Thursday, June 6, 2024

CFPB’s Repeat Offender Registry – Part One


We just learned from our lawyers about the possibility that our firm will need to file as a Repeat Offender. I am really angry about this, and I am turning to you for feedback. This type of filing could crush our business reputation. I am the President and have built this company for over twenty years. Now, because we had a few violations, we are going to be considered repeat offenders. And the whole world is going to view us as repeat offenders. 

I am outraged. I had a conference call with other company owners, and they wanted me to ask you for your understanding of this nasty situation. I mean, really, repeat offenders are felons, sex perverts, murderers, crooks, and criminals of all sorts and stripes. It is insulting to say we are Repeat Offenders. We are not hardened criminals. We are not crooks. 

We are hardworking business people who do the best we can in a highly regulated industry. If we make mistakes, we try to fix them. Sometimes, we make the same mistake, but not out of malice. We’re licensed, and the last thing we want to do is call regulators down on our company for repeating a mistake. We don’t run from our responsibilities. 

Our lawyers are telling us how to manage the situation legally. But all I’m hearing is there’s nothing we can do but accept that we are going to be called “repeat offenders.” One of our lawyers used a fancy word, saying we are a “recidivist” company. Is that word supposed to make me feel better? Whatever. We are going to be burned on the “repeat offender” stake. 

Thank you for letting me rant. I am just so pissed off. Please give me and others some basic understanding of what this new set of regulatory shackles is all about. 

What is the Repeat Offender requirement? 

How does the Repeat Offender filing work? 

Why is my firm being singled out? 


CMS Tune-up®
(Compliance Management System)


For the last few days, we’ve gotten so many calls on this subject that we had to double up the reception team. The emails to us were peaking each day. That’s because, on Monday, June 3rd, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a Final Rule[i] (“Rule”) requiring nonbank consumer financial services companies to register court orders or government agency orders in its Nonbank Registry (“Registry”). This Rule is the “Repeat Offender” registration requirement that you’re referring to. The effective compliance date is September 16, 2024. 

Given the complexity of the Rule, my answer today constitutes Part One. We’ll publish Part Two next week, which will be a continuation of today’s answer and will also contain a chart and another checklist outline. Furthermore, since we have received so many inquiries on this topic, I may include some of those questions in Part Two. 

I understand your concerns. Before I get into some of the details and answer your questions, please relax. If you have competent counsel, they should be responsive and provide helpful guidance. 

You can contact me personally here if you want us to discuss your compliance needs. We have a range of compliance services that will likely mitigate your risk management challenges. When risk management is not functioning well, repeated violations may happen, and regulations can become a minefield. 


You seem surprised by the terminology of “Repeat Offender.” You might like to know that the CFPB has had a Repeat Offender Unit since 2022. It was set up specifically to focus[ii] on these four activities: 

1)    reviewing and monitoring the activities of repeat offenders;

2)    identifying the root cause of recurring violations;

3)    pursuing and recommending solutions and remedies that hold entities accountable for failing to comply with Federal consumer financial law consistently; and

4)    designing a model for order review and monitoring that reduces the occurrences of repeat offenders.

The Repeat Offender Unit is equipped with a national supervision team that is responsible for designing and executing comprehensive oversight of supervised entities subject to CFPB law enforcement orders.[iii] In effect, it is a deterrence strategy that actively ensures a company, its senior management, and its board of directors are not treating any orders as mere suggestions.

Thus, the Bureau is taking several steps to identify specific individuals and entities responsible for repeat offenses. 

And you are correct: the CFPB will make the Registry publicly accessible. The Bureau states in the Rule that a public registry will enable other Federal, state, and local regulators to “realize many of the same market-monitoring benefits that the Bureau anticipates obtaining from this rule.”[iv] The plan here is to facilitate the ability of consumers to identify the entities that are registered with the Bureau, with the goal of enhancing “the ability of investors, research organizations, firms conducting due diligence, and the media to locate, review, and monitor orders enforcing the law.”[v]  


Your firm is not being singled out, though it may feel that way. Don’t develop a persecution complex when dealing with regulators. I have even admonished lawyers who presumably know how to interact with regulators but come at them with righteous indignation. They should know better. 

