In addition to rescinding seven policy statements providing flexibility to companies in meeting certain compliance obligations during the pandemic, the CFPB has also rescinded its 2018 bulletin (2018-01) that announced changes to supervisory communications. The Bureau has replaced the 2018 bulletin with a new bulletin (2021-01).
In the 2018 bulletin, the Bureau announced that it was adding a new category of findings that convey supervisory expectations to the existing category of matters requiring attention (MRAs). The Bureau planned to use the new category, Supervisory Recommendations (SRs), to recommend actions for management to consider taking when the Bureau had not identified a violation of a federal consumer financial law but had observed weaknesses in an institution’s compliance management system (CMS). Unlike MRAs, SRs would not include periodic reporting requirements or expected implementation timelines. The bulletin indicated that the Bureau would continue to use MRAs to communicate to management specific goals to be accomplished to correct violations of federal consumer financial laws. It also indicated that although neither MRAs nor SRs were legally enforceable, the Bureau would consider an institution’s response in addressing violations or CMS weaknesses when assessing an institution’s compliance rating or otherwise considering the risks that an institution poses to consumers and markets. Such risk considerations could be used by the Bureau to prioritize future supervisory work or in assessing the need for an enforcement action.
The new bulletin eliminates the category of SRs and expands how the Bureau intends to use MRAs (which the Bureau “believes…will more effectively convey our supervisory expectations”). Bureau examiners are permitted to issue MRAs “with or without a related supervisory finding that a supervised entity has violated a Federal consumer financial law.” The Bureau will not only use MRAs to communicate to management specific goals to be accomplished to correct violations of federal consumer financial laws but will also use MRAs to communicate specific goals to address violations of “other laws enforced by the Bureau,” risk of violations of federal consumer financial laws and such other laws, and CMS deficiencies. Whether or not addressing a violation of a federal consumer financial law, an MRA will include timeframes for reporting an entity’s efforts to address matters identified, including, as appropriate, periodic reporting and expected implementation timeframes. Like the rescinded bulletin, the new bulletin states that MRAs are not legally enforceable but that the Bureau will consider a supervised entity’s response to MRAs when assessing its compliance rating or otherwise evaluating the risks that its activities pose to consumers and markets and may use such risk considerations to prioritize future supervisory work or in assessing the need for an enforcement action.
Our impression of the new bulletin, and the elimination of SRs, is that it further underscores the theme that the CFPB plans to be more forceful with supervised entities, and wants to eliminate anything giving the appearance that the Bureau is willing to take a lighter or more permissive touch. Now, anything the CFPB wishes to communicate at the conclusion of an examination, short of referring a matter to enforcement, will be done through an MRA, together with an MRA’s deadlines and reporting requirements, whether it concerns a violation of law or an improvement to the institution’s CMS. In other words, the Bureau won’t be recommending improvements in the future – it will require them, and then expect proof that they have been implemented. It remains to be seen how the CFPB will handle perceived failures to satisfy MRAs that are not based on alleged violations.