We have outlined the three trends to follow as the CFPB continues to aggressively pursue its consumer protection enforcement agenda against a wider range of nonbank actors.
The Dodd-Frank Act, set the CFPB apart from other federal regulators by providing it with enforcement authority over very large banks as well as nonbanks regardless of size. The CFPB can also conduct supervisory examinations to review the books and records of banks with over $10 billion in assets as well as a limited subset of nonbank financial entities in certain markets regardless of size, including the mortgage, private student and pay day loan industries. The CFPB also conducted rulemakings to define nonbank “Larger Participants” subject to supervision in the consumer reporting, debt collection, student loan servicing, remittances and auto loan servicing markets.
In April 2022, the CFPB announced that it would invoke a previously unused legal provision of Dodd-Frank to examine nonbank financial companies that “pose a risk to consumers.” This authority to examine nonbank entities, such as financial technology companies (Fintechs), was invoked by the CFPB to “help protect consumers and level the playing field between banks and nonbanks.” Importantly, this new process for exerting examination power over nonbanks is not specific to any consumer financial product or service.
The process of asserting examination authority is planned to involve a notice process which affords the potential subject with a right to respond before the CFPB makes its determination. However, unlike most supervisory examinations, the CFPB also announced its intention to release information at its discretion regarding its risk determination process. This fundamental change to the norm of confidentiality is a significant step toward making examinations function more like enforcement investigations. This adds significant authority to the CFPB’s supervision tools over nonbanks and is designed to allow the CFPB to be agile in supervising fintech markets.
In 2017, the CFPB reported that more than 75% of its enforcement actions related to nonbanks. In 2021, close to 90% of the enforcement actions brought by the CFPB were related to nonbanks. One recent example of the CFPB’s exercise of its authority over nonbanks can be found in the CFPB’s enforcement action against Hello Digit, a nonbank Fintech that offers consumers an automated-savings tool. In the Consent Order, the CFPB alleged that Hello Digit engaged in deceptive acts or practices by not always reimbursing consumers for overdraft fees caused by Hello Digit’s automated-savings tool, despite representing to consumers that it would do so. The CFPB enjoined Hello Digit from making any such alleged misrepresentations related to its automated-savings tool and required Hello Digit to provide at least $68,145 in redress to consumers and to pay a $2.7 million penalty.
The CFPB has also been naming individual defendants in enforcement actions. In 2022 alone, roughly 30% of the enforcement actions brought by the CFPB have been against or included individual defendants.
On August 4, 2022, Director Chopra, speaking at the Philadelphia Federal Reserve Bank’s Sixth Annual Fintech Conference, maintained that enforcement actions by the CFPB, rather than financial literacy efforts, were necessary to prevent consumer abuse in financial products.
Director Chopra stated that, “[d]isclosures are not going to be what's fixing it….What is often going to fix it is to eradicate unlawful actors who really prey on people.” In response, Chopra noted that the CFPB plans to shift its approach on education "to be more oriented toward reducing the shame, knowing how to spot risks, knowing where to go [for] unbiased information."
These statements by Director Chopra alongside the CFPB’s recent actions to expand its oversight of nonbanks show the CFPB’s priorities to protect consumers against bad actors across the financial industry. Additionally, the CFPB’s extensive enforcement and examination powers emphasize the importance of building compliance into consumer financial products and organizational policies alike.
The American Bankers Association, Consumer Bankers Association, and Credit Union National Association lobbied for a new “Larger Participant Rule” to correct a “supervisory imbalance” between banks and nonbanks when it comes to consumer financial data in their August 2, 2022, letter to the CFPB. The CFPB’s recent statements extending its jurisdictional reach over nonbanks and moving into privacy and data security law might obviate the need for that rulemaking. Instead, the CFPB is poised to take action against a wide range of nonbank entities including data aggregators.
For more information about the CFPB’s recent efforts to expand beyond its traditional jurisdiction over consumer financial products and services to protect consumer data, see Orrick’s latest Insights, The CFPB Leans Into Privacy With FCRA Advisory Opinion and What Fintech and Digital Marketing Companies Need to Know Now About the CFPB’s Expanding Jurisdiction.
The CFPB’s recent statements and actions concerning banks and nonbanks alike are strong indications of the CFPB’s enforcement priorities. We recommend that all companies that might be subject to the CFPB’s enforcement powers review their products, policies, and public statements to ensure compliance.
Contact Heather Egan Sussman, Melissa Baal Guidorizzi, Daniel Forester, Ryan McKenney, and Tori Downey if you have any questions regarding recent regulatory trends and best practices for building compliance programs if your company is subject to the CFPB’s enforcement and examination powers.
 This number is based upon publicly available disclosures at https://www.consumerfinance.gov/enforcement/actions/.