You’ve spent decades building your business, but compliance issues are always traceable and never erasable. Like it or not, your firm has established a risk profile with the Bureau and likely with state banking departments. Your goal must be to prevent, reduce, and mitigate legal and regulatory risks. 

If you want to be proactive, do a self-assessment, such as our CMS Tune-up®which will help you to get a better understanding of the strengths and weaknesses in your Compliance Management System. Get our report. Fix the weaknesses. Conduct an annual review.  

Contact us for more information about the CMS Tune-up® 

We have a Compliance Tune-up® audit for virtually all areas of mortgage banking. Whatever you do, stay focused on ensuring the resiliency of your overall compliance program. 

As you know, we only work in the mortgage compliance space. If you are a covered nonbank providing consumer financial products or services, such as residential mortgage loans, you are probably covered by the Rule.[vi] 


As I said above, the Rule requires the covered nonbank to register court orders or government agency orders into a new Registry. Let me discuss this requirement because it is mandated due to investigations, proceedings, administrative matters and actions, consent orders, agency orders, and court orders. 

Since your lawyers have notified you that you need to register, my guess is that your risk profile contains some of the requirements that mandate registration. Given that you may need to register with the Registry, let’s drill down into the types of orders that can trigger the filing requirement. 

Here’s a helpful outline to help you identify whether you may need to file with the Registry. If any of these orders have happened, you certainly may be subject to registration.[vii]

An order[viii] is covered by the Rule if it:

  • Is a final public order issued by an agency or court. 
  • Identifies a covered nonbank by name as a party subject to the order;
  • Was issued at least in part in any action or proceeding brought by any Federal agency, state agency, or local agency; 
  • Contains public provisions that impose obligations on the covered nonbank to take certain actions or to refrain from taking certain actions;
  • Imposes obligations on the covered nonbank based on an alleged violation of a covered law, which includes Federal consumer financial laws, other laws enforced by the CFPB, and certain unfair, deceptive, or abusive acts or practices laws at both Federal and state levels identified in the final rule; and
  • Has an effective date on or after January 1, 2017. An order is effective on the date specified in the order. If an order does not have an effective date identified, the date of issuance is the effective date. If the issuing agency or a court stays or otherwise suspends an order’s effectiveness, the order’s effective date for purposes of the final rule is delayed until the stay or suspension is lifted.[ix]

The Bureau casts a wide net with respect to the laws covered by the Rule. The Rule covers a federal consumer financial law or any other law the CFPB enforces; Section 5 of the FTC Act (UDAP); state UDAAP laws; and specific state laws identified by the Rule. 


Unfortunately, filing is going to add an administrative burden on management and governance. There’s no getting around it; registration will require you to file information and documentation.[x] The Bureau will provide the Registry format and filing instructions. And, the Rule requires you to submit revised filings within 90 days if any information outlined above changes or the covered order is amended, terminated, rescinded, or abrogated. 

So, it’s clear you will need to do the following: 

1) Covered Nonbank Identity Information 

As specified in the CFPB’s filing instructions, a covered nonbank must submit identifying information about itself, such as its legal name and the address of its principal place of business. 

2) Administrative Information 

As specified in the CFPB’s filing instructions, a covered nonbank must submit certain additional administrative information. For example, administrative information may include information regarding a registered entity’s affiliates that are registered with respect to the same order. 

