Arnold & Porter Discusses Final CFPB Rule Creating Registry to Identify Nonbank Repeat Offenders

As part of its ongoing efforts to reduce what it views as corporate recidivism, the Consumer Financial Protection Bureau (CFPB) issued a final rule on June 3, 2024 that will require certain nonbank financial companies to register with the CFPB when they become subject to final agency orders alleging violations of consumer financial laws (Final Rule).[1] For nonbank financial companies subject to the CFPB’s supervisory authority, a senior executive will also be required to provide a written “attestation” to the CFPB on an annual basis noting whether the executive is aware of any violations or instances of noncompliance with any registered orders. Those same companies will also be required to maintain records sufficient to provide reasonable support for the written attestation for five years after it is submitted. In addition to compliance obligations created by the Final Rule, nonbank financial companies with registered orders should prepare for increased scrutiny from the CFPB’s Repeat Offender Unit (ROU) and increased penalties in any future CFPB settlements.


Covered Companies. The registration requirement applies to non-depository consumer financial services companies under the CFPB’s jurisdiction (Covered Companies)[2] that have entered into final, written, public orders — including consent orders — with an effective date on or after January 1, 2017 that were issued in connection with an action or proceeding brought by a government agency (whether federal, state, or local) alleging a violation of (a) federal consumer financial laws, (b) other laws enforced by the CFPB, or (c) certain federal and state unfair, deceptive, or abusive acts or practices (UDAAP) laws[3] (Covered Orders).

Notably, for existing orders with an effective date on or after January 1, 2017, the Final Rule applies only if the orders are still in effect on September 16, 2024. Any Covered Company that entered into an order on or after January 1, 2017, but whose order expires or is terminated by September 15, 2024, is exempt from the registration requirement.

Additionally, the Final Rule contains a limited, one-time “alternative registration” option for otherwise Covered Orders that are published on the Nationwide Multistate Licensing System & Registry Consumer Access website.[4]

Information Reported. Covered Companies with Covered Orders will be required to register with the CFPB and submit a copy of the Covered Order as well as (1) identity information (e.g., the Covered Company’s legal name and principal place of business); (2) administrative information (e.g., information regarding a Covered Company’s affiliates); and (3) information about the Covered Order (e.g., the effective date, the date of expiration, all covered laws found to have been, or alleged to have been, violated, etc.).[5]Any changes to the information reported must be reported to the CFPB within 90 days of the change.[6]

The Attestation Requirement. For Covered Companies that are also subject to the CFPB’s supervisory authority,[7] a senior executive of the company will need to submit a signed written statement for each Covered Order. The attestation must include (1) a description of the steps that the executive has taken to review and oversee the steps the nonbank took to comply with the Covered Order during the preceding calendar year and (2) whether, to the executive’s knowledge, the Covered Company identified any violations or noncompliance with any obligations imposed in the orders’ public provisions during the prior calendar year.[8] The “attesting executive” for each Covered Order must be the highest-ranking duly appointed senior executive officer (1) whose duties include ensuring the entity’s compliance with federal consumer financial law, (2) who has knowledge of the entity’s systems and procedures for achieving compliance with the Covered Order, and (3) who has control over the entity’s efforts to comply with the Covered Order.[9]

Notably, although the CFPB “may publish” information about the registered entities or covered orders on its website, the written attestations will be treated as confidential supervisory information.[10] The names and titles of the attesting executives will, however, be published in the public registry.[11]

Reporting Timelines

Registration Deadlines. The Final Rule will become effective on September 16, 2024, and registration requirements for Covered Companies begin as early as October 16, 2024.

Initial registration deadlines are governed by the size of the Covered Company and whether the company is supervised by the CFPB. Submissions for “larger participant”[12] Covered Companies are due between October 16, 2024 and January 14, 2025. All other CFPB-supervised Covered Companies must register any Covered Orders between January 14, 2025 and April 14, 2025. Submissions for any remaining Covered Companies are due between April 14, 2025 and July 14, 2025.

After the submission period begins, Covered Companies must report any new orders or modification, termination, or abrogation of existing orders within 90 days.[13] Registration requirements apply to a Covered Order until it expires or is terminated by an agency or court.[14]

Attestation Deadlines. In general, CFPB-supervised institutions will be required to submit their attestations annually on or before March 31 each year. The first written attestations for larger CFPB-supervised institutions will be due by March 31, 2025, but attestations for 2024 will only be required for Covered Orders with effective dates between October 16, 2024 and December 31, 2024. For all other CFPB-supervised nonbanks, the first written attestation is required on March 31, 2026 and will apply to all Covered Orders with an effective date on or after January 14, 2025 through December 31, 2025.[15]

Key Takeaways

  1. Registration will lead to enhanced scrutiny.

The Final Rule is conspicuously silent on the direct consequences, if any, of having to register a Covered Order with the CFPB.[16] However, the CFPB has explicitly stated that registry is part of the CFPB’s efforts to reduce recidivism by corporate offenders,[17] including the individuals behind the corporation.[18] In addition to the reputational damage that may be associated with being labeled as a “repeat offender,” Covered Companies with at least one Covered Order registered with the CFPB should expect enhanced scrutiny from the CFPB’s ROU. As discussed in our May 2024 Advisory, the ROU operates within a broad mandate in conjunction with the CFPB’s Offices of Supervision and Enforcement. As such, ROU scrutiny may result in a variety of adverse consequences for Covered Companies, up to and including increased monetary penalties in any future settlements with the CFPB.

