Chris Willis, Jesse Silverman, and Matt Morris explore the complexities of the CFPB's nonbank registry rule.
In this episode of The Consumer Finance Podcast, host Chris Willis is joined by Jesse Silverman and Matt Morris to explore the complexities of the CFPB's nonbank registry rule. This regulation, introduced in 2024, has generated significant confusion due to its intricate requirements. They discuss the rule's purpose, its impact on nonbank financial services, and the detailed steps companies must take to ensure compliance. Tune in to understand the key definitions, registration deadlines, and the broader implications for the industry.
The Consumer Finance Podcast: The CFPB's Nonbank Registry Rule: Challenges and Implications
Host: Chris Willis
Guests: Jesse Silverman and Matt Morris
Date Aired: December 5, 2024
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Practice. And today, we're going to be taking a deep dive into the CFPB's nonbank registry rule and the surprising complexity hidden within that rule. But before we jump into that topic, let me remind you to visit and subscribe to our blogs; TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com. And don't forget about our other podcasts. We have the FCRA Focus, all about credit reporting, The Crypto Exchange, about everything crypto. We have Unauthorized Access, which is our privacy and data security podcast. We have Payments Pros, which is all about the payments industry. And our newest podcast, Moving the Metal, which is our auto finance offering. All of those podcasts are available on all popular podcast platforms.
And speaking of those platforms, if you like this podcast, let us know. Leave us a review on your platform of choice and let us know how we're doing. And if you enjoy reading our blogs and listening to our podcasts, our handy mobile app is the best way to do it. It's available for both iOS and Android. Just go into your app store, type in Troutman Pepper, download it, and give it a try.
Now, as I said, today we're going to be talking about the CFPB's nonbank registry rule, which came about earlier this year in 2024, but which we find to be the subject of a lot of sort of confusion and misunderstanding because the rule is surprisingly complex. So joining me to talk about the rule and its intricacies are two of my colleagues, Jesse Silverman and Matt Morris. So Jesse, Matt, thanks for being on the podcast to talk about this today.
Jesse Silverman:
Thanks, Chris.
Matt Morris:
Thanks, Chris, for having us. First-time caller, long-time listener. I'm excited to be here.
Chris Willis:
I'm really glad you're here, too. And this is an area where we get tons of client questions because it's getting to the point where companies are having to register and put stuff up on the registry. And when you dig into how it actually works, it's not that easy. Let's just talk it from an introductory standpoint, Matt. Tell the audience, in case they're not familiar with it, what is the nonbank registry rule and why was it introduced?
Matt Morris:
Basically, this rule, established under 12 CFR Part 1092 was issued earlier this year in June. As you said, went effective in September, a couple of months ago. And essentially, the purpose of this rule is to create a registry for nonbank entities that are subject to public orders to be required to register on and register information about those orders with.
Jesse Silverman:
The interesting aspect to me, at least, is that CSBS, the Conference of State Banking Supervisors, who operate the NMLS, which is basically everyone who's listening to this knows what the NMLS is. It's the licensing system for a lot of nonbank license types. They were vocally against the introduction of this nonbank registry, obviously rating the tea leaves. They see this as an intrusion on their space, especially with respect to the nonbanks. So that's something that I've been watching and keeping an eye on is that, that tension between this nonbank’s federal registry and the state's NMLS registry.
Chris Willis:
Well, you mentioned the sort of turf of nonbanks and the tension between CSBS, that is the state regulators and the CFPB. Jesse, why don't you go ahead and sort of talk about the scope and the purpose of the regulation? At least as the regulation sets it out and what the CFPB has told us.
Jesse Silverman:
So there's what it's facially designed to do, and then what I think it's really designed to do. Facially, it's designed to create a registry for nonbanks, for banks that are registered and regulated there. When those actions are made public, there are very central locations to find all of that information, whether it's the FDIC, the OCC, the Fed, etc. This is a very well-defined place.
For nonbanks, it's a bit of a hodgepodge in the states if they are licensed by a state that is on the NMLS, and pretty much every state is on the NMLS for some purpose, but not necessarily for every license type. This creates a central place that's at least the facial explanation for the CFPB's drive for the nonbank registry for nonbank consumer finance providers.
Now, I think anyone, if they're being honest, and I don't think this is overtly cynical, but if they're being honest, they're creating a database to keep track of four state AGs who don't have quite as easy access to see which nonbanks has run afoul of the law in various locations, either state or federal. I think that's really pretty plainly the intent behind the nonbank registry.
