Nonbank Financial Order Registry Requirements
Summary
Under the Consumer Financial Protection Act of 2010 (CFPA), the Consumer Financial Protection Bureau (Bureau or CFPB) is issuing this final rule to require certain types of nonbank covered persons subject to certain final public orders obtained or issued by a government agency in connection with the offering or provision of a consumer financial product or service to report the existence of the orders and related information to a Bureau registry. The Bureau is also requiring certain supervised nonbanks to file annual reports regarding compliance with registered orders.
Compliance Requirements
- #1
Nonbank covered persons subject to certain final public orders obtained or issued by a government agency in connection with the offering or provision of a consumer financial product or service must report the existence of the orders and related information to a Bureau registry; Nonbank registrants must register with the Bureau starting after an applicable implementation date for the registry specified in the rule; Entities must provide basic identifying information about the company and the order (including a copy of the order) to the Bureau registry; Entities must periodically update the registry to ensure its continued accuracy and completeness; Certain supervised nonbanks subject to the Bureau's supervisory authority under section 1024(a) of the CFPA must annually identify an executive (or executives) responsible for and knowledgeable of the firm's efforts to comply with the orders identified in the registry; Supervised nonbank entities must submit on an annual basis a written statement signed by the applicable executive regarding the entity's compliance with each order in the registry; Nonbanks that are subject to an order published on the Nationwide Multistate Licensing System's Consumer Access website (except for orders issued or obtained at least in part by the Bureau) may elect to comply with a one-time registration option in lieu of complying with the rule's notification and written-statement requirements with respect to that order
Deadline: Implementation dates specified in § 1092.206 (different dates for larger participants, other supervised nonbanks, and other nonbanks not subject to Bureau supervision)
Market Impacts
Nonbank covered persons subject to final public orders must register with CFPB registry, creating compliance barrier for entities with enforcement histories; Creation of centralized public registry provides market intelligence opportunity for regulators, competitors, and consumers to monitor enforcement trends and corporate recidivism; Restricts market access for nonbanks with public enforcement orders by requiring registration and public disclosure, potentially limiting business opportunities; Supervised nonbanks must annually identify executives responsible for compliance and submit written statements regarding order compliance, increasing accountability requirements
Validated Company Impacts
Affirm Holdings, Inc.
Affirm operates as a nonbank provider of consumer financial products and services, specifically offering consumer loans and payment solutions through its platform, which directly falls under the CFPB's jurisdiction for nonbank covered persons. The company's core business of facilitating transparent financial products aligns with the rule's focus on entities offering consumer financial services that could be subject to enforcement orders. The rule's focus on regulatory compliance for nonbank financial entities shows minimal alignment with the company's risk profile, which includes only general regulatory compliance risks without specific mention of consumer financial services enforcement or public orders. The company's identified regulatory risks are broad and not tailored to the CFPB's registry requirements for nonbank covered persons with enforcement histories.
BLACKSTONE MORTGAGE TRUST, INC.
Blackstone Mortgage Trust operates as a nonbank entity providing consumer financial products through mortgage lending activities, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's regulated credit-granting activities and compliance requirements align with the rule's focus on nonbanks subject to enforcement orders in consumer financial services. The rule focuses on consumer financial product enforcement order reporting and compliance, which does not align with the company's primary risk factors of interest rate fluctuations, commercial real estate volatility, loan concentration, CECL reserves, and REIT compliance. The company's single regulatory compliance risk relates to REIT requirements, not consumer financial enforcement orders.
Coinbase Global, Inc.
Coinbase operates as a nonbank covered person offering consumer financial products and services through its cryptocurrency trading platform, directly falling under the CFPB's jurisdiction for consumer financial services. The company's transaction revenue segment involves consumer trading activities that constitute offering financial products, making it subject to the registry requirements if it has applicable public orders. The rule focuses on consumer financial products and services enforcement order reporting, while the company's primary risks center around cryptocurrency market volatility, trading dependency, and general regulatory uncertainty rather than specific consumer financial compliance enforcement. There is minimal overlap as the company operates in digital assets rather than traditional consumer financial services.