3) Covered Order Information 

To register a covered order, a covered nonbank must submit at least the following to the CFPB:

  • A fully executed, accurate, and complete copy of the covered order in a PDF format.[xi]
  • The applicable agency(ies) and court(s) that issued or obtained the covered order.[xii]
  • The effective date of the covered order.[xiii]
  • The date of expiration, if any, of the covered order or a statement that there is none.
  • All covered laws found to have been violated or, for orders issued upon the parties’ consent, alleged to have been violated.
  • Any docket, case, tracking, or other similar identifying number(s) assigned to the covered order by the applicable agency(ies) or court(s). 


The administrative challenge does not stop with the foregoing filing requirements. There is an annual filing requirement, too, in the form of a written statement.[xiv] In effect, this is an attestation, which, along with all supporting documentation, must be retained for five years. On an annual basis, you'll need to review and submit, as applicable, certain additional information regarding covered orders with an effective date on or after the beginning of their applicable implementation submission period. The information must include: 

  • The name and title of an attesting executive[xv] with respect to each of the covered orders registered, upon registration of the order and thereafter upon any change to this information; and
  • An annual written statement signed by the attesting executive for each covered order subject to registration. 

This is where governance now clearly and unambiguously plays a role because the designated executive must provide in the separate attestation (1) a description of the steps the executive has taken to review and oversee the covered nonbank’s activities subject to the order during the preceding calendar year, and (2) attest whether, to the executive’s knowledge, the institution identified any violations or noncompliance with any applicable obligations imposed in the order’s public provisions during the preceding calendar year. 

I don’t think you should be too anxious that the Registry will “crush your business reputation.” However, it would be best if you were prepared to explain the requirement to interested consumers or other parties. The Bureau will not publish the annual written statement itself. Still, it does plan to publish the name and title of the attesting executive(s) who submitted this attestation. 

Part One ends here. Next week, I will discuss other aspects of the Repeat Offender requirements, such as where and how to file, when to file, alternative registration requirements, ongoing and annual filing guidelines, termination of filing requirements, and several other important features of the Rule. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, Final Rule, 12 CFR Part 1092, June 3, 2024, Consumer Financial Protection Bureau

[ii] Supervisory Highlights, Issue 28, Fall 2022, pp 2-3, Consumer Financial Protection Bureau

[iii] CFPB Creates Registry to Detect Corporate Repeat Offenders, June 3, 3024, Announcement, Consumer Financial Protection Bureau

[iv] Op. cit. i, p 23

[v] Idem

[vi] An insured depository institution or insured credit union (i.e., an FDIC-insured bank) is excluded from the Rule.

[vii] Executive Summary of the Nonbank Registration of Orders Rule, June 3, 2024, Consumer Financial Protection Bureau

[viii] Idem, pp2-3

[ix] The final rule’s registration requirements apply to covered orders that remain in effect on September 16, 2024, or have an effective date on or after that date.

[x] Op. cit. vii, pp 3-4

[xi] Any portions of the covered order that are nonpublic should be excluded, such as by redaction, but those portions must be clearly marked on the copy submitted as not public portions.

[xii] For agency-issued orders, the covered nonbank must list the issuing agency(ies), and for court-issued orders, the covered nonbank must list both the issuing court and the agency(ies) that initiated the action that resulted in the court’s order.

[xiii] If no express effective date is included in the order, the date of issuance is submitted. In the event of an agency- or court-issued stay or suspension of the effective date, the effective date will be delayed until the stay or suspension is lifted.

[xiv] The annual attestation requirement pertains to “supervised registered entities,” which is generally defined as a nonbank “subject to supervision and examination by the Bureau pursuant to 12 U.S.C. 5514(a)” (viz., mortgage lenders, brokers, and servicers) that has $5 million or more in annual receipts from all consumer financial products and services.

[xv] See Op. cit. i, defining the “attesting executive” as the “highest-ranking duly appointed senior executive officer [or individual if the company does not have officers]…whose assigned duties include ensuring the supervised registered entity’s compliance with Federal consumer financial law, who has knowledge of the entity’s systems and procedures for achieving compliance with the covered order, and who has control over the entity’s efforts to comply with the covered order.”