CFPB Issues Final Rule on Registry for Nonbank Public Enforcement Actions

The CFPB on June 3, 2024 issued a final rule requiring nonbank consumer financial services companies to register court or government agency orders in a new CFPB registry (“Rule”).  The CFPB will make this registry publicly accessible.  The CFPB states in the final rule that it believes a public registry will enable other Federal, State, and local regulators to “realize many of the same market-monitoring benefits that the Bureau anticipates obtaining from this rule,” will “facilitate the ability of consumers to identify the covered persons that are registered with the Bureau,” and also “enhance the ability of investors, research organizations, firms conducting due diligence, and the media to locate, review, and monitor orders enforcing the law.”  The rule will be effective on September 16, 2024, but has later implementation dates that depend on the type of entity.  I provide a brief summary of the Rule below. 

I.  Who Does the Rule Apply to?

The Rule applies to “covered nonbanks,” which is generally defined as a “covered person” (which the Dodd-Frank Act generally defines as a person that offers or provides a consumer financial product or service), but specifically excludes the following persons:

1.     Insured depository institutions and credit unions (hence, the term “nonbank” – which perhaps more accurately should have been “nondepository”)

2.     Related persons (also, as defined under the Dodd-Frank Act, which is generally defined to include directors, officers, managers, and owners of nonbanks), if that’s the only reason they’re a covered person

3.     States

4.     Natural persons

5.     Motor vehicle dealers that are exempt from the CFPB’s jurisdiction under the Dodd-Frank Act, except to the extent they engage in functions that expressly are outside of the exemption, and

6.     Persons exempted from the CFPB’s rulemaking authority under the Dodd-Frank Act.

II.  What is Required?

Covered nonbanks that are identified by name as a party subject to a “covered order” must register and file information about the order, as well as update that information if the order is amended.  “Covered order” is defined generally as a final public order with an effective date on or after January 1, 2017 that was issued by an agency or court in a Federal agency, State agency, or local agency action based on a violation of a “covered law,” which contains public provisions that impose obligations.  A “covered law” includes a federal consumer financial law or any other law the CFPB can enforce, Section 5 of the FTC Act (UDAP), state UDAAP laws, and specific state laws identified by the CFPB in the Rule.

Nonbanks must submit certain information to the registry, which includes:

1.     A fully executed, accurate, and complete copy of the covered order, in a format specified by the CFPB, except for nonpublic portions

2.     The agency and court that issued the covered order

3.     The effective date

4.     The date of expiration

5.     All covered laws found or alleged to have been violated, and

6.     Any docket, case, tracking, or other similar identifying numbers

The CFPB will publish filing instructions to provide details on the information that must be submitted, including the specific types of information and formats required.

There is a separate annual attestation requirement for “supervised registered entities,” which is generally defined as a nonbank that is “subject to supervision and examination by the Bureau pursuant to 12 U.S.C. 5514(a)” (this includes mortgage lenders, brokers, and servicers) and generally that has $5 million or more “in annual receipts” from all consumer financial products and services.  This attestation requirement only applies to orders with effective dates on or after the implementation date below, i.e., a new order.  Supervised registered entities must annually submit a written statement from an “attesting executive,” with certain information and an attestation as to whether the entity “identified any violations or other instances of noncompliance” with the order.  The “attesting executive” must be the “highest-ranking duly appointed senior executive officer [or individual if the company does not have officers]…whose assigned duties include ensuring the supervised registered entity’s compliance with Federal consumer financial law, who has knowledge of the entity’s systems and procedures for achieving compliance with the covered order, and who has control over the entity’s efforts to comply with the covered order.”  

Regarding public comments that the attestation requirement imposes significant liability on the attesting executive, the CFPB stated that it disagreed.  The CFPB stated that the Rule “does not establish any new standards, or alter any existing standards, regarding individuals’ liability for supervised registered entities’ violations of covered orders or other legal obligations.  Also, while the CFPB stated that it will not publish the annual written statement, it “does intend to publish the name and title of the attesting executive(s) submitted by the supervised registered entity.” The CFPB stated that publishing the name and title “will help ensure accountability at the entity for noncompliance,” “will provide an incentive to pay more attention to covered orders,” “will increase the likelihood of compliance,” and “will identify for other regulators (and the general public) the highest-ranking executive at the supervised registered entity who has control over the entity’s efforts to comply with the covered order and otherwise satisfies the rule’s designation requirements.”  The CFPB added that “just as the possibility of Bureau scrutiny of the attesting executive’s conduct is likely to motivate the executive to devote greater attention to compliance efforts, the additional scrutiny from others outside the Bureau will further promote compliance.”

The Rule also allows a different “one-time registration” option for “NMLS-published covered orders,” which would not be subject to the annual attestation requirement described above.  For this option, the nonbank must provide such information that the CFPB “determines is appropriate for the purpose of identifying the covered nonbank and the NMLS-published covered order.”  The Rule defines “NMLS-published covered order” as a “covered order that is published on the NMLS Consumer Access website, www.NMLSConsumerAccess.org,” but excludes orders issued by the CFPB from the definition.

III.  Implementation Dates?

The Rule provides different implementation dates for different types of entities, which the CFPB’s preamble states is based on their status as of the effective date of the rule.  Generally, nonbanks must submit public orders to the CFPB registry by the later of 90 days after the applicable implementation date (described below) or 90 days after the effective date of any covered order. 

For nonbanks that are larger participants in markets as defined under the CFPB’s larger participant rulemakings, the implementation date is 30 days after the effective date, which is October 16, 2024.  This means that such nonbanks must submit their existing orders by 90 days after this date, which is January 14, 2025.  For nonbanks that are specifically subject to CFPB supervision under 12 USC 5514(a)(1) (such as mortgage lenders, brokers, and services), the implementation date is 120 days after the effective date (which results in a deadline of April 14, 2025).  And for other nonbanks, the implementation date is 210 days after the effective date (which results in a deadline of July 14, 2025, because the 13th is a Sunday).

IV.  Some Thoughts

This new requirement may take many nonbank companies by surprise.  In addition, this new compliance requirement creates new liability for entities under the CFPB’s enforcement and civil money penalty authority.  This could result in a treasure trove of enforcement actions for the CFPB.  Also, the registry could be a treasure trove for plaintiffs’ lawyers looking for the next big class action lawsuit. 

Even for entities subject to CFPB supervision and well aware of the Rule, compliance could be quite burdensome depending on the details in the CFPB’s filing guide.  In addition, the requirement to identify an executive to attest to the written statement could result in liability for that executive should any information in the written statement turn out to be inaccurate.  Entities that are subject to being listed in the NMLS will have to consider the optional one-time registration, to avoid the annual written statement and attestation requirements, though unintended pitfalls might lurk there also.  

It will also be interesting to see if there is a legal challenge to this rule.  The CFPB relies on certain authority in the Dodd-Frank Act that allows for the CFPB to “prescribe rules regarding registration requirements applicable to a covered person” and conduct other market monitoring activities.  Is this authority sufficient to require registration of already public orders?  Is there legal support for the other requirements in the Rule?  Will there be avenues for a legal challenge on other bases, such as the CFPB’s cost-benefit analysis? 

You can find the CFPB’s press release here.

I will certainly have more thoughts (and criticisms) as I dig into this rule further.

Please email me at rich@garrishorn.com if you would like to discuss any of the information in this post.