EQUIFAX INC
Equifax operates as a major consumer credit reporting agency, directly offering consumer financial products and services through credit reports and scores, which falls squarely under the CFPB's jurisdiction for nonbank covered persons. The company's core business model involves handling sensitive consumer financial data and is subject to regulatory oversight, making it highly likely to be affected by this registry requirement for enforcement orders. The rule's focus on regulatory compliance with consumer financial orders shows weak alignment with the company's 'Compliance with Consumer Settlement' risk factor, but this is a general regulatory risk rather than specific to consumer financial products. The company's other major risks (data security, AI, free information availability, FX fluctuations) have no meaningful connection to this financial services registry requirement.
Robinhood Markets, Inc.
Robinhood operates as a nonbank covered person offering consumer financial products and services through its commission-free stock trading and cryptocurrency trading platforms, directly falling under the CFPB's jurisdiction for registry requirements related to enforcement orders. The rule focuses on consumer financial products and services enforcement orders, while the company's primary risks relate to cryptocurrency regulation, financial reporting, and tax compliance with no mention of consumer financial services enforcement actions. The only minimal alignment exists through general regulatory compliance risks, but these are not specific to the consumer financial enforcement context of this rule.
INTUIT INC.
Intuit operates extensively in consumer financial services through its Credit Karma segment (personal finance platform) and Consumer segment (tax preparation products), directly falling under the CFPB's jurisdiction for nonbank covered persons offering consumer financial products. The company's financial technology platform and tax services clearly involve consumer financial products subject to this registry requirement. The rule focuses specifically on regulatory compliance requirements for nonbank financial entities with enforcement orders, while the company's risk factors show only one general regulatory compliance risk without specific mention of consumer financial services enforcement or order compliance. The company's identified risks are primarily financial, operational, and cybersecurity-focused, with minimal overlap with this rule's targeted enforcement order reporting requirements.
Pagaya Technologies Ltd.
Pagaya operates as a nonbank entity connecting financial institutions and consumers with investors using AI-powered underwriting technology, directly engaging in consumer financial products and services which falls under the CFPB's jurisdiction for nonbank covered persons. The company's core business of facilitating access to financial products aligns with the rule's scope requiring registration and compliance reporting for entities subject to enforcement orders related to consumer financial services. The rule focuses on regulatory compliance and enforcement order reporting requirements, which only partially aligns with the company's limited regulatory compliance risk category (2 identified risks). The company's primary risks are financial, market competition, and cybersecurity, with minimal direct overlap with the registry and reporting obligations imposed by this rule.
TransUnion
TransUnion operates as a nonbank covered person providing consumer financial products and services through its credit reporting and data analytics business, directly falling under the CFPB's jurisdiction for consumer financial services. The company's core operations in credit reporting and consumer data services would require compliance with the registry requirements for any applicable public orders. The rule focuses specifically on regulatory compliance requirements for nonbank financial entities with enforcement orders, while the company's risk factors are more general and include data breaches, cybersecurity threats, and market competition without specific mention of enforcement history or consumer financial regulatory actions. There is minimal overlap as only the broad 'Regulatory Changes' risk factor could potentially relate, but it lacks the specificity of enforcement order compliance addressed by this rule.
Mr. Cooper Group Inc.
Mr. Cooper Group operates as a major nonbank mortgage servicer and originator, directly engaging in consumer financial products and services through residential mortgage lending and servicing activities, which fall squarely under the CFPB's jurisdiction for nonbank covered persons subject to enforcement orders. The rule's focus on regulatory compliance requirements for nonbank financial entities with enforcement orders shows weak alignment with the company's single identified regulatory risk factor. While the company acknowledges regulatory changes as a risk, the specific registry and order reporting requirements target a narrow subset of compliance issues that may not directly match the company's broader regulatory change concerns.
