As the one-year anniversary of the start of the Consumer
Financial Protection Bureau ("CFPB" or the
"Bureau") approaches, look for a fundamental shift in
press coverage about the Bureau, as information about its initial
investigations and enforcement activity becomes public. This
new focus will emerge as the Bureau builds on some of its first
investigations to determine whether there have been violations of
federal consumer financial protection laws. These
investigations and potential enforcement actions will have
long-term consequences for their targets and be an important
indicator of the Bureau's approach to consumer protection in
the future.
Enforcement Authority Overview
The Bureau has responsibility to enforce federal consumer financial
law over nonbank entities, regardless of whether they are subject
to the Bureau's supervisory authority. Federal consumer
financial laws include the Consumer Financial Protection Act
("CFPA") enacted as part of the Dodd-Frank Wall Street
Reform and Consumer Protection Act, which prohibits unfair,
deceptive, or abusive acts and practices ("UDAAP") in
connection with consumer financial products and services, as well
as 18 consumer protection laws transferred to the Bureau, and
several rules issued by the Federal Trade Commission
("FTC").
The Bureau's coverage of nonbank entities and their service
providers is broad and includes advertisers, marketers, and
providers of payday loans, private education loans, mortgage
origination and servicing, debt collection, credit reports, prepaid
cards, money transmission, consumer installment loans, and debt
relief services.
While the total number and details of investigations being
conducted by the Bureau's Office of Enforcement are
confidential, already the existence of some investigations of
nonbank financial providers has become public as a result of
corporate filings. For example, within the last month, a
for-profit school announced it was being investigated as to private
education loans. Also, the Bureau itself has stated it has
other non-public investigations in progress.
Federal Consumer Financial Protection Law
The Bureau has two primary areas of enforcement authority:
the CFPA's UDAAP prohibition; and the laws and rules that it
inherited from other agencies. For a primer on the laws and
regulations that fall under the scope of the CFPB, review the CFPB
Supervision and Examination Guidance on its website – www.consumerfinance.gov. This material is
geared for Bureau examination staff, it provides a good overview of
the ways enforcement staff may approach an
investigation.
In particular, the available guidance includes examples from
federal enforcement actions and provides insight into practices
that have been alleged to be unfair, deceptive or abusive by other
regulators and may inform the Bureau's determinations.
However, an enforcement action may require the Bureau to clarify
particular laws and regulations under its jurisdiction as applied
to specific facts. Although the Bureau has broad rulemaking
authority to add clarity to the law, the Bureau may not want to
wait until it can initiate and conclude a rulemaking before
bringing an enforcement action to highlight particular conduct it
would view as problematic.
The Bureau has yet to demonstrate where or when it will intervene
in the specific actions of a company or seek to set an example for
others through enforcement actions. Conduct changes and
financial penalties aimed at specific companies are likely not the
only goal of the CFPB. Another result is that it may promote
better compliance within given markets and careful development of
compliant goods and services along the way.
Investigatory Process
The CFPB is authorized to conduct investigations to determine
whether any person is, or has, engaged in conduct that violates
federal consumer financial law. The Bureau drew heavily on
the procedures used by the FTC, the Securities and Exchange
Commission, and existing banking regulators for guidance in
developing its investigatory rules. Here are some
highlights:
- Investigations may be conducted jointly with other federal and state regulators, and may include subpoenas or civil investigative demands ("CIDs") for testimony, responses to written questions, documents, or other materials.
- The Assistant Director of the Division of Enforcement is empowered to negotiate and approve the terms of compliance with CIDs and grant extensions for good cause. Further, CID recipients may seek an order to modify or set aside a CID, which will be ruled upon by the Bureau Director. If an agreement cannot be reached, the Bureau may initiate an action to enforce a CID in federal court. In addition, the Bureau may seek civil contempt or other appropriate relief in cases where a court order enforcing a CID has been violated.
- Persons may withhold material responsive to a CID. The rules require that they assert a privilege by the production date and, if so, as directed in the CID, submit a detailed schedule of the items withheld. The rules also provide protection for inadvertently disclosed privileged information.
- Investigations generally are non-public. However, a Bureau investigator may disclose the existence of an investigation to the extent necessary to advance the investigation, and information obtained in an investigation may be shared with other federal and state agencies.
Key Steps to Responding to an Investigation
A recipient of a CFPB CID needs to move quickly to assess the
scope of the CID, retain counsel, and be prepared to proactively
discuss compliance issues. Here are some key steps:
1. Review the CID – A review of the
CID, among many things, will identify the purpose of the
investigation, the assigned staff enforcement attorneys, the
production deadline (e.g., 30 days from issuance), the
definitions, instructions, and interrogatory and document
requests.
2. Establish a Response Team – When
a CID is received, the recipient should establish a response team
comprised of in-house legal counsel, compliance staff, business
staff, and IT staff. This group, along with others within the
company, and the support of outside counsel, will be needed to help
with gathering documents and answering interrogatory questions,
ensuring compliance with legal obligations, maintaining
confidentiality, assessing whether responsive information is
privileged, taking proper steps to preserve responsive materials
(e.g., implementation of a document preservation policy),
avoiding liability, and preventing future claims and damage to the
company. In addition, a recipient of a CID will need to
decide whether public disclosure is required pursuant to other
applicable legal and regulatory obligations.
3. Assess the CID for Possible Modification
Requests – Once the team is assembled, legal
counsel needs to determine the scope and timing of the CID response
and whether any modifications are needed. The scope of the
Bureau's authority in issuing the CID also needs to be
determined. Questions to ask include:
- What information is the Bureau seeking?
- What information do we have?
- How difficult will be it be to identify and gather the information?
- Would compliance with the CID violate other legal requirements?
