The Consumer Financial Protection Bureau (CFPB) recently finalized its proposed rule to create a so-called “Repeat Offender” registry for certain covered financial services providers and individuals violating federal, state, and local orders to which they are subject.
The rule, which focuses primarily on nonbank covered entities and individuals, will require those subject to an order by a federal, state, or local court or enforcement body to (1) register the order in the CFPB’s newly created public database and (2) provide an attestation from a senior executive that the covered entity is not violating that order. Under the final rule, the registry may be public, searchable, and is expected to “go live” in 2025.
According to CFPB Director Rohit Chopra, “too often, financial firms treat penalties for illegal activity as the cost of doing business.” Chopra stated that the new rule “will help law enforcement across the country detect and stop repeat offenders.”
Although covered orders are ordinarily public, the registry may increase companies’ exposure to follow-on private litigation or enforcement activity, given the ready availability and accessibility of information in a single, central repository. The registry also may have implications for registrants’ access to capital, future strategic partnerships, combinations, and overall reputational risk.
Further, the rule has potential significant ramifications for executives attesting to compliance with those orders, creating tail risk that any such attestation may be questioned years later based on information in the repository.
The CFPB’s promulgation of this final rule follows a flurry of activity by the agency after it successfully defended its funding structure, and as it seeks to complete its agenda in advance of a potential change in the administration’s next year. The final rule also reflects the CFPB’s recent enforcement focus on individual accountability and liability.
On June 3, 2024, the CFPB promulgated its final rule, Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, 12 CFR Part 1092, under its authority pursuant to the Consumer Financial Protection Act (CFPA) and the Dodd-Frank Act. The rule is effective September 16, 2024, and registration is effective October 16, 2024.
According to the CFPB, the rule requires certain nonbank entities to register (1) information about their company and (2) certain orders, including submitting copies of those orders to the CFPB. The final rule solely applies to those nonbank “covered persons” under the CFPA and does not apply to depository institutions, credit unions, and certain motor vehicle dealers.
As to “covered orders,” covered persons must register orders that relate to investigations, matters, or proceedings if the order
Nonbank covered persons also must register identity information, administrative information such as a nonbank’s affiliate entities, and a written statement attesting to non-violation of the covered order. The written statement, provided on an annual basis by an executive of the covered bank, must include
The final rule provides covered nonbank entities certain timeframes in which to comply with the requirements, including submission of their registrations.
The final rule does not differ greatly from the proposed rule but does provide for a limited one-time, alternative registration option for covered orders that are published on the Nationwide Multistate Licensing System (NMLS) Consumer Access website.
The rule potentially aggregates information that is public—but often difficult to locate, compile, and synthesize—into a single central repository, where it can be used not only by federal, state, and local enforcement and regulatory officials to consider a target’s status as a recidivist but also by class action and individual plaintiffs. As such, this registry may amplify the reputational risk to companies from unfavorable orders, as well as any subsequent violations of those orders. And it may impact companies’ ability, in turn, to access capital and conduct dealmaking activities.
Moreover, the requirement that companies report relevant orders, and their compliance therewith, creates a significant risk of “federalizing” what have traditionally been state and local matters, as well as tail risk for any individuals who falsely attest to the accuracy and completeness of the reports submitted.
Preparation in advance of the September 16 effective date is the best practice to mitigate liability from the registry. Those covered under the rule should do the following:
While the rule may prove a boon for plaintiffs’ lawyers, it may complicate regulators’ ability to consensually resolve investigations, as covered entities may be wary of any associated reporting requirements under the rule. That could result in more litigation, burdening state and federal courts.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: