Continuing its trend of aggressive oversight over financial institutions, the CFPB has recently announced proposals to create two publicly accessible databases that, it says, will highlight alleged bad actors, identify systemic unfair and deceptive acts and practices (UDAAP), and increase market transparency and regulatory oversight. This article provides an overview of each proposed registry along with some considerations for nonbanks, FinTech companies, and financial institutions subject to the CFPB’s authority.

Self-Reporting of Court Orders or Judgment for UDAAP Violations

On December 12, 2022, the CFPB announced a proposed rule aimed at nonbank entities subject to federal, state, and local consumer financial protection orders. The proposed rule would require covered entities to report to the Bureau any court orders or judgments brought under federal consumer financial protection laws or state laws regarding UDAAP violations. These reported judgments would then be published in a registry available to the general public. According to the CFPB, this public self-reporting of UDAAP decisions is designed to “detect[,] . . . track and mitigate the risks posed by repeat offenders” and “monitor all lawbreakers subject to agency and court orders.”

Under the proposed rule, certain “nonbank covered persons” (excluding, for example, insured depository institutions, insured credit unions, and others) must register and submit specific information about final, public orders issued by federal, state, or local agencies or courts within 90 days of the effective date of any such order, and update the CFPB’s registry within 90 days of any amendment, modification, termination, extension, or any other change to the original information.

The proposed rule would also impose an attestation requirement for certain larger nonbanks subject to the Bureau’s supervisory authority. Any such entity would be required annually to: (1) designate an executive responsible for and knowledgeable of the entity’s efforts to comply with any order published in the registry, and (2) submit a written statement signed by the executive regarding the entity’s compliance with each order. While the attestation would not have to be signed under penalty of perjury, a false attestation could subject the executive to individual liability as the CFPB noted that “knowingly and willfully filing a false attestation or report with the Bureau” could result in criminal penalties.”

The CFPB indicated that it may consider the information filed in the publicly available registry when making supervisory and civil monetary penalty decisions, as well as to order an entity outside of its supervisory authority to submit to an examination, noting that it considers nonbank covered persons’ compliance records “when prioritizing supervisory resources” and must, per its congressional mandate, consider a covered persons’ history of violations when assessing penalties. Such statements make clear the CFPB’s intention to utilize prior state law violations as grounds for more severe penalties in any enforcement action brought by the Bureau.

Public Reporting of Standard Contract Terms and Clauses

Last month, the CFPB proposed another new public registry designed to highlight nonbanks’ standard terms and conditions in form contracts. Under this proposed rule, nonbanks subject to the CFPB’s supervisory jurisdiction would need to submit information on terms and conditions in form contracts they use that seek to waive or limit individuals’ rights and other legal protections. That information would be posted in a registry that will be open to the public and accessible by other state and federal regulatory agencies.

According to the CFPB, the use of form agreements that contain limits or waivers on a consumer’s rights can mislead consumers. And while not explicitly saying as much, it is likely that the CFPB would evaluate these contractual limitations for UDAAP violations that could trigger supervisory or enforcement oversight. Some of the terms and conditions the CFPB would require nonbanks to publicly disclose include the following: (1) waivers on the types of claims consumers can bring in a lawsuit; (2) limitations on a company’s liability to a consumer; (3) limitations on the time, forum, or venue for a consumer to file a lawsuit; and (4) arbitration agreements (possibly designed to resurrect the Bureau’s previously failed attempt to prohibit arbitration agreements in consumer contracts).

The CFPB envisions this public database will accomplish two things. First, it will allow the Bureau to identify, collect, and publish information on form contracts and facilitate public awareness. Second, the CFPB believes the creation of this public database will increase market transparency and improve oversight. In other words, the CFPB envisions utilizing the public database to identify “bad actors” for prioritized supervisory or enforcement oversight.

What Does it All Mean?

The CFPB clearly believes that the status quo is not working and that “sunlight is the best disinfectant.” With the potential enactment of two new, publicly available databases, impacted financial institutions should consider the following:

1. More Publicity and the Potential to be Declared a Repeat Offender. With additional publicity and consideration of orders and adverse judgments, covered persons also risk publicly disclosed orders or form terms triggering supervisory or investigatory actions by federal or other state agencies into the company’s business practices and policies and procedures. Private litigants may follow suit. Financial institutions may also need to consider whether risk-mitigating language can be added to consent judgments that would be subject to the Bureau’s registry if only to preclude any future arguments in lawsuits regarding purported “admissions” of fault or liability. Likewise, businesses subject to the Bureau’s proposed rule may have to reconsider entering into a consent order altogether to avoid litigation, especially if that results in more publicity and more risk as outlined above.

   Likewise, the CFPB’s consideration of historical state court violations in assessing and determining civil monetary penalties increases the risks associated with entering into any public enforcement orders as this could trigger a “repeat offender” penalty by the CFPB.

2. Review and Revise. Form agreements may need to be reviewed and revised. This includes considering whether to provide individuals with certain “opt-outs” of provisions the CFPB considers as potentially unfair or deceptive.