CFPB to Supervise Fintechs Based on Consumer Risk

SUPERVISORY RISK TO NONBANKS

The CFPB already supervises certain categories of nonbanks, including payday lenders, mortgage lenders and brokers, debt collectors, and credit reporting agencies. However, the CFPB’s April 25th announcement warns that it has now begun to invoke its authority to supervise any nonbank offering a consumer financial product or service, including a nonbank’s service providers, that the CFPB has reasonable cause to determine is engaging, or has engaged, in conduct that poses consumer risk. Such nonbanks could include companies previously unsupervised by the CFPB, such as Buy-Now-Pay-Later (BNPL) providers and earned wage access providers. The CFPB explicitly intends to use its authority to broadly regulate the fintech industry. In identifying consumer risk and selecting nonbanks to supervise, the CFPB can consider any source of information, ranging from complaints that it receives directly to whistleblower complaints, judicial opinions, administrative decisions, news reports, or information from state or federal partners.

Prior to making a determination that a nonbank’s financial product or service poses consumer risk, the CFPB must provide notice to the nonbank and allow the nonbank to respond within 30 days from when notice is served on the nonbank. The CFPB codified this process in a 2013 rule, establishing procedures to implement section 1024(a)(1)(C) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (12 U.S.C. 5514(a)(1)(C)), which empowers the CFPB to, among other things, require reports from, and conduct examinations of, nonbanks and their service providers.

While the CFPB’s 2013 rule still stands, the CFPB has issued a new procedural rule, upon which it is seeking comment, intended to enhance transparency in the CFPB’s risk-determination process and offer both marketplace guidance and future precedent. The new procedural rule, effective April 29, 2022, excludes final decisions and orders by the CFPB Director from the scope of “confidential supervisory information,” enabling the CFPB to publicly disclose such information. If the nonbank is the subject of any documents the CFPB seeks to release, the nonbank would have 7 days from the date it is served the director’s decision or order to submit a request for confidentiality to the CFPB, and explain why such decision or order, in whole or in part, should not be publicly released on the CFPB’s website. For example, a nonbank may seek confidential treatment of the document if it qualifies for an exemption under the Freedom of Information Act, is privileged or confidential information, or contains personnel, medical, or similar files, the disclosure of which would be an unwarranted invasion of personal privacy. However, whether the decision or order is published, in whole or in part, is ultimately at the director’s discretion.

NONBANK RISK MITIGATION

The CFPB’s supervisory authority grants it broad discretion as to whether it finds reasonable cause to determine that a nonbank offering consumer financial products or services is engaging in conduct that poses consumer risk. The scope of factors the CFPB might consider in determining the existence of consumer risk, and whether it should supervise a nonbank, is currently unclear but may be developed to cover all manner of products or services, including BNPL, data, or cryptocurrency. We expect to learn more about the CFPB’s process once the CFPB begins operating under the new procedural rule. In addition, the CFPB’s current process for setting its supervisory agenda and examination schedule, which considers market share for a company’s individual product lines, complaint volume, and other market feedback, may offer some clues about how the CFPB will set its supervisory priorities for fintechs and other nonbanks.

In the meantime, nonbanks could attempt reduce their risk of becoming a target of CFPB supervision by promptly resolving consumer complaints, investigating and fixing the root cause of complaints, and taking other measures to reduce or remove conditions that may lead to negative press, litigation, or the attention of state or federal regulators, particularly with respect to the products for which the entity has a large market share. In the CFPB’s April 25th announcement, Director Rohit Chopra commented that the purpose of the CFPB utilizing this supervisory authority over nonbanks is “to hold nonbanks to the same standards that banks are held to.” For this reason, nonbanks should take stock now of their regulatory risk exposure and compliance controls, document their compliance with applicable law, and be prepared to demonstrate such compliance should CFPB examiners come knocking.

For specific recommendations on how to mitigate your compliance risk in light of the CFPB’s renewed focus on nonbank supervision, for assistance with submitting comments to the CFPB on this rule (due on or before May 31, 2022), or if you would like additional information about any of the issues discussed in this client alert, please contact Josh Burlingham, Anthony Alexis, Kimberly Monty Holzel, Ximeng (Sammy) Tang or the Goodwin lawyer with whom you typically consult.