Alston & Bird Consumer Finance Blog

Fintech

Financial Services Advisory: FDIC Proposes Rule to Establish Custodial Account Recordkeeping Requirements

Executive Summary

Our Financial Services Team studies the Federal Deposit Insurance Corporation’s plans to require insured depository institutions (IDIs) to keep specific records so that they know the actual owner of deposits placed by fintechs and BaaS providers.

  • IDIs would be required to implement internal controls over the covered accounts
  • IDIs would be permitted to contract with a third party to assist in meeting the recordkeeping requirements
  • Comments on the proposed rule are due 60 days after it’s published in the Federal Register

_____________________________________________________________________________

On September 17, 2024, the Federal Deposit Insurance Corporation (FDIC) issued a notice of proposed rulemaking (NPRM), Recordkeeping for Custodial Accounts, that would establish new recordkeeping requirements for insured depository institutions (IDIs) about certain custodial accounts that are often used by financial technology companies and banking as a service (BaaS) providers to hold their customers’ deposits and facilitate transactions. The NPRM appears to be a direct response to the May 2024 collapse of Synapse Financial Technologies, a fintech provider that maintained custodial transaction accounts for end-users. Synapse, former FDIC Chair Jelena McWilliams as bankruptcy trustee for Synapse, and certain partner banks have been unable to reconcile the actual amount of funds in the custodial accounts with existing records related to those accounts, restricting end-users’ access to the funds.

The NPRM refers to the accounts it covers as “custodial deposit accounts with transactional features,” defined as “deposit account[s]: (1) [e]stablished for the benefit of beneficial owners; (2) [i]n which the deposits of multiple beneficial owners are commingled; and (3) [t]hrough which beneficial owner(s) may authorize or direct a transfer through the account holder from the custodial deposit account to a party other than the account holder or beneficial owner.”

Specifically, for each nonexempt covered account, the proposed rule would require IDIs to maintain records in a prescribed format of account ownership, beneficial ownership, ownership right and capacity (e.g., single account, trust account, business account), current balances, and accrued interest balances. Each IDI that holds nonexempt covered accounts would be required to implement internal controls appropriate to its size and the nature, scope, and risk of its activities related to those covered accounts, including by maintaining accurate balances at the beneficial ownership level and reconciling account balances at the close of each business day.

The NPRM would permit IDIs to contract with a third party (e.g., a fintech or BaaS provider that established the covered account) to “assist the [IDI] in meeting” the recordkeeping requirements of the proposed rule. The IDI must:

  • Have direct, continuous, and unrestricted access to the records maintained by the third party, even in the event of the third party’s business interruption, insolvency, or bankruptcy.
  • Have a continuity plan and technical capabilities to ensure compliance with the NPRM, including backup recordkeeping capabilities.
  • Implement internal controls to accurately determine and daily reconcile the beneficial ownership of covered accounts.
  • Have a contractual relationship with the third party that:
    • Clearly defines roles and responsibilities for recordkeeping, including by assigning to the IDI the third party’s rights to access data held by other parties.
    • Requires the third party to implement internal controls that would be required of the IDI if the IDI were performing the outsourced function.
    • Requires a periodic, but not less than annual, validation by an independent third party to assess and verify that the third party is maintaining accurate and complete records consistent with the provisions of the proposed rule.
    • Does not relieve the IDI of its responsibilities under the proposed rule.

The proposed rule would exempt certain covered accounts from its requirements, including: (1) accounts holding only trust deposits; (2) accounts established by a government depositor; (3) accounts established by or on behalf of one or more brokers, dealers, or investment advisers; (4) interest on lawyers trust accounts; (5) accounts held in connection with an employee benefit plan or retirement plan; (6) accounts maintained in connection with a real estate transaction; (7) accounts maintained by a mortgage servicer in a custodial or other fiduciary capacity; (8) accounts that are prohibited by federal or state law to disclose the identities of the beneficial owners of the deposits; (9) accounts maintained through deposit placement or reciprocal networks for purposes other than payment transactions; (10) accounts holding security deposits for homeownership associations governed by state law; and (11) accounts holding security deposits tied to residential or commercial leasehold interests.

