority to supervise “larger participants” of consumer financial markets defined by the CFPB.31 Under this provision, the CFPB is required to define “by rule” the consumer financial market it is going to supervise and include the metrics by which a covered person is a “larger participant” in that market. The process requires the CFPB to follow the time consuming notice-and-comment rulemaking procedures under the APA before supervising a target covered person.

The mechanism of determining supervisory authority based on risks to consumers provides a much more streamlined and discretionary tool for the CFPB to supervise a given company. Rather than requiring notice-and-comment rulemakings, these determinations require only notice and an opportunity to be heard before supervising a covered person. Instead of identifying and analyzing an entire market, the CFPB only needs to identify a covered person that poses risks to consumers. The notice and information required to be provided to the covered person are minor. The procedures for contesting supervision are minimal and give the Director broad discretion to consider the challenge before asserting supervisory authority. Furthermore, the supervisory authority determination can be made unilaterally without need for a formal adjudication in an administrative proceeding through an administrative law judge or court. After such a determination is made, the CFPB does not provide for an administrative appeals process and the covered person may only file a petition to terminate supervision after two years. As a result, the CFPB is able to invoke this provision to rapidly assert supervisory authority over a covered person that it deems risky and the covered person will have little recourse other than challenging the determination in court.

ENDNOTES

1 Press Release, CFPB, CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers (April 25, 2022), https://www.consumerfinance.gov/about-us/newsroom/cfpb-invokes-dormant-authority-to-examine-nonbank-companies-posing-risks-to-consumers/ (CFPB Press Release).

2 See Cheryl Cooper and David Carpenter, Cong. Research Serv., IF10031, Introduction to Financial Services: The Consumer Financial Protection Bureau (CFPB) 1 (2022) (describing the CFPB’s various rulemaking authorities) (CRS Report).

3 See 12 U.S.C. §§ 5514, 5515 (defining the CFPB’s supervisory authorities).

4 Excluded entities include depository institutions under $10 billion in assets and certain exempt entities, such as insurance companies, broker-dealers, and investment advisers. See CRS Report.

5 See 12 U.S.C. § 5514(c) (enforcement authority over non-depository covered persons); 12 U.S.C. § 5515(c) (enforcement authority over depository covered persons).

6 12 U.S.C. § 5481(5)(A).

7 12 U.S.C. § 5481(15).

8  12 U.S.C. § 5481(6).

9 12 U.S.C. § 5515.

10 12 U.S.C. § 5514 (defining types of non-depository covered persons subject to CFPB supervision).

11 12 U.S.C. § 5514(a)(1)(A), (D), and (E).

12 12 U.S.C. § 5514(a)(1)(B).

13 Examples include the consumer credit reporting markets, debt collection, student loan servicing, auto loan servicing and the international remittance market. See CFPB Press Release.

14 12 U.S.C. § 5514(a)(1)(C).

15 12 U.S.C. § 5481(6) (“covered person” includes any affiliate “if such affiliate acts as a service provider to such person).

16 CFPB Procedural Rule To Establish Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination, 12 C.F.R. § 1091 (2013), https://www.govinfo.gov/content/pkg/FR-2013-07-03/pdf/2013-15485.pdf (Procedural Rule).

17 Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination; Public Release of Decisions and Orders, 87 Fed. Reg. 25397 (proposed April 25, 2022), https://www.govinfo.gov/content/pkg/FR-2022-04-29/pdf/2022-09107.pdf (Amendments).

18 See Procedural Rule.

19 See Procedural Rule, Supplementary Information, 40,357.

20 See Procedural Rule, 12 C.F.R. § 1091.102.

21 See Procedural Rule, 12 C.F.R. § 1091.105.

22 12 U.S.C. § 5514.

23 See Procedural Rule, 12 C.F.R. § 1091.113.

24 See Procedural Rule, Supplementary Information, 40,372 (explaining that an administrative appeals process “is not necessary and would significantly add to the complexity and length of the process”).

25 See Procedural Rule, 12 C.F.R. § 1091.109(d).

26 See Procedural Rule, 12 C.F.R. § 1091.113(e)(3).

27 See Amendments.

28 See Procedural Rule, 12 C.F.R. § 1091.115(c).

29 See Amendments (creating new section under § 1091.115(c)(2)).

30 The CFPB expects to apply the trade secrets and personal data exemptions under the Freedom of Information Act (FOIA) to prevent materials gathered during a risk-based determination from being made public. See 5 U.S.C. § 552(b)(4) (trade secrets exemption to FOIA); 5 U.S.C. § 552(b)(4)(6) (personal data exemption to FOIA).

31 See 12 U.S.C. § 5514(a)(1)(B).

This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s recent memorandum, “CFPB invokes ‘dormant’ authority to examine wide range of companies that pose risks to consumers,” dated May 10, 2022, and available here.

Leave a Reply

Your email address will not be published.