Orrick RegFi Podcast | The CFPB's Expanding Supervisory Authority of Fintechs and Other Non-Banks
Listen on Apple
Listen on Spotify

RegFi Episode 29: The CFPB’s Expanding Supervisory Authority of Fintechs and Other Non-Banks
 27 min listen

In our latest look at the CFPB’s expanding supervisory authority of fintechs and other non-bank financial service providers, RegFi cohosts Jerry Buckley and Sasha Leonhardt welcome fellow Orrick partner — and former deputy general counsel for the CFPB — John Coleman. John shares his insights on recent developments, including the Bureau’s public announcement of its intention to assert supervisory authority over individual non-bank financial service providers and the potential implications of this shift in protocol. The conversation also covers the differences between supervision and enforcement, how companies can prepare for regulatory examinations, and the ways in which the CFPB and other regulators might leverage technology to transform the supervisory process.





  • Jerry Buckley: Hello, this is Jerry Buckley and I am here with my RegFi co-host, Sasha Leonhardt. Today we are going to focus on the Consumer Financial Protection Bureau’s supervisory authority over non-bank financial institutions. To explore this question, we are joined by our partner, John Coleman, and our listeners couldn’t have a better guide.

    Before entering private practice, John served as deputy general counsel of the Consumer Financial Protection Bureau. John joined the CFPB as the agency was in its earliest days. As deputy general counsel, he managed the team of attorneys responsible for representing the Bureau in all defensive and appellate litigation as well as responses to congressional oversight bodies. He advised the director and senior staff with respect to supervision and enforcement matters as well as rule makings. 

    John, as you know, on this RegFi podcast series, we have previously explored the CFPB’s proposed larger participant rule to define the market for general use, digital consumer payment applications. This rule has the potential to subject some of the largest tech companies in the country that offer mobile wallets and other payment services to supervision and examination by the CFPB. And in previous episodes, we have outlined what it would mean to be subject to direct supervision and examination by the CFPB as opposed to general regulatory oversight. And clearly supervision is a much more intensive process than most non-banks have experienced before. Today we are going to address another precedent-setting action. The Bureau has publicly announced its intention to assert supervisory authority over individual non-bank financial services providers. 

    John, while the Bureau has had the ability to assert its supervisory authority over individual non-bank financial services providers since its inception over a decade ago and has, on occasion, used this authority, it does seem that recently the agency has become more interested in asserting its power to use supervision as a regulatory tool. Is this perception right, and if so, what do you think is the motivation for this new posture?
    John Coleman: Well, Jerry, first of all, thank you so much for having me on the show. I’m an avid listener and so very happy to be here this afternoon with you and Sasha. The perception that the CFPB is exercising its supervisory authority more aggressively, I think is true insofar as it applies to non-banks, and particularly large non-bank participants in the consumer financial services markets who are not already subject to this CFPB supervision as you well know and as you all have talked about on prior episodes of this podcast. 

    You know, Congress granted the CFPB automatically authority over all large banks and over their affiliates automatically as well as over participants in the mortgage market, payday lenders, private student lenders, and the Bureau in the early days exercised its — what’s called its larger participant rule authority, which I know you all have talked about as well — to bring other market providers in. And I think what is new now is that the Bureau is using this other aspect of its authority to bring in individual firms. And I think this is a response to the market reality that more and more of the market and consumer financial services is shifting to non-banks. 

    This has been true in the mortgage market for a number of years but is increasingly true in other markets as fintechs gain increasing share and the Director Chopra, as well as other key regulators in the administration have sort of been expressing concern about the migration of financial services, generally outside of the bank regulatory perimeter and I see the Bureau’s exercise of its non-bank supervisory authorities is an attempt to at least get the major players under supervisory authority, which of course is a much more, as you said, intensive form of supervision and oversight than is available to the agency through its other tools including its enforcement tool. 
    Jerry: Well, John, as mentioned, we have in the prior podcast episodes explored the larger participant rule to define general use digital consumer payment applications but following issuance of the proposed rule, the Bureau took the unusual step of publicly announcing its use of supervisory authority over an individual non-bank financial services company but it finds reasonable cause to believe that non-banks’ conduct proposes a risk to consumers. 

    We know that this was not the first time the Bureau has used its reasonable cause supervisory authority in this way but it has chosen the context of a contested use of the authority by a non-bank participant to go public. It’s almost as if it’s firing a warning shot that it has the power and plans to use it more assertively. 