IDIs holding nonexempt covered accounts would be required to establish and maintain written policies and procedures to achieve compliance with the proposed rule and annually certify compliance with the proposed rule to the IDI’s FDIC regional or area office and the appropriate federal banking agency. Further, these IDIs would be required to submit to the IDI’s FDIC regional or area office and the appropriate federal banking agency a report containing a description of any material changes to the IDI’s information technology systems; a list of account holders that maintain nonexempt covered accounts at the IDI, the total balance of these accounts, and total number of beneficial owners of these accounts; the results of the IDI’s periodic recordkeeping compliance testing; and the results of the independent validations of records maintained by third parties.

Violations of the proposed rule would be subject to enforcement actions under Section 8 of the Federal Deposit Insurance Act and potential termination of the offending IDI’s deposit insurance.

In an accompanying press release, FDIC Chair Martin Gruenberg stated that the proposed rule “is an important step to ensure that banks know the actual owner of deposits placed in a bank by a third party such as Synapse, whether the deposit has actually been placed in the banks, and that the banks are able to provide the depositor their funds even if the third party fails” that would “strengthen the FDIC’s ability to make deposit insurance determinations” and “strengthen compliance with anti-money laundering and countering the finance of terrorism law.”

While the NPRM, if finalized as proposed, would facilitate FDIC administration of pass-through deposit insurance claims by end-users whose funds are held in custodial accounts, the main, practical impact of the rule would likely be that fintech companies and BaaS providers will need to develop recordkeeping and reporting obligations that satisfy explicit FDIC requirements – all under the close scrutiny of their IDI partners. We anticipate that IDIs that hold custodial accounts subject to a final rule as well as their fintech company and BaaS provider partners will need to implement considerable updates to technology systems, internal control practices, and their contractual arrangements to comply with these requirements.

The FDIC’s proposal follows revised rules governing FDIC deposit insurance coverage advertising and misrepresentation, a recent proposed rulemaking and request for information relating to brokered deposits, a July joint statement and request for information relating to bank–fintech arrangements, general third-party risk management guidance that federal agencies updated in 2023, and a handbook the agencies released earlier this year to assist community banks in implementing the guidance.

The FDIC is seeking comment on the NPRM. Interested IDIs, fintech companies, and BaaS providers should review the NPRM and consider submitting comments. Comments on the NPRM are due 60 days after the proposed rule’s publication in the Federal Register.


Originally published September 24, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

Financial Services Advisory: Regulators Focus on Bank-Fintech Arrangements

Executive Summary

Through joint guidance and an information request, federal bank regulators underscored banks’ compliance responsibilities in their banking-as-a-service (BaaS) relationships with third parties. Our Financial Services Team unpacks what financial institutions and their counterparties need to know about navigating this evolving BaaS regulatory terrain.

  • Comprehensive governance and third-party risk management practices that clearly delineate the responsibilities of each party
  • Systems and controls to address operational and compliance needs, including timely access to relevant records and the development of appropriate contingency plans
  • Adoption of policies and procedures to prevent the misrepresentation of deposit insurance coverage

_________________________________________________________________________________

Amid recent scrutiny and enforcement activity in the banking-as-a-service (BaaS) space, federal regulators have issued a joint statement reiterating the importance of banks’ oversight of certain third-party relationships through sound risk management practices.

The July 25, 2024 joint statement by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency follows more general third-party risk management guidance the agencies updated in 2023 and a handbook the agencies released earlier this year to assist community banks in implementing such guidance. Like the 2023 guidance, the joint statement reiterates that a bank’s reliance on third parties does not diminish its responsibility to comply with applicable laws and regulations, and it highlights that banks often face increased risks that need to be mitigated when partnering with third parties.

While the agencies note that the joint statement does not alter existing legal or regulatory requirements or establish new supervisory expectations, it examines specific forms of BaaS relationships in more detail than prior guidance, identifying certain categories of risk and circumstances that the agencies have observed in the space and that have been the subject of recent public enforcement actions against banks. The regulators also issued a request for information (RFI) to gather insight into the nature and implications of these relationships and effective risk management practices.