Chris Willis:
Yeah. And Jesse, I would add to that, one of my perceptions of the CFPB during the administration that we're finishing up now is that this CFPB has been much more interested in assisting private plaintiffs’ lawyers, consumer-side lawyers, in litigation against the industry than I ever saw the bureau be during its previous two iterations. And so, I also interpreted the nonbank registry as a cue or maybe a shopping list for plaintiffs’ lawyers in addition to the state AGs, which I totally agree with that too.
Jesse Silverman:
I think that you can see that this is a topic for another podcast, but you can see it in their recent update on privacy loss, right? That was an invitation to the states to go take some actions with respect to privacy that they have been unable to accomplish themselves on the federal level.
Chris Willis:
Well, that was a carbon copy of what they did with the Fair Credit Reporting Act a couple of years ago. They rolled out the red carpet and said nothing will ever be preempted, essentially.
Jesse Silverman:
Correct. So, I was going to go there. But absolutely, this is very much in keeping with that trend of they realize their own limitations, so they would like to deputize the states a little bit more. This is a tool to do so.
Chris Willis:
And the interesting thing about that, Jesse, is even though we're about to have a change in administration at the federal level, unless the nonbank registry goes away, it will continue to serve that purpose, and the states will be completely unhindered in their use of that information despite the fact of a federal administration change.
Jesse Silverman:
Not only will they be unhindered, I suspect they will be wildly encouraged. We've had this conversation before. I think sometimes there's a mistake in what people think will happen at the change of an administration. And even if we were to assume these sort of rose-colored glasses view that how the Trump administration is going to wildly dial back federal enforcement, which parenthetically I don't believe, and that's not what happened in the last Trump administration. I also think that there will be plenty of state attorney generals who will fill in that void to the extent they believe that it exists. This registry is a very good jumping-off point for all of those blue-state AGs.
Chris Willis:
Okay. So, thank you for that conversation, Jesse. Let's dive back into sort of the nuts and bolts of how the registry rule works. So, Matt, let me come back to you. What are some of the key definitions that we need to understand in order to attain an understanding of how the registry rule works?
Matt Morris:
Yeah. There are a lot of moving parts of this registry and several significant complex analyses that need to happen. So a few key terms that you'll hear thrown around quite a bit are covered nonbanks, which from a 20,000-foot view are just nonbanks that offer consumer financial products or services and are subject to public orders. There's covered orders, which is a final public order issued by an agency or a court and poses some sort of obligations. On a covered nonbank, there's supervised registered entities, which we'll talk about a little bit later, I guess. And they're held to a slightly higher standard and they're entities that should be registered on the nonbank registry and are subject to supervision and examination by the CFPB. Yeah, those are kind of from a 20,000-foot view some of the more important terms that you hear from them a lot.
Chris Willis:
Okay, well, let's step through this and step through the various sort of gates that we need to figure out to determine if a particular company has to register. First, how does a company determine if they're a covered nonbank that is required to register with the registry?
Matt Morris:
It's not easy. I've found that the best way to determine whether or not a company is required to register is to determine whether or not they are a nonbank covered person. And the first step of that is to determine whether they’re a covered person. And that is statutorily defined as any person that engages in offering or providing a consumer financial product or service, or any affiliate of that person, or as long as the affiliate acts as a service provider.
Once they've determined whether or not they're a nonbank-covered person, they need to determine whether or not they are subject to a covered order. And there's also several elements that go into that determination. There needs to be a final public order. It can be issued by consent or otherwise. It's got to identify the company by name as a party. It's got to be issued in part of any action or proceeding brought by a federal state or local agency. It needs to have provisions that impose obligations to the company based on a covered law, and it has to have an effective date on or after January 1, 2017.
Chris Willis:
Okay. So, we know, for example, that a final order or a judgment in a purely private civil action doesn't count for purpose of the registry because it has to have been brought by some government agency. Right, Matt?
Matt Morris:
Right. Correct.
Chris Willis:
Okay. And you mentioned that it has to impose obligations on the nonbank, and that that has to be because of an alleged violation of a covered law. What are the covered laws?
