#CFPA

What Happened?

On June 3, 2024, the Consumer Financial Protection Bureau (CFPB or Bureau) issued its Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders Final Rule (the Final Rule), a 486-page rule imposing new obligations on nonbank entities that offer or provide a consumer financial product or service. At a high level, the Final Rule contains three primary requirements.

First, the Final Rule requires certain nonbank entities (Covered Nonbanks) to register with the CFPB’s new nonbank registry (NBR) and provide information about the nonbank and certain public Federal, State, or local written orders imposing obligations on the nonbank based on violations of certain consumer protection laws.

Second, for those Covered Nonbanks subject to the Bureau’s supervisory authority under section 1024(a) of the Consumer Financial Protection Act of 2010 (CFPA), the Final Rule will require such supervised registered entities to annually identify the executive(s) responsible for and knowledgeable of the nonbank’s efforts to comply with the orders identified in the NBR and submit an annual written statement and attestation.

Third, the Final Rule describes the registration information that the Bureau may make public.

The Final Rule takes effect on September 16, 2024 (the Effective Date) but establishes different implementation dates for different categories of Covered Nonbanks. Covered Nonbanks will be required comply with the Final Rule by as early as October 16, 2024.

Why Does it Matter?

The Final Rule represents yet another novel interpretation by the Bureau of its authority under the Dodd-Frank Act. As stated by the Bureau, “the registry will accomplish a number of goals, with a particular focus on monitoring for risks to consumers related to repeat offenders of consumer protection law.” As set forth below, the scope and requirements of the Final Rule are broad and complex, and failing to comply with these new requirements can perpetuate a “repeat offender” label.

The Final Rule Applies to Covered Nonbanks

With certain exceptions, the Final Rule will apply to covered persons as defined in the CFPA, including persons that engage in offering or providing a consumer financial product or service, as defined in the CFPA. Under the CFPA, a “covered person” is (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of such person if such affiliate acts as a service provider to such person. Among others, consumer financial products and services generally include the following, to the extent they are offered or provided for use by consumers primarily for personal, family, or household purposes:

• Extending credit and servicing loans;
• Extending or brokering certain leases of personal or real property;
• Providing real estate settlement services;
• Engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds;
• Selling, providing, or issuing stored value or payment instruments;
• Providing check cashing, check collection, or check guaranty services;
• Providing payments or other financial data processing products or services to a consumer by any technological means;
• Providing financial advisory services;
• Collecting, analyzing, maintaining, or providing consumer report information or certain other account information; and
• Collecting debt related to any consumer financial product or service.

The Final Rule does not apply to:

• An insured depository institution or insured credit union (e.g., an FDIC-insured bank);
• A person who is a covered person solely due to being a “related person,” as provided in the Dodd-Frank Act (e.g., controlling shareholders, consultants, and independent contractors, if the person is a covered person only because the person is a “related person” and not a covered person for another reason);
• A State, including federally recognized Indian tribes;
• A natural person;
• Certain motor vehicle dealers;
• A person that qualifies as a covered person under the Dodd-Frank Act only because of conduct excluded from the CFPB’s rulemaking authority, such as certain activities related to charitable contributions.

All other covered persons are covered by the Final Rule and are considered “Covered Nonbanks” for purposes of the Final Rule.

Orders Covered by the Final Rule

The Final Rule applies to “Covered Orders.” A Covered Order is a final public order issued by an agency or court (whether or not issued by settlement or consent) that:

• Identifies a Covered Nonbank by name as a party subject to the order;
• Was issued at least in part in any action or proceeding brough by any Federal Agency, State Agency, or Local Agency;
• Contains public provisions that impose obligations on the Covered Nonbank to take certain actions or to refrain from taking certain actions;
• Imposes such obligations on the Covered Nonbank “based on” an alleged violation of a “Covered Law”; and
• Has an effective date on or later than January 1, 2017.