The 2023 guidance largely restates previously published third-party risk management principles and applies to virtually any third-party relationship that a bank enters into (including referral arrangements and certain types of the bank’s own customer relationships). The joint statement, on the other hand, focuses on arrangements between banks and third parties to deliver bank deposit products and services. According to the joint statement, these third parties “sometimes include non-bank companies, such as, but not limited to, certain financial technology (or fintech) companies.” The RFI expands on this concept (including in connection with lending and payments services) to explore a stated interest in whether “enhancements to existing supervisory guidance may be helpful in addressing risks associated with these arrangements.” In this sense, the agencies articulate a new regulatory concept of BaaS and possible heightened supervisory expectations that may apply to it.

The RFI contrasts these bank-fintech arrangements with those involving “a core bank service provider or other third-party providers,” which the agencies suggest may “help or hinder” such arrangements. Both the joint statement and RFI seem to distinguish these arrangements from traditional core or similar providers based on (1) their complexity, including the involvement of multiple subcontractors or other intermediaries (including “middleware” firms); (2) the prevalence of a direct relationship between these providers and the relevant “end users” of the products and services; and (3) the degree of the bank’s reliance on fintech partners not only for engaging in direct customer communications but also for performing compliance functions. A major theme of the joint statement is that these factors can combine to outpace the ability of a bank to appropriately manage the risks such an arrangement poses to its customers and to its overall safety and soundness.

Although the joint statement expresses support for responsible innovation and banks’ engaging in BaaS relationships that are conducted in a safe and sound manner, the regulators focus on a number of areas where new risks may emerge or existing risks may be amplified, some of which have surfaced in recent enforcement actions and BaaS market dynamics. As general themes, the regulators highlight:

  • Operational and compliance risks that may develop when significant bank operations are performed in whole or in part by third parties, when there’s a lack of access to key records maintained by third parties, or when there’s a reliance on third parties to perform bank compliance functions.
  • Risks relating to growth, including misaligned incentives between a bank and the third party, operational capabilities that lag rapid growth resulting from BaaS arrangements, financial risks from rapidly increasing funding concentrations, and the potential inability to manage emerging liquidity risks when a significant proportion of a bank’s deposits or revenues are associated with a third party.
  • End user confusion and misrepresentation relating to the availability of FDIC deposit insurance coverage, including potentially misleading statements and marketing from nonbank third parties.

The joint statement and RFI exhibit an understanding of and specific interest in particular details of these arrangements that will be familiar to many who have developed or helped to document them, including:

