By Ryan Labriola
The CFPB is focusing its attention on financial services companies that have previously entered into formal agreements with federal regulators. In this post, Asurity discusses what actions financial services companies can take to best prepare themselves for this development.
Last month, the Consumer Financial Protection Bureau (CFPB) took a step forward on its long-awaited actions against “repeat offenders,” or institutions that the CFPB and other regulatory agencies allege were noncompliant with laws and regulations in separate historical instances. In connection with this initiative, the consumer watchdog agency issued its final rule creating a registry that tracks enforcement orders against financial services companies. In a press release, the CFPB wrote:
The registry will… help the CFPB to identify repeat offenders and recidivism trends. The new registry is part of the CFPB’s ongoing focus on holding lawbreaking companies accountable and stopping corporate recidivism. […] The CFPB’s new registry will facilitate better understanding of bad actors that seek to restart a scam, fraudulent scheme, or other illegal conduct that harms the public. The CFPB expects that the registry will be used by state attorneys general, state regulators, and a range of other law enforcement agencies. The registry will also assist investors, creditors, business partners, and members of the public that are conducting due diligence or research on financial firms bound by law enforcement orders. (See CFPB Creates Registry to Detect Corporate Repeat Offenders, June 3, 2024.)
While consent orders, cease and desist orders, and other enforcement actions are public and searchable on each respective federal regulator’s website, the repeat offender database will offer easier and consolidated access to financial services companies’ public enforcement actions. Additionally, regulatory agencies will be more readily able to determine whether allegations of noncompliance appear to be part of a pattern or practice which, in some cases, could result in referrals to the U.S. Department of Justice.
In the same announcement, the CFPB also specifically noted it intends to register nonbank financial services companies pursuant to its authority under the Consumer Financial Protection Act. The final rule requires nonbanks to:
- Report to the CFPB any final agency and court orders and judgments addressing consumer protection laws; and
- For those nonbanks subject to an order, provide a written attestation from a senior executive confirming that the company complies with the associated orders.
Through press releases, blogs, and other written and mass media communications, the CFPB has expressed an interest in recent years toward regulating nonbank entities such as fintech organizations. Namely, the CFPB has discussed invoking its “dormant authority” under the Dodd-Frank Act to supervise certain nonbanks.
What does this mean and to what degree will its “dormant authority” affect the financial services industry globally?
- Institutions operating under consent orders must ensure that they enhance their compliance monitoring and testing efforts in areas identified as deficient or noncompliant in the consent order. The CFPB and other regulators will now be able to reference the registry to identify areas that an institution is subject to a consent order and will likely focus more on those areas in examinations to attempt to find repeat offenders.
- Institutions should prepare their regulatory affairs function for the impacts of this registry. Regulators will likely apply heightened review standards towards potential “repeat offenders.” From a CFPB perspective, regulatory affairs should be empowered by the first and second lines of defense to evaluate: i) performance under and compliance with an enforcement order; and ii) the institution’s efforts towards ongoing compliance with applicable laws and regulations.
- Institutions should continually invest in robust compliance and control infrastructures. The importance of financial services institutions’ compliance programs remains critical. The existence of a registry with the express purpose of tracking institutions’ regulatory issues put the onus on Boards of Directors to ensure that their organizations have an adequate budget for compliance and compliance-related processes and infrastructure. As regulators adapt to having direct access to greater information, institutions must have the requisite resources needed to demonstrate effective ongoing compliance.