Earlier this year, the CFPB announced shifts to the priorities that would guide the agency’s supervision and enforcement activities, including:
- a “shift back to depository institutions, as opposed to” nonbanks and fintechs,
- prioritizing “actual fraud against consumers” with “measurable consumer damages,” and
- focusing on mortgages, data furnishing, and debt collection over pursuing novel theories.
That announcement predicted the CFPB would cut in half the number of exams it would conduct, and reports seem to indicate that supervisory activity has been limited since February 2025. Meanwhile, the CFPB also initiated wide-ranging rulemakings to reevaluate its larger participant rules, as discussed further below.
The CFPB has now issued a proposed rule that it may seek to finalize soon after the comment period closes. If finalized, it would narrow the standard by which the agency can single out an individual nonbank to bring it within the CFPB’s supervisory authority. Altogether, these changes envision a reduced supervisory apparatus at the CFPB, which may result in some nonbanks being supervised primarily at the state level.
The CFPB’s Supervision Authority
Supervision is the nonpublic process by which regulators examine a company’s operations to identify issues that may grow into violations of law. The data collected during exams and the matters examiners ultimately highlight for the company to address are highly confidential.1 However, supervisory efforts may sometimes overlap as several regulators may examine the same company on different schedules and with seemingly limited inter-agency coordination. In some cases, supervision might lead to enforcement if the regulator contends that violations of law have already occurred.
The CFPB does not conduct an exam of every entity within its supervisory authority every year. For that reason, the fact that the CFPB has supervisory authority over a company does not necessarily mean that the company will be examined. Each year, the Division of Supervision determines how many exams to conduct, how to prioritize which companies to examine, and ultimately which companies will be examined and when those exams will occur. These decisions aim to protect consumers using the limited supervision resources available.
Supervisory Authority Over Banks
The CFPB has supervisory authority over various banks and nonbanks. Some of this authority is determined by category based on the type and size of the institution.
For example, the CFPB generally has supervisory authority over depository institutions with $10 billion or more in total assets when assessing compliance with the requirements of federal consumer financial laws.2
By comparison, the CFPB typically shares supervisory authority with the prudential regulators over depository institutions with fewer assets when it comes to federal consumer financial law compliance.3 The prudential regulators are the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and for credit unions the National Credit Union Administration.4 Responsibility for a particular depository institution depends on the institution’s charter, amount of total deposits, and whether it is a member of the Federal Reserve.5
Supervisory Authority Over Nonbanks That Are ‘Larger Participants’ in Markets for Consumer Financial Products and Services
The CFPB’s ability to supervise nonbanks is more limited. On a category basis, the CFPB can grant itself supervisory authority over the “larger participants” in certain markets for consumer financial products and services by completing a notice-and-comment rulemaking process to establish the threshold for which participants in that market are sufficiently large.6 To date, the CFPB has established supervisory authority over larger participants in the following markets:
- Consumer reporting;7
- Debt collection;8
- Student loan servicing;9
- International money transfers;10
- Automobile financing and leasing;11
- And most recently, general-use digital consumer payment applications, which Congress set aside earlier this year.12
The CFPB recently initiated rulemaking to reconsider the thresholds of several of its previous larger participant rules, suggesting that it is considering raising the thresholds in order to focus on only the very largest participants in these markets.13 It is possible, but not yet clear, that the CFPB may ultimately determine to forego supervision in one or more of these markets altogether, potentially judging that no single participant is sufficiently large.