    Could you share your thoughts about what motivated this action and its implications for the vast array of non-bank providers under the agency’s jurisdiction, including consumer reporting agencies, small business lenders and others?
    John: Sure. So, building off of your last question and my response to it, the agency’s obviously interested in expanding its authority and in many different areas it has been apparently sort of turning through each provision of the Dodd-Frank Act or Title 10 of the Dodd-Frank Act, which is its organic authority, to look for authority that it historically hasn’t exercised very significantly and think about ways in which it can do so to meet its market goals or policy goals 

    And this particular authority which is codified in Section 55.12(a)(1)(c) of the U.S. Code, which those of us in the biz call the risk consumers authority, it allows the Bureau to determine that a particular institution poses a risk to consumers and therefor should be subject the CFPB’s jurisdiction. And as you mention, it has been used in the past. I was involved in the procedural rule that governs the use of this authority, but it was principally used in the context of the negotiated resolution of an enforcement action where among the other terms that a firm would agree to resolve an enforcement matter, they would agree to be subject to the CFPB’s supervisory authority usually for some period of time, say five years or thereabouts. 

    Earlier in Director Chopra’s administration of the CFPB, I think a year or year-and-a-half ago, the CFPB amended that procedural rule that I worked on in 2012 or ‘13 in a way that I think is really pretty significant. And what they did was to say, “when we make a determination that a company poses a risk to consumers, we’re going to make that public” and it was — the Bureau’s stated rationale was to let the market know sort of what we’re doing with our authority so that other people can be better prepared. But I think it was perceived by many, including me candidly, to be basically a shot across bow of companies that if they didn’t just consent to the CFPB’s supervisory authority when the CFPB suggested that they might be posing risk to consumers, the CFPB would publicly out them. And we know because the CFPB has said so publicly that a number of firms have consented to the CFPB’s supervisory authority under this particular provision of law but have not chosen to contest it and therefor the public doesn’t know which institutions that is. 

    And so, this is the first time the CFPB has ever made public, a risk to consumers designation that wasn’t in the context of an enforcement action. And I think the implications are that firms are likely going to be reluctant to exercise their statutory right to have a hearing and challenge the Bureau’s determination that it is posing risk to consumers. And I think that’s, in my view, unfortunate and I think a deviation from the generally applicable rule that matters of supervisory authority are done confidentially, but that’s where we are right now. 
    Jerry: Right. Well let’s bring Sasha into this conversation.
    Sasha Leonhardt: Thank you, Jerry, and John thank you for joining us today as a guest and thank you for joining us as a partner a few years ago. I value your experience and Jerry does and our clients are grateful to have you and your understanding of the Bureau’s operations and legal authority in their corner. 

    Traditionally the Bureau, when it has reason to believe that consumers are being harmed by the actions of a particular financial services provider, it will issue a CID, or civil investigative demand. Not all of our listeners though have had the experience of being on both sides of the coin between a CID and dealing with supervision, so could you just, before we get to a little more of what that’s going to mean in the weeds, could you at a broad level explain the difference for covered entities between responding to CIDs and being subject to supervision? It’s obviously no picnic but examination entails much more, right? 
    John: I think that’s a fair characterization, Sasha, and I think the principal distinction, at least in my view, between enforcement and supervision is that enforcement really is pretty — not always, we know too well, but is often targeted around specific conduct that the Bureau thinks may be unlawful. And so, for example, there’s, you know, one provision of Regulation E that the Bureau thinks that a firm may have been violating because of consumer complaints or a whistleblower what have you, and so they’ll issue a CID and it’s very intensive about that issue and it often involves years-long investigation but it’s about a, you know, specific issue. 

    Supervision really is different in kind, and what it’s intended to do really is in theory in a less adversarial posture just come in and look at everything — soup to nuts. So it’s not this specific provision of Regulation E, it is all of Regulation E and literally they will go through every single provision of the reg and determine your compliance by looking at, you know, samples often in policies and procedures and interviewing the relevant people and so — and it can be very comprehensive.

