CFPB Finalizes New Rule to Monitor Nonbank ‘Repeat Offenders’

The Consumer Financial Protection Bureau (CFPB) recently finalized its proposed rule to create a so-called “Repeat Offender” registry for certain covered financial services providers and individuals violating federal, state, and local orders to which they are subject.

The rule, which focuses primarily on nonbank covered entities and individuals, will require those subject to an order by a federal, state, or local court or enforcement body to (1) register the order in the CFPB’s newly created public database and (2) provide an attestation from a senior executive that the covered entity is not violating that order. Under the final rule, the registry may be public, searchable, and is expected to “go live” in 2025.

According to CFPB Director Rohit Chopra, “too often, financial firms treat penalties for illegal activity as the cost of doing business.” Chopra stated that the new rule “will help law enforcement across the country detect and stop repeat offenders.”

Although covered orders are ordinarily public, the registry may increase companies’ exposure to follow-on private litigation or enforcement activity, given the ready availability and accessibility of information in a single, central repository. The registry also may have implications for registrants’ access to capital, future strategic partnerships, combinations, and overall reputational risk.

Further, the rule has potential significant ramifications for executives attesting to compliance with those orders, creating tail risk that any such attestation may be questioned years later based on information in the repository.

The CFPB’s promulgation of this final rule follows a flurry of activity by the agency after it successfully defended its funding structure, and as it seeks to complete its agenda in advance of a potential change in the administration’s next year. The final rule also reflects the CFPB’s recent enforcement focus on individual accountability and liability.

THE RULE

On June 3, 2024, the CFPB promulgated its final rule, Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, 12 CFR Part 1092, under its authority pursuant to the Consumer Financial Protection Act (CFPA) and the Dodd-Frank Act. The rule is effective September 16, 2024, and registration is effective October 16, 2024.

According to the CFPB, the rule requires certain nonbank entities to register (1) information about their company and (2) certain orders, including submitting copies of those orders to the CFPB. The final rule solely applies to those nonbank “covered persons” under the CFPA and does not apply to depository institutions, credit unions, and certain motor vehicle dealers.

As to “covered orders,” covered persons must register orders that relate to investigations, matters, or proceedings if the order

• is a final, public order issued by an agency or court;
• identifies a covered nonbank by name as a party subject to the order;
• was issued at least in part in any action or proceeding brought by any federal, state, or local agency;
• contains public provisions that impose obligations on the covered nonbank to take certain actions or to refrain from taking certain actions;
• imposes obligations on the covered nonbank based on an alleged violation of a covered law, which includes federal consumer financial laws, other laws enforced by the CFPB, and certain unfair, deceptive, or abusive acts or practices laws at both federal and state levels identified in the final rule; and
• has an effective date on or after January 1, 2017.

Nonbank covered persons also must register identity information, administrative information such as a nonbank’s affiliate entities, and a written statement attesting to non-violation of the covered order. The written statement, provided on an annual basis by an executive of the covered bank, must include

• a description of the steps the executive has taken to review and oversee the covered nonbank’s activities subject to the order; and
• an attestation as to whether, to the executive’s knowledge, during the proceeding calendar year, the covered nonbank identified any violations or noncompliance with any applicable obligations imposed in the order’s public provisions.

The final rule provides covered nonbank entities certain timeframes in which to comply with the requirements, including submission of their registrations.

The final rule does not differ greatly from the proposed rule but does provide for a limited one-time, alternative registration option for covered orders that are published on the Nationwide Multistate Licensing System (NMLS) Consumer Access website.

TAKEAWAYS

The rule potentially aggregates information that is public—but often difficult to locate, compile, and synthesize—into a single central repository, where it can be used not only by federal, state, and local enforcement and regulatory officials to consider a target’s status as a recidivist but also by class action and individual plaintiffs. As such, this registry may amplify the reputational risk to companies from unfavorable orders, as well as any subsequent violations of those orders. And it may impact companies’ ability, in turn, to access capital and conduct dealmaking activities.

Moreover, the requirement that companies report relevant orders, and their compliance therewith, creates a significant risk of “federalizing” what have traditionally been state and local matters, as well as tail risk for any individuals who falsely attest to the accuracy and completeness of the reports submitted.

Preparation in advance of the September 16 effective date is the best practice to mitigate liability from the registry. Those covered under the rule should do the following:

• Understand its requirements and potential implications. As the rule is retroactive to 2017, covered persons should review prior orders to determine whether they are reportable.
• Create an internal system for determining whether any order is reportable and, if so, ensuring it is filed with the CFPB in a timely manner, and that the reporting is accurate. Companies also may consider implementing a “tickler” system to ensure compliance with reporting requirements.
• Evaluate the implications of any potential resolution of a government investigation or inquiry, based on the reporting requirements set forth in the rule.

While the rule may prove a boon for plaintiffs’ lawyers, it may complicate regulators’ ability to consensually resolve investigations, as covered entities may be wary of any associated reporting requirements under the rule. That could result in more litigation, burdening state and federal courts.