Government Relations Newsletter: Vol 10 Iss 4: "CFPB..."

Posted By: Barrie VanBrackle Government Relations,

CFPB Invokes Authority to Examine Nonbank Companies Posing Risks to Consumers

Authored by: Barrie van Brackle, Partner, Latham & Watkins


Through its authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”), in April 2022, the Consumer Financial Protection Bureau (“CFPB”) announced it will begin supervising nonbank financial services providers, which may include users and providers of banking-as-a-service (“BaaS”), on the basis of the potential risks these entities pose to consumers.

The Dodd-FrankAct granted the CFPB authority to regulate the following categories of nonbanks through supervisory examinations: (i) all nonbanks in the mortgage, private student loan, and payday loan industries, independent of the size of the entity; (ii) large nonbanks involved in consumer reporting, debt collection, student loan servicing, international remittances, and auto loan servicing; and (iii) all nonbanks the CFPB reasonably believes pose risks to consumers (not specific to any consumer financial product or service).

Prior to this year, the CFPB used its authority to supervise nonbanks in the first two categories. However, the CFPB announced it is invoking its authority to supervise nonbanks in the third category – nonbanks engaging in activities that it reasonably believes pose risks to consumers – due to the rapid growth of consumer financial services offerings by nonbanks in recent years (particularly those that operate in markets outside the markets identified in the first and second categories above). The risks posed to consumers by nonbanks may include potentially unfair, deceptive, or abusive acts or practices or other activities that may violate federal consumer financial law.

At the same time it announced this decision, the CFPB issued a rule to establish a notice and opportunity to respond procedure for nonbanks subject to supervision based on risks posed to consumers. For the purpose of transparency, the procedural rule states the CFPB will authorize the release of certain information about any final determination made in connection with subjecting a nonbank to supervision based on risks posed to consumers, and the nonbank involved will have an opportunity to request the CFPB to not release certain information. If subject to a CFPB supervisory examination, a nonbank would have to cooperate with the CFPB’s review of its books and records. After such review, CFPB regulators usually provide a list of issues to the examined entity for prompt corrective action.


The CFPB’s decision to invoke the authority to supervise nonbanks posing risks to consumers has significant potential implications for the use of BaaS by banks and their nonbank partners. BaaS enables financial technology companies (e.g., digital payments or lending platforms) and other companies (e.g., digital travel, health, or telecom platforms) to embed bank services into their consumer-facing applications by providing technical interfaces between such companies and banks (typically through a third-party service provider that provides and manages technical interfaces – i.e., application programming interfaces – between such companies and banks).

The use of BaaS has increased significantly in recent years as banks and nonbanks have realized the significant potential benefits of its implementation. For banks, these benefits include increased revenue streams by leveraging the customer base of a nonbank partner to provide its products and services to more customers at a relatively lower cost. BaaS provides a compelling opportunity for banks lacking a digital presence to compete with other providers of financial products and services (i.e., financial technology companies and other banks that have more digitized business models) by allowing these banks to embed their financial services and products directly into nonbanks’ digital platforms. For nonbanks, these benefits include providing financial products and services under their own brand to their customers without needing to expend resources to comply with regulatory requirements to provide such financial products and services. BaaS also enables nonbanks to obtain a far deeper understanding of their customers’ behavior by analyzing the financial services-related data made available through implementing BaaS.

However, the CFPB’s decision to invoke the authority to supervise nonbanks posing risks to consumers may subject nonbanks using BaaS to CFPB supervision. For example, if a nonbank uses BaaS to offer a loan product through its digital platform and includes deceptive language (in the CFPB’s judgment) to describe the loan product, then the CFPB may subject such nonbank to its supervision based on risks posed to consumers. The bank enabling the loan product at issue may also be subject to increased CFPB regulatory scrutiny as a result of its involvement. Further, nonbank service providers that enable the provision of BaaS between banks and nonbanks (i.e., through providing application programming interfaces that link nonbanks’ and banks’ technical infrastructure) could be subject to CFPB supervision on the basis of posing risks to consumers. For instance, if a nonbank service provider has repeated technical issues that disrupt the financial products and services offered to the end consumer, the CFPB may believe this nonbank service provider presents enough risk to consumers to warrant CFPB supervision.

The CFPB’s main goal in invoking this authority is leveling the playing field between banks and nonbanks by subjecting nonbanks providing financial products and services to a similar level of federal supervision as banks. The impact of this authority on nonbanks remains to be seen, as well as the compliance burdens and obligations, and ramifications.