CFPB To Rely on Dormant Authority to Expand Reach to Nonbanks and Fintechs

Executive Summary 

  • The Consumer Financial Protection Bureau (CFPB) has announced its intent to exercise a “dormant” authority granted to it under Dodd-Frank to expand the scope of the entities it supervises. 
  • The CFPB will claim the authority to regulate and supervise any financial actor that performs any kind of activity that could cause risk to consumer—including nonbanks, and particularly fintechs; little is known about how the CFPB will make this assessment. 
  • The lack of a unified federal approach to fintech regulatory oversight has created a turf war in Washington. This latest move by the CFPB marks its foray into the field, yet compared to the other regulatory agencies competing for authority over these entities, the CFPB is particularly ill-equipped to regulate fintechs: It lacks the knowledge, manpower, and resources; more important it has demonstrated an extreme antipathy to the entities it regulates. 


In the wake of the financial crisis, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among a litany of other things, created the Consumer Financial Protection Bureau (CFPB). Tasked with regulating the consumer finance industry, the CFPB works to increase and improve transparency, accountability, and consumer protections. While the vast majority of these powers and responsibilities were already shared by existing financial service regulatory agencies, the CFPB represented an effort to concentrate consumer protection in a single agency under a director with a wide brief.  

That brief is only getting wider. On Monday the CFPB took new steps to annex portions of the economy under its authority. Since 2011, the CFPB has exercised supervisory authority over banks, thrifts, credit unions with assets over $10 billion, nonbank mortgage originators and servicers, payday lenders, and private student lenders of all sizes. One might think that this is more than enough to keep the CFPB busy, but on April 26,2022 the CFPB continued an increasingly muscular disposition under Director Rohit Chopra by announcing that it would invoke a “dormant” power granted to it under Dodd-Frank to examine entirely new categories of nonbank companies, with particular focus on fintechs. To this expansion in scope, the CFPB has also added a procedural rule seeking feedback on the transparency of its risk assessment process. 


For Dodd-Frank 

Section 1024 of the Dodd-Frank Act created five categories of covered persons over whom the CFPB would have authority.  

“This section shall apply to any covered person who— 

(A) offers or provides origination, brokerage, or servicing of loans secured by real estate for use by consumers primarily for personal, family, or household purposes, or loan modification or foreclosure relief services in connection with such loans; 

(B) is a larger participant of a market for other consumer financial products or services, as defined by rule in accordance with paragraph (2); 

(C) the Bureau has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond, based on complaints collected through the system under section 1013(b)(3) or information from other sources, that such covered person is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services; 

(D) offers or provides to a consumer any private education loan, as defined in section 140 of the Truth in Lending Act (15 U.S.C. 1650), notwithstanding section 1027(a)(2)(A) and subject to section 1027(a)(2)(C); or 

(E) offers or provides to a consumer a payday loan.” 

It is section (C) that the CFPB is relying on in its proposed expansion of scope to cover nonbanks and particularly fintechs. Quietly implemented by procedural rule in 2013, the CFPB has until now never employed this authority, referring to it as “dormant” in the agency’s press release and accompanying materials.  

At first glance (and several following glances), this power would seem to be extraordinarily broad in application. The CFPB itself notes that the authority “is not specific to any particular consumer financial product or service.” Any entity that even poses risk (a determination significantly broader than causes risk) becomes fair game for the CFPB. It is not even clear how the CFPB will make these risk determinations for the purposes of covered persons, although more information should be gained after the transparency request for comment. Additionally, the text of Dodd-Frank suggests that the CFPB might only make a covered person decision after notice to the financial entity and sufficient time for the entity to respond; the CFPB press release was silent on this aspect. 

The decade after the enactment of the Dodd-Frank Act has featured a steady shrinking of the law’s scope and application, as vast portions of the rule are shown to be unworkable, unconstitutional, or less relevant than its drafters may have hoped. The scope of the CFPB’s authority has the potential to become yet another contentious flash point  in the law—perhaps along the lines of the Volcker Rule. Even the structure of the CFPB’s board (in particular, leadership by a single director who can only be fired for cause) has been ruled unconstitutional, rendering all subsequent moves by the CFPB of questionable legitimacy. 

