May 5, 2022
On April 25, 2022, the Consumer Financial Protection Bureau announced that it will begin relying upon a âlargely unused legal provisionâ of the Dodd-Frank Act to supervise nonbank financial companies that purportedly pose risks to consumers. To facilitate that process, the CFPB simultaneously promulgated a procedural rule that authorizes it to publish its decisions about whether certain nonbank entities present such a risk. The CFPB has stated that it intends for these decisions to provide nonbank entities with guidance about the circumstances in which they may be subject to regulation. Left unstated is the reality that the threat to publicly designate an entity as posing risks to consumers will provide the CFPB with additional leverage over such entities.
The CFPBâs announcement marks a significant expansion of its supervisory reach.  The CFPB said that it intends to âconduct examinationsâ of âfintechâ companies and âto hold nonbanks to the same standards that banks are held to.â And it is expected that the CFPB will assert the same authority over crypto firms.  The CFPBâs announcement comes at a time of increasingly intense competition among regulators to assert jurisdiction over fintech and digital assets firms.  Gibson Dunn represents many clients at the forefront of crypto and fintech innovation, and has deep experience challenging over-extension of agenciesâ regulatory authority, including by financial regulators. We stand ready to help guide industry players as the CFPB moves forward with its ambitious plans.
I. The CFPBâs Authority to Regulate Nonbank Entities
Historically, only banks and credit unions were subject to federal financial supervision. That changed when Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
Under Dodd-Frank, the CFPB has supervisory authority over several categories of nonbank entities, including entities that provide mortgage, private student loan, or payday loan services. 12 U.S.C. § 5514(a)(1)(A), (D)â(E). In addition, and most relevant here, the CFPB may regulate nonbank entities when it âhas reasonable cause to determineââafter providing notice and an opportunity to respondâthat the entity âposes risks to consumersâ regarding the provision of consumer financial products or services. Id. § 5514(a)(1)(C).
The CFPB issued a procedural rule in 2013 delineating the risk-determination process, but it has never before used this authority to supervise a nonbank. As the CFPBâs April 25, 2022 announcement explains, however, that is about to change. In the announcement, the CFPB said that it will begin exercising its âdormant authorityâ under Dodd-Frank to supervise nonbank entitiesâincluding âfintechâ firmsâthat it has determined pose a risk to consumers.
The Dodd-Frank Act and the CFPBâs implementing regulations detail the risk-determination process and the consequences of being subject to regulation.
- The Risk-Determination Process. The CFPB promulgated detailed procedures for the process it uses to determine whether nonbank entities are a risk to consumers, and thus subject to regulation under Dodd-Frank. See 12 C.F.R. §§ 1091.100â.115. Those procedures give the CFPB discretion to initiate the risk-determination process through issuing a âNotice of Reasonable Cause,â id. § 1091.102, or through bringing charges in an adjudicatory proceeding, id. § 1091.111. Whichever path the CFPB chooses, it must provide notice of the basis for the apparent risk and an opportunity for the nonbank entity to respond. The CFPB has stated that it may base its risk determinations on âcomplaints collected by the CFPB, or on information from other sources, such as judicial opinions and administrative decisions,â as well as âwhistleblower complaints, state partners, federal partners, or news reports.â  After considering the available evidence and any responses from the nonbank entity, the Director will decide whether it has âreasonable causeâ to find a risk to consumers. The Directorâs decision to subject an entity to regulation under Dodd-Frank is subject to review under the Administrative Procedure Act.
- Regulation under Dodd-Frank. If the CFPB determines that a nonbank entity is subject to regulation based on a risk determination, then it faces the same level of regulation as banks. Among other things, the CFPB can conduct examinations to ensure compliance with consumer financial laws, 12 U.S.C. §  5514(b)(1), require entities to comply with recordkeeping requirements, id. § 5514(b)(7), and is generally vested with exclusive enforcement authority over federal consumer financial laws, id. § 5514(c).  Notwithstanding the formal processes for making risk determinations, entities may also voluntarily consent to regulation under Dodd-Frank. 12 C.F.R. §§ 1091.110(a), 1091.111(a).
- Petition for Termination. In the event the CFPB determines after the Issuance of a Notice of Reasonable Cause that a nonbank entity poses a risk to consumers and is thus subject to regulation under Dodd-Frank, that entity may file a petition before the Director to terminate the decision and escape regulation under the Act. 12 C.F.R. § 1091.113(a). That petition may be filed âno sooner than two years afterâ the decision, and only one petition may be filed per year. Id. The Directorâs decision on a petition qualifies as âfinal agency actionâ that may be subject to review under the Administrative Procedure Act. Id. § 1091.113(e)(3).
II. New Rule Allowing Publication of Risk-Determination Decisions
Accompanying its announcement to begin supervising fintech nonbanks, the CFPB issued a procedural rule amending the risk-determinations procedures. Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination; Public Release of Decisions and Orders, 87 Fed. Reg. 25397 (proposed Apr. 29, 2022).
As a general matter, materials submitted in connection with a risk determination are considered confidential. 12 C.F.R. § 1091.115(c). But with this new rule, which took effect on April 29, 2022, the CFPB may in the Directorâs discretion publish decisions and orders made during the risk-determination process on the CFPBâs website. According to the CFPB, this is designed to âincrease the transparency of the risk-determination processâ and give nonbank entities guidance about how the CFPB will enforce the Dodd-Frank Act moving forward. Of course, the measure also affords the CFPB an opportunity to make headlines regarding its efforts to bring large, innovative, and/or well-known entities under its supervisory control. The rule gives the nonbank entity subject to the order or decision an opportunity to file a submission with the CFPB regarding publication of the CFPBâs determination. The Director also decides whether to publish on the CFPBâs website the decision about whether the risk determination will be publicly released.
The CFPB has requested public comments on the rule, which must be received by May 31, 2022. Interested parties should consider commenting on the proposal to express any concerns, propose improvements, and to preserve their ability to bring a legal challenge to the rule. For regulated entities, a challenge to the rule may be preferable to raising objections only after the CFPB has identified the entity by name in a published risk determination.
III. Implications for Fintech and Crypto Companies
The CFPBâs announcement of its intent to begin supervising fintech firmsâwhich is believed to include crypto firms as wellârepresents a muscular expansion of the agencyâs regulatory purview. It is yet another aggressive action in the young tenure of Director Rohit Chopraâone that has been controversial and generally perceived as hostile to industry. The consequences for fintech and crypto firms could be significant. Although much will depend on the vigor with which the CFPB pursues its rediscovered supervisory authority, the CFPB stated that it intends to âconduct examinationsâ of fintech companies and to hold them to âthe same standards that banks are held to.â  Further, the CFPBâs new procedural rule allows the agency to publicize its findings about the risks that a fintech or crypto company poses to consumers before the agency completes an examination of the company, contrary to the confidentiality principles encouraging full and frank communications between an entity and its regulator, which principles lie at the heart of the supervisory process.
The CFPBâs new assertion of jurisdiction is in keeping with the surge of interest among federal regulators in the fintech and crypto industries over the past year. The SEC, CFTC, FinCEN, Treasury, and other agencies have been jockeying for position to regulate this fast-growing and innovative space. Absent legislation from Congress clearly defining regulatory roles within the industry, that jockeying is likely to continue. In March 2022, President Biden issued an executive order directing numerous agencies to evaluate the risks and benefits of digital assets. The reports resulting from that executive order may only heighten scrutiny of the crypto industry and increase the number of regulators asserting jurisdiction over it.
*Â Â Â *Â Â Â *
As the CFPB decides which entities it will seek to regulate under Dodd-Frank, companies can take steps now to begin assessing their compliance with the laws administered by the CFPB. Gibson Dunn represents many clients at the forefront of fintech, crypto, and blockchain innovation and stands ready to help guide industry players through this new era of CFPB regulation and the growing patchwork of federal regulation. The Gibson Dunn team has the expertise to provide guidance and develop innovative arguments challenging the CFPBâs authority. E.g., PHH Corp. v. CFPB, 839 F.3d 1 (D.C. Cir. 2016) (holding that the CFPB was unconstitutionally structured in violation of Article II and that the CFPB violated the APA), on rehâg en banc, 881 F.3d 75, 83 (D.C. Cir. 2018) (en banc) (vacating a $109 million penalty because the CFPB misinterpreted the statute and violated due process by retroactively applying its new interpretation); Bus. Roundtable v. SEC, 647 F.3d 1144 (D.C. Cir. 2011) (defeat of SEC âproxy accessâ rule).
Gibson Dunnâs lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact Gibson Dunnâs Crypto Taskforce (cryptotaskforce@gibsondunn.com), or any member of its Financial Institutions, Global Financial Regulatory, Privacy, Cybersecurity and Data Innovation, Public Policy, or Administrative Law teams, including the following authors:
Ryan T. Bergsieker â Partner, Privacy, Cybersecurity & Data Innovation Group, Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Ashlie Beringer â Co-Chair, Privacy, Cybersecurity & Data Innovation Group, Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
Matthew L. Biben â Co-Chair, Financial Institutions Group, New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp â Co-Chair, Public Policy Group, Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie L. Brooker â Co-Chair, Financial Institutions Group and White Collar Defense & Investigations Group, Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day â Co-Chair, Financial Institutions Group, Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Roscoe Jones, Jr. â Co-Chair, Public Policy Group, Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)
Eugene Scalia â Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C. (+1 202-955-8543, escalia@gibsondunn.com)
Helgi C. Walker â Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C. (+1 202-887-3599, hwalker@gibsondunn.com)
Associates Nick Harper and Philip Hammersley also contributed to this client alert.
Š 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising:Â The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
