[Federal Register Volume 89, Number 142 (Wednesday, July 24, 2024)]
[Notices]
[Pages 59900-59903]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-16245]


=======================================================================
-----------------------------------------------------------------------

CONSUMER FINANCIAL PROTECTION BUREAU

[Docket No: CFPB-2024-0029]


Privacy Act of 1974; System of Records

AGENCY: Consumer Financial Protection Bureau.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the Consumer 
Financial Protection Bureau (CFPB or Bureau) proposes to establish a 
new CFPB system of records titled, ``CFPB.030--Nonbank Registry'' 
(Nonbank Registry). Generally, ``nonbanks'' are institutions involved 
in the offering or provision of consumer financial products or services 
that are not insured depository institutions or insured credit unions 
(hereinafter referred to as ``nonbanks''). The Nonbank Registry system 
of records covers information collected and maintained as part of the 
CFPB nonbank registration program. The Nonbank Registry enables certain 
nonbanks to register with the CFPB through the Bureau's Nonbank 
Registry portal and to provide additional required information and/or 
other required documents. The records maintained in the Nonbank 
Registry enable the CFPB to gather information from registered 
nonbanks; to monitor and identify consumer risks; to gather information 
and documents to conduct examinations of registered nonbanks subject to 
the CFPB's supervisory authority; and to ensure that registered 
nonbanks subject to the CFPB's supervisory authority are legitimate 
entities and able to perform their obligations to consumers, 
including their obligations under Federal consumer financial law. This 
newly established system of records will be included in the CFPB's 
inventory of records systems.

DATES: Comments must be received no later than August 23, 2024. The new 
system of records will be effective August 23, 2024 unless the comments 
received result in a contrary determination.

ADDRESSES: You may submit comments, identified by the title and docket 
number (see above Docket No. CFPB-2024-0029), by any of the following 
methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. A brief summary of 
this document will be available at https://www.regulations.gov/docket/CFPB-2024-0029.
     Email: [email protected]. Include Docket No. CFPB-2024-0029 
in the subject line of the email.
     Mail/Hand Delivery/Courier: Kathryn Fong, Chief Privacy 
Officer, Consumer Financial Protection Bureau, 1700 G Street NW, 
Washington, DC 20552, (202) 435-7058. Because paper mail in the 
Washington, DC area and at CFPB is subject to delay, commenters are 
encouraged to submit comments electronically.
    All submissions must include the agency name and docket number for 
this notice. In general, all comments received will be posted without 
change to http://www.regulations.gov. All comments, including 
attachments and other supporting materials, will become part of the 
public record and subject to public disclosure. You should submit only 
information that you wish to make available publicly. Sensitive 
personal information, such as account numbers or Social Security 
numbers, should not be included.

FOR FURTHER INFORMATION CONTACT: Kathryn Fong, Chief Privacy Officer, 
Consumer Financial Protection Bureau, 1700 G Street NW, Washington, DC 
20552; (202) 435-7058. If you require this document in an alternative 
electronic format, please contact [email protected]. Please 
do not submit comments to this email box.

SUPPLEMENTARY INFORMATION: In accordance with the Privacy Act of 1974, 
5 U.S.C. 552a, the CFPB is establishing a new system of records titled, 
``CFPB.030, Nonbank Registry.'' On June 3, 2024, the CFPB published the 
Registry of Nonbank Covered Persons Subject to Certain Agency and Court 
Orders Final Rule (Orders Rule) pursuant to sections 1022 and 1024 of 
the Consumer Financial Protection Act (CFPA) of 2010. The Orders Rule 
imposes specific requirements on ``covered nonbanks,'' as that term is 
defined in section 1092.201(d) of the Orders Rule. Covered nonbanks are 
generally required to register ``covered orders,'' as that term is 
defined in section 1092.201(e) of the Orders Rule, that remain in or 
take effect on or after the Orders Rule's effective date.
    The CFPB's exercise of its nonbank registration rulemaking 
authority expands the category of individuals and records collected and 
maintained on nonbanks to include those required to register with the 
CFPB to enable the Bureau to monitor and reduce the risks to consumers 
posed by these institutions more effectively. The registry also allows 
the Bureau to monitor trends in enforcement and more effectively 
utilize Bureau resources. To this end, the CFPB has created the Nonbank 
Registry portal to facilitate the registration process and information 
collection maintained in the Nonbank Registry system of records for 
nonbanks that are required to register with the CFPB in accordance with 
current or subsequent CFPB regulations. Finally, the CFPB may publish 
certain information collected and maintained in the Nonbank Registry 
system of records as is in the public interest and in accordance with 
CFPB regulations.