Supervisory Authority Through Risk-Based Designation Proceedings
Among other sources of supervisory authority over nonbanks, the CFPB can grant itself supervisory authority over a single nonbank covered person. This may occur when the Bureau “has reasonable cause to determine, by order, after notice to the covered person and a reasonable opportunity for such covered person to respond . . . that such covered person is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” This authority can reach any “covered person,” meaning any company that “engages in offering or providing a consumer financial product or service” or an affiliate that acts as a service provider to that company.14 The CFPB might base its determination on information from consumer complaints that reach the CFPB or from other sources.15
This is the source of authority the CFPB now proposes to curtail. The Dodd-Frank Act does not define these risks, but also broadly states that one purpose of supervision is “detecting and assessing risks to consumers and to markets for consumer financial products and services.”16 The CFPB implemented procedures for these determinations in 2013.17 In doing so, the CFPB expressly declined to define “risks to consumers” because that standard was set by statute and the final rule was merely procedural and not a “substantive conduct rule” that “prohibits any conduct or requires any disclosures.”18
Nonetheless, a supervisory designation may carry consequences. Once an entity is subject to CFPB supervision, the CFPB “may examine the entire entity for compliance with all Federal consumer financial laws, assess enterprise-wide compliance systems and procedures, and assess and detect risks to consumers or to markets for consumer financial products and services posed by any activity of the entity, not just the activities that initially rendered the entity subject to Bureau supervisory authority.”19
The CFPB made certain amendments to these procedures in 2022 and 2024, all of which the CFPB proposed to rescind earlier this year.20 The 2022-2024 amendments made it possible for certain supervisory designation orders to be made public, to increase transparency into and give precedential effect to the designations,21 and to reflect an internal restructuring that split the CFPB’s supervision functions into a separate division from its enforcement functions.22 Those rules acknowledged, however, that the CFPB had rarely used its nonbank supervision designation power prior to 2022.23 The procedural changes, if the move to rescind the amendments is finalized, coupled with the more stringent substantive standard of the proposed rule, might make this source of authority even more rarely used.
The Proposed Rule to Define Risks to Consumers
On Aug. 26, 2025, Acting Director Russell Vought issued a proposed rule that would define “conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services” to mean conduct that both:
- presents a high likelihood of significant harm to consumers, and
- is directly connected to the offering or provision of a consumer financial product or service as defined in Dodd-Frank.24
According to the CFPB’s preliminary reasoning, “Congress would not have expected [the CFPB] to expend its supervisory resources on issues that are speculative in likelihood or trivial in impact.”25 The CFPB also proposes to interpret the statutory phrase “with regard to the offering or provision of consumer financial products or services” to require a direct connection to a consumer financial product or service, so that the CFPB may “focus only on the specific categories of products and services that Congress charged the Bureau with overseeing.”26
In this regard, the proposal would narrow the CFPB’s risk-based supervision authority in two ways compared with past practice. First, designation proceedings would need to establish a greater standard both in terms of probability and impact: “a high likelihood of significant harm.” Second, and perhaps even more significantly, any harm that ultimately results to consumers—no matter how likely or how severe—qualifies for designation only if the conduct predicating such harm is “directly connected” to the offering or provision of a consumer financial product or service specifically defined under Dodd-Frank. For example, in one of the few published designation orders, the CFPB concluded that “each of [several] risks alone is sufficient to exercise” its designation power.27 However, some of the identified risks did not arise from the financial product or service itself, but from ancillary products, such as an optional insurance policy offered to the same consumers.28 Others were the supposed risks of repeated use of the same financial product or service.29 In another designation order, the CFPB maintained the designation, placing the entity under potential supervision even when the entity was discontinuing the product that was the basis for the designation, making those risks unlikely to recur in the future.
The CFPB expects that, if finalized, it “will be less likely to designate any particular entity for supervision, all other factors being equal.”30
Questions for Comment
The CFPB requests comment “on all aspects of this standard,” but also specifically requests comment on “whether ‘risks to consumers’ must be potential violations of law” to qualify in this context.31 This might indicate that the CFPB is considering whether to further narrow the proposed standard to look not just for a “high likelihood” of “significant harm” but also to require that the conduct that forms the basis for a supervisory designation constitute a potential violation of law.
Key Takeaways
The CFPB is undertaking affirmative rulemaking to narrow its own supervisory authority. At the same time, current leadership appears to be limiting its supervisory activity in the short term. Consistent with its announcements earlier this year, these changes may reduce the CFPB’s oversight of nonbanks and fintechs for at least the next few years.
