Federal regulators landed the first blow: Several major credit card companies paid more than half a billion dollars in customer restitution and fines as part of settlements reached with the Consumer Financial Protection Bureau in the summer and fall of 2012. But while these companies were still reeling from the first punch, shareholders took the next swing, filing class action shareholder derivative suits against the directors and senior officers of these financial services companies, alleging the CFPB's findings and the settlements demonstrated mismanagement, breach of fiduciary duty, and unjust enrichment at the companies' expense.

The three shareholder derivative suits target senior officers and directors, whose actions are presumably covered by D&O policies, and suggest a pattern: Plaintiffs invoke the companies' compliance policies and related representations, cite at length to governmental investigations or settlements, and then allege that the divergence between the companies' representations and the investigations or settlements evidences a breach of fiduciary duty, mismanagement, or unjust enrichment. The companies' refusals to admit wrongdoing, including in the settlement, are not acknowledged.

"Follow-on" or "piggyback" suits filed on the heels of settlements with government regulators are not uncommon—most frequently with the Federal Trade Commission (consumer product violations), the Securities and Exchange Commission (securities violations) and the Department of Justice (antitrust or Foreign Corrupt Practices Act violations)—so these new suits are not entirely surprising. Also, because the CFPB is a new agency with only a few settlements—albeit significant ones—on its record and the follow-on suits are in early stages, extrapolating guidance from previous forms of piggyback litigation must only be done cautiously. Still, the phenomenon deserves revisiting in this latest iteration for several reasons.

First, a backlash against the attendant abuses of follow-on class actions in the context of FTC and SEC investigations already may have limited the prospects of these suits. In cases in which plaintiffs have attempted to bootstrap FTC settlements involving "lack-of-substantiation" claims into false advertising or state consumer protection claims, courts have held those claims to the higher standard of proving actual falsity through affirmative evidence, rather than mere lack of substantiation. Even the FTC filed amicus briefs opposing some follow-on suits, suggesting they benefit the plaintiffs' bar more than consumers. Similarly, the heightened pleading burdens under case law interpreting Rule 10b-5 and the Private Securities Litigation Reform Act of 1995 have limited follow-on securities litigation in federal court.

Complaints that do little more than cut and paste defendants' public assertions of compliance and allegations from SEC reports have suffered dismissals for failure to plead particularized facts alleging fraudulent circumstances and intent. Against this background—and perhaps as a way to avoid existing adverse federal precedents and rules—current CFPB-related follow-on lawsuits have alleged only state common-law claims of breach of fiduciary duty, corporate waste/mismanagement, and unjust enrichment.

Second, not only will precedents discouraging vaguely pled or frivolous follow-on CFPB litigation take time to develop, but this process will occur under statutes with greater tolerance for private rights of action generally. As the history of class actions following FTC settlements indicates, these cases encountered judicial opposition, in part, because the FTC Act provides no private right of action. In contrast, a number of the rules, regulations, and statutory schemes that the CFPB now oversees expressly allow for private rights of action, providing greater latitude for follow-on lawsuits after CFPB settlements than has historically been the case after FTC resolutions.

Third, the credit card issuers that settled with the CFPB are large and sophisticated financial services companies—long accustomed to having compliance officers and committees managing risks, carrying comprehensive D&O insurance coverage, and managing substantial litigation budgets. But the universe of companies subject to CFPB regulation includes many much smaller companies that may still be trying to determine their basic obligations to the CFPB, much less how to deal with the risk of follow-on litigation. The CFPB's recently announced definition of "larger participants" in the debt collection market—companies with $10 million in annual receipts—targets approximately 175 companies for CFPB supervision, demonstrating that even so-called "large" companies for CFPB purposes are both relatively small and significant in number.

The CFPB also has the authority to regulate all nonbank entities of any size that offer financial products or services in residential mortgage, private education lending, and payday lending markets, meaning that the 175 or so "larger participants" in debt collection represent a small fraction of companies now under the CFPB's oversight authority. Add in the "service providers" to these consumer financial services companies, which the CFPB also has authority to regulate, and the likely number of companies whose officers and directors could be subject to follow-on lawsuits (many with limited resources relative to large financial services companies or even "large participants") is both inestimable and potentially staggering.

Accordingly, before they come to grips fully with the compliance and litigation risk management needs to which large credit card issuers have become accustomed, companies that have recently become subject to CFPB regulation understandably need to work through several layers of comprehension. Many companies, especially "service providers," undoubtedly have not yet even recognized the possibility that a federal financial regulator is or may soon be looking over their shoulder.

Larger numbers of companies may be in the early stages of thinking about CFPB oversight and compliance, but have not yet identified anyone to whom they can turn for help—be that compliance personnel, compliance committees, or informed in-house or external advisers. For a subset of these companies, the need to proactively prepare for examinations, possible investigations, and the risk of CFPB enforcement is on the horizon, along with the recognition that before they are scrutinized they should conduct a "gap analysis," identifying deficiencies between regulatory requirements and their current practices. But even many of these forward-thinking companies have yet to fully recognize that service provider relationships are also regulated, and that failure to ensure that service providers are complying with the law is an independent basis for liability of the "outsourcer."

Thus, the prospect that CFPB regulation, supervision, and enforcement carries with it potentially significant private litigation exposure, including for officers and directors, may not even be on the radar of many companies. Yet given that follow-on litigation is common in other regulatory contexts, sometimes even before the regulator has completed its investigation, companies should consider the risk of litigation alongside the evaluation of compliance deficiencies. At a minimum, the prospect that follow-on litigation could add a potentially lengthy and expensive "second stage" of exposure to liability based on CFPB allegations suggests an even greater urgency for companies to prepare for CFPB oversight as soon as possible.

Previously published in Corporate Counsel, March 4, 2013.
