May 30, 2012

Navigating a Consumer Financial Protection Bureau Investigation and Enforcement Action

11 min

As the one-year anniversary of the start of the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) approaches, look for a fundamental shift in press coverage about the Bureau, as information about its initial investigations and enforcement activity becomes public.  This new focus will emerge as the Bureau builds on some of its first investigations to determine whether there have been violations of federal consumer financial protection laws.  These investigations and potential enforcement actions will have long-term consequences for their targets and be an important indicator of the Bureau’s approach to consumer protection in the future.
Enforcement Authority Overview

The Bureau has responsibility to enforce federal consumer financial law over nonbank entities, regardless of whether they are subject to the Bureau’s supervisory authority.  Federal consumer financial laws include the Consumer Financial Protection Act (“CFPA”) enacted as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which prohibits unfair, deceptive, or abusive acts and practices (“UDAAP”) in connection with consumer financial products and services, as well as 18 consumer protection laws transferred to the Bureau, and several rules issued by the Federal Trade Commission (“FTC”).

The Bureau’s coverage of nonbank entities and their service providers is broad and includes advertisers, marketers, and providers of payday loans, private education loans, mortgage origination and servicing, debt collection, credit reports, prepaid cards, money transmission, consumer installment loans, and debt relief services. 
While the total number and details of investigations being conducted by the Bureau’s Office of Enforcement are confidential, already the existence of some investigations of nonbank financial providers has become public as a result of corporate filings.  For example, within the last month, a for-profit school announced it was being investigated as to private education loans.  Also, the Bureau itself has stated it has other non-public investigations in progress.

Federal Consumer Financial Protection Law

The Bureau has two primary areas of enforcement authority:  the CFPA’s UDAAP prohibition; and the laws and rules that it inherited from other agencies.  For a primer on the laws and regulations that fall under the scope of the CFPB, review the CFPB Supervision and Examination Guidance on its website –  This material is geared for Bureau examination staff, it provides a good overview of the ways enforcement staff may approach an investigation. 

In particular, the available guidance includes examples from federal enforcement actions and provides insight into practices that have been alleged to be unfair, deceptive or abusive by other regulators and may inform the Bureau’s determinations.  However, an enforcement action may require the Bureau to clarify particular laws and regulations under its jurisdiction as applied to specific facts.  Although the Bureau has broad rulemaking authority to add clarity to the law, the Bureau may not want to wait until it can initiate and conclude a rulemaking before bringing an enforcement action to highlight particular conduct it would view as problematic.

The Bureau has yet to demonstrate where or when it will intervene in the specific actions of a company or seek to set an example for others through enforcement actions.  Conduct changes and financial penalties aimed at specific companies are likely not the only goal of the CFPB.  Another result is that it may promote better compliance within given markets and careful development of compliant goods and services along the way.

Investigatory Process

The CFPB is authorized to conduct investigations to determine whether any person is, or has, engaged in conduct that violates federal consumer financial law.  The Bureau drew heavily on the procedures used by the FTC, the Securities and Exchange Commission, and existing banking regulators for guidance in developing its investigatory rules.  Here are some highlights:

  • Investigations may be conducted jointly with other federal and state regulators, and may include subpoenas or civil investigative demands (“CIDs”) for testimony, responses to written questions, documents, or other materials.
  • The Assistant Director of the Division of Enforcement is empowered to negotiate and approve the terms of compliance with CIDs and grant extensions for good cause.  Further, CID recipients may seek an order to modify or set aside a CID, which will be ruled upon by the Bureau Director.  If an agreement cannot be reached, the Bureau may initiate an action to enforce a CID in federal court.  In addition, the Bureau may seek civil contempt or other appropriate relief in cases where a court order enforcing a CID has been violated.
  • Persons may withhold material responsive to a CID.  The rules require that they assert a privilege by the production date and, if so, as directed in the CID, submit a detailed schedule of the items withheld.  The rules also provide protection for inadvertently disclosed privileged information.
  • Investigations generally are non-public.  However, a Bureau investigator may disclose the existence of an investigation to the extent necessary to advance the investigation, and information obtained in an investigation may be shared with other federal and state agencies.