  • Account Titling and Associated Recordkeeping. The RFI includes a request for feedback on deposit account titling and recordkeeping practices, and it recognizes that the bank’s “core deposit ledger may only include omnibus [end user] accounts,” often titled as “for the benefit of” or “FBO” accounts. The agencies question what controls exist to ensure the accurate exchange of information between banks and fintechs about these accounts and note the possibility that a bank’s lack of sufficient access to such information could lead to delays in end users’ access to deposits and associated legal and compliance risks.
  • Determining the Bank’s “Customer” for Regulatory Purposes. The technology or user experience layering associated with BaaS arrangements can lead to ambiguity in the application of existing laws and regulations that depend on whether the fintech, its end users, or both are “customers” of the bank. The RFI specifically refers to this issue in the context of customer identification program obligations under the Bank Secrecy Act and privacy-related obligations under Regulation P. Of particular importance to nonbank fintechs, a designation of an end user as a customer of both the bank and the fintech or solely as a customer of the fintech also potentially impacts the fintech’s independent regulatory obligations, especially under state and federal money transmission licensing and registration requirements.
  • Data Use and Ownership. The 2023 guidance identified data use and ownership as a risk consideration for banks, but the joint statement and RFI explore this issue in greater detail, including the degree to which the use of innovative data inputs and formats (such as for underwriting purposes) poses risks to banks. Other potential risks cited by the agencies in this regard include increased exposure to fraud and data security incidents based on the parties’ systems integration, as well as the use or access restrictions that the fintech may attempt to impose on data generated as part of a BaaS arrangement that the fintech regards as its proprietary information. Regulatory attention to this issue by these agencies could overlap with existing and possible future rulemaking by the Consumer Financial Protection Bureau, which is not a party to the joint statement or RFI, on open banking or digital wallets. The RFI specifically identifies larger firms (which, according to the RFI, are sometimes referred to as “Big Tech”) with multiuse technology platforms as among the types of “fintech” companies having bank partnerships on which the agencies are focused for purposes of their analysis.
  • Allocation of Responsibility. As with data rights, the 2023 guidance and prior regulatory pronouncements generally emphasize the importance of clear contractual and operational allocation of responsibility any time a bank partners with a third party to conduct activities, while the RFI and joint statement explore this issue in some depth, including the potential for gaps or delays to occur that could cause a bank to violate applicable law. In addition, the agencies observe that a bank’s lack of meaningful negotiating power relative to the fintech partner or the bank’s heavy reliance on revenue or liquidity from the fintech partner could impede the bank staff’s ability to effectively oversee and challenge critical aspects of the fintech’s performance. This consideration also implicates the role of middleware providers or other intermediaries engaged by a bank’s fintech partner whose contractual or other legal obligations to the bank may not be clear. These obligations may arise, if at all, through pass-through or other provisions of the bank-fintech agreement by which the bank seeks to rely on the fintech partner to enforce the bank’s expectations and to exercise appropriate monitoring and oversight of the middleware providers or other intermediaries.
  • FDIC Insurance Disclosures and Customer Confusion. The RFI and guidance identify the risk of end user confusion around the availability and terms of FDIC deposit insurance as a key risk of fintech partnerships that involve deposits. Citing aspects of advertising rules that the FDIC recently revised, including with respect to pass-through insurance disclosure requirements, the regulators indicate that bank-fintech arrangements pose unique risks in this regard given the tendency for end users to have a direct relationship with and visibility to a bank’s fintech partner, who the end user may view as its primary provider.
  • Brokered Deposit Treatment. The agencies did not address directly the issue of brokered deposits in the 2023 guidance, but it is a focus of both the RFI and the joint statement. The joint statement encourages institutions to conduct appropriate analyses to determine whether parties involved in the placement of deposits meet the definition of a deposit broker and whether deposits placed through a program require reporting as brokered deposits. Within days of the publication of the RFI and joint statement, the FDIC published proposed changes to aspects of the substantial overhaul to brokered deposit rules finalized by the agency in 2020, including their “primary purpose” exceptions. In this proposal, the FDIC specifically notes that certain operational and liquidity problems it has observed since 2020 (including in connection with high-profile bank and nonbank insolvency events) can be attributed, in part, to rapid growth based on banks’ reliance on middleware fintech companies and the volatility of some bank-fintech deposit placement programs.

The joint statement references the 2023 guidance along with various other previous advisories and policy statements on bank safety and soundness expectations relating to managing third-party risk and the importance of board and senior management oversight. It also highlights examples of effective risk management practices, providing banks with an opportunity to review and potentially refresh their existing risk management practices and governance mechanisms to align with those in the joint statement. It may also be productive for fintechs to assess whether their own operational and compliance processes can support the regulatory expectations to which their partner banks are subject. According to the agencies, effective risk management practices include:

  • Comprehensive governance and third-party risk management practices, including risk assessments tailored to the specific features of each third-party arrangement, with appropriate due diligence and contracts that clearly delineate the roles and responsibilities of each party.
  • Systems and controls to manage operational and compliance implications, including risk-based contingency plans or exit strategies to address the disruption or business failure of the third party that could affect end-user access to funds, and ensuring effective complaint management and resolution.
  • Adequate structures to ensure bank compliance with applicable Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) rules and sanctions requirements.
  • Management of growth, liquidity, and capital implications, including contingency funding plans in the event of unexpected customer withdrawals.
  • Adoption of policies and procedures to prevent the misrepresentation of deposit insurance coverage.

As the BaaS market continues to develop, both banks and fintechs should consider contributing to the regulatory dialogue through responses to the RFI. Responses are due on September 30, 2024.

The RFI could lead to a number of regulatory initiatives designed to increase the requirements associated with BaaS arrangements or even expand the agencies’ ability to supervise nonbank fintech firms directly, such as under existing Bank Service Company Act authority. In the meantime, the joint statement and RFI provide a road map for banks and fintechs in the BaaS space that outlines corresponding risk management expectations of the prudential U.S. bank regulators, and these publications can be expected to reflect and influence the way in which examiners oversee such arrangements.


Originally published August 8, 2024.


