A trend is being spotted in the enforcement activity of the Consumer Financial Protection Bureau (CFPB or Bureau). That is the vigorous cooperation as between the CFPB and other prudential bank regulators working together to protect consumers. This trend gives new life to the old adage that two is stronger than one, and a three (four or five for that matter) fold accord is not easily broken. The trend also suggests a stronger and more fortified financial stability oversight body, one that no longer looks at safety and soundness, and compliance with consumer financial laws as two separate silos. But is this trend here to stay? Will the regulators seize this opportunity? Such collaboration is unusual, and particularly challenging as between multiple agencies due to their respective mandates, manpower, budgets, priorities and jurisdiction. But now armed with a mandate to cooperate in supervisory activities, the prudential regulators and the CFPB can assist each other with spotting areas of non-compliance that may have been overlooked or beyond reach in times past. This article briefly explores this trend, its impact, and its staying power.
Quick Overview of Power to Enforce & Supervise
Congress, in enacting Title X of the Dodd Frank and Consumer Protection Act (Title X), granted the CFPB primary enforcement authority over large banks1 concerning Federal consumer financial law.2 As such, a prudential regulator’s ability to enforce compliance with Federal consumer financial law is limited to the “backup and enforcement procedures” described in Section 1025(c), Title X.3 Importantly, however, Title X did not usurp a prudential regulator’s (e.g. FDIC, OCC or Board of Governors), power to impose a civil penalty against an insured depository institution or institution-affiliated party for a violation of other laws or regulation.4 Section 5 of the Federal Trade Commission Act, (FTC Act), is one of those other laws.5
In addition to the enforcement authority, the CFPB was given exclusive supervisory authority to require reports and conduct examinations for several purposes, including “assessing compliance with the requirements of Federal consumer financial laws.”6 Significantly, the CFPB considers its supervisory responsibility, in particular, its assessment of compliance management systems employed by financial institutions one of its “most important responsibilities.”7 However, its grant of power is not without checks and balances. Per Section 1025(c), Title X, and the facilitating Memorandum of Understanding on Supervisory Coordination, (MOU), dated May 2012, the CFPB must coordinate with prudential regulators to avoid conflicts with regards to their supervisory responsibilities. This includes coordination in examinations of covered institutions concerning covered supervisory activity.8 Per the MOU, covered supervisory activity, includes, but is not limited to, compliance with Federal consumer financial laws, Section 5 of the FTC Act and other Federal laws that are not Federal consumer financial laws.9 At bottom, prudential regulators have supervisory power to ensure compliance with the FTC Act, and other laws, and the CFPB has the power to supervise and enforce UDAAP and all other Federal consumer financial laws, but as evidenced by the MOU and as highlighted herein, there are clear points of convergence as between them.
In addition to the above, the respective mandates of the CFPB and the prudential regulators also differ. Generally, prudential regulators’ focus is the safety and soundness of the depository institutions, whereas the CFPB is tasked with administering, implementing and enforcing Federal consumer financial law. But note, while their respective mandates differ, they too converge at times such as in the area of compliance management systems, and coordination on those points of convergence, at least so far, appear effective.
How is this all going to play out in the days ahead?
If the recent Discover Bank10 and American Express11 enforcement actions, have taught us anything, it is that the cohesive and coordinated activities are effective and in full swing. The result of which appears to be higher penalty costs, with tighter board oversight and compliance mandates. But are these cohesive and coordinated activities here to stay? Both the Discover Bank and American Express actions started with investigations by the prudential regulators prior to the transfer of consumer financial protection functions, per Section 1061, Title X. 12 Whether the prudential regulators remain as active in the CFPB’s enforcement actions in days ahead remains to be seen. But one thing is clear, if effective over time, the collaboration will ultimately change the covered industry.
The Discover Bank Enforcement Action
On September 24, 2012, the Federal Deposit Insurance Corporation (FDIC) and the CFPB announced their joint public enforcement action against Discover Bank, related to alleged deceptive telemarketing and sales tactics in the sale of four credit card add-on products.13 The joint action concluded with a Consent Order requiring Discover