A “Covered Law” means one of the following laws, to the extent that the violation of law found or alleged “arises out of conduct in connection with the offering or provision of a consumer financial product or service”:

• A Federal consumer financial law;
• Any other law as to which the Bureau may exercise enforcement authority;
• The prohibition on UDAPs under section 5 of the FTC Act or rules or orders issued thereunder;
• A State law prohibiting UDAPs/UDAAPs as identified in Appendix A to the Final Rule;
• A State law amending or otherwise succeeding a law identified in Appendix A to the Final Rule, to the extent the law is materially similar to its predecessor; or
• A rule or order issued by a State agency for the purpose of implementing a State law referenced in the two preceding bullet points.

According to the Bureau, “an obligation is ‘based’ on alleged violation where the order identifies the covered law in question, asserts or otherwise indicates that the covered nonbank has violated it, and imposes the obligation on the covered nonbank at least in part as a result of the alleged violation, even where the order contains provisions clearly stating that the entity does not concede or admit liability.” While the Bureau clarifies the meaning of “based on,” the Bureau declines to provide clarity “for determining the circumstances under which violations of covered laws arise out of conduct ‘in connection with the offering or provision of a consumer financial product or service.’”

It is also noteworthy, that the CFPB declined to narrow the definition of Covered Orders to those involving consumer harm. As a result, even orders of a clerical, technical, or administrative nature could be in scope.

Initial Registration Requirements

During each implementation submission period (discussed below), for all Covered Orders that (1) have an effective date from January 1, 2017, through the start of the Covered Nonbank’s submission period, and (2) for Covered Orders issued prior to September 16, 2024, remains effective as of September 16, 2024, each Covered Nonbank that is identified as a party to such Covered Order must register with the NBR and provide the following information, in the format provided by the Bureau (such filing instructions have not yet been released) within 90 days from the applicable implementation date or after the effective date of the applicable Covered Order:

• A fully executed, accurate and complete copy of the Covered Order (except nonpublic portions may be omitted);
• The name of the agency(ies) and court(s) that issued or obtained the Covered Order, as applicable;
• The effective date of the Covered Order;
• The expiration date of the Covered Order, if any;
• All Covered Laws found to have been violation, or for orders issued upon the parties’ consent, alleged to have been violated;
• Any docket, case, tracking, or similar identifying number(s) assigned to the Covered Order by the applicable agency(ies) or court(s); and
• The name and title of the attesting executive with respect to the Covered Order, if the registered entity is a supervised registered entity.

Annual Supervisory Reports for Supervised Registered Entities

Supervised Registered Entity

The annual reporting requirements apply to an “supervised registered entity” defined to mean a registered entity that is subject to supervision and examination by the Bureau. The definition includes:

• An entity that qualifies as a larger market participant for consumer financial products or services, as defined in the CFPA;
• An entity subject to an order by the Bureau exercising supervisory authority over certain nonbanks based on a risk determination in accordance with the CFPA; and
• An affiliate of an insured depository institution and insured credit unions with more than $10 billion in total assets.

The definition excludes:

• A service provider that is subject to Bureau examination and supervision solely in its capacity as a service provider and that is not otherwise subject to Bureau supervision and examination;
• A motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, with limited exception;
• Persons with less than $5 million in annual receipts resulting from offering or providing all consumer financial products or services;
• A person that qualifies as a covered person based solely on conduct that is the subject of, and that is not otherwise exempted from, an exclusion from the Bureau’s supervisory authority under the CFPA; and
• An affiliate of an insured depository institutions and insured credit unions with less than $10 billion in total assets.

Designation of Attesting Executive

A supervised registered entity subject to a Covered Order is required to annually designate one attesting executive for each Covered Order and all submissions related to that order who is “its highest-ranking duly-appointed senior executive officer (or, if the supervised registered entity does not have any duly appointed officers, the highest-ranking individual charged with managerial or oversight responsibility for the supervised registered entity) whose assigned duties include ensuring the supervised registered entity’s compliance with Federal consumer financial law, who has knowledge of the entity’s systems and procedures for ensuing compliance with the covered order, and who has control over the entity’s efforts to comply with the covered order.”

