Last month, the United States government's Consumer Financial Protection Bureau (CFPB) invoked a "dormant authority to examine nonbank companies posing risks to consumers." Here's why this is a fee-fi-fo-fum moment for the fintech world.
Some Quick Background
The CFPB was brought into being by the Dodd-Frank Act of 2010 as a response to the 2008 financial crisis, much of which was driven by years of deregulation and subsequent malpractice by financial institutions.
Generally, the agency was tasked by Congress to "stop companies [within the financial sector] from engaging in conduct that pose risk to consumers," through either traditional law enforcement or by supervisory action (which comes in the form of examination and monitoring). The CFPB's supervisory scope, since its inception, was limited to large financial institutions (with over $10b in assets), as well as "nonbank entities" within the mortgage, loans, debt collection and consumer reporting industries. However, another provision was added to the Dodd-Frank Act in 2013 that extended the CFPB’s sphere of supervisory authority to ANY nonbank financial entity that they think poses a risk to consumers. Total carte blanche, in other words. This provision lay dormant for nearly 9 years, until last month.
What's "risky" and how is risky even determined?
The 2013 provision broadly defines risk as essentially anything the CFPB determines, with reasonable cause, to be risky. By design, this gives the agency the flexibility to extend their coverage anywhere they see fit, and the agility to move "as quickly as the market."
According to the CFPB’s press release, "risky conduct may involve, for example, potentially unfair, deceptive, or abusive acts or practices, or other acts or practices that potentially violate federal consumer financial law." The CFPB also has a ton of elasticity in terms of HOW they can determine what's risky.
The provision allows the Bureau to base "reasonable-cause determinations on complaints collected ...or on information collected from other sources." Slightly more detail was provided in last month's press release: "The CFPB may base such reasonable cause determinations on complaints collected by the CFPB, or on information from other sources, such as judicial opinions and administrative decisions. The CFPB may also learn of such risks through whistle-blower complaints, state partners, federal partners, or news reports."
In short, the CFPB has the discretion to use their supervisory authority on any fintech they deem risky based on any evidence they deem credible.
That's Not All
The CFPB also announced the addition of a new procedural rule that gives them the ability to publicly disclose the subjects – in terms of both who is being supervised and for what – of their supervisory actions. In the CFPB’s words, "there is a public interest in transparency when it comes to these potentially significant rulings."
Once again, the definition of when this newfound ability can be used has been kept ambiguous.
Potential Implications
Taken altogether, the CFPB can now pretty much exercise their supervisory authority on whoever they want and tell the world about it.
At this point, it's still not known how frequently the CFPB will invoke their expanded authority, but the mere fact it exists and has been publicly and forcefully acknowledged could act as a powerful deterrent: nobody wants to go through a resource-consuming examination and monitoring process, and nobody wants to be named and shamed.
However, there are clear signals that the Bureau is gearing up for an escalation in activities.
One day after the Bureau released their dormant provision announcement, CFPB Director Rohit Chopra testified before the U.S. Senate Banking Committee and offered some choice words aimed at "big tech and big data in banking:"
"The outsized influence of...dominant tech conglomerates over the financial services ecosystem comes with risks and raises a host of questions about privacy, fraud, discrimination, and more. The CFPB is currently studying these issues first as part of our inquiry into Big Tech’s entry into consumer payments in the United States. The agency has issued a set of orders to Google, Facebook, Amazon, Apple, PayPal and Block (formerly Square) to further understand key issues on their plans for consumer payments. We expect to issue reports on our research to contribute to the critical policy discussions about the future of consumer finance and relationship banking in our country."
And just a few weeks ago, it was revealed that "Eric Halperin, the CFPB’s enforcement chief, told staff at an all-hands meeting last week that the enforcement team received the go-ahead to add 20 more full-time employees, most of them attorneys."
All of this comes after a flurry of CFPB speeches, announcements, orders, and injunctions in recent months seemingly aimed at (but not limited to) the new fintechs on the block, e.g., neobanks, BNPLs (buy-now-pay-laters), digital wallets, banking-as-a-services, alternative credit providers, peer-to-peer payment networks, crypto in all its various forms, and more. Zooming further outward, we see this is as part of a larger trend of tighter regulatory scrutiny for fintech, in which governments appear to be building out capabilities – whether by technological infrastructure, legal framework, and more – to catch up to, then keep up with the speed of the ever-evolving market.
Our advice, beyond the requisite calls to not be evil and for customer-centricity: be proactive and don't wait for a ruling to come into effect. Establish relationships with regulators early and often and collaborate with them on how to shape your compliance program to what's coming. Of course, this often comes with a price tag - but always remind detractors that great compliance is a strategic advantage, a value proposition, and sometimes, the difference between survival and collapse.
Plus, remediation is almost always far more expensive.
