CFPB Finalizes Rule Requiring Nonbank Consumer Financial Services Providers to Submit Their Enforcement Orders to a Public Registry

On June 3, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued a novel and expansive rule requiring certain nonbank providers of consumer financial services to register specified information with the agency in a public registry.^[1] 

The 486-page final rule (“Final Rule”), which is scheduled to take effect September 16, requires nonbank companies that have been subject to certain final public enforcement orders by federal, state, or local agencies involving consumer financial products or services to submit such orders to the CFPB for inclusion in a public registry that the Bureau is establishing. As an alternative, the Final Rule provides for a one-time, alternative registration option for covered orders that are published on the Nationwide Multistate Licensing System (“NMLS”) Consumer Access website.^[2]

Second, the rule imposes an additional requirement for nonbanks subject to the CFPB’s supervision or examination authority and have over $1 million in annual revenues derived from consumer financial services. In addition to the requirements described above, these companies will be required to: 1) name a senior executive officer who is responsible for the company’s efforts to comply with each order they are subject to, whose name and title would be made public on the CFPB’s registry, and 2) provide the CFPB with annual written statements signed by each executive stating the steps taken by that executive to review and oversee activity related to each order, and whether, to the executive’s knowledge, the company has engaged in any violations or noncompliance with each order. This requirement would apply to the growing number of companies that is subject to CFPB supervision. For example, the CFPB has a pending proposal to impose supervision on larger participants in the market for wallet and fund transfer applications.^[3]

The CFPB states that this centralized repository of public orders will help the CFPB track “corporate recidivism” and “identify concerning trends in these markets that it might otherwise miss,” perceive potential gaps in enforcement, and inform the agency on which tool it may use to address relevant risks to consumers. To this end, the CFPB has said that, upon learning of an order issued by another agency, it may consider bringing its own supervisory or enforcement action in connection with the same or related conduct. The CFPB also notes that it could use information gathered through the registry to, among other things, determine which companies to designate for supervision based on its “risks to consumers” authority pursuant to its 12 U.S.C. 1024(a)(1)(C), a previously “dormant” authority that the CFPB has recently been utilizing. 

We previously issued a client alert on the CFPB’s rulemaking proposal.^[4] Below, we provide an overview of the Final Rule and highlight some of the key changes the Bureau made during the rulemaking process. 

Requirements of the Final Rule

The central aspect of the Final Rule—the public registry requirement—applies to nonbanks that are “covered persons” under CFPB’s statute. Nonbank covered persons generally include those that are engaged in the following activities for use by or pertaining to consumers (i.e., personal, family, or household use):

• extending credit or servicing loans;
• extending or brokering certain leases of personal or real property;
• providing real estate settlement services;
• engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds;
• selling, providing, or issuing stored value or payment instruments; providing check cashing, check collection, or check guaranty services; providing payments or other financial data processing products or services to a consumer by any technological means;
• providing financial advisory services;
• collecting, analyzing, maintaining, or providing consumer report information or certain other account information; and
• collecting debt related to any consumer financial product or service.

The Final Rule excludes from its definition of “covered persons”:^[5]

• A person who is a covered person solely due to being a “related person,” as provided in the Dodd-Frank Act (such as controlling shareholders, consultants, and independent contractors, if the person is a covered person only because the person is a “related person” and not a covered person for another reason);
• A State, including federally recognized Indian tribes;
• A natural person;
• Certain motor vehicle dealers; and
• A person that qualifies as a covered person under the Dodd-Frank Act only because of conduct excluded from the CFPB’s rulemaking authority, such as certain activities related to charitable contributions.

Registration for covered nonbanks is set to begin as early as October 16, 2024. After the registration requirement takes effect, nonbank companies that are subject to, or become subject to, certain final public enforcement orders by federal, state, or local agencies involving consumer financial products or services will need to register those orders in the CFPB’s registry, or alternatively, use the CFPB’s limited, one-time registration option for covered orders published on the NMLS website. The Final Rule applies to any order that:^[6]

• Is a final, public order issued by an agency or court;
• Identifies a covered nonbank by name as a party subject to the order;
• Was issued at least in part in any action or proceeding brought by any Federal agency, State agency, or local agency;
• Contains public provisions that impose obligations on the covered nonbank to take certain actions or to refrain from taking certain actions;
• Imposes obligations on the covered nonbank based a finding that the covered nonbank engaged in an alleged violation of a covered law, which includes Federal consumer financial laws (a defined term), other laws enforced by the CFPB, and certain Federal and/or State unfair, deceptive, or abusive acts or practices (UDAAP) laws that are identified in an appendix to the new regulation; and
• Has an effective date on or after January 1, 2017. An order is effective on the date specified in the order. If an order does not have an effective date identified, the date of issuance is the effective date. If the issuing agency or a court stays or otherwise suspends an order’s effectiveness, the order’s effective date for purposes of the final rule is delayed until the stay or suspension is lifted.