SYSTEM NAME AND NUMBER:
    CFPB.030--Nonbank Registry.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Consumer Financial Protection Bureau, 1700 G Street NW, Washington, 
DC 20552.

SYSTEM MANAGER(S):
    Program Director, Systems and Registrations Team, Office of 
Supervision, Consumer Financial Protection Bureau, 1700 G Street NW, 
Washington, DC 20552.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Public Law 111-203, title X, sections 1022 and 1024, codified at 12 
U.S.C. 5512 and 5514.

PURPOSE(S) OF THE SYSTEM:
    The purposes of the Nonbank Registry are: (1) To effectively 
monitor and understand financial markets related to nonbanks or nonbank 
institutions; (2) To monitor for risks to consumers in the offering or 
provision of consumer financial products or services; (3) To facilitate 
the CFPB's risk-based nonbank supervision program; (4) To ensure that 
registered nonbanks subject to the CFPB's supervisory authority are 
legitimate entities and are able to perform their obligations to 
consumers, including their obligations under Federal consumer financial 
law; and (5) To maintain a central public registry of information on 
nonbanks to facilitate public awareness and oversight.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The CFPB collects and maintains information on the following 
individuals:
     Authorized representatives acting on behalf of nonbanks 
who are authorized to submit information to the Nonbank Registry 
portal;
     Attesting executives;
     Individuals (e.g., consenting party, defendant) listed or 
included in a covered order and related public records, such as court 
or agency documents, or other documents provided to the registry;
     Individuals, including authorized representatives who 
submit a question via the Nonbank Registry portal about related 
regulations or that require technical assistance with the Nonbank 
Registry; and
     CFPB staff assigned to maintain the Nonbank Registry, 
including system developers, system administrators, and similar system 
stakeholders who support the Nonbank Registry and program operations.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records maintained in this Nonbank Registry include:
     Full names and business contact information (e.g., 
business title, email address, and phone number) for authorized 
representatives and attesting executives provided during the 
registration process;
     Information related to individuals associated with 
nonbanks found in submitted documents, such as covered orders and 
related public records, such as court or agency documents, or other 
documents provided to the Nonbank Registry;
     Annual written statements signed by an attesting executive 
(or executives) and notification/confirmation of non-registration;
     Names and contact information (e.g., phone number, email 
address) of individuals, along with the questions submitted about related 
regulations or that require technical assistance with the Nonbank 
Registry; and
     Access records to CFPB computers and networks (e.g., 
external facing portals) containing usernames and passwords and first 
and last names of CFPB staff and external users authorized 
to access the Nonbank Registry, and other audit-related information, 
such as date and time stamps of submissions via the Nonbank Registry 
portal, and information regarding reconciliation or correction of 
errors.