The public had until Sept. 22, 2025, to supply evidence through public comment that would assist the CFPB in determining the appropriate thresholds for the larger participants in select markets that are subject to supervision and has until Sept. 25, 2025, to submit public comments on the proposed rule narrowing the CFPB’s risk-based supervisory designation authority.
1 12 U.S.C. § 5512(c)(6).
2 12 U.S.C. § 5515.
3 12 U.S.C. § 5516.
4 12 U.S.C. § 5481(24).
5 12 U.S.C. § 1813(q).
6 12 U.S.C. § 5514(a)(1)(B), (a)(2).
7 77 Fed. Reg. 42874 (July 20, 2012); 12 C.F.R. § 1090.104.
8 77 Fed. Reg. 65775 (Oct. 31, 2012); 12 C.F.R. § 1090.105.
9 78 Fed. Reg. 73383 (Dec. 6, 2013); 12 C.F.R. § 1090.106.
10 79 Fed. Reg. 56631 (Sept. 23, 2014); 12 C.F.R. § 1090.107.
11 80 Fed. Reg. 37496 (June 30, 2015); 12 C.F.R. § 1090.108.
12 89 Fed. Reg. 99582 (Dec. 10, 2024) (to be codified at 12 C.F.R. § 1090.109); Pub. L. 119-11, 139 Stat. 54 (May 9, 2025).
13 Defining Larger Participants of the Consumer Reporting Market, 90 Fed. Reg. 38409 (Aug. 8, 2025); Defining Larger Participants of the Automobile Financing Market, 90 Fed. Reg. 38415 (Aug. 8, 2025); Defining Larger Participants of the International Money Transfer Market, 90 Fed. Reg. 38412 (Aug. 8, 2025); Defining Larger Participants of the Consumer Debt Collection Market, 90 Fed. Reg. 38418 (Aug. 8, 2025). This leaves unmodified the larger participant rules for student loan servicing and The comment periods on these advanced notices of proposed rulemaking are due September 22, 2025. After the CFPB considers these comments, it is expected to issue a proposed rule announcing the new anticipated thresholds and take in an additional round of public comment.
14 12 U.S.C. § 5481(6), (26).
15 12 U.S.C. § 5514(a)(1)(C).
16 12 U.S.C. § 5514(b)(1)(C).
17 Procedural Rule to Establish Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination, 78 Fed. Reg. 40352 (July 3, 2013) (codified at 12 C.F.R. pt. 1091).
18 78 Fed. Reg. at 40357.
19 78 Fed. Reg. at 40354.
20 Procedures for Supervisory Designation Proceedings, 90 Fed. Reg. 20401 (May 14, 2025).
21 Supervisory Authority Over Certain Nonbank Covered Persons Based on Risk Determination; Public Release of Decisions and Orders, 87 Fed. Reg. 25397 (April 29, 2022); 87 Fed. Reg. 70703 (Nov. 21, 2022) (updated final rule).
22 Procedures for Supervisory Designation Proceedings, 89 Fed. Reg. 30259 (April 23, 2024).
23 Id. at 30259.
24 Dodd-Frank lists the “financial products and services” in 15 U.S.C. § 5841(15) that qualify as “consumer financial products and services” if they are either “offered or provided for use by consumers primarily for personal, family, or household purposes;” or “delivered, offered, or provided in connection with” such a product or service that involves brokering, originating, or servicing loans; providing real estate settlement services; consumer reporting; or collecting debt related to any consumer financial product or service. 15 U.S.C. § 5841(5) (citing 15 U.S.C. § 5481(15)(A)(i), (iii), (ix), (x)).
25 90 Fed. Reg. at 41520–21.
26 Id. at 41521.
27 E.g., In re World Acceptance Corp., No. 2023-CFPB-SUP-0001, at 7 (Nov. 30, 2023).
28 Id. at 7.
29 Id. at 15–17.
30 90 Fed. Reg. at 41521.
31 Id.