Matt Morris:
Well, there's another analysis that needs to take place here. It's a pretty substantial universe of laws. It could be they're defined as any federal consumer financial law, any other law that the CFPB may exercise enforcement authority. UDAAP laws and state laws prohibiting unfair, deceptive, or abuse of actual practices that are identified in an appendix to Part 1092, as well as any law amending or succeeding those state laws. And just to kind of give you an idea of how many laws fill that world, exhibit A is a list of state-covered laws that's about 16 pages long.
Chris Willis:
But interestingly, Matt, what's not included is a violation of a specific state consumer credit law. Let's say a state has the Uniform Commercial Consumer Credit Code and somebody gets a consent order for violating that, or some other state sort of credit-specific law that's not a UDAAP law. That's not a covered law, is it?
Matt Morris:
No. No, it's not. It's noticeably absent.
Chris Willis:
Yeah, I thought that was interesting too.
Jesse Silverman:
The other thing I just want to point out for the listeners is it's not just CFPB UDAAP, it's also FTC UDAP. Single A UDAP. So it is a broad mélange of potential violations.
Chris Willis:
Right. And it covers the state UDAP laws, which could be one or two As, because states are variable in that regard.
Jesse Silverman:
Correct. And I think notwithstanding the complication that Matt was describing, it gets even more complicated when you start to calculate affiliates and, heaven forbid, acquisitions, whether or not the timing will trigger it, whether or not the affiliates should be counted for or against the larger entity structure. I mean, I'm going to go out and say this might be the most complicated rule when you look at it in terms of the value it brings to the marketplace. The amount of time that it takes to go through and do that analysis is exceptionally complicated to have the resulting value be a partially constructed registry.
Chris Willis:
Yeah. Well, that was certainly the criticism of the rule.
Matt Morris:
The stated purposes of this rule are to assist the CFPB in supervision, whether or not they're being disingenuous with that, it does seem rather problematic that, I mean, a typical consumer finance company is going to have an incredibly hard time determining whether or not this rule requires them to register. And I think you're going to find a lot of companies that probably shouldn't be registering on this entity registering also. And then you kind of run into an issue where a regulatory organization, which is already arguably stretched pretty thin from a regulations standpoint now has to chase down, or look at, or weed through a bunch of orders that they don't need to be worrying about.
Chris Willis:
Right. We know it's a complex process, but let's dive into it a little bit, Matt. Tell me how does the registration process work for a covered nonbank entity?
Matt Morris:
Basically, a covered nonbank entity that's identified by name in a covered order has to register on the registry. They'll need to submit identifying information, such as the company's legal name, the address of the principal place of business, and also upload a fully executed copy of the covered order and details about the order, like the issuing agency, the effective date of the order, and any violations of law that took place regarding that order.
And it's an ongoing reporting requirement. So anytime that information changes, it's got to be updated within 90 days. And that includes when this covered order expires. Within 90 days of the expiration of this covered order, the companies will have to file and request that they be removed from the registry.
Chris Willis:
Okay. What does it mean for a covered order to expire? How do we figure that out?
Matt Morris:
The regulation places an expiration date on covered orders of either the later of 10 years after its effective date, or if the order expressly provides a termination date that's greater than 10 years than the termination date. To kind of put this in perspective a little bit, if a company received a covered order in October of 2019, five years before this rule came into effect and there was a termination date five years later in October of 2024, that company would need to register. And not only that, that registration and that order would be on the registry until October 2029 even though that order terminated five years earlier.
Chris Willis:
Okay. That is quite a wrinkle, Matt. Once companies submit stuff to the registry, how is the CFPB going to handle the publication and correction of what gets submitted into this portal?
Matt Morris:
They can publish registration information on their website, but they do have to exclude any confidential supervisory information and administrative details. And if any information is found to be inaccurate, then the nonbank has to file a corrected report within 30 days. And the CFPB can also direct covered nonbanks to correct errors or other non-compliant submissions at any time.
Chris Willis:
Matt, I also remember there being provisions in this rule that, for certain registrants, there also has to be like an attestation from some officer of the company about how they're complying with the covered order. Who does that apply to?
