May 5, 2022
On April 25, 2022, the Consumer Financial Protection Bureau announced that it will begin relying upon a “largely unused legal provision” of the Dodd-Frank Act to supervise nonbank financial companies that purportedly pose risks to consumers. To facilitate that process, the CFPB simultaneously promulgated a procedural rule that authorizes it to publish its decisions about whether certain nonbank entities present such a risk. The CFPB has stated that it intends for these decisions to provide nonbank entities with guidance about the circumstances in which they may be subject to regulation. Left unstated is the reality that the threat to publicly designate an entity as posing risks to consumers will provide the CFPB with additional leverage over such entities.
The CFPB’s announcement marks a significant expansion of its supervisory reach. The CFPB said that it intends to “conduct examinations” of “fintech” companies and “to hold nonbanks to the same standards that banks are held to.” And it is expected that the CFPB will assert the same authority over crypto firms. The CFPB’s announcement comes at a time of increasingly intense competition among regulators to assert jurisdiction over fintech and digital assets firms. Gibson Dunn represents many clients at the forefront of crypto and fintech innovation, and has deep experience challenging over-extension of agencies’ regulatory authority, including by financial regulators. We stand ready to help guide industry players as the CFPB moves forward with its ambitious plans.
I. The CFPB’s Authority to Regulate Nonbank Entities
Historically, only banks and credit unions were subject to federal financial supervision. That changed when Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
Under Dodd-Frank, the CFPB has supervisory authority over several categories of nonbank entities, including entities that provide mortgage, private student loan, or payday loan services. 12 U.S.C. § 5514(a)(1)(A), (D)–(E). In addition, and most relevant here, the CFPB may regulate nonbank entities when it “has reasonable cause to determine”—after providing notice and an opportunity to respond—that the entity “poses risks to consumers” regarding the provision of consumer financial products or services. Id. § 5514(a)(1)(C).
The CFPB issued a procedural rule in 2013 delineating the risk-determination process, but it has never before used this authority to supervise a nonbank. As the CFPB’s April 25, 2022 announcement explains, however, that is about to change. In the announcement, the CFPB said that it will begin exercising its “dormant authority” under Dodd-Frank to supervise nonbank entities—including “fintech” firms—that it has determined pose a risk to consumers.
The Dodd-Frank Act and the CFPB’s implementing regulations detail the risk-determination process and the consequences of being subject to regulation.
- The Risk-Determination Process. The CFPB promulgated detailed procedures for the process it uses to determine whether nonbank entities are a risk to consumers, and thus subject to regulation under Dodd-Frank. See 12 C.F.R. §§ 1091.100–.115. Those procedures give the CFPB discretion to initiate the risk-determination process through issuing a “Notice of Reasonable Cause,” id. § 1091.102, or through bringing charges in an adjudicatory proceeding, id. § 1091.111. Whichever path the CFPB chooses, it must provide notice of the basis for the apparent risk and an opportunity for the nonbank entity to respond. The CFPB has stated that it may base its risk determinations on “complaints collected by the CFPB, or on information from other sources, such as judicial opinions and administrative decisions,” as well as “whistleblower complaints, state partners, federal partners, or news reports.” After considering the available evidence and any responses from the nonbank entity, the Director will decide whether it has “reasonable cause” to find a risk to consumers. The Director’s decision to subject an entity to regulation under Dodd-Frank is subject to review under the Administrative Procedure Act.
- Regulation under Dodd-Frank. If the CFPB determines that a nonbank entity is subject to regulation based on a risk determination, then it faces the same level of regulation as banks. Among other things, the CFPB can conduct examinations to ensure compliance with consumer financial laws, 12 U.S.C. § 5514(b)(1), require entities to comply with recordkeeping requirements, id. § 5514(b)(7), and is generally vested with exclusive enforcement authority over federal consumer financial laws, id. § 5514(c). Notwithstanding the formal processes for making risk determinations, entities may also voluntarily consent to regulation under Dodd-Frank. 12 C.F.R. §§ 1091.110(a), 1091.111(a).
- Petition for Termination. In the event the CFPB determines after the Issuance of a Notice of Reasonable Cause that a nonbank entity poses a risk to consumers and is thus subject to regulation under Dodd-Frank, that entity may file a petition before the Director to terminate the decision and escape regulation under the Act. 12 C.F.R. § 1091.113(a). That petition may be filed “no sooner than two years after” the decision, and only one petition may be filed per year. Id. The Director’s decision on a petition qualifies as “final agency action” that may be subject to review under the Administrative Procedure Act. Id. § 1091.113(e)(3).
II. New Rule Allowing Publication of Risk-Determination Decisions
Accompanying its announcement to begin supervising fintech nonbanks, the CFPB issued a procedural rule amending the risk-determinations procedures. Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination; Public Release of Decisions and Orders, 87 Fed. Reg. 25397 (proposed Apr. 29, 2022).