California DFPI Digital Asset Lending Regulatory Year in Review

A&B ABstract:

In December of 2022 California released an interagency progress report (“Report”) analyzing the current regulatory status of Web3, Crypto Assets, and Blockchain. The report was prepared pursuant to Executive Order N-9-22 (the “Order”) issued by California Governor Gavin Newsom on May 4, 2022, which declared California’s intent to regulate blockchain, including crypto assets and related financial technologies, and directed California state agencies, including the Governor’s Office of Business and Economic Development (“GO-Biz”), the Government Operations Agency, the Business, Consumer Service and Housing Agency, and the Department of Financial Protection and Innovation (“DFPI”) to collect feedback from various stakeholders to understand the risks and explore opportunities for the state. The Order, among other directives, advises these California agencies, led by DFPI, in consultation with GO-Biz, to create a regulatory framework for crypto assets in coordination with federal and state authorities, with the goals of ensuring equity, regulatory clarity, consumer protection, innovation, and job growth. Although these new technologies present some novel questions, for entities engaging in lending backed by digital assets, the DFPI has made clear that the California Financing Law and similar regulatory burdens apply.

Current Registration Requirements

The Report follows earlier requests for public comment, including from the DFPI, which published a request for public comment (the “Request”) stating an intent to develop a comprehensive state regulatory framework for the offering of digital asset related financial products and services in California. Within the previous request for comment, the DFPI states that it possesses the authority to develop comprehensive regulations under the California Consumer Financial Protection Law (CCFPL), which authorizes the DFPI to “prescribe rules regarding registration requirements applicable to a covered person engaged in the business of offering or providing a consumer financial product or service.” Accordingly, the DFPI has put forth that it currently has the authority to require licensing and regulation of crypto asset-related financial products. In the Order issued by Governor Newsom “crypto assets” is defined as “a digital asset, which may be a medium of exchange, for which generation or ownership records are supported through a blockchain technology.” Given this backdrop, we can expect the DFPI to issue regulations without further legislative input.

Public Feedback

Responses to the request for comment and other opportunities to provide public input resulted in several key suggestions for regulation, including the following:

  • Provide regulatory clarity—including by basing regulations on specific types of activities, products, and services (rather than specific entities).
  • Harmonize with federal guidelines—including by modeling key terms and requirements on those used by federal regulators.
  • Avoid over-regulation—including by minimizing compliance costs.

CCFPL Regulation and Supervision

The Report states that DFPI has issued licenses to 10 crypto asset related companies that engage in lending activities under California financial licensing laws. Some make consumer loans that are secured by crypto assets, while others make commercial loans to crypto asset-related companies. In addition to licensing and other compliance activity, the Report further notes that enforcement actions were also underway. The highlighted enforcement actions within the report related to companies allegedly operating crypto deposit accounts that qualified as unregistered securities as well as investment schemes. The Report did not highlight any enforcement actions related to loans secured by crypto assets or other licensing violations.

However, on November 18, 2022 and November 22, 2022, the DFPI suspended California Financing Law licenses for two entities in connection with their crypto asset platforms. In both instances, the entities paused activity on their platforms. The investigation of one entity remains ongoing while the other entered into an agreement to pause collection of repayments and interest on loans belonging to California residents while its CFL License is suspended or as further agreed to between the DFPI and the entity.

Takeaway

While many aspects of Web3, Crypto Assets, and Blockchain regulation remain unclear, it is clear that those engaging in lending activities collateralized or otherwise related to such assets are regulated under the CCFPL and other California law, and must abide by the same strictures as any other lender.

CFPB Continues Scrutiny of Algorithmic Technology

On May 26, 2022 the Consumer Financial Protection Bureau released a Consumer Financial Protection Circular stating that creditors utilizing algorithmic tools in credit making decisions must provide “statements of specific reasons to applicants against whom adverse action is taken” pursuant to ECOA and Regulation B. The CFPB previously stated that circulars are policy statements meant to “provide guidance to other agencies with consumer financial protection responsibilities on how the CFPB intends to enforce federal consumer financial law.” The circular at issue posits that some complex algorithms amount to an uninterpretable “black-box,” that makes it difficult—if not impossible—to accurately identify the specific reasons for denying credit or taking other adverse actions. The CFPB concluded that “[a] creditor cannot justify noncompliance with ECOA and Regulation B’s requirements based on the mere fact that the technology it employs to evaluate applications is too complicated or opaque to understand.”

