CFPB will build on dormant authority to expand reach to non-banks and fintechs


  • The Consumer Financial Protection Bureau (CFPB) has announced its intention to exercise “dormant” authority granted to it under Dodd-Frank to expand the scope of entities it oversees.
  • The CFPB will claim the power to regulate and supervise any financial player carrying out any type of activity likely to pose a risk to the consumer, including non-banks, and in particular fintechs; little is known about how the CFPB will conduct this assessment.
  • The lack of a unified federal approach to fintech regulatory oversight has created a turf war in Washington. This latest initiative by the CFPB marks its foray into the field, but compared to other regulatory agencies vying for authority over these entities, the CFPB is particularly ill-equipped to regulate fintechs: it lacks the knowledge, the manpower work and resources; more importantly, it has shown extreme antipathy towards the entities it regulates.


In the aftermath of the financial crisis, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among a litany of other things, created the Consumer Financial Protection Bureau (CFPB). Responsible for regulating the consumer credit industry, the CFPB works to increase and improve transparency, accountability and consumer protection. While the vast majority of these powers and responsibilities were already shared by existing financial services regulatory agencies, the CFPB represented an effort to concentrate consumer protection in a single agency under a director with a broad mandate.

This file is only expanding. On Monday, the CFPB took further steps to annex swathes of the economy under its authority. Since 2011, the CFPB has exercised supervisory power on banks, thrifts, credit unions with assets over $10 billion, non-bank mortgage originators and servicers, payday lenders and private student lenders of all sizes. You’d think that’s more than enough to keep the CFPB busy, but on April 26, 2022, the CFPB pursued an increasingly muscular disposition under Director Rohit Chopra by announcing that it would invoke a “dormant” power granted to it under Dodd-Frank to examine entirely new categories of non-banking companies, with particular attention on fintechs. To this widening of scope, the CFPB has also added a rule of procedure seeking comments on the transparency of its risk assessment process.


For Dodd Frank

Section 1024 of the Dodd-Frank Act created five classes of covered persons over which the CFPB would have jurisdiction.

“This Section applies to any Covered Person who:

(A) offers or provides origination, brokerage, or servicing of real estate-secured loans for use by consumers primarily for personal, family, or household purposes, or loan modification or relief services in the event of seizure in connection with these loans;

(B) is a significant player in a market for other consumer financial products or services, as defined by the rule pursuant to paragraph (2);

(C) the Bureau has reasonable cause to determine, by order, after notice to the Covered Person and a reasonable opportunity for that Covered Person to respond, based on complaints collected through the System under Section 1013(b) )(3) or information from other sources, that such Covered Person is engaging or has engaged in conduct that poses risks to consumers with respect to the offering or provision of financial products or services to consumers;

(D) offers or provides a consumer with a private education loan, as defined in Section 140 of the Truth in Lending Act (15 USC 1650), notwithstanding Section 1027(a)(2)(A) ) and subject to Section 1027(a)(2)(C); or

(E) offers or provides a consumer with a payday loan.

It is on section (C) that the CFPB relies in its proposal to extend the scope to non-banks and in particular to fintechs. Quietly implemented by rule of procedure in 2013, the CFPB has so far never used this authority, calling it “dormant” in the agency’s press release and accompanying documents.

At first glance (and several subsequent glances), this power would appear to be of extraordinarily broad application. The CFPB itself notes that the authority “is not specific to any particular consumer financial product or service.” Any entity that even presents a risk (a determination significantly broader than entails a risk) becomes fair game for the CFPB. It is not even clear how the CFPB will make these risk determinations for the purposes of covered persons, although more information should be obtained after the transparency request for comment. Further, the Dodd-Frank text suggests that the CFPB could only make a covered person decision after notification to the financial entity and sufficient time for the entity to respond; the CFPB press release was silent on this aspect.