  1. The Final Rule does not apply to court orders approving settlements with private parties.

Although the Final Rule refers to the registration of “court orders,” the rule uses that term to refer to court orders approving or implementing agency actions, not court orders approving settlements with wholly private plaintiffs.[19] This is notable because many consumer financial statutes at both the state and federal level provide for a private right of action. Under the Final Rule, if a Covered Company were to settle a putative class action with private plaintiffs suing under a state UDAAP law (and no agency was involved), the Covered Company would not be required to register; however, if the Covered Company settled the same claim with a state attorney general, the Covered Company would be required to register.

  1. The Consumer Financial Protection Act does not explicitly authorize an attestation requirement.

This is not the only attestation requirement in the financial services space. For example, Section 302 of the Sarbanes-Oxley Act (SOX) of 2002 requires the chief executive officer and chief financial officer of publicly traded companies to personally certify the accuracy and completeness of their company’s financial reports.[20] However, unlike SOX, the Consumer Financial Protection Act (CFPA) does not contain an explicit certification requirement; rather, the CFPB is relying on the general powers Congress granted the CFPB in the CFPA to impose this mandate.[21] And, perhaps in response to a wave of industry challenges to prior CFPB actions, the Final Rule devotes significant energy to justifying the CFPB’s authority to implement the Final Rule. Nevertheless, we anticipate legal challenges to the rule.

  1. The attestation requirement poses particular challenges that can create complications for Covered Companies.

The New York State Department of Financial Services’ Parts 500 and 504 rules are other examples of attestation requirements for financial services companies. Under Parts 500 and 504, the Board of Directors or a senior officer must attest annually to the organization’s cybersecurity or BSA/AML/OFAC compliance controls.[22] As regulated entities and their advisers learned in implementing the New York rules, there is a significant compliance burden associated with preparing to make such attestations, often including numerous sub-certifications from departments throughout the organization. Attestations to the CFPB will become even more complicated for Covered Companies when another regulator, such as a state regulatory agency, issues examination findings to the Covered Company bearing on the company’s compliance with laws and regulations.


[1] CFPB, Final Rule, Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders (June 3, 2024). The Final Rule has not been published in the Federal Register as of the date of publication of this Advisory.

[2] Specifically, the rule applies to nonbank “covered persons” (i.e., “(A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person”), 12 U.S.C. § 5481(6), but expressly excludes “insured depository institutions, insured credit unions, related persons, States, certain other entities, and natural persons.” Final Rule at 2. The Final Rule also excludes certain motor vehicle dealers and “related persons” who would only be covered by virtue of their status as related persons. CFPB, Executive Summary of the Nonbank Registration of Orders Rule (June 3, 2024) [hereinafter “Executive Summary”].

[3] Appendix A of the Final Rule provides an enumerated list of over 300 covered state laws from all 50 states and the District of Columbia.

[4] Executive Summary at 5.

[5] Executive Summary at 3-4.

[6] Executive Summary at 4.

[7] The CFPB has supervisory authority over non-depository mortgage originators and servicers, payday lenders, and private student lenders of all sizes as well as “larger participants” of other consumer financial markets. CFPB, Supervision & Examinations, Institutions subject to CFPB supervisory authority (last visited June 7, 2024).

[8] Executive Summary at 4-5.

[9] Final Rule at 42. If the entity does not have any duly appointed officers, the attesting executive would be “the highest ranking individual charged with managerial or oversight responsibility for the entity.” Id.

[10] Executive Summary at 9.

[11] Final Rule at 42.

[12] So far, the CFPB has only issued rules identifying the criteria for larger participants in the Automobile Financing, Student Loan Servicing, Consumer Reporting, Consumer Debt Collection, and International Money Transfer markets. Executive Summary at 8, n.2.

[13] Executive Summary at 5-8.

[14] Executive Summary at 8.

[15] Executive Summary at 8.

[16] But see Final Rule at 456 (“The Bureau may use the information submitted to the nonbank registry under this part to support its objectives and functions, including in determining when to exercise its authority under 12 U.S.C. 5514 to conduct examinations and when to exercise its enforcement powers under subtitle E of the Consumer Financial Protection Act of 2010.”) (emphasis added).

[17] See, e.g., CFPB, Prepared Remarks of CFPB Director Rohit Chopra on the Final Rule to Detect and Deter Repeat Offenders (June 3, 2024); Rohit Chopra, “Reining in Repeat Offenders”: 2022 Distinguished Lecture on Regulation, University of Pennsylvania Law School (May 28, 2022).

[18] See, e.g., CFPB, CFPB Creates Registry to Detect Corporate Repeat Offenders, Press Release (June 3, 2024) (“The CFPB is taking a number of steps to identify specific individuals responsible for repeat offenses.”).

[19] See Final Rule at 449-450; see also Executive Summary at 3-4 (“[F]or court-issued orders, the covered nonbank must list both the issuing court and the agency(ies) that initiated the action that resulted in the court’s order.”).

[20] 15 U.S.C. § 7241.

[21] See, e.g., Final Rule at 13-21.

[22] New York State Department of Financial Services, Transaction Monitoring Certification (504) (last visited June 12, 2024).

This post comes to us from Arnold & Porter Kaye Scholer LLP. It is based on the firm’s memorandum, “CFPB Issues Final Rule Creating Registry To Identify Nonbank Repeat Offenders,” dated June 18, 2024, and available here. 

Leave a Reply

Your email address will not be published. Required fields are marked *