Matt Morris:
Now we're talking about supervised registered entities. They are entities that are subject to supervision by the bureau due to designation by Dodd-Frank, or if they are within the scope of a larger participant group, or if they've been designated individually as a person who poses a threat to consumers. And this is kind of another rather complex analysis that needs to occur here in figuring out if you're a supervised registered entity, because, man, if you are, by March 31st each year, you have to submit a written statement to the CFPB signed by an attesting executive. And you have to describe the steps taken to ensure compliance and any violations of your covered order. And you also have to maintain records supporting compliance for five years following each submission. And this can be problematic. Because I think figuring out if you fall into one of those categories as a supervised registered entity is not necessarily the simplest task. You might find some smaller consumer finance companies who don't have in-house counsel who aren't necessarily sure if they're a supervised registered entity.
Jesse Silverman:
Let's be clear. There are various CEOs of corporations who want to go take personal attestations rather than in their corporate role. There are lots of reasons for people to not be fond of that particular requirement.
Chris Willis:
Well, sure. And I interpreted that requirement in the rule when it was first proposed as trying to sort of turn up the heat on corporate executives and make them easier targets for later enforcement by whoever the enforcement might be brought by.
Jesse Silverman:
I know, which I always find fascinating because there seems to be an appetite to name individuals at nonbanks. But somehow, individuals at banks always seem to avoid being named in CFPB orders. I think that, if I remember correctly, there's only been one ever, and that was really tangential. That was more banking mortgage executive rather than a sort of real pure bank exec.
Chris Willis:
Right. All right. Matt, there's one more complexity I want to talk to you about, and that is when is the deadline for people who are supposed to register to actually register? Because it's not just one date and it's not that simple. Can you explain that to the audience?
Matt Morris:
Yeah, there are multiple windows for registration. Larger participants in the consumer financial market, their registration submission period started on October 16. And the deadline for them to register is January 14, 2025. For covered nonbanks under 12 USC 5514(a)(1), that registration submission period begins on January 14, 2025. And the deadline is April 14th. And for all other covered nonbanks, their registration period begins on April 14, 2025. And the deadline to register is July 14, 2025.
We've kind of come into an issue also where people are asking us, "Okay, we're pretty sure that we have to register with the nonbank registry, but when do we have to register by?" And that, again, becomes another analysis of which of these three categories does the company fit into.
Chris Willis:
Yeah. And I'm a history buff, so I have to sort of admire the complexity of this rule. I feel like I've been transported back in time to the Byzantine Empire or something. That's really the overwhelming impression that it gives me. But now I'm going to ask both of you, starting with you, Jesse, what impact do you think this regulation will have on the nonbank financial services sector?
Jesse Silverman:
Honestly, I think it's somewhat limited, right? You have to assume that those state AGs that were inclined to find problems lacked the capacity to do so already. I'm not sure that I buy that. Honestly, like I said earlier, the juice is not worth the squeeze here. But again, if you're not paying for the juice, then it's easy. This has got to be one of the more complicated rules to comply with for the least amount of value.
Chris Willis:
Matt, I'm going to give you the last word on this. What do you think the impact will be on the registry or of the registry?
Matt Morris:
Yeah. I mean, I got to agree with everything Jesse said. And I think just the application of this law is just incredibly fact-intensive, and it's convoluted, and you got to figure out if you're a covered person, if you're a covered nonbank, if the order that you have is a covered order. What type of nonbank covered entity you are? What your deadline is? There's just a ton of hoops that need to be jumped through here for companies to register on this registry and determine if they need to. And I think at the end of the day, that could cause more problems than it solves. I'm not so sure that due to the convoluted nature of this law that it's going to really solve the issues that it purports to want to solve.
Jesse Silverman:
I'm going to jump in and take the actual last word here. Because the last word is call your lawyer and figure out where you fit into this. Because it is complicated.
Chris Willis:
Yeah, it certainly seems like it. Well, gentlemen, thank you both very much for being on the podcast today and walking us through some of this. I mean, for the moment, at least, we're stuck with this regulation. So everybody's got to deal with compliance for it. And I think your insights have been very valuable to those in the audience who may be affected by it.
And of course, thanks to our audience for listening to today's episode as well. Don't forget to visit and subscribe to our blogs, troutmanpeperfinancialservices.com and ConsumerFinancialServicesLawMonitor.com. And while you're at it, why not visit us on the web at troutman.com and add yourself to our Consumer Financial Services email list. That way we can add you to the distribution for the alerts and advisories that we send out as well as the invitations that we do for our occasional industry-only webinars.
And as I said at the top of the show, try to check out our handy mobile app sometime. Just type in Troutman Pepper in your app store and give it a test drive. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.