April 29, 2022 | 20min read
By Lexi Hall, Director of Policy, MX
The Consumer Financial Protection Bureau (CFPB) is taking measures to increase federal oversight of the fintech industry, with the announcement of a new use for old authority to supervise non-bank companies that it believes pose risks to consumers.
Although the CFPB has broad enforcement powers over the consumer finance industry, it has limited powers to supervise (i.e., proactively inspect and examine) companies for compliance. By invoking its “dormant” authority over risk-based entities, the Bureau can bring a new swath of fintechs under supervision.
It is likely the CFPB will prioritize determinations over individual neobanks, ‘Buy Now, Pay Later’ companies, ‘super-apps,’ and big tech.
A 2013 rule to implement this authority under Section 1024 of the Dodd-Frank Act (“1024 authority”) outlines a risk-based process for the Bureau to (1) identify potentially covered entities; (2) provide opportunity for their notice and response; and (3) make a final determination of status.
While risk determinations by the CFPB will be entity-specific, the Bureau’s decision to disclose outcomes can potentially be viewed as a way to publish industry-wide guidance. The CFPB will publicly disclose such outcomes (i.e., whether it determines that a company is a covered entity subject to direct supervision). This information would otherwise be confidential.
Financial services regulation is in a period in which definitions, boundaries, and frameworks face uncertainty. The last decade has seen fintech firms that support or offer aspects of bank services (i.e., lending, payments, deposits) reach incredible scale, often promising faster, cheaper, and more personalized solutions. This has challenged the top-down regulatory approach in which prudential regulators directly supervise banks, which are then responsible for the compliance of their affiliates and technology service providers (TSPs). It has also created fragmented, uneven oversight that has led to debate over how best to regulate nonbank financial services providers. Here at MX, we refer to this as ‘square peg, round hole’ regulation.
Impact on banks, thrifts, and credit unions
By invoking 1024 authority, the CFPB is looking to “level the [regulatory] playing field” between banks and certain fintech companies not currently subject to federal oversight. This may prove especially beneficial to smaller depositories like regional or community banks that compete with limited resources.
Importantly, the CFPB views “uncontrolled flows of consumer data” as risky and may recommend, through examination, that covered entities establish secure data sharing methods (i.e., APIs) with third parties, including depositories. What does this mean? That Open Finance is more urgent than ever. And as the industry awaits codification of a consumer data right through Section 1033 rulemaking, banks and nonbanks have an imperative, both competitive and regulatory, to lay groundwork now.
Implications for fintech and other non-bank companies
Given its scope, the CFPB’s 1024 authority will have an outsized impact on nonbank entities, and may prove to be a double-edged sword. On one hand, many fintechs advocate for a uniform federal oversight regime to simplify the patchwork of state regulation and operate under greater market clarity. On the other hand, it’s unclear how the CFPB will practically apply 1024 and if/how its direct supervision may preempt other statutory requirements.
What is clear? That 1024 authority is broadly applied when it comes to defining “reasonable cause,” which includes information from consumer/whistleblower complaints, referrals from federal/state partners, news reports, judicial filings, administrative actions and other sources.
The CFPB may also find “reasonable cause” to invoke its authority:
Finally, once a company is brought under CFPB supervision, the Bureau may examine the entire entity for compliance with all Federal consumer financial law (not just the initial activities that triggered oversight).