Registration Requirements

The CFPB has yet to finalize the filing instructions for covered nonbanks, but the Bureau has noted that the following information will be required of all covered persons subject to a covered order:

• Identity Information: such as the covered person’s legal name and the address of its principal place of business.
• Administrative Information: such as information regarding a registered entity’s affiliates that are registered with respect to the same order.[7]
• Covered Order Information: such as a copy of the original order, the court or agency that issued it, the expiration and effective date for the order, the covered laws alleged or found to be violated by the covered person, and docket or tracking information.

The rule will “apply to covered orders that remain in effect on September 16, 2024, or have an effective date on or after that date.”[8] There is an ongoing obligation for all covered persons to update their registration with the CFPB—within 90 days—any time “a covered order is terminated, modified, or abrogated (whether by its own terms, by action of the applicable agency, or by a court), or if an order ceases to be a covered order.”[9]

Alternative to CFPB Registration for Certain Orders

Instead of filing its covered order with the CFPB, a covered nonbank can instead file a special one-time registration for NMLS-published covered orders, so long as the orders were not issued or obtained, even in part, by the CFPB. The NMLS is operated by the Conference of State Bank Supervisors.

The nonbank electing to use this alternative mechanism must still submit certain required information to the Bureau, but no further obligations apply to, for example, register any changes to or the expiration of the order or to file written statements with respect to that order, if applicable.^[10] The CFPB notes that “[t]his alternative option for one-time registration of NMLS-published covered orders is not available for any order issued or obtained at least in part by the CFPB, regardless of whether it is published on the NMLS Consumer Access website.”^[11]

Additional Requirements for Nonbanks Subject to CFPB’s Supervision/Examination Authority to Designate an Attesting Executive and Submit Additional Information regarding Compliance with Each Order

The Final Rule goes substantially further for a subset of covered nonbanks that have one or more covered orders—namely, those that are subject to the CFPB’s supervision and examination authority and have at least $1 million in annual revenues resulting from providing consumer financial products or services. The Final Rule refers to these entities as “supervised registered entities.” In addition to submitting covered orders, each supervised registered entity is required annually to designate, for each covered order, an “attesting executive,” who is “its highest-ranking duly appointed senior executive officer (or, if the entity does not have any duly appointed officers, the highest-ranking individual charged with managerial or oversight responsibility for the entity) whose assigned duties include ensuring the entity’s compliance with Federal consumer financial law, who has knowledge of the entity’s systems and procedures for achieving compliance with the covered order, and who has control over the entity’s efforts to comply with the covered order.”^[12] 

The name and title of each attesting executive will be published by the CFPB in the public registry.

In addition, each attesting executive is required annually to submit to the CFPB—as confidential supervisory information not available on the public registry—a written statement, which includes the following for the preceding calendar year:

• The steps taken by the executive to review and oversee activity related to the order;^[13]
• An attestation as to whether, to the executive’s knowledge, the supervised registered entity “identified any violations or other instances of noncompliance with any of the obligations that were imposed in a public provision of the covered order by the applicable agency or court based on a violation of a covered law.”^[14]

The CFPB remarked that, although the Bureau expects attesting executives to submit truthful statements under the Final Rule, the Bureau does “not purport to interpret provisions of criminal law . . . or to identify particular circumstances under which an attesting executive would become criminally liable for false statements.”^[15] The information submitted with the attesting executive will be treated as confidential supervisory information.

Takeaways

As stated in our prior client alert, this is a novel and expansive rulemaking, which, as Director Chopra noted, represents the first significant use of the CFPB’s nonbank registration authority.

The Final Rule reflects a sharp divide in opinion across stakeholders. Proponents of the Final Rule commented that the registry would help to compile and track violations and provide a basis from which to initiate risk-based supervision of nonbanks and that the proposed registry would appropriately respond to a dearth of information about nonbank financial companies, including their number, type, and the practices they engage in.^[16] 

Other commenters objected to the Bureau’s proposal on various grounds, including that the proposed registry would be duplicative of the NMLS and overly burdensome for registered entities. Specifically, commenters flagged that mortgage lenders and servicers were already subject to existing NMLS requirements to disclose—in the public NMLS database—the same agency and court orders the CFPB seeks to register in its public database.^[17] Given the concerns of commenters that requiring mortgage lenders and servicers to register orders that are already available on the public NMLS Consumer Access website would be duplicative and burdensome, the CFPB created the one-time registration option for NMLS-published covered orders discussed above.^[18] 

By contrast, most other concerns raised by commenters did not result in the CFPB deviating from its proposed rule. For example, some commenters asked that the Bureau narrow its definition of covered orders to encompass only orders that involve direct consumer harm, instead of those that involve only clerical or administrative errors.^[19] Rejecting that suggestion, the CFPB wrote that it was “concerned that adopting the types of distinctions” that the commenters proposed “would not be administrable” and could add undue complexity.^[20] The CFPB also rejected the suggestion to add a dollar-denominated floor for reportable orders.^[21] 