For the CFPB 

The CFPB under Director Rohit Chopra has embarked on a muscular approach to supervision; this expansion of authority is simply the latest development in what Politico has called Chopra’s “war against industry.” The CFPB has employed all the powers at its disposal and, in particular, is keen to place a heavy compliance burden on financial actors by use of many and varied requests for information, most recently and notably on fees charged by financial institutions. Chopra has indicated an eagerness to go after big tech, credit reporting, and data handling; he also played a key role in the coup that ousted Chair Jelena McWilliams from leadership of the Federal Deposit Insurance Corporation (FDIC). 

An expansion in the scope of coverage by the CFPB, while surprising and unwelcome, is therefore not unusual. What’s more, aggressive policy from any federal agency has significant practical implications. Without a significant increase in budget (and due to the unique peculiarities of the CFPB structure, it receives its funding directly from the Federal Reserve, meaning Congress has no say) the CFPB risks spreading itself too thin and failing to achieve its core mission. Even if budget and funding were to materialize, the CFPB does not have the resources required for its new supervisory responsibilities, either manpower or detailed nonbank and fintech experience. That these initiatives have been spearheaded by a CFPB Director whose position has been determined unconstitutional by the Supreme Court makes this a particularly difficult pill to swallow. 

For Fintechs 

Responsibility for the regulatory oversight and supervision of nonbanks and fintechs is a contentious policy battle in Washington. The Biden Administration has signaled that it is looking to take a whole-of-government approach to the responsible development of digital assets for which the buy-in of sweeping parts of the federal government will be required. Unsurprisingly, the result has been a turf war among the financial regulators over who gets oversight over what. This is not to imply that assigning oversight is an easy task: The currency aspects of cryptocurrency concern the Federal Reserve and Treasury; the commodity aspects the Commodity Futures Trading Commission; and the securities aspects the Securities and Exchange Commission. The responsible regulator may even vary depending on the cryptocurrency issuer, with parties ranging from the Fed, to the Office of the Comptroller of the Currency, to even the Small Business Administration. The FDIC is waiting in the wings if any of these fintechs require bank charters (usually to deny them). Even outside of the federal financial services regulators, there are broader privacy and security issues that might concern the National Economic Council or the Financial Stability Oversight Council. 

The primary focus of this web of competing interests is to simultaneously foster a beneficial environment for American innovation and protect American consumers from fraud and exploitation. This latest move by the CFPB represents the agency throwing its hat into an already crowded ring, but where the CFPB differs from other contenders is their marked lack of interest in fostering the nonbank market. Instead, any CFPB initiatives will be punitive and may in censuring nonbanks and fintechs inadvertently delineate the (narrow) bounds in which nonbanks and fintechs can operate. Due to the eagerness of the CFPB, American industry will likely learn what it cannot do before it has any idea of what it can do. This enhanced regulatory burden will hit the smallest actors and entrepreneurs hardest as they are least able to absorb additional compliance costs, cutting off innovation at its root. The traditional banking sector, by contrast, is likely to be delighted by this development, having long lobbied for nonbanks providing banking services to be held to the same standards as banks. 


It is difficult to look at the murky policy underpinnings, enforcement excesses, and basic unconstitutionality of the CFPB and wish that there were more of it, and yet that is what we have been provided. While entirely within scope of the broad powers afforded to it by the Dodd-Frank Act, the CFPB’s attempt to extend its coverage to nonbanks indicates that it is keen to enter the tightly contested regulatory and supervisory airspace over fintechs. In a landscape where the remaining financial services regulatory agencies are limping along, the CFPB may get its way simply by virtue of haste, and this has enormous implications both for adding to an already bloated CFPB and strangling a nascent fintech industry in its cradle.