On April 25, 2022, the Consumer Financial Protection Bureau (CFPB) announced that it plans to use its supervisory authority to examine any nonbank financial company that poses a risk to consumers, and it plans to make the results public. 

The CFPB will determine if a company poses a risk to consumers by looking at CFPB complaints, judicial opinions, administrative decisions, whistleblower complaints, state partners, federal partners, or news reports. Though not defined, "risky conduct" may include unfair, deceptive, or abusive acts or practices or other acts or practices that potentially violate federal consumer financial law.

CFPB Director Rohit Chopra had this to say: “Given the rapid growth of consumer offerings by nonbanks, the CFPB is now utilizing a dormant authority to hold nonbanks to the same standards that banks are held to. This authority gives us critical agility to move as quickly as the market, allowing us to conduct examinations of financial companies posing risks to consumers and stop harm before it spreads.”

Publishing Supervisory Determinations

The existing rule governing examinations of nonbanks provides that documents, records, and other items which are given to the CFPB in connection with a supervisory proceeding are confidential. Typically CFPB examiners provide a report of problems to an entity so that entity can fix any issues. The procedural change announced on April 25, 2022, will allow the CFPB to publicly release results.  


In the CFPB’s view, the public interest in transparency outweighs the need for confidentiality in the supervisory process.  Further, the CFPB states that publicly released supervisory decisions and orders will be precedent for future proceedings.

Pursuant to the new procedure, once the CFPB issues a supervisory decision or order, the supervised entity will have 7 days to file a submission regarding why the decision or order should not be published to the CFPB’s website. The decision regarding publication will then be made by the CFPB Director or the Directors’ designee. The Director may also choose to release any challenges to publication. Notably, the Bureau explicitly declined to codify a standard regarding the criteria that must be met either for, or against, publication, but welcomed comments on that topic. 

Though comments will be accepted, in the CFPB’s opinion this change is procedural therefore no notice-and-comment period is required. Comments are due 30 days from the date the procedural change is published to the Federal Register. 

insideARM Perspective:

This announcement raises several points of concern:

  • Fintechs, telcom, healthcare providers, BNPL (Buy Now Pay Later), and others should be on high alert: the CFPB is coming. Though this announcement specifically references fintechs, the announcement covers any entity that interfaces with consumers and impacts consumers’ financial status. If any company dealing with consumers in a financial capacity thinks they are immune from CFPB scrutiny, they should think again.
  • The CFPB will be using multiple sources to determine which entities it can reasonably determine  “pose a risk” to consumers, including publicly available resources like bad press; it should be assumed this also includes online reviews. Further, the release did not mention the merit of complaints, just the volume. If your company or its clients are not thinking of collections and financial services as a customer service endeavor, you may want to revisit your strategy.  For example, see this article on reducing friction. 
  • Along those same lines, neither financial impacts, reasonableness, nor risk is defined in this announcement. There is no indication regarding how great or minor the financial impact to consumers must be to trigger scrutiny. There are no guardrails for reasonableness, and there is no list of the types of risks the CFPB will be looking at. Therefore, the CFPB has essentially unfettered discretion to subject nonbank entities to supervisory examinations. All companies which impact consumers and their finances should take note. 
  • In light of the above, any entity which is or may be subject to the CFPB supervisory examinations, should ensure that their compliance department is more than just window dressing. Although compliance personnel are not revenue generators, the CFPB’s most recent publication makes it clear the stakes are high. If a supervisory examiner finds an issue, it will no longer be a private matter to be corrected. Instead, the proverbial dirty laundry will be aired publicly for consumers, investors, and other business partners to see. The CFPB won’t be easily swayed regarding whether it has the authority to take these actions. The best defense here is a strong compliance group and compliance management system to prevent findings before they occur.


Looking for guidance on how the CFPB's new oversight can affect your CMS?  Subscribe to Research Assistant - insideARM's source for premium, practical compliance guidance and in-depth, weekly peer group discussion.

When the CFPB announces new expectations, it's a good time to think about the gaps in your CMS, too. Find out how to start your own assessment with the on-demand  Research Assistant webinar, A Complete Guide to Risk and Gap Assessments - How to Get Started. Get it here.

On May 12 at 2pm ET, learn how Risk and Gap Assessments can help you find large gaps and manage all the relevant laws in the new Research Assistant webinar, A Complete Guide to Risk and Gap Assessments Part II. Register here.  

Next Article: 3 Under-the-Radar Strategies to Reduce Friction in ...