As a general matter, materials submitted in connection with a risk determination are considered confidential. 12 C.F.R. § 1091.115(c). But with this new rule, which took effect on April 29, 2022, the CFPB may in the Director’s discretion publish decisions and orders made during the risk-determination process on the CFPB’s website. According to the CFPB, this is designed to “increase the transparency of the risk-determination process” and give nonbank entities guidance about how the CFPB will enforce the Dodd-Frank Act moving forward. Of course, the measure also affords the CFPB an opportunity to make headlines regarding its efforts to bring large, innovative, and/or well-known entities under its supervisory control. The rule gives the nonbank entity subject to the order or decision an opportunity to file a submission with the CFPB regarding publication of the CFPB’s determination. The Director also decides whether to publish on the CFPB’s website the decision about whether the risk determination will be publicly released.
The CFPB has requested public comments on the rule, which must be received by May 31, 2022. Interested parties should consider commenting on the proposal to express any concerns, propose improvements, and to preserve their ability to bring a legal challenge to the rule. For regulated entities, a challenge to the rule may be preferable to raising objections only after the CFPB has identified the entity by name in a published risk determination.
III. Implications for Fintech and Crypto Companies
The CFPB’s announcement of its intent to begin supervising fintech firms—which is believed to include crypto firms as well—represents a muscular expansion of the agency’s regulatory purview. It is yet another aggressive action in the young tenure of Director Rohit Chopra—one that has been controversial and generally perceived as hostile to industry. The consequences for fintech and crypto firms could be significant. Although much will depend on the vigor with which the CFPB pursues its rediscovered supervisory authority, the CFPB stated that it intends to “conduct examinations” of fintech companies and to hold them to “the same standards that banks are held to.” Further, the CFPB’s new procedural rule allows the agency to publicize its findings about the risks that a fintech or crypto company poses to consumers before the agency completes an examination of the company, contrary to the confidentiality principles encouraging full and frank communications between an entity and its regulator, which principles lie at the heart of the supervisory process.
The CFPB’s new assertion of jurisdiction is in keeping with the surge of interest among federal regulators in the fintech and crypto industries over the past year. The SEC, CFTC, FinCEN, Treasury, and other agencies have been jockeying for position to regulate this fast-growing and innovative space. Absent legislation from Congress clearly defining regulatory roles within the industry, that jockeying is likely to continue. In March 2022, President Biden issued an executive order directing numerous agencies to evaluate the risks and benefits of digital assets. The reports resulting from that executive order may only heighten scrutiny of the crypto industry and increase the number of regulators asserting jurisdiction over it.
* * *
As the CFPB decides which entities it will seek to regulate under Dodd-Frank, companies can take steps now to begin assessing their compliance with the laws administered by the CFPB. Gibson Dunn represents many clients at the forefront of fintech, crypto, and blockchain innovation and stands ready to help guide industry players through this new era of CFPB regulation and the growing patchwork of federal regulation. The Gibson Dunn team has the expertise to provide guidance and develop innovative arguments challenging the CFPB’s authority. E.g., PHH Corp. v. CFPB, 839 F.3d 1 (D.C. Cir. 2016) (holding that the CFPB was unconstitutionally structured in violation of Article II and that the CFPB violated the APA), on reh’g en banc, 881 F.3d 75, 83 (D.C. Cir. 2018) (en banc) (vacating a $109 million penalty because the CFPB misinterpreted the statute and violated due process by retroactively applying its new interpretation); Bus. Roundtable v. SEC, 647 F.3d 1144 (D.C. Cir. 2011) (defeat of SEC “proxy access” rule).
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact Gibson Dunn’s Crypto Taskforce (cryptotaskforce@gibsondunn.com), or any member of its Financial Institutions, Global Financial Regulatory, Privacy, Cybersecurity and Data Innovation, Public Policy, or Administrative Law teams, including the following authors:
Ryan T. Bergsieker – Partner, Privacy, Cybersecurity & Data Innovation Group, Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Ashlie Beringer – Co-Chair, Privacy, Cybersecurity & Data Innovation Group, Palo Alto (+1 650-849-5327, aberinger@gibsondunn.com)
Matthew L. Biben – Co-Chair, Financial Institutions Group, New York (+1 212-351-6300, mbiben@gibsondunn.com)
Michael D. Bopp – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-955-8256, mbopp@gibsondunn.com)
Stephanie L. Brooker – Co-Chair, Financial Institutions Group and White Collar Defense & Investigations Group, Washington, D.C. (+1 202-887-3502, sbrooker@gibsondunn.com)
M. Kendall Day – Co-Chair, Financial Institutions Group, Washington, D.C. (+1 202-955-8220, kday@gibsondunn.com)
Roscoe Jones, Jr. – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-887-3530, rjones@gibsondunn.com)
Eugene Scalia – Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C. (+1 202-955-8543, escalia@gibsondunn.com)
Helgi C. Walker – Co-Chair, Administrative Law & Regulatory Practice Group, Washington, D.C. (+1 202-887-3599, hwalker@gibsondunn.com)
Associates Nick Harper and Philip Hammersley also contributed to this client alert.
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
