Staying Off The CFPB’s Financial Services Offender Registry

Entering into a settlement with a federal or state agency has always carried the burden of enhanced regulatory scrutiny and copycat class actions or investigations. Financial services companies weigh these risks against the benefits of resolving enforcement matters outside of litigation.

These risks may be amplified next year as the Consumer Financial Protection Bureau’s repeat offender registry gets off the ground, causing the scale to tip in favor of litigating rather than settling for some companies.

With the bureau’s publication of the registry filing instructions in August, the issues at stake are more salient than ever. Companies will need to be prepared for the long-term implications of registering, whether or not they are currently subject to an order that qualifies them for the registry.

What is the registry?

The registry will be a central database of nonbank financial services companies that have been the subject of certain federal, state or local enforcement actions that have resulted in public order.[1] The CFPB intends to publish the identity of the companies on the registry, along with information about the covered orders that landed them on the registry, on its website.[2]

Although there are some exclusions, companies on the registry that are subject to the bureau’s supervision and examination authority will also need to designate what is calls an “attesting executive.” This individual will attest in an annual written statement to the bureau the steps taken to review and oversee compliance with the covered orders and any violations of the orders that the company identified during the prior year.

Per the rule, the designee must be the “highest-ranking duly appointed senior executive officer” — or the highest-ranking individual with oversight responsibility, for the entities without duly appointed officers — responsible for ensuring the company’s compliance with federal consumer financial laws and covered orders.[3]

The identities of attesting executives are expected to be made publicly available, although the written statements to which they attest will be treated as confidential supervisory information.

Which companies and orders are subject to registration?

Subject to certain narrow exclusions, any company that is not an insured bank or credit union, offers or provides consumer financial products or services, and is the subject of a covered order will need to register.[4] This includes nonbank mortgage and consumer lenders, payments and money transmission companies, fintech companies, and consumer reporting agencies, among many others.

Covered orders include any final public order issued by a federal, state or local agency, or by a court in a matter brought by such agencies, involving violations of:

•  A federal consumer financial law;

• Any other law within the CFPB's enforcement authority;

• The prohibition against unfair or deceptive acts or practices in Section 5 of the Federal Trade Commission Act; and

• Specific state laws, enumerated in an appendix to the final rule establishing the registry,[5] related to unfair, deceptive or abusive acts or practices.

Orders with an effective date prior to Jan. 1, 2017, or that were no longer in effect as of Sept. 16, 2024, are excluded.[6] The initial registration deadlines vary based on whether a company is subject to one of the CFPB's larger participant rules or is otherwise supervised by the CFPB:

• Larger participants must register by Jan. 14, 2025, with registration opening Oct. 16, 2024.

• CFPB-supervised companies that are not larger participants must register by April 14, 2025, with registration opening Jan. 14, 2025.

• All others must register by July 14, 2025, with registration opening April 14, 2025.[7]

Notably, the registry allows nonbank companies that have a good faith basis to believe that (1) they are not an entity covered by the final rule establishing the registry, (2) they are not subject to an order that qualifies as a covered order, or (3) they are not a CFPB-supervised entity subject to the additional requirements imposed on such entities, to submit a notice to the bureau stating that they are not registering or following the additional requirements due to that good faith belief.

This option is intended to provide a sort of safe harbor where "the Bureau would not bring an enforcement action against that person based on" a failure to comply with the rule "unless the Bureau has first notified the person that the Bureau believes the person does in fact qualify."[8] However, the treatment of those who provide such notices is not affirmatively stated in the rule itself.

What do the filing instructions tell us?

On Aug. 23, the bureau issued its "Nonbank Registration Filing Instructions Guide."[9] The filing instructions primarily provide technical guidance for establishing an account within the nonbank registry portal and submitting required information. As such, it provides a more detailed view of precisely what information will be submitted to the CFPB, as well as what information is subject to publication on the bureau's website.

In general, information considered "administrative" is not subject to publication[10] and is labeled as such throughout the filing instructions. Among those items not subject to publication is the company's point of contact for registration — that is, the person filling out the forms and entering information — so employees tasked with this responsibility can rest easy. It also includes certain information about the company itself, such as its taxpayer identification number, as well as the above-discussed good faith notices.

Specific company information that will be subject to potential publication includes, among other things:

• The company's legal name, any DBAs or fictitious names, and business address;

• Legal Entity Identifier, Company Nationwide Multistate Licensing System ID, RSSD ID, EDGAR Central Index Key and Home Mortgage Disclosure Act ID; and

• Jurisdiction of incorporation or organization.

For each covered order, information the company must provide includes:

• The docket, case, tracking or other identifying number of the order;

• The specific laws alleged to have been violated;

• The effective date and term of the order;

• The court and government agencies involved;

• The full name and title of any attesting executive;

• Any affiliated companies that are also required to be registered; and

• A copy of the order itself.

Certain information must also be submitted when orders that were previously submitted expire.

So, where is this going?