The decade following the enactment of the Dodd-Frank Act was marked by a steady reduction in the scope and application of the law, as large parts of the rule were found to be unenforceable, unconstitutional, or less relevant than its editors might have hoped. The extent of the CFPB’s authority has the potential to become another contentious flashpoint in the law, perhaps along the lines of the Volcker’s rule. Even the structure of the CFPB board of directors (in particular, management by a single director who can only be removed for cause) was declared unconstitutionalrendering all subsequent CFPB moves of dubious legitimacy.

For the CFPB

The CFPB under Rohit Chopra embarked on a heavy-handed approach to oversight; this expansion of authority is merely the latest development of this Politics called Chopra’s”war on industry.” The CFPB has used all the powers at its disposal and, in particular, wishes to impose a heavy compliance burden on financial players through the use of numerous and varied requests for information, lastly and in particular on fees charged by financial institutions. Chopra indicated his eagerness to tackle big tech, credit reporting and data processing; he also played a key role in kick which ousted Chairwoman Jelena McWilliams from the management of the Federal Deposit Insurance Corporation (FDIC).

An extension of the scope of coverage by the CFPB, although surprising and unwelcome, is therefore not unusual. Moreover, an aggressive policy by any federal agency has important practical implications. Without a significant budget increase (and due to the unique idiosyncrasies of the CFPB structure, it receives its funding directly from the Federal Reserve, which means that Congress has no say), the CFPB risks becoming too dispersed and not fulfilling its main mission. Even if the budget and funding were to materialize, the CFPB lacks the resources for its new oversight responsibilities, neither in staff nor in detailed non-banking and fintech experience. The fact that these initiatives were spearheaded by a CFPB director whose position was ruled unconstitutional by the Supreme Court makes them a particularly hard pill to swallow.

For fintechs

Responsibility for regulatory oversight and supervision of non-banks and fintechs is a contentious political battle in Washington. The Biden administration has signaled that it is seeking to take a whole-of-government approach to the responsible development of digital assets for which the support of entire sections of the federal government will be necessary. Unsurprisingly, the result has been a turf war between financial regulators over who controls what. This is not to say that assigning oversight is an easy task: the monetary aspects of cryptocurrency concern the Federal Reserve and the Treasury; commodity aspects the Commodity Futures Trading Commission; and securities matters, the Securities and Exchange Commission. The responsible regulator can even vary depending on the issuer of the cryptocurrency, with parties ranging from the Fed to the Office of the Comptroller of the Currency to the Small Business Administration. The FDIC is waiting in the wings if any of these fintechs require bank charters (usually to deny them). Even outside of the federal financial services regulators, there are broader privacy and security concerns that could concern the National Economic Council or the Financial Stability Supervisory Board.

The primary goal of this network of competing interests is to simultaneously foster an environment beneficial to American innovation and to protect American consumers from fraud and exploitation. This latest move by the CFPB represents the agency throwing its hat into an already crowded circle, but where the CFPB differs from other competitors is its marked lack of interest in promoting the non-bank market. Instead, any CFPB initiative will be punitive and may, by censoring non-banks and fintechs, inadvertently delineate the (narrow) boundaries within which non-banks and fintechs can operate. Because of the CFPB’s eagerness, American industry will likely learn what it can’t do before it has a clue what it can do. This increased regulatory burden will hit the smallest players and entrepreneurs hardest as they are the least able to absorb the additional compliance costs, cutting off innovation at its root. The traditional banking sector, on the other hand, should welcome this development, having long argued for non-banks providing banking services must be held to the same standards as banks.


It is hard to look at the murky political underpinnings, over-enforcement, and fundamental unconstitutionality of the CFPB and wish there were more of it, and yet that is what was provided to us. Although entirely within the scope of the broad powers granted to it by the Dodd-Frank Act, the CFPB’s attempt to extend its coverage to non-banks signals that it wishes to enter the highly regulatory and supervisory airspace. contested fintechs. In a landscape where the remaining financial services regulators are limping, the CFPB can make its way simply by haste, and that has huge implications both for adding to an already bloated CFPB and for strangling a fledgling fintech industry in its cradle.