Key Steps to Responding to an Investigation

A recipient of a CFPB CID needs to move quickly to assess the scope of the CID, retain counsel, and be prepared to proactively discuss compliance issues.  Here are some key steps:

1. Review the CID – A review of the CID, among many things, will identify the purpose of the investigation, the assigned staff enforcement attorneys, the production deadline (e.g., 30 days from issuance), the definitions, instructions, and interrogatory and document requests.

2. Establish a Response Team – When a CID is received, the recipient should establish a response team comprised of in-house legal counsel, compliance staff, business staff, and IT staff.  This group, along with others within the company, and the support of outside counsel, will be needed to help with gathering documents and answering interrogatory questions, ensuring compliance with legal obligations, maintaining confidentiality, assessing whether responsive information is privileged, taking proper steps to preserve responsive materials (e.g., implementation of a document preservation policy), avoiding liability, and preventing future claims and damage to the company.  In addition, a recipient of a CID will need to decide whether public disclosure is required pursuant to other applicable legal and regulatory obligations.

3. Assess the CID for Possible Modification Requests – Once the team is assembled, legal counsel needs to determine the scope and timing of the CID response and whether any modifications are needed.  The scope of the Bureau’s authority in issuing the CID also needs to be determined.  Questions to ask include:

  • What information is the Bureau seeking?
  • What information do we have?
  • How difficult will be it be to identify and gather the information? 
  • Would compliance with the CID violate other legal requirements?
  • Does the CID overlap with supervision and examination authority the Bureau has, or will likely have in the future?

4. Meet and Confer with Bureau Enforcement Attorneys – Bureau CID’s that we are familiar with have had an instruction providing for the opportunity to have an early “meet and confer” meeting with Bureau staff on issues relating to the scope of the CID and document production matters.  The practice has been that the meet and confer is within 10 days after receipt of the CID.  Preparation steps for the meet and confer and ensuing follow-up include:

  • Identify specific definitions, instructions, and requests that may pose a burden.
  • Quantify the burden to the company (e.g., use of all IT resources for several weeks).
  • Propose alternative options that address the same subject matter.
  • Demonstrate commitment to full and frank discussion regarding limitations and availability of information, including database and IT matters, document retention policies, and organizational structure of company.
  • Identify and propose a production timeline that is reasonable and takes into account the ease with which information can be provided.

5. Petition to Modify or Set Aside the CID – The Bureau’s investigatory rules generally allow CID recipients to file a petition to modify or set aside an information request if the request is filed within 20 days of receipt of the CID unless an extension is granted by the head of the Office of Enforcement.  The Bureau’s rules require parties to engage in meaningful “meet and confer” sessions with enforcement staff before they file any petition to quash Bureau CID requests.  Within the CFPB context, we are not aware of any motions to modify or quash having been granted.  Indeed, in similar situations at the FTC, we find that it is frequently more effective and efficient to have detailed and ongoing conversations with the enforcement attorneys to limit the scope of particular CID requests.  While the Bureau staff may resist modifying the scope of the CID, any reduction that is allowed can be accompanied by a provision requiring parties to provide additional information upon the request of Bureau staff.  However, the timely filing of a petition for an order modifying or setting aside a CID will stay the time permitted for compliance with the portion challenged.

6. Electronically Stored Information – The identification, collection, review, and processing of electronically stored information, such as emails, poses certain challenges on most businesses.  The burden and cost continues to increase as the amount of electronically stored information that the average organization or custodian regularly maintains continues to rise.  Among the first steps that should be done when receiving a CID is to suspend any automatic deletion process for responsive electronically stored materials.  In addition, the recipient should work to identify relevant custodians for each request and attempt to reach agreement on ways to mitigate the burden of requests using the lists of custodians and other relevant methods.