Dave Inc./DE
Dave Inc. operates as a nonbank provider of consumer financial products and services through its mobile-first platform, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's core business of offering financial alternatives to traditional banking aligns with the rule's focus on consumer financial products and services, making it subject to registration requirements if it has applicable public orders. The company's disclosed risk factors show minimal alignment with this rule's focus on regulatory compliance for nonbank financial entities with enforcement orders. While the company identifies 'emerging growth company status' as a regulatory risk, this relates to financial reporting comparisons rather than consumer financial product enforcement or order compliance requirements. The rule targets entities with existing public enforcement orders, which is not reflected in the company's risk profile.
FISERV INC
Fiserv operates extensively in consumer financial services through merchant acquiring, payment processing, and card issuer services, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's core business activities involve offering consumer financial products and services, making it subject to the registry requirements if it has applicable public orders. The rule focuses on consumer financial services enforcement and compliance reporting requirements, while the company's disclosed risks are primarily financial and operational with minimal regulatory compliance focus. The company's two regulatory compliance risks relate to taxation complexity, not consumer financial services enforcement or order reporting obligations.
GLOBAL PAYMENTS INC
Global Payments Inc operates as a nonbank provider of consumer financial products and services through its digital payment solutions, including credit/debit card processing and ecommerce payment services, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's core business of processing consumer financial transactions would subject it to the registry requirements if it were subject to applicable enforcement orders. The rule focuses on regulatory compliance for consumer financial services enforcement orders, while the company's risk factors are primarily financial and accounting-related with minimal regulatory compliance exposure. The company's three regulatory compliance risks relate to accounting pronouncements and financial reporting, not consumer financial enforcement actions or CFPB oversight.
Payoneer Global Inc.
Payoneer operates as a nonbank financial technology company providing cross-border payment services, working capital management, and multicurrency accounts - all consumer financial products and services that fall directly under the CFPB's jurisdiction. As a nonbank covered person offering consumer financial services, Payoneer would be subject to the registry requirements if it ever becomes subject to relevant enforcement orders. The rule focuses on regulatory compliance requirements for nonbank financial entities with enforcement orders, but the company's disclosed risks show minimal regulatory compliance concerns (only 2 of 9 total risks) and no specific mention of enforcement actions or consumer financial product compliance. The company's primary risks center on operational execution, market competition, and customer fund management rather than regulatory reporting obligations.
PayPal Holdings, Inc.
PayPal operates as a nonbank covered person offering consumer financial products and services including digital wallets, P2P payments, and consumer credit products, which directly fall under the CFPB's jurisdiction and would be subject to the registry requirements for any applicable enforcement orders. The company's core business model involves consumer financial transactions that are explicitly targeted by this rule. The company's single regulatory compliance risk ('Legal and Regulatory Proceedings') shows minimal alignment with this rule's focus on reporting enforcement orders, as the rule specifically targets nonbank financial entities with public orders related to consumer financial products, which is not clearly indicated in the company's generic regulatory risk disclosure. The company's other risks are primarily financial and operational, with no direct connection to consumer financial services enforcement or registry requirements.
Remitly Global, Inc.
Remitly operates as a nonbank provider of consumer financial services through its digital remittance platform, directly falling under the CFPB's jurisdiction for consumer financial products and services. The company's core business of money transfers and foreign exchange services clearly aligns with the rule's scope for nonbank covered persons subject to enforcement orders. The rule focuses specifically on regulatory compliance for nonbank financial entities with enforcement orders, while the company's risk profile emphasizes general cybersecurity, privacy laws, and operational risks without specific mention of consumer financial regulatory enforcement or order compliance. There is minimal overlap as the company's regulatory compliance risks appear broader and not specifically tied to financial services enforcement mechanisms.
Rithm Capital Corp.