RECORD SOURCE CATEGORIES:
    The information in the Nonbank Registry system of records is 
collected directly from covered nonbanks and the authorized 
representatives and executives acting on behalf of the covered 
nonbanks; CFPB staff; and from individuals that submit questions via 
the Nonbank Registry portal about related regulations or that require 
technical assistance.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, and consistent with the CFPB's Disclosure 
of Records and Information Rules, promulgated at 12 CFR part 1070, all 
or a portion of the records or information contained in this system may 
be disclosed outside the CFPB as a routine use to:
    (1) Appropriate agencies, entities, and persons when (a) the Bureau 
suspects or has confirmed that there has been a breach of the system of 
records; (b) the Bureau has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the Bureau (including its information systems, programs, and 
operations), the Federal Government, or national security; and (c) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Bureau's efforts to respond 
to the suspected or confirmed breach or to prevent, minimize, or remedy 
such harm.
    (2) Another Federal agency or entity, when the Bureau determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (a) responding to a suspected 
or confirmed breach or (b) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
government, or national security, resulting from a suspected or 
confirmed breach.
    (3) Another Federal or State agency to (a) permit a decision as to 
access, amendment, or correction of records to be made in consultation 
with or by that agency, or (b) verify the identity of an individual or 
the accuracy of information submitted by an individual who has 
requested access to or amendment or correction of records.
    (4) The Executive Office of the President in response to an inquiry 
from that office made at the request of the subject of a record or a 
third party on that person's behalf.
    (5) Congressional offices in response to an inquiry made at the 
request of the individual to whom the record pertains.
    (6) Contractors, agents, or other authorized individuals performing 
work on a contract, service, cooperative agreement, job, or other 
activity on behalf of the Bureau or the U.S. Government and who have a 
need to access the information in the performance of their mission, 
including duties or activities.
    (7) The Department of Justice (DOJ) for its use in providing legal 
advice to the Bureau or in representing the Bureau in a proceeding 
before a court, adjudicative body, or other administrative body, where 
the use of such information by the DOJ is deemed by the Bureau to be 
relevant and necessary to the advice or proceeding, and such proceeding 
names as a party in interest:
    (a) The CFPB;
    (b) Any employee of the Bureau in their official capacity;
    (c) Any employee of the Bureau in their individual capacity where 
DOJ has agreed to represent the employee; or
    (d) The United States, where the CFPB determines that litigation is 
likely to affect the Bureau or any of its components.
    (8) Appropriate Federal, State, local, foreign, Tribal, or self-
regulatory organizations or agencies responsible for investigating, 
prosecuting, enforcing, implementing, issuing, or carrying out a 
statute, rule, regulation, order, policy, or license if the information 
may be relevant to a potential violation of civil or criminal law, 
rule, regulation, order, policy, or license.
    (9) To the National Archives and Records Administration (NARA) or 
other Federal Government agencies pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.
    (10) A grand jury pursuant either to a Federal or State grand jury 
subpoena, or to a prosecution request that such record be released for 
the purpose of its introduction to a grand jury, where the subpoena or 
request has been specifically approved by a court. In those cases where 
the Federal Government is not a party to the proceeding, records may be 
disclosed if a subpoena has been signed by a judge.
    (11) A court, magistrate, or administrative tribunal in the course 
of an administrative proceeding or judicial proceeding, including 
disclosures to opposing counsel or witnesses (including expert 
witnesses) in the course of discovery or other pre-hearing exchanges of 
information, litigation, or settlement negotiations, where relevant or 
potentially relevant to a proceeding, or in connection with criminal 
law proceedings.
    (12) To members of the public as is in the public interest in 
accordance with 12 CFR part 1092. Such disclosure would be limited to 
the names and titles of attesting executives and individuals listed or 
included in a covered order and related public records, such as court 
or agency documents, or other documents provided to the registry.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The records are maintained in electronic media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records maintained in this system of records are retrievable using 
a personal identifier, including an individual's name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The records contained within the Nonbank Registry system of records 
are considered unscheduled and will be maintained as permanent until 
there is an approved records schedule for the Nonbank Registry.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    External access to the Nonbank Registry via the portal for nonbank 
user accounts is limited to the nonbank that created the account with 
the CFPB. Nonbanks will log in with a username and password using multi-
factor authentication. Internal access to electronic records is 
restricted to authorized CFPB staff based on role-based access controls 
using multi-factor authentication.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to any record contained in this system 
of records may inquire in writing in accordance with instructions in 12 
CFR 1070.50 et seq. Address such requests to: Chief Privacy Officer, 
Consumer Financial Protection Bureau, 1700 G Street NW, Washington, DC 
20552. Instructions are also provided on the Bureau website: https://www.consumerfinance.gov/foia-requests/submit-request/.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest the content of any record contained 
in this system of records may inquire in writing in accordance with 
instructions in 12 CFR 1070.50 et seq. Address such requests to: Chief 
Privacy Officer, Consumer Financial Protection Bureau, 1700 G Street 
NW, Washington, DC 20552. Instructions are also provided on the Bureau 
website: https://www.consumerfinance.gov/privacy/amending-and-correcting-records-under-privacy-act/.

NOTIFICATION PROCEDURES:
    See ``Record Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This is a new system of records.

Kathryn Fong,
Chief Privacy Officer, Consumer Financial Protection Bureau.
[FR Doc. 2024-16245 Filed 7-23-24; 8:45 am]