A&B ABstract: The CFPB’s Bulletin 2021-01 released on March 31, 2021 announced changes to the Bureau’s type of communications. Does this bulletin suggest a desire of the CFPB to use the examination process for purposes that go beyond the Dodd-Frank Act?
The Dodd Frank Act
The Dodd-Frank Act grants the CFPB authority to require reports and conduct examinations of certain covered persons, including nonbanks and banks with greater than $10 billion in assets. However, the CFPB’s supervisory authority over these institutions is not unlimited. In general, the CFPB may engage in supervision only for three purposes: (1) assessing compliance with the requirements of “Federal consumer financial laws” (a term defined in 12 U.S.C. 5481(14) to include specific enumerated consumer laws); (2) obtaining information about the activities subject to such laws and the associated compliance systems or procedures of financial institutions; and (3) detecting and assessing associated risks to consumers and to markets for consumer financial products and services. See 12 U.S.C. 5515(b).
The CFPB’s examination manual outlines its supervision and examination process, and in relevant part provides that when all onsite examination activities are complete, the examiner in charge of the examination should meet with the supervised entity’s management to discuss the CFPB’s preliminary examination findings, expected Matters Requiring Attention (“MRAs”), consumer compliance ratings (if applicable, and next steps. MRAs, the examination manual explains:
“are used by the Bureau to communicate to an institution’s Board of Directors, senior management, or both, specific goals to be accomplished in order to correct violations of Federal consumer financial law, remediate harmed consumers, and address related weaknesses in the CMS that the examiners found are directly related to violations of Federal consumer financial law.”
As a strictly legal matter, MRAs are not enforceable. However, there are real-world consequences for supervised institutions that do not take the actions prescribed in MRAs within the implementation timeframes prescribed by the CFPB. For instance, an institution’s responses to MRAs are considered by the CFPB when assessing its consumer compliance rating or the need for an enforcement action and also when scheduling future exam work. In other words, MRAs are not voluntary. Also, the CFPB’s exam findings, including MRAs, and institutions’ responses to MRAs are deemed confidential supervisory information under the CFPB’s rules. Consequently, they are non-public and not subject to release under FOIA.
This process creates a risk that the CFPB could abuse its supervisory authority. What happens, for instance, if the CFPB issues MRAs or other orders that require a supervised institution to take actions that exceed the requirements of the law? Could the CFPB issue MRAs that require the institution to conduct business in a manner that the CFPB prefers, above and beyond compliance with applicable laws or regulations? Supervised institutions understandably have a strong desire to avoid antagonizing examiners and avoiding a public enforcement action, so their interest is always to accommodate the CFPB’s supervisory demands. If the CFPB’s MRAs are never challenged, the risk of mission creep is very real.
CFPB’s Prior Guidance on Supervisory Communications
In 2018, the CFPB sought to mitigate mission creep risk and ensure that the CFPB would not exceed its supervisory authority by issuing a public bulletin that made clear that MRAs would relate only to violations of Federal consumer financial law or CMS weaknesses that are directly related to those violations. The bulletin also created a second category of supervisory communication known as a Supervisory Recommendation (“SR”). However, SRs were to be used by the CFPB only to raise CMS concerns in cases where examiners did not identify a violation of Federal consumer financial law, and SRs do not include provisions for periodic reporting nor expected timelines for implementation. In other words, SRs are voluntary, and it is up to the supervised institution to decide whether address the CFPB’s concerns or act on its recommendations. By distinguishing MRAs from SRs, the CFPB sought to reinforce the clear statutory boundaries governing its supervisory authority.
CFPB’s Bulletin 2021-01
On March 31, 2021, the CFPB rescinded the 2018 bulletin, and issued a new bulletin in its stead. This new bulletin eliminates the SR category of supervisory communication and declares that CFPB examiners “may issue MRAs with or without a related supervisory finding that a supervisory entity has violated a Federal consumer financial law.”
Additionally, the bulletin declares that the CFPB will now use MRAs to convey its supervisory expectations not just for violations of Federal consumer financial laws and related CMS deficiencies, but also for “other laws enforced by the Bureau.” The CFPB does have authority to enforce certain laws that are not defined as Federal consumer financial laws, meaning that it can use its enforcement powers, including civil investigative demands, to detect violations of those laws, but it lacks authority to examine institutions for compliance with those laws. And in the examination context, the CFPB is not required to turn a blind eye to violations of law it may uncover; there are statutory mechanisms for the referral of certain violations to appropriate Departments and agencies. But here, the CFPB’s bulletin is declaring that the CFPB will use the supervisory process to address violations of laws other than Federal consumer financial laws through MRAs, which appears to exceed its statutory authority.
Also, the bulletin states that the CFPB “expects supervised entities to implement a CMS that, among other things, effectively prevents, identifies, and addresses risks to consumers.” This statement is inconsistent with the CFPB’s own examination manual, which states that the purpose of CMS is to maintain legal compliance with Federal consumer financial laws, not to address all risks to consumers. A violation of law Federal consumer financial law, of course, often represents a risk to consumers, but the two concepts are not coextensive. The Dodd-Frank Act does permit the CFPB to engage in market monitoring activities to identify risks to consumers and the proper functioning of consumer financial markets, but that authority is separate and distinct from its supervisory authority. See 12 U.S.C. 5511(b)(3) and 5512(c). However, with regard to supervision, the Dodd-Frank Act specifically limits the CFPB’s authority to address risks to consumers in two ways: first, the risk must generally be associated with a violation of Federal consumer financial law; and second, the risk must be created by the offering or provision of “consumer financial products and services,” which are specifically defined in 12 U.S.C. 5481(5). The CFPB’s bulletin does not acknowledge these statutory limitations, and the resulting lack of precision creates concern that the CFPB could identify risks to consumers not associated with the provision of consumer financial products and services or a violation of Federal consumer financial law and use its supervisory process to force supervised institutions to address them.
Finally, the bulletin warns that the CFPB is committed to using the full range of its authorities to “promote compliance with the law and to ensure that supervised entities protect consumers.” Here again, the CFPB is publicly committing to using the supervisory process to achieve an objective that goes beyond compliance with Federal consumer financial law. And while all observers would agree that “protecting consumers” is a laudable objective in the abstract, the bulletin neglects to define that phrase for purposes of supervision and examination, so readers are left in the dark as to the CFPB’s intended meaning. In what way can the objective of ensuring that supervised entities protect consumers be distinguished from promoting compliance with Federal consumer financial law? Without additional clarity from the CFPB, the statement appears on its face to assert a broader supervisory mandate than the one set forth in the Dodd-Frank Act.
At best, the language used in the CFPB’s new bulletin is imprecise; at worst, it articulates an expansive view of the CFPB’s authority that should concern all supervised institutions and the public at large. However, because of the confidential nature of the supervisory examination process, the public lacks the means to evaluate how the CFPB administers its bulletin. Additional clarification from the CFPB regarding its intentions and commitment to maintaining the boundaries of its statutory authority would no doubt be welcomed. Failing that, appropriate oversight by Congress or the Federal Reserve’s inspector general, which possess authority to review the CFPB’s confidential supervisory material, may eventually be warranted.