In a previous post, we reviewed the CFPB’s Civil Investigative Demand (CID) authority. Because of the remarkably short response period and very broad demands, companies have had a great deal of difficulty with CIDs. The CFPB’s website publishes companies’ petitions to modify or set aside CIDs and the CFPB’s responses. It isn’t pretty.

Our advice in the previous post was to be prepared for a CID ahead of time. And as we explained last month, there is simply no time to waste in “getting your ducks in a row.” In today’s post, we list steps a finance company can take to line up the ducks.

The first step is to implement a strong “culture of compliance” by adopting a compliance management system. Doing so will mitigate systemic compliance deficiencies, and a comprehensive compliance management system will be the first thing the CFPB expects to see. The best defense to a CID is a good offense.

Step two is to designate a committee of company employees who will supervise the CID response. This group needs to include high-level decision makers from different departments, for example, from the board of directors or management, IT, compliance, and human resources. Companies should also preemptively designate outside parties such as compliance counsel or document management companies. Most importantly, before the company ever receives a CID, each member of the committee must know his or her role and be “on call.”

Step three is to design a response plan and litigation hold policy. There is no way of knowing exactly what a CID will request. However, companies can and should script the relevant questions and issues that the response committee will need to discuss at the initial meeting. For example, the committee should evaluate the financial and operational burdens of compliance, production timelines, staff allocation and whether the company will challenge or try to negotiate the CID with the CFPB.

A litigation hold policy establishes procedures to freeze normal document destruction. The CFPB (or a judge in a lawsuit) will not look favorably on a company that destroys relevant information once the company receives a CID (or notice of a lawsuit), even if the destruction is unintentional or in the ordinary course of business.

The final step is to test the system. Running a CID “fire drill” is good practice for the response committee and it helps establish a comfort level if and when a CID arrives. Companies should consider holding a trial-run “day one” meeting with a mock CID.

When dealing with CFPB CIDs, preparation is the name of the game. Taking these steps ahead of time is smart business. Make sure your ducks fly together.