The resignation of Richard Cordray as director of the Consumer Financial Protection Bureau (CFPB or Bureau) last November marks the end of an era at the often controversial—but never boring—consumer protection agency. Under Cordray's leadership, the CFPB hit the ground running in 2012 and quickly established a reputation as an aggressive regulator through high-profile enforcement actions and tough examinations of financial services providers. With Cordray's departure, and President Trump's appointment of Mick Mulvaney as acting director, it seems the Bureau's focus will shift, at least in the short term.
Even with change afoot, it's clear the Bureau's first five years changed the way consumer financial services providers think about compliance and consumer protection. And while the CFPB may be less aggressive in the near term, the Federal Trade Commission (FTC), banking regulators, and state attorneys general remain active in protecting consumers. The start of 2018 is a good time to review some of the key lessons of the Bureau's first five years. Even in a deregulatory environment, heeding these basic consumer protection lessons makes business sense and can help minimize potential enforcement risk.
1. Minimize Risk by Putting Consumers First
From the beginning, the CFPB pushed a "consumer first" approach that encouraged financial services providers to evaluate how they design, market, and provide services to consumers. The result was a shift, particularly from the compliance perspective, in the way that many companies interact with their customers.
The Bureau's emphasis on empowering consumers is perhaps best exemplified by its consumer complaint database, which allows members of the public to submit complaints through a CFPB portal. While the database remains controversial, and there are frequent calls by industry for it to be abolished, there is little doubt the database has become an integral part of most companies' internal compliance function. Today, well-run compliance departments monitor the database closely, respond to consumers in a timely manner, and use any lessons learned as part of a larger feedback loop used to identify and remediate compliance deficiencies.
Regardless of what happens to the Bureau, or to its complaint database, the lesson of putting consumers first is an important one that should remain a key part of every company's day-to-day operations. By considering the potential impact to consumers at every stage of a product's life cycle, from the design stage to the decision to discontinue a product offering, companies can help minimize risk of consumer harm, reduce consumer complaints, avoid costly investigations and enforcement actions, and build brand and customer loyalty.
2. Substantiation—Say What You Mean and Mean What You Say
The CFPB flexed its muscles in 2012 and 2013, when it filed a series of enforcement actions challenging the deceptive marketing of credit card "add on" products, such as credit monitoring and identity theft protection products. According to the Bureau, consumers were regularly misled about the nature, benefits, and costs of these products. These cases established a recurring theme that the Bureau would follow in almost every subsequent enforcement action: marketers of consumer financial services must provide consumers with clear, accurate, and truthful information.
On its face, this seems like an obvious and easy-to-implement concept. However, as the credit card "add on" product cases demonstrated, marketing representations that are conditional on certain factors or later-to-occur actions—even if technically truthful—can be considered deceptive. This means that those responsible for creating or approving marketing copy, including marketing scripts, must have a line of sight into fulfillment, billing, and other functions that could impact the veracity of a representation or a consumer's ability to utilize the service as it was marketed. The need for advertising to be truthful and substantiated, of course, is not unique to the CFPB, which is why companies should continue to design their products, services, and marketing carefully to avoid UDAAP risk. Even if the CFPB pursues a less aggressive enforcement agenda, the FTC, state attorneys general, and state regulators continue to scrutinize company marketing for false, misleading, or deceptive statements, particularly in the debt collection, lead generation, and lending industries.
3. Maintain a Robust Compliance Management System Across Your Business
Financial services providers have invested substantial resources in building and improving upon their compliance management systems (CMS), an area that the CFPB emphasized through its Cordray-era supervisory and enforcement activities. What now, with Cordray's departure and with the potential for deregulation, at least on the federal level?
Anecdotally, it appears that many providers—while optimistic that the Bureau will become more laissez-faire—are not rushing to dismantle their CMS programs. This may be attributable to the sheer capital investment they made to implement these systems, but additional factors likely are at play. As noted above, other regulatory agencies—state attorneys general, in particular—have rushed, even before Cordray's departure, to fill the perceived void created by a Cordray-less CFPB. These regulators tend to care just as much about compliance as the Bureau did with Cordray at the helm, and they have learned from the blueprint established by the CFPB over the past five years. And of course, class action lawyers have never retreated and will continue to survey the landscape for alleged abuses against consumers. In addition, maintaining a CMS, while expensive, also appeals to companies' bottom line: robust CMS assists corporate boards and other leaders and decision-makers with monitoring, understanding, and improving upon business operations and, frequently, the effectiveness of their corporate vendors and service partners.
4. Be Mindful of Risks Posed by Employee Compensation Programs
The CFPB under Cordray put a spotlight on incentive-based employee compensation programs and the risks they pose. Following the Great Recession, investigations and litigation focused on the lending practices of banks and mortgage originators, especially compensation plans that rewarded employees with commissions and bonuses based primarily on the number of loans they originated rather than the quality of those loans. The CFPB's Loan Originator Rule was designed to combat certain of these practices, including those that made compensation contingent on steering customers to certain types of mortgages.
Incentive programs remained a CFPB focus through 2016, with a shift in focus to "add on" products aggressively promoted by financial services providers. The Bureau emphasized that rewarding the risky behavior of employees with compensation risked running afoul of federal and state laws, and financial institutions that did not carefully monitor incentive compensation programs also risked "private litigation, reputational harm, and potential alienation of existing and future customers." CFPB, Production Incentives Bulletin (Nov. 2016). These risks have not vanished simply because Richard Cordray has left the Bureau.
Other agencies, including the Office of the Comptroller of the Currency (OCC), are also evaluating sales practices and are likely to take supervisory action to correct risky activities and improve processes surrounding whistleblower complaints. OCC, Office of Enterprise Governance and the Ombudsman, Lessons Learned Review of Supervision of Sales Practices at Wells Fargo (Apr. 19, 2017). And, as with other compliance-related risks, there are the state attorneys generals to contend with. For example, in November 2017, the New York Times reported that the New York Attorney General's office had launched an investigation into an investment firm's sales practices, including the firm's use of sales quotas and employee bonuses. This type of scrutiny is likely to continue, with or without an aggressive CFPB in the mix.
5. If You Lie Down with Dogs, You Get Up with Fleas
A final key lesson from the CFPB's first five years is that who you do business with matters. Whether it's a vendor, counterparty, or client, the CFPB made crystal clear that the legal and reputational risk of a transaction with a noncompliant person or entity is significant. In this regard, the Consumer Financial Protection Act gives the CFPB and state attorneys general extraordinary authority to pursue companies and individuals for legal violations committed by their service providers and other third parties. More recently, the OCC issued Bulletin 2017-21, which directs banks to perform rigorous oversight of their third-party relationships, including fintech companies, perceived by some to present higher risk.
As a result of these developments, companies have rolled out robust due diligence and audit programs to properly vet and manage third-party relationships. Regardless of how the CPFB, state attorneys general, and other regulators wield this authority in the future, prudent financial institutions will continue to perform diligence on their partners and condition the award of servicer bids or contracts on such partners' willingness and ability to comply with diligence and audit expectations.
* * * * *
For consumer financial services providers the Cordray era was a blur of heightened enforcement, aggressive supervision, and new expectations for compliance and prudent business practices. While the CFPB may be less aggressive moving forward, consumer financial services providers should remember the lessons they learned during the past five years—there are plenty of other regulators and private litigants that will remain aggressive in protecting consumers from unfair, deceptive, or abusive acts or practices.
This article was also published in InsideARM on January 25, 2018.