While the Bureau expects that under most circumstances the supervised registered entity would designate one single individual as its attesting executive for all of the Covered Orders to which it is subject, the Final Rule does not include such a requirement as the Bureau recognizes that there may be situations where there is no one executive with the requisite knowledge for all Covered Orders.

The entity must authorize the attesting executive to perform the duties of an attesting executive on behalf of the supervised registered entity with respect the Covered Order, including providing prompt access to all documents and information related to the supervised registered entity’s compliance with all applicable Covered Orders to make the required annual statement, as described below.

Annual Statement

The Annual Statement requirement applies prospectively to Covered Orders with an effective date after the Nonbank Registry Implementation Date. The Bureau states that it will treat the written statement submitted by the supervised registered entity as confidential supervisory information but does intend to publish the name and title of the attesting executive as it believes that publication of the executive’s name “will provide an incentive to pay more attention to covered orders.”

On or before March 31^st of each calendar year, the supervised registered entity must submit to the NBR a written statement for each Covered Order signed by the attesting executive. Such statement must include:

• A general description of the steps that the attesting individual has undertaken to review and oversee the supervised registered entity’s activities applicable to the Covered Order for the preceding calendar year; and
• Attest whether to the attesting executive’s knowledge, the supervised registered entity during the preceding calendar year identified any violations or instances of noncompliance with any public provisions of the Covered Order.

The Bureau does not establish any minimum procedures or steps the attesting executive must take in order to review and oversee the entity’s activities. With that said, the Bureau declined “to impose a reasonableness, good faith or other standards regarding the steps that the attesting executive has undertaken to review and oversee the supervised registered entity’s activities subject to the applicable covered order.” The Bureau also declined to impose materiality requirements as to the types of violations that must be declared – even minor ones are important to the Bureau.

Recordkeeping

Supervised registered entities are required to maintain documents and other records to provide reasonable support for its written statement for 5 years after its submission is required.

Optional One-Time Registration of NMLS-Published Covered Orders

In lieu of requiring compliance with the registration and annual reporting requirements, a Covered Nonbank that is identified by name with respect to an NMLS-published Covered Order may elect to comply with a one-time registration option. The CFPB will specify what information the Covered Nonbank must provide to the NBR for purposes of identifying the NMLS-published Covered Order and for coordinating with the NMLS. Upon supplying this information, the Covered Nonbank will have no further reporting obligations with respect to that Covered Order. A Covered Nonbank may avail itself of this one-time registration for all or some of its NMLS-published orders, which are those orders published on the NMLS Consumer Access website. However, “no covered order issued or obtained at least in part by the Bureau shall be an NMLS-published covered order.” Thus, if the applicable Covered Order was issued either by a court or the Bureau itself, or brought at least in part by the Bureau, this optional one-time registration is not available to such order. That is because the Bureau is requiring such orders to be included in the NBR so that the CFPB can monitor and enforce its own orders as well as obtaining the annual written statement regarding CFPB orders.

Termination of Registration Requirements

Covered Orders are subject to ongoing registration requirements until it is deemed to expire under the Final Rule, or all relevant provisions are fully terminated by an agency or court or under its own terms on a date expressly provided for in the Covered Order.

The Final Rule provides that a Covered Order that does not expressly provide for a termination date and is not otherwise terminated earlier is deemed to expire 10 years after its effective date. Alternatively, if a Covered Order provides for a termination date that is longer than 10 years, the Covered Order is not deemed to have terminated until the longer period provided for in the order.

The Final Rule requires that Covered Nonbanks notify the Bureau within 90 days from the date any Covered Order is modified, terminated, or abrogated.

