On Monday, the CFPB issued a press release announcing that it will start using its authority to examine non-bank financial services institutions that the CFPB has “reasonable cause to determine pose risks to consumers.” In addition, the CFPB has released a procedural rule designed to “increase transparency of the risk-determination process” by subjecting the results of CFPB supervision of non-bank entities to public release. This release constitutes yet another signal that the Bureau intends to take an increasingly aggressive enforcement posture over a broader slice of the financial services industry.
The CFPB currently has both supervisory and examination authority. In addition to its authority to supervise certain depository institutions based on the type and size of the institution, as expanded by categories of “covered persons,” the CFPB has statutory authority to supervise non-depository covered persons who “the Bureau has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond, based on complaints . . . or information from other sources, that such covered person is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services[.]”
Although this supervisory authority appears to be extremely broad, the CFPB has rarely used it to examine non-depository institutions. Rather, the CFPB has acted on its examination authority in the past through the use of civil investigative demands or other actions to go after alleged harms. This newest press release indicates that the Bureau will start aggressively utilizing its supervisory authority and the ability to broadly categorize certain acts and practices as “risky” such that a supervisory exam is merited. According to CFPB Director Rohit Chopra, “[t]his authority gives us critical agility to move as quickly as the market, allowing us to conduct examinations of financial companies posing risks to consumers and stop harm before it spreads.” In particular, the press release paints a target on fintechs, citing their “rapid growth” and seeking to “level the playing field between banks and nonbanks.”
The CFPB also announced a new procedural rule designed to “increase the transparency of the risk-determination process.” Specifically, the rule amends a 2013 procedural rule related to the Bureau’s supervision of non-banks, which previously deemed documents, records, and other items connected to an exam to be confidential. Under the new rule, there will be an exception regarding final decisions and orders by the CFPB director that will allow some decisions to become public after a notice and response by the supervised entity.
It should come as no surprise that the current CFPB is seeking to expand its authority to supervise players in the financial services space. Be it through new interpretations of UDAAP and Fair Lending, or its recent statements regarding third-party service providers, Director Chopra and the Bureau have taken a predictably expansionist approach. However, the recent letter should be of special concern to fintechs and non-bank service providers in the financial services space. The Bureau is now taking the position that it can deem all manner of activity “risky,” and can therefore exercise its supervisory authority. Entities that may have believed – quite reasonably – that they were outside the reach of the CFPB should reconsider and should take steps to reduce risk in anticipation of a potential exam.