7. Production – The CID instructions will cover specifics regarding production formats and logistics.  Generally the Bureau has required electronic production of responses and has not been hampered by legacy government IT systems or protocols.  Further, when responding to a CID, material that is withheld based on asserting a privilege is required to be identified on a privilege log.  This is a very significant step, as well as a source of burden and expense, so the instructions and any modifications to this process should be discussed with Bureau staff well in advance of the response deadline.

Once it is clear that an investigation is underway, careful consideration should be given to how best to advocate on behalf of the company in a proactive manner.  While presentations and white papers will not eliminate the need to respond to the CID, they can provide the company with an important opportunity to present its view of the facts.  In addition, detailed cover letters and other explanatory material may be useful.  Also, consider whether any remedial steps are needed, how the company may implement them, and how best to communicate any changes to the Bureau.

Careful thought should be given to how the investigation will affect the long-term relationship of the company with the Bureau.  This is especially important when the company is subject to automatic supervision and examination authority, may be considered by the Bureau to have engaged in activities that pose risks to consumers, or could be considered a larger player, or “larger participant,” in other markets, such as those included in an initial proposal on consumer reporting companies and debt collectors.  Importantly, a CFPB investigation may also impact state investigations and relationships with state regulators.  The specific considerations and consequences will not be the same for every investigation. 

Notice and Opportunity to Respond and Advise

According to a bulletin published in January 2012, before the Office of Enforcement recommends that the Bureau commence enforcement proceedings, the Office of Enforcement may give the subject of such recommendation notice of the nature of the subject’s potential violations and may offer the subject the opportunity to submit a written statement in response.

The Bulletin notes that “the decision whether to give such notice is discretionary, and a notice may not be appropriate in some situations, such as in cases of ongoing fraud or when the Office of Enforcement needs to act quickly.”  

The objective of the notice is to ensure that potential subjects of enforcement actions have the opportunity to present their positions to the Bureau before an enforcement action is recommended or commenced, according to the bulletin. 

Administrative Proceedings and Civil Actions

The CFPB may bring administrative enforcement proceedings or civil actions in Federal district court.   The Bureau can obtain “any appropriate legal or equitable relief with respect to a violation of Federal consumer financial law,” including, but not limited to:

  • Rescission or reformation of contracts.
  • Refund of money or return of real property.
  • Restitution.
  • Disgorgement or compensation for unjust enrichment.
  • Payment of damages or other monetary relief.
  • Public notification regarding the violation.
  • Limits on the activities or functions of the person against whom the action is brought.
  • Civil monetary penalties (which can go either to victims or to financial education).

The CFPB has no criminal enforcement authority.

If a positive and realistic resolution is not possible before the Bureau, a CID recipient may have to litigate against the agency.  In some cases, companies may need to weigh final settlement offers from the Bureau with the worst-case litigation scenario, including restrictive injunctive provisions and penalties. 

Seeking to Avoid a CFPB Investigation

For companies seeking to avoid a CFPB investigation, there are many steps that may be appropriate.  Among them, consider performing a risk assessment and gap analysis to determine where the attention of the compliance department and others may be needed, as well as record keeping.  Also consider a consumer financial protection compliance training program.  One goal of the program can be to train staff on how to spot certain basics as part of an overall compliance program.  Further, consult with experienced and skilled outside counsel to help navigate the nuances of consumer financial protection laws and how they may apply to specific situations.

For more information, please contact Jonathan Pompan at 202.344.4383 or

Jonathan Pompan is Of Counsel at Venable LLP in the Washington, DC office.  He represents nonprofit and for-profit companies in regulated industries in a wide variety of areas such as before the Consumer Financial Protection Bureau (“CFPB”), compliance with applicable federal and state regulations, and in connection with CFPB, Federal Trade Commission, and state investigations and law enforcement actions.

This article is not intended to provide legal advice or opinion and should not be relied on as such.  Legal advice can only be provided in response to a specific fact situation.