Rithm Capital operates extensively in consumer financial services through mortgage origination, servicing, and consumer lending activities, directly falling under the CFPB's jurisdiction as a nonbank covered person. The company's mortgage servicing rights, consumer loans, and residential lending operations clearly involve offering consumer financial products and services subject to this registry requirement. The rule focuses on regulatory compliance requirements for nonbank financial entities with enforcement orders, while the company's only identified risk is a financial liquidity shortfall with no mention of regulatory or compliance risks. There is no overlap between the rule's enforcement order reporting requirements and the company's disclosed financial risk profile.
Rocket Companies, Inc.
Rocket Companies operates as a nonbank mortgage originator and financial technology company offering consumer financial products and services, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's mortgage origination and financial services activities make it subject to the registry requirements for entities with enforcement orders related to consumer financial products. The rule focuses specifically on regulatory compliance requirements for nonbank financial entities with enforcement orders, while the company's single regulatory risk factor (Legal Proceedings Risk) is generic and not specifically tied to consumer financial services enforcement. There is minimal overlap as the company's risk profile does not indicate involvement in consumer financial products or services that would trigger this registry requirement.
Sezzle Inc.
Sezzle operates as a nonbank provider of consumer financial products and services through its digital payments platform offering flexible credit alternatives, directly falling under the CFPB's jurisdiction for nonbank covered persons. The company's core business of providing consumer credit alternatives and payment services aligns precisely with the rule's focus on entities offering consumer financial products and services subject to enforcement orders. The company operates in the technology sector with no involvement in consumer financial products or services, and its risk factors focus on technology development, intellectual property, and market competition rather than regulatory compliance with financial consumer protection orders. There is no alignment with the rule's requirements for nonbank financial entities subject to enforcement orders.
SLM Corp
SLM Corporation operates as a nonbank provider of private education loans and related financial services, directly falling under the CFPB's jurisdiction for consumer financial products. As a lender in the student loan market, it would be subject to the registry requirements if subject to any final public orders related to its consumer lending activities. The rule focuses specifically on regulatory compliance requirements for nonbank financial entities with enforcement orders, while the company's single regulatory risk factor is generic and doesn't specifically address enforcement history or consumer financial services compliance. The company's risk profile emphasizes financial, operational, and cybersecurity risks rather than the targeted enforcement registry requirements.
SoFi Technologies, Inc.
SoFi Technologies operates as a nonbank financial services company offering consumer loans, banking services, and investment products, directly falling under the CFPB's jurisdiction for consumer financial products and services. As a supervised nonbank under CFPA section 1024(a), the company would be subject to both the registry reporting requirements and the annual executive compliance certification obligations. The rule focuses on enforcement order reporting and compliance for consumer financial services, while the company's disclosed risks are entirely financial and accounting-related (deferred tax assets, impairment charges, accounting standards). There is no overlap with the regulatory compliance requirements for consumer financial product enforcement orders.
Upstart Holdings, Inc.
Upstart operates as a nonbank lender providing consumer financial products including personal loans and auto refinancing, directly falling under the CFPB's jurisdiction as a nonbank covered person offering consumer financial services. The company's core business model involves originating and servicing consumer loans, making it highly likely to be subject to this registry requirement if it has any relevant enforcement orders. The company operates in the technology sector with no involvement in consumer financial products or services, and its risk factors focus on technology development, intellectual property, and market competition rather than regulatory compliance with financial consumer protection orders. There is no overlap between the rule's requirements for nonbank financial entities and the company's business operations or identified risk areas.
Block, Inc.
Block, Inc. operates multiple consumer financial services through its Square and Cash App ecosystems, including payment processing, peer-to-peer payments, lending, and banking services, which directly fall under the CFPB's jurisdiction for nonbank covered persons offering consumer financial products. The company's business model involves transaction fees and service fees from financial activities that would subject it to the registry requirements if subject to qualifying enforcement orders. The rule focuses specifically on consumer financial product enforcement orders and compliance reporting requirements, which does not align with the company's disclosed risk factors. The company's regulatory risks are general and not specific to consumer financial services enforcement actions or order compliance reporting obligations.