On December 12, 2022, the CFPB released a proposed rule that would require certain “covered nonbanks” to register with and submit information to the CFPB when they become subject to certain orders from local, state, or federal agencies and courts involving violations of certain consumer protection laws. The CFPB has further proposed to make the registration information publicly available, including by publishing it on the Bureau’s website.
According to the Bureau, the registry will allow it to more effectively monitor and reduce the risks to consumers posed by “repeat offenders.” In issuing the proposal, the Bureau relies on its authority under Consumer Financial Protection Act (CFPA) sections 1022(b) and (c) and 1024(b). Comments on the proposal will be due no later than 60 days after the date the proposal is published in the Federal Register.
CFPA section 1022(b) authorizes the Bureau to prescribe rules “as may be necessary or appropriate to enable the Bureau to administer and carry out the purposes and objectives of the Federal consumer financial laws, and to prevent evasions thereof.” CFPA section 1022(c) authorizes the Bureau to prescribe rules to collect information from covered persons for purposes of monitoring for risks to consumers in the offering or provision of consumer financial products or services, including “rules regarding registration requirements applicable to a covered person, other than an insured depository institution, insured credit union, or related person.” Section 1022(c) also authorizes the Bureau to publicly release information obtained pursuant to section 1022, subject to limitations specified therein.
Key aspects of the proposal include the following:
Covered nonbanks. The CFPB’s proposal would define a “covered nonbank” to mean any person that is not one of the following: an insured depository institution (or related person); insured credit union (or related person); a state; a natural person; a motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles except to the extent the dealer engages in certain functions not exempt from CFPB’s rulemaking; or a person that is excluded from the Bureau’s rulemaking authority but engages in activities to which the exclusion does not apply. A “covered nonbank” that is identified by name as a party subject to a “covered order” would be required to register with the CFPB and submit the required information no later than 90 days after the effective date of a “covered order.”
Covered orders. A “covered order” would be defined to mean a final, public order, issued by an agency or court (whether or not issued upon consent), that, among other requirements, was issued at least in part in any action or proceeding brought by any federal, state, or local agency, contains public provisions imposing obligations on the covered nonbank to take certain actions or to refrain from taking certain actions, imposes such obligations on the covered nonbank based on an alleged violation of a “covered law,” and has an effective date on or later than January 1, 2017 and remains in effect as of the date of the Bureau’s rule establishing the registration requirement .
Covered law. A “covered order” must involve an alleged violation of a “covered law.” The proposal would define a “covered law” as any of the following to the extent the alleged violation of law arises out of conduct in connection with the offering or provision of a consumer financial product or service: a Federal consumer financial law or any other law as to which the CFPB has enforcement authority; the FTC Act’s UDAP prohibition; a state law prohibiting unfair, deceptive, or abusive acts or practices (which is identified in Appendix A to the proposal); or a rule or order issued by a state agency for the purpose of implementing a UDAAP prohibition contained in such a state law.
Annual reporting requirement for supervised entities. The proposal would impose an additional annual reporting requirement on a nonbank entity that is subject to the CFPB’s supervisory authority and that is subject to a “covered order,” with certain exceptions. Accordingly, the nonbanks to whom the annual reporting requirement would apply include: mortgage companies, mortgage servicers, payday lenders, and private education lenders; entities considered a “larger participant” under the CFPB’s larger participant rules for consumer reporting, consumer debt collection, student loan servicing, auto financing, and international money transfers; and entities as to whom the CFPB has invoked risk-based supervision. The proposal includes exemptions for a service provider that is subject to CFPB supervision solely in its capacity as a service provider, motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles except to the extent a dealer engages in certain functions not exempt from CFPB’s rulemaking, and an entity with less than $1 million in annual receipts from offering or providing consumer financial products or services.
A supervised entity subject to the annual reporting requirement would be required to annually designate an “attesting executive” for each covered order to which it is subject and for all related submissions to the CFPB. The attesting executive must be the entity’s highest-ranking senior executive officer or an individual charged with managerial or oversight responsibility for the entity whose duties include ensuring the entity’s compliance with Federal consumer financial laws and who has knowledge of the entity’s systems and procedures for complying with the covered order and control over the entity’s compliance efforts. By March 31 of each calendar year, the entity would be required to submit to the registration system a written statement signed by an attesting executive with respect to each covered order with an effective date on or after the date the registration system is implemented. In the statement, the attesting executive must describe the steps that the executive has taken to review and oversee the entity’s activities subject to the covered order for the preceding calendar year and attest whether, to the executive’s knowledge, the entity during the preceding calendar year identified any violations or other instances of noncompliance that were imposed in a public provision of the covered order based on a violation of a covered law.
Industry has raised serious concerns about the Bureau’s proposed registry, including that it seems more like a “name and shame” tactic rather than a useful tool. In our view, the registry bears great similarity to the CFPB’s disclosure of unverified, anecdotal complaint data in its consumer complaint database. Since the creation of the database, a primary concern of industry (and one which we have often noted) has been that because complaints are often invalid, they do not serve as reliable evidence that the complained about conduct occurred. The proposed rule would require registration of consent orders as well as final litigated orders. In most consent orders, the company does not admit any wrongdoing. Indeed, enforcement actions are very often resolved through consent orders not because the company has engaged in the wrongful conduct alleged but because enforcement actions are very costly to defend and can drain a company’s resources.
Given the significant concerns raised by the Bureau’s proposal, the only thing about it that we find praiseworthy is that the CFPB has decided to comply with the Administrative Procedure Act requirements for adopting a regulation rather than attempt to implement this initiative by fiat of the Director.