On April 25th, the Consumer Financial Protection Bureau (“CFPB”) announced its intention to conduct supervisory examinations of fintechs and other nonbank consumer finance customer that pose risk to consumers. Effective in thirty days, this announcement could result in a substantial expansion of the CFPB’s supervisory authority.

CFPB Supervisory Examinations: 2012 - May 2022

The CFPB uses supervisory examinations to evaluate a company’s compliance with the Dodd-Frank Act, primarily its prohibition on unfair, deceptive, and abusive acts and practices (“UDAAP”) and the enumerated consumer laws, including the Truth in Lending Act, the Electronic Fund Transfer Act, and the Equal Credit Opportunity Act, and regulations implemented by the Bureau. Through an examination, the CFPB attempts to identify a company’s deficiencies and usually issues a report summarizing any findings and corrections. In some cases, CFPB examinations result in referrals to the CFPB’s Office of Enforcement for investigation and possible public enforcement actions.

The CFPB has historically examined: (i) large banks, credit unions, and thrifts with more than $10 billion in assets, (ii) larger participants in certain industries defined by rule (currently international money transfers, consumer reporting, debt collection, student loan servicing, and automobile financing), and (iii) nonbanks of all sizes involved in mortgage lending and payday lending.[1] The CFPB historically did not engage in examinations of nonbank consumer providers not included in these other categories.

Separately, the CFPB implemented a procedural rule in 2013, 12 C.F.R. § 1091, that established a process for the Bureau to supervise any nonbank covered person that the Bureau “has reasonable cause to determine…is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.”[2] Prior to 2022, the CFPB had not used this authority to conduct any risk-based examinations.

Changes to CFPB Examinations

The CFPB indicates it will now rely on this heretofore unused 2013 authority to examine nonbank providers – including fintechs – that it determines pose risk to consumers. The CFPB’s goal is to provide and enhance consumer protection and to “level the playing field” between nonbank providers, banks, and credit unions. Additionally, the CFPB believes this expansion will provide it with “critical agility to move as quickly as the market” and address financial harm to consumers before it spreads.[3]

The CFPB also proposes releasing details about its decision to engage in a risk-based examination. Previously, apart from CFPB’s quarterly and anonymized supervisory highlights, details about exams were completely confidential and exam proceedings were subject to supervisory privilege.[4] The proposed change will give impacted companies the ability to object to the release of these materials and the CFPB expects it will make redactions consistent with the Freedom of Information Act.

The CFPB explained when it expects to have “reasonable cause” to conduct a risk-based examination. These determinations will be based on complaints and information collected from other sources, which may include judicial opinions, administrative decisions, whistleblower complaints, information from federal and state partners, and news reports.[5] The CFPB notes that risky conduct may include potentially unfair, deceptive or abusive acts or practices, or other acts that may violate federal consumer law.[6]

Impact of this Change

Previously, smaller fintech and nonbank providers (outside of payday lenders and mortgage providers) did not need to worry about CFPB exams. While still subject to CFPB enforcement, these providers could focus on other aspects of developing a complaint operation, including obtaining state licenses and preparing for state exams, working on compliance issues with bank partners and other providers, and developing a robust compliance management system. No longer will fintechs of any size be able to rely on a “supervisory honeymoon” until the company reached a specific size.

Going forward, nonbank providers engaging in consumer financial services should prepare for the possibility of a CFPB examination. These providers should review the relevant sections of the CFPB’s Supervisory Manual to identify whether they have the necessary compliance management system under the relevant provisions of federal consumer finance law.[7] These providers should be able to document their compliance management system, their efforts to prevent UDAAPs in their offerings and marketing, and their policies for the specific consumer finance laws applicable to their business. Finally, providers should track future CFPB guidance to determine if the risks the CFPB identifies are or could be present in their products and services.