    And the other thing is they’re on a very tight time frame. These exams are scheduled out and so they don’t often have the, in their view, luxury of, you know, granting extensions to document or information requests and so our experience, particularly for non-banks who aren’t used to examinations, is that it is an all hands on deck intensive sprint for that period of time between the first day letter that kicks off an exam and when the agency is sort of done with its examination work. 
    Sasha: Thank you, John. And I’d like to come back to something earlier which was the trigger for the exercise of supervisory authority over a particular provider. The Bureau does have to make the finding of potential harm but you referred earlier to the ability to challenge it, so what are the criteria the Bureau uses to make such a finding? How would a challenge work if a financial institution were to do it as opposed to just concede to it earlier as you noted? And just how does this work from the Bureau’s side when they’re evaluating this and if there were a challenge, how would the Bureau be likely to respond? 
    John: So, let me — I think maybe the most efficient way to think about this is just to walk through the process chronologically. So, the first thing to understand is that the statute is worded incredibly broadly and vaguely, which effectively provides the agency with a tremendous amount of discretion over, you know, which individual firm to pick out of, you know, this enormous marketplace that they theoretically, you know, regulate. Or, not theoretically regulate, actually regulate, and potentially supervise to determine, you know, who poses risks to consumers. 

    Risks to consumers is not a defined term. It is not necessarily limited to unlawful conduct, for example, and it is — and this is something that the Bureau pointed out in its publicly issued order — it doesn’t even have to make a determination by a preponderance of the evidence or some other, you know, standard of proof that we would be familiar with in civil litigation. It has to have reasonable cause to determine that a company may be posing risks to consumers. And I think the Bureau really made a lot of that in this publicly issued order and suggested like, it’s something less than having actually made a determination that a firm poses risk to consumers. 

    So, it could be a consumer complaint, or several consumer complaints as was the case in the publicly issued order, but in my view, they might well make this determination just based on the market share of a firm in an important market to consumers that is, I think, consistent with how it does a risk prioritization process, and supervision generally. And we’ll see over time if there are more public orders whether its sort of a body of precedent is developed over how the Bureau is going to exercise its authority. But, all we know now based on this one is that it’s broad and in the Bureau’s view, very broad. 

    So, the way the process works is, the Bureau notifies a firm, “We think we have reasonable cause to determine that you’re engaging in conduct that poses a risk to consumers. We want to examine you. Will you consent?” And you can either say “Yes,” or you can say, “No. We don’t think we are. We want to — we don’t think you actually have reasonable cause to determine that we’re posing risks to consumers.” In which case, there is an opportunity to present a written submission to a more senior official within the agency than the one who issued the initial determination. There is an opportunity for an oral submission and we understand from the published order that that happened in this case. In this case the director himself actually asked for served replies, supplemental briefing on issues. We don’t know exactly which issues. And then the director made a decision in the whole process in the published order. And this is the only time process have ever been utilized. I think it took about less than a year. But maybe nine months or something along those lines. Maybe six months. And then there was a little delay before it was actually made public. 

    In theory, this is final agency action and a non-bank who believes that the Bureau’s determination was wrong, could go to district court and ask the district court to overrule the Bureau’s determination and enjoin the Bureau from examining the institution on that basis. That is a very high bar to, in my view, to suggest that the Bureau acted arbitrarily or capriciously, it would be under the APA’s arbitrary and capricious standard. On such a broad grant of authority, the Bureau would really have to have some basic facts wrong or really be, you know, capricious in its determination to prevail. And this company, for whatever reason, chose to challenge the Bureau’s initial determination. It has not gone to court, and I think given their lapse in time, you should probably assume that it is not going to do so. 

    So, anyway, the deck is very much weighted in the Bureau’s favor, and I think that’s an important thing to know if you’re a non-bank and get one of these letters suggesting that someone wants to bring you under the supervisory authority. You know, you can fight it, but you’re probably going to lose, unless the Bureau is like, truly mistaken in its views. And, the other consequence is, you’re going to be outed publicly as “posing risk to consumers” — I used scare-quotes there that the audience can’t see. And that has real market implications. The company who was the subject of the published order their stock dropped 10% the day after it became public, and so, I think a lot of rational firms, for good or ill, are going to just make the determination that it’s better to go along with the Bureau on this.
    Sasha: So, I’ve heard you say that the Bureau has broad authority to designate institutions under this rule, and the exam process itself is also resource intensive. On the other side, the Bureau, like any other agency, has limited resources. But, because these are so resource-intensive, I could potentially see this drawing down the Bureau’s resources significantly. 
    We’ve spoken before on RegFi, particularly with Raj Date, about how new technology may make the exam process more efficient. But, I’m curious of your thoughts about how the Bureau would address its allocation of resources, and how they’d be affected if it decides to use the supervisory authority more extensively? 
    John: So, I think there’s two ways to think about this issue which is truly a real one for the agency. They are resource constrained in their supervision, particularly on the non-bank side, but also on the bank side. And, you know, there’s sort of two ways to think about it. 