Commenters also argued that the requirement to designate an attesting executive and to make annual written statements would harm consumer protection by discouraging qualified individuals from positions of responsibility at nonbanks.^[22] Commentators expressed concern that this requirement would serve only as a shaming tool.^[23] The CFPB also rejected this view, concluding that this requirement will “impose only modest costs on entities beyond the costs entities are already incurring to ensure compliance with covered orders.”^[24] The CFPB “acknowledge[d] that, among entities subject to covered orders that lack adequate compliance systems, employees could indeed be reluctant to act as attesting executives under these provisions and might require a salary premium to do so,” but the Bureau did not quantify these costs and ultimately concluded “that most entities will already have in place some manner of systems and procedures to help achieve such compliance. As a result, attesting executives for most entities should not require a salary premium in order to comply with the written-statement requirements.”^[25]

As previewed in our prior client alert, the Final Rule’s requirement that individual executives attest to their companies’ compliance efforts will likely have a substantial impact on compliance programs. Supervised entities subject to this requirement should carefully consider which individual executives—and which types of executives—are best suited to serve as signatories for the attestations. Beyond deciding on signatories, companies will also need to consider establishing a system of controls and reporting (including potentially a sub-certification system) to prepare the attestations. This could potentially impose substantial compliance costs, a fact the CFPB failed to recognize by only modestly increasing its expected compliance cost for these requirements from $1,200 in the proposed rule to “roughly $1,400 per firm” in the Final Rule. This remains a substantial underestimate: We expect that compliance costs are likely to be much greater given the potential penalties applicable to companies and their executives should their statements be considered deficient or incomplete by the Bureau. 

Moreover, as we previewed in our prior client alert, commentors argued that imposing these attestation requirements might “usurp[] the role of . . . State or local agenc[ies]”—who themselves are likely to have ongoing compliance monitoring mechanisms related to their original orders—especially when the requirements of the originating agency or court conflict or interfere with the CFPB’s attestation requirements. To this, the Bureau responded—perhaps optimistically—that the Final Rule’s requirements “will promote interagency coordination and cooperation among the various Federal, State, and local agencies that have an interest in financial consumer protection because the Bureau intends to establish under the rule a public, up-to-date, easily accessible, and searchable registry that contains relevant and useful information about covered orders and the covered nonbanks that are subject to them.”^[26] The Bureau’s new set of requirements will also necessarily increase the costs and complexities for supervised entities in deciding to resolve orders with federal, state, and local agencies in the first place.

The Final Rule also comes at a time when the CFPB is exercising its once dormant authority to designate nonbanks for supervision based on “risks to consumers,” and the Final Rule increases the stakes of such designations. The CFPB has reported that a number of companies (“fewer than a dozen covered entities” in any given year) have consented to such risk-based supervision^[27] and it recently published its first decision to designate a nonbank company (installment lender World Acceptance) under this authority in a nonconsensual proceeding.^[28] There is a probability that the CFPB will rely on the registry as a data point in support of any expansion of its supervisory authority under its “risks to consumers” jurisdiction.

Finally, nonbanks should be attentive to the possibility that this registry could pave the way for the CFPB to add additional registration and reporting requirements in the future, whether this involves requiring companies with one or more covered orders to provide additional information (whether publicly or confidentially) or to expand the registry to include nonbanks with other characteristics of interest to the CFPB. For instance, though the proposal noted that the CFPB considered whether to require supervised registered entities to obtain an independent third-party audit or review of the attesting executive’s written statement, the Final Rule does not categorically reject such possibility, noting only that imposing such a requirement at this juncture “would not have provided the Bureau with the information regarding the entity” that it needs.[29]

*       *       *

[1]        See CFPB, Final Rule, Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, available here.

[2]        See CFPB, Executive Summary of the Nonbank Registration of Orders Rule at 5 (Jun. 3, 2024), available here.

[3]        See CFPB, Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications, Proposed Rule at 4 (Nov. 7, 2023), available here.

[4]        That previous client alert is available here.

[5]        Executive Summary, supra note 2, at 2.

[6]        Id. at 2–3.

[7]        The Final Rule omitted a provision in the proposed rule that would have required a nonbank entity that is registering an order to provide—for publication in the registry—information about its corporate affiliates. See Final Rule, supra note 1, at 81, 170–71. Instead, as noted above, the Final Rule provides that the Bureau will collect information on the registered entity’s affiliates as “administrative information,” which will not be published in the registry. Id.

[8]        See Final Rule, supra note 1, at 1.

[9]        Id. at 465.

[10]       Id. at 5.

[11]       Id.

[12]       Final Rule, supra note 1, at 302.

[13]       Id. at 41–42.

[14]       Id.

[15]       Id. at 328.

[16]       Id. at 24.

[17]       Id. at 120.

[18]       Id. at 132.

[19]       Id. at 163.

[20]       Id. at 164.

[21]       Id.

[22]       Id. at 308.

[23]       Id. at 308–09.

[24]       Id. at 310.

[25]       Id. at 446.

[26]       Id. at 105.

[27]       See CFPB, Final Rule; Request for Public Comment, “Procedures for Supervisory Designation Proceedings, at 17 (Apr. 16, 2024),” available here.

[28]       See CFPB, CFPB Orders Federal Supervision for Installment Lender Following Contested Designation (Feb. 24, 2024), available here.

[29]       See Final Rule, supra note 1, at 306.