As a fintech company, platform offering payment services, or a cryptocurrency business, you may be used to operating in uncharted waters; the Consumer Financial Protection Bureau (CFPB), however, is ready to start drawing some maps. It has announced that it will begin to exercise its supervisory authority over non-bank consumer financial entities that the CFPB has reason to believe pose risks to consumers. It also announced a new procedural rule to govern when CFPB decisions related to these supervisory actions will be made available to the public.

The CFPB’s Supervisory Authority over Non-Bank Consumer Financial Entities

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the CFPB has supervisory authority over non-bank consumer financial entities that: 1) are in the mortgage, private student loan, or payday loan industries; 2) are “larger participants”1 in other nonbank markets for consumer financial products and services; or 3) engage in activities the CFPB has reason to believe pose risks to consumers. Last week’s press release relates to the third category of non-bank consumer financial entities: those whose activities may present risks to consumers. This category is potentially more far-reaching than the CFPB’s other angles of supervisory authority.

While the CFPB implemented a procedural rule governing this consumer risk-focused authority in 2013, the agency has only now indicated that it plans to utilize this authority. The agency announced that it is doing so in order to better help consumers and to level the playing field between banks and non-bank entities. Further, the CFPB notes that this authority will allow the “CFPB to be agile and supervise entities that may be fast-growing or are in markets outside the existing nonbank supervision program.” Given this context, it seems likely that the CFPB is interested in using this authority to pursue less traditional forms of consumer financial entities, such as fintech platforms and services and cryptocurrency businesses.

New Transparency Procedures

At the same time, the CFPB also announced a new procedural rule related to its assessment of whether a financial entity’s activities pose risks to consumers. Until now, all documentation associated with this assessment was required to be kept confidential between the company at issue and the CFPB. The new rule would change this standard, allowing certain information (excluding trade secret or other private information) to be posted publicly. Although the rule is effective as of the publication date in the Federal Register (April 29), the CFPB will accept public comment for 30 days after the rule is published.

What This Means for Fintech

The CFPB has broad discretion in determining what conduct constitutes a risk to consumers: the press release notes only that “risky” conduct may include potentially unfair, deceptive, or abusive acts or practices, as well as other acts or practices that potentially violate federal consumer financial laws. These laws include the Fair Credit Reporting Act, the Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act, and others.

If the CFPB determines that it has supervisory authority over a particular company, then the CFPB may require reports from and conduct examinations of the company to assess whether the company is in compliance with federal consumer financial laws, as well as to obtain information about the company’s compliance program and to detect and assess risks to consumers and the market stemming from the company’s actions. If the CFPB believes that the company has violated the law, it may refer the matter to the CFPB’s enforcement division, which can file an action against the company either in district court or through an administrative proceeding. The enforcement division can obtain various types of relief through these actions, including consumer redress, disgorgement, civil penalties, and injunctive relief.

So, what should fintech companies do in light of the CFPB’s announcement?

  • Consider whether any of your practices might raise eyebrows at the CFPB or otherwise be viewed as posing risks to consumers. Follow the CFPB’s statements for clues about its priorities in this regard. For example, Director Rohit Chopra issued a statement in the fall regarding the CFPB’s inquiry into big tech payment platforms, noting that “payment businesses are network businesses and can gain tremendous scale and market power, potentially posing new risks and undermining fair competition.” The CFPB’s December press release about Buy Now, Pay Later companies discusses the agency’s interest in reporting to the public about industry practices and risks. And in March, Director Chopra issued a statement commenting on President Biden’s Executive Order on digital assets and cryptocurrency, committing to “reducing the risks that digital assets could pose to our safety and security.” Companies in these industries are likely to be of interest to the CFPB.
  • Monitor the CFPB website. Now that the CFPB can publicly post its decisions about whether a company’s practices pose risks to consumers such that supervision is warranted, the CFPB may use past decisions as precedent to supervise additional entities with similar business models.

As noted above, public comments are due 30 days after the CFPB’s rule is published in the Federal Register. For more information or to submit a public comment, please contact Maneesha MithalLibby WeingartenLaura Ahmed, or another member of the firm’s privacy and cybersecurity practice.


[1]The CFPB defines what constitutes a “larger participant” on a market-by-market basis through the issuance of rules. For example, it has defined larger participants in the consumer reporting, debt collection, student loan servicing, international money transfer, and automobile finance markets.