If a Covered Order expires, is terminated, or is otherwise modified such that it is no longer a Covered Order, then the Covered Nonbank is relieved of ongoing registration and written statement obligations with respect to such order after the Covered Nonbank files a final notice with the Bureau. That is not to say, however, that the Covered Order would be removed from the CFPB’s registry. Subject to the Bureau’s discretion, the CFPB may maintain information on Covered Orders and the Covered Nonbanks subject to them on the NBR indefinitely.

Publication and Correction of Submissions to the NBR

Publication of NBR Information

The Final Rule provides that the CFPB may publish certain information about registered Covered Nonbanks and Covered Orders on its website. However, the written statement will be treated as confidential supervisory information. In addition, at its discretion, the CFPB may also publish aggregations or summary reports using the information submitted to the CFPB’s NBR.

Corrections of Submissions

If any information submitted to the NBR was inaccurate when submitted and remains inaccurate, a Covered Nonbank must file a corrected report in the form and manner specified by the Bureau within 30 days after the date on which the Covered Nonbank becomes aware or has reason to know of the inaccuracy. In addition, the Bureau may at any time and in its discretion direct a Covered Nonbank to correct errors or other non-compliant submissions to the NBR.

Implementation Submission Periods and Ongoing Registration

Implementation Submission Periods

The Final Rule provides for phased implementation dates that vary depending on the type of Covered Nonbank. As reflected in the below table, the Final Rule provides the following 90-day registration window for each category of Covered Nonbank to register all Covered Orders with effective dates from January 1, 2017, until the start of that implementation submission period:

Covered Nonbank Type	Registration Submission Period*	Registration Deadline*
Larger Participant CFPB-Supervised Covered Nonbanks Covered Nonbanks that are larger participants of a market for consumer financial products or services described under 12 U.S.C. 5514(a)(1)(B) as defined by one or more rules issued by the Bureau	October 16, 2024 through January 14, 2025	January 14, 2025
Other CFPB-Supervised Covered Nonbanks Covered Nonbanks described under any other provision of 12 U.S.C. 5514(a)(1)	January 14, 2025 through April 14, 2025	April 14, 2025
All other Covered Nonbanks	April 14, 2025 through July 14, 2025	July 14, 2025

* The Final Rule requires any dates that fall on a Saturday, Sunday, or Federal holiday be converted to the next day that is not a Saturday, Sunday, or Federal holiday. The Bureau has adjusted the above implementation submission period dates accordingly.

As noted above, during each of the above Registration Submission Periods, the Covered Nonbank must register all Covered Orders that: (1) have an effective date from January 1, 2017, through the start of the Covered Nonbank’s Registration Submission Period, and (2) for Covered Orders issued prior to September 16, 2024, the Covered Order remains effective as of September 16, 2024.

By way of example, assume an Other CFPB-Supervised Covered Nonbank has the following orders (that otherwise meet the definition of a Covered Order): (1) an order that took effect on January 1, 2016, and that expires on January 1, 2026, (2) an order that took effect on January 1, 2017, and that expires on October 30, 2025, and (3) an order that becomes effective on January 1, 2025, and that expires on January 1, 2031. During the applicable Registration Submission Period (noted above), the Other CFPB-Supervised Covered Nonbank:

• Would not register the first order (effective January 1, 2016) because it took effect before January 1, 2017.
• Must register the second order (effective January 1, 2017) because it took effect on or after January 1, 2017 (and prior to the start of the applicable submission period) and remained in effect as of September 16, 2024.
• Must register the third order (effective January 1, 2025) because it took effect on or after September 16, 2024, and prior to the start of the applicable submission period.

Ongoing Registration

After the start of a Covered Nonbank’s implementation submission period, a Covered Nonbank must begin complying with the Final Rule’s ongoing registration timing requirements to register new Covered Orders and to submit changes or updates related to previously registered Covered Orders. Generally, a Covered Nonbank must return to the NBR and make a registration submission within the identified 90-day window for each of the following events:

• Any updates or changes to the nonbank’s identifying information or administrative information, within 90 days after the date of that change.
• Any amendments to previously registered Covered Orders, including changes to submitted order information, within 90 days after the date the amendments are made.
• Any new Covered Orders applicable to the Covered Nonbank (with effective dates on or after the start of the applicable implementation period), within 90 days after the effective date of the new Covered Order.
• A revised filing if there is any termination or expiration (as discussed above) of a previously registered Covered Order, within 90 days after the effective date of that termination or expiration.