    One is, to your point and to Raj’s excellent insights, I think technology can be used to exercise the authority in a way that is more effective than the traditional bank examination model that the Bureau basically adopted from the banking agencies and that has its roots, you know, in 19th century bank supervisory exams where you would go in and look at the actual books and records and interview the personnel. And I think the Bureau has started thinking about using technology and sort of large data pools, and I wouldn’t be surprised if eventually they do adopt alternative intelligence to just hoover up information from providers, and then make an even more nuanced risk phase determination as to where to spend our resources, and also conduct exams in a more efficient manner than they do. So, that’s one tool that’s, you know, I think they haven’t fully plumbed the depths of that potential opportunity. 

    The other thing that they will do is shift those resources around, and I think what we’ve seen in the Chopra administration is, you know, the largest banks that control a huge portion of the market in certain very important consumer financial services markets, deposits et cetera, are always going to be a major focus of the CFPB’s exam authority. I think what we’ve seen is a shift to non-bank players from, you know, small to mid-size banks that are over the 10 billion dollar threshold, but not quite big enough to really get the Bureau’s attention, and I think one of the reasons for that is the Bureau has a lot of comfort that even if they’re not in there doing exams, they know that the OCC or the FDIC or the Fed and the state banking regulators, for state-chartered institutions, are doing some level of examination of the banks, and that’s just not the case often on the non-bank side, or certainly not to the same degree. So, I think we’ll continue to see a shift to non-bank providers as long as that’s the way the market goes.
    Jerry: John, as a practical matter, only larger participants and some individual non-bank providers are likely to experience an examination in any one year. But if it happens, and it is likely to happen to the larger participants, then they better be ready, because being ready is important. To use a crude analogy, not every home will experience a break-in, but the prudent homeowner buys insurance and invests in an alarm system. Are there any basic steps that you would recommend that companies take to be ready for examination process?
    John: That’s a great question, Jerry, and we’re working with a lot of institutions right now who are acting like the prudent homeowner and anticipating their first CFPB examination. I think the smartest step is to actually prepare for the examination by engaging in a mock examination, and so, our advice to institutions is to print out the CFPB supervisory examination manual, and literally go through it.
    Jerry: It is about a thousand pages, isn’t it?
    John: It is not short. And depending on the institution, not all of it may be applicable, right? If you don’t loan money, you’re not subject to TILA or ECOA, et cetera. But the way the Bureau does this is very routinized and they will go through the examination manual line by line, and so we advise companies to go though that exercise themselves. 

    The first thing that the Bureau will look at will look at any firm in its first examination is your compliance management system. So, board and management oversight, what are your three lines of defense? What do you do with consumer complaints? Do you respond to them? Do you collect them? Do you address systemic issues? Do you properly exercise oversight over your service providers? How is that embedded into your contracts with them? These are the sort of things that are table stakes for the Bureau and if you don’t do a good job on your CMS, it is not necessarily a violation of law, but it is going to make the rest of the process much harder because the Bureau’s suspicion will be that there will be violations of law that they will uncover. 

    You know, I think I would start with the CMS and then I would go through the rest of the examination manual and just look for the places that are applicable to you and literally go line through line and that’s what CFPB examiners would do: there are checklists within the manual. And so, say, for one particular provision of Regulation E, do we give this disclosure? Do we resolve these disputes in this time frame? What are the exceptions to that, et cetera et cetera. And, go through that. 

    And we often will do mock examinations for firms and basically play CFPB examiners from the first day letter that going to seek all of your policies and procedures through interviews, through an assessment. And I think it’s so critically important not just to avoid new potential referral to enforcement, but to get this relationship off on a good start because you want the CFPB to think that compliance is something you take very seriously. It’ll make it less likely in the future for the CFPB to come back and do another examination. So, I think it’s an exercise well worth the time and resources that need to be invested.
    Jerry: And, you know, the consequences of not being on the right side of the Bureau can range from private “matters requiring attention” right up to a public order and demands for restitution and fines — so it’s a big risk and it’s certainly worth getting ready for. And the fact that the agency is exercising this authority more frequently as a way that they think they can enhance compliance, is a reality now. And so, I think we all have to really accept that and get ready for it. 

    John, our time is up, but thank you so much for joining us. It’s been great to have you and to have your insights — insights that were gained on the inside.
    John: Well, thank you very much for having me, Jerry. Sasha. It’s always a pleasure to be with you, and really enjoyed it.