This most recent circular follows a proposal from the CFPB related to review of AI used in automated valuation models (“AVMs”). As we noted in our previous post on that topic, the CFPB stated that certain algorithmic systems could potentially run afoul of ECOA and implementing regulations (“Regulation B”). In that prior outline of proposals with respect to data input, the CFPB acknowledged that certain machine learning algorithms may often be too “opaque” for auditing. The CFPB further theorized that algorithmic models “can replicate historical patterns of discrimination or introduce new forms of discrimination because of the way a model is designed, implemented, and used.”

Pursuant to Regulation B, a statement of reasons for adverse action taken “must be specific and indicate the principal reason(s) for the adverse action. Statements that the adverse action was based on the creditor’s internal standards or policies or that the applicant, joint applicant, or similar party failed to achieve a qualifying score on the creditor’s credit scoring system are insufficient.” In the circular, the CFPB reiterated that, in utilizing model disclosure forms, “if the reasons listed on the forms are not the factors actually used, a creditor will not satisfy the notice requirement by simply checking the closest identifiable factor listed.” In another related advisory opinion, the CFPB earlier this month also asserted that the provisions of ECOA and Reg B apply not just to applicants for credit, but also to those who have already received credit. This position echoes the Bureau’s previous amicus brief on the same topic filed in John Fralish v. Bank of Am., N.A., nos. 21-2846(L), 21-2999 (7th Cir.). As a result, the CFPB asserts that ECOA requires lenders to provide “adverse action notices” to borrowers with existing credit. For example, the CFPB asserts that ECOA prohibits lenders from lowering the credit limit of certain borrowers’ accounts or subjecting certain borrowers to more aggressive collections practices on a prohibited basis, such as race.

The CFPB’s most recent circular signals a less favorable view of AI technology as compared to previous statements from the Bureau. In a blog post from July of 2020, the CFPB highlighted the benefits to consumers of using AI or machine learning in credit underwriting, noting that it “has the potential to expand credit access by enabling lenders to evaluate the creditworthiness of some of the millions of consumers who are unscorable using traditional underwriting techniques.” The CFPB also acknowledged that uncertainty concerning the existing regulatory framework may slow the adoption of such technology. At the time, the CFPB indicated that ECOA maintained a level of “flexibility” and opined that “a creditor need not describe how or why a disclosed factor adversely affected an application … or, for credit scoring systems, how the factor relates to creditworthiness.” In that prior post, the CFPB concluded that “a creditor may disclose a reason for a denial even if the relationship of that disclosed factor to predicting creditworthiness may be unclear to the applicant. This flexibility may be useful to creditors when issuing adverse action notices based on AI models where the variables and key reasons are known, but which may rely upon non-intuitive relationships.” That post also highlighted the Bureau’s No-Action Letter Policy and Compliance Assistance Sandbox Policy as tools to help provide a safe-harbor for AI development. However, in a recent statement, the CFPB criticized those programs as ineffective and it appears those programs are no longer a priority for the Bureau. So too, that prior blog post now includes a disclaimer that it “conveys an incomplete description of the adverse action notice requirements of ECOA and Regulation B, which apply equally to all credit decisions, regardless of the technology used to make them. ECOA and Regulation B do not permit creditors to use technology for which they cannot provide accurate reasons for adverse actions.” The disclaimer directs readers to the CFPB’s recent circular as providing more information. This latest update makes clear that the CFPB will closely scrutinize the underpinnings of systems utilizing such technology and require detailed explanations for their conclusions.

Update Regarding the CFPB’s Buy Now, Pay Later Orders

In a prior post, we reported that the language used in orders recently issued by the CFPB to leading Buy Now, Pay Later (“BNPL”) providers suggested that the CFPB intends to use the information it collects to build enforcement cases rather than monitor market developments. We also reported that if this is the case, it is a departure from historic precedent and can be considered an end-run around the procedural safeguards established by Congress in Section 1052 of the Dodd-Frank Act to ensure that due process is afforded to financial institutions that become the target of CFPB enforcement investigations.

The CFPB’s intentions were apparently confirmed in a January 5 article in Axios about the BNPL orders, which quotes the CFPB’s small dollar, marketplace and installment lending program manager as saying:

“It is certainly possible that we could as a result of the data collection take enforcement action.”

Assuming this quote is accurate, recipients of CFPB 1022(c)(4) market monitoring orders should be well aware that any information provided to the agency may be used for enforcement purposes.