The CFPB's stated reasons for establishing the registry, as outlined in June remarks by CFPB Director Rohit Chopra, are to "rein in repeat offenders" and "better identify and act on enforcement trends."[11]

While less explicit but no less clear, the registry is also designed to increase scrutiny of companies previously subject to enforcement actions, and to enlist the help of other federal and state agencies, private litigants, investors and the public at large in those efforts. As both the bureau and Chopra have emphasized, the registry is not only intended to identify repeat offenders, but to deter targets of enforcement actions from becoming repeat offenders.[12]

In other words, increasing the pressure applied from all sides to companies subject to orders, including those who are not actually repeat offenders, is the point.

Increasing the pressure is also part of a policy trend that has been building since 2022, when the CFPB announced the creation of its Repeat Offender Unit within the Office of Supervision Examinations. This unit is tasked with "monitoring the activities of repeat offenders" and reducing "the occurrence of repeat offenders",[13] as well as handling the bureau's recent use of enhanced enforcement remedies against recurring violations, such as prohibiting continued participation in certain otherwise lawful business activities or imposing requirements on executive compensation.[14]

The executive attestation requirement for CFPB-supervised companies also likely signals increased use of an enforcement tool once rarely used by the bureau: imposing personal liability on individual high-ranking officers, a trend that also began to take shape in 2022.[15] Indeed, Chopra mentioned "a close examination of the individuals involved in calling the shots" in his remarks concerning the registry.[16]

How can companies prepare?

Of course, the obvious and least helpful suggestion is to avoid becoming the target of an enforcement action.

This is not always possible, even for companies with strong compliance controls, a good culture of compliance and the best of intentions. However, there are some things companies that find themselves on the registry can do to potentially lessen further harm. There may also be things that companies subject to an investigation can consider to avoid triggering registration.

The goal for those who find themselves on the registry for a past order should be to avoid becoming a repeat offender. Unfortunately, the registry itself increases the risk of that occurring due to the enhanced scrutiny. This means that companies should take compliance with orders very seriously and err on the side of caution when trying to interpret compliance requirements.

It also means assigning sufficient resources to order compliance and keeping detailed documentation concerning the efforts taken, as well as being quick with corrective action and remediation when an issue is identified after an order. Encouraging these general actions after an order is, not ironically, the intended effect of the registry on companies. And while it may seem obvious to many, there is often a temptation to take the foot off the gas once an enforcement action is concluded, given the intense and exhausting nature of investigations or litigation.

For those who are at the end of an enforcement investigation, whether or not already on the registry, the prospect of being on the registry or needing to file another order should be added to the checklist of considerations when attempting to negotiate a resolution with the applicable agency. For example, companies facing weaker claims might reconsider whether fast resolution through an early push toward a negotiated settlement is worthwhile if avoiding an order entirely seems like a possibility.

Where a state agency is involved, companies may also wish to make the particular state law an order is based on a point of negotiation where possible — only those state laws enumerated in the regulation are within the scope of the registry. Alternatively, companies may consider pushing harder for a consensual resolution that does not meet the definition of a covered order, which requires that the resolution impose obligations on the company, such as a memorandum of understanding.

Or maybe it's just better to stay off the list.

This article is for general information purposes and is not intended to be and should not be taken as legal advice.

 [1]   Consumer Financial Protection Bureau, CFPB Creates Registry to Detect Corporate Repeat Offenders (June 3, 2024), available at https://www.consumerfinance.gov/about- us/newsroom/cfpb-creates-registry-to-detect-corporate-repeat-offenders/.

[2]   12 C.F.R. § 1092.205(a).

[3]   12 C.F.R. § 1092.204(b).

[4]   12 C.F.R. §1092.201(d). Notable exclusions include natural persons and certain motor vehicle dealers.

[5]   12 C.F.R. § 1092, app. A.

[6]   Consumer Financial Protection Bureau, Executive Summary of the Nonbank Registration of Orders Rule 6-7 (June 3, 2024).

[7]   Id. at 6.

[8]   Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, 89 Fed. Reg. 56028, 56094 (July 8, 2024).

[9]   Consumer Financial Protection Bureau, Nonbank Registration Filing Instructions Guide (FIG) (Aug. 23, 2024).

[10]  12 C.F.R. § 1092.205(a)(2).

[11]  CFPB, Prepared Remarks of CFPB Director Rohit Chopra on the Final Rule to Detect and Deter Repeat Offenders (June 3, 2024), available at https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb- director-rohit-chopra-on-the-final-rule-to-detect-and-deter-repeat-offenders/.

[12]  Consumer Financial Protection Bureau, supra, note 1.

[13]  Consumer Financial Protection Bureau, Supervisory Highlights, Issue 28, at 2-3 (Nov. 2022).

[14]  See Consent Order, In re Enova International Inc., No. 2023-CFPB-0014 (Nov. 15, 2023).

[15]  See, e.g., Compl., Consumer Fin. Prot. Bureau v. Nexus Servs. et al., Civil Action No. 5:21-cv-00016 (W.D. Va. 2021); Compl., CFPB v. TransUnion LLC et al., No.1:22-cv-01880 (N.D. Ill. 2022).

[16]  Consumer Financial Protection Bureau, supra, note 9.

Learn more about our banking Regulatory practice group.

About The Author

SIGN UP FOR UPDATES

Never miss our news, insights or events.

FEATURED NEWS