Enforcement / Penalties for Noncompliance with Final Rule

General Enforcement

The Bureau declined to establish special rules or remedies for violation of the Final Rule. With that said, the Preamble to the Final Rule clearly states that the Final Rule is a Federal consumer financial law under the CFPA and that “[v]iolation of the [F]inal [R]ule would be an independent violation of Federal consumer financial law subject to enforcement as provided in the CFPA, and applicable remedies under law, including potential civil money penalties.”

Additional Enforcement Considerations for Supervised Registered Entities

With respect to supervised registered entities, the Final Rule clarifies that the obligation to designate an attesting executive or to submit a written statement when required to do so, belongs to the supervised registered entity, and not to any particular individual. Accordingly, the Bureau states that “[i]f a supervised registered entity failed to designate an attesting executive or to submit a written statement when required to do so, the supervised registered entity – not a particular individual – would potentially be subject to an enforcement action.”

Notwithstanding the foregoing, the Bureau stated its expectation that the requirement to designate a single attesting executive for a Covered Order will prompt the executive to focus greater attention on ensuring compliance, which in turn will increase the likelihood of compliance. The Bureau also indicated that it intends to use the information submitted under § 1092.204 to facilitate its efforts to assess compliance with any Covered Orders that may be enforced by the Bureau, and to make determinations regarding any potential Bureau supervisory or enforcement actions related to the Covered Order or any other identified risks to consumers. For example, “where information obtained under proposed 1092.204 indicates that a high-ranking executive has knowledge of (or has recklessly disregarded) violations of legal obligations falling within the scope of the Bureau’s jurisdiction, and has authority to control the violative conduct, the Bureau may use that information in assessing whether an enforcement action should be brought not only against the nonbank covered person, but also against the individual executive.” However, the Final Rule itself does not impose any legal obligation on the attesting executive to ensure compliance with any Covered Order.

Finally, with respect to the attestation required to be submitted as part of the annual written statement, the Bureau notes that Final Rule “does not purport to interpret provisions of criminal law . . . or to identify particular circumstances under which an attesting executive would become criminally liable for false statements,” however the Bureau indicates that it “expects attesting executives to submit truthful statements under the Final Rule and believes that the existence of other laws like 18 USC 1001 provides incentives in that regard.” Notably, however, 18 USC 1001 makes it a crime to make any false statements in any matter within the jurisdiction of the executive, legislative, or judicial branch of the U.S. government. Therefore, the Bureau appears to suggest that making a false attestation under the Final Rule may also constitute a crime under 18 USC 1001 or other applicable law.

What Do I Need to Do?

The Final Rule is complicated – some might say unnecessarily so – with lots of opportunities for missteps. Between the Final Rule and the Bureau’s recent apparent strategy to issue consent orders with indefinite terms, companies will need to be extra vigilant to avoid the scarlet letter designation of a repeat offender.  Now is the time to double down on compliance. This also holds true for Covered Nonbanks that are not subject to CFPB supervision as the Final Rule also coincides with the CFPB’s increased use of its so-called “dormant authority,” which empowers the Bureau to designate nonbanks for supervision based on certain risks to consumers. Covered Nonbanks that are designated for CFPB supervision must also comply with the additional reporting and attestation requirements applicable to supervised registered entities.

While the Final Rule does not establish any minimum procedures nor otherwise specify the steps an entity must take to comply with the Final Rule, failure to implement steps in accordance with the CFPB’s expectations will not be viewed positively by the Bureau. As a result, now is the time for nonbanks to work with counsel to understand and implement the Final Rule, as applicable, into their compliance management systems once the filing instructions are released.