- Does the CID overlap with supervision and examination authority the Bureau has, or will likely have in the future?
4. Meet and Confer with Bureau Enforcement Attorneys
– Bureau CID's that we are familiar with have had
an instruction providing for the opportunity to have an early
"meet and confer" meeting with Bureau staff on issues
relating to the scope of the CID and document production
matters. The practice has been that the meet and confer is
within 10 days after receipt of the CID. Preparation steps
for the meet and confer and ensuing follow-up include:
- Identify specific definitions, instructions, and requests that may pose a burden.
- Quantify the burden to the company (e.g., use of all IT resources for several weeks).
- Propose alternative options that address the same subject matter.
- Demonstrate commitment to full and frank discussion regarding limitations and availability of information, including database and IT matters, document retention policies, and organizational structure of company.
- Identify and propose a production timeline that is reasonable and takes into account the ease with which information can be provided.
5. Petition to Modify or Set Aside the CID
– The Bureau's investigatory rules generally allow
CID recipients to file a petition to modify or set aside an
information request if the request is filed within 20 days of
receipt of the CID unless an extension is granted by the head of
the Office of Enforcement. The Bureau's rules require
parties to engage in meaningful "meet and confer"
sessions with enforcement staff before they file any petition to
quash Bureau CID requests. Within the CFPB context, we are
not aware of any motions to modify or quash having been
granted. Indeed, in similar situations at the FTC, we find
that it is frequently more effective and efficient to have detailed
and ongoing conversations with the enforcement attorneys to limit
the scope of particular CID requests. While the Bureau staff
may resist modifying the scope of the CID, any reduction that is
allowed can be accompanied by a provision requiring parties to
provide additional information upon the request of Bureau
staff. However, the timely filing of a petition for an order
modifying or setting aside a CID will stay the time permitted for
compliance with the portion challenged.
6. Electronically Stored Information
– The identification, collection, review, and processing
of electronically stored information, such as emails, poses certain
challenges on most businesses. The burden and cost continues
to increase as the amount of electronically stored information that
the average organization or custodian regularly maintains continues
to rise. Among the first steps that should be done when
receiving a CID is to suspend any automatic deletion process for
responsive electronically stored materials. In addition, the
recipient should work to identify relevant custodians for each
request and attempt to reach agreement on ways to mitigate the
burden of requests using the lists of custodians and other relevant
methods.
7. Production – The CID
instructions will cover specifics regarding production formats and
logistics. Generally the Bureau has required electronic
production of responses and has not been hampered by legacy
government IT systems or protocols. Further, when responding
to a CID, material that is withheld based on asserting a privilege
is required to be identified on a privilege log. This is a
very significant step, as well as a source of burden and expense,
so the instructions and any modifications to this process should be
discussed with Bureau staff well in advance of the response
deadline.
Once it is clear that an investigation is underway, careful
consideration should be given to how best to advocate on behalf of
the company in a proactive manner. While presentations and
white papers will not eliminate the need to respond to the CID,
they can provide the company with an important opportunity to
present its view of the facts. In addition, detailed cover
letters and other explanatory material may be useful. Also,
consider whether any remedial steps are needed, how the company may
implement them, and how best to communicate any changes to the
Bureau.
Careful thought should be given to how the investigation will
affect the long-term relationship of the company with the
Bureau. This is especially important when the company is
subject to automatic supervision and examination authority, may be
considered by the Bureau to have engaged in activities that pose
risks to consumers, or could be considered a larger player, or
"larger participant," in other markets, such as those
included in an initial proposal on consumer reporting companies and
debt collectors. Importantly, a CFPB investigation may also
impact state investigations and relationships with state
regulators. The specific considerations and consequences will
not be the same for every investigation.
Notice and Opportunity to Respond and Advise
According to a bulletin published in January 2012, before the
Office of Enforcement recommends that the Bureau commence
enforcement proceedings, the Office of Enforcement may give the
subject of such recommendation notice of the nature of the
subject's potential violations and may offer the subject the
opportunity to submit a written statement in response.
The Bulletin notes that "the decision whether to give such
notice is discretionary, and a notice may not be appropriate in
some situations, such as in cases of ongoing fraud or when the
Office of Enforcement needs to act quickly."
The objective of the notice is to ensure that potential subjects of
enforcement actions have the opportunity to present their positions
to the Bureau before an enforcement action is recommended or
commenced, according to the bulletin.
Administrative Proceedings and Civil Actions
The CFPB may bring administrative enforcement proceedings or civil
actions in Federal district court. The Bureau can
obtain "any appropriate legal or equitable relief with respect
to a violation of Federal consumer financial law," including,
but not limited to:
- Rescission or reformation of contracts.
- Refund of money or return of real property.
- Restitution.
- Disgorgement or compensation for unjust enrichment.
- Payment of damages or other monetary relief.
- Public notification regarding the violation.
- Limits on the activities or functions of the person against whom the action is brought.
- Civil monetary penalties (which can go either to victims or to financial education).
The CFPB has no criminal enforcement authority.
If a positive and realistic resolution is not possible before the
Bureau, a CID recipient may have to litigate against the
agency. In some cases, companies may need to weigh final
settlement offers from the Bureau with the worst-case litigation
scenario, including restrictive injunctive provisions and
penalties.
Seeking to Avoid a CFPB Investigation
For companies seeking to avoid a CFPB investigation, there are many
steps that may be appropriate. Among them, consider
performing a risk assessment and gap analysis to determine where
the attention of the compliance department and others may be
needed, as well as record keeping. Also consider a consumer
financial protection compliance training program. One goal of
the program can be to train staff on how to spot certain basics as
part of an overall compliance program. Further, consult with
experienced and skilled outside counsel to help navigate the
nuances of consumer financial protection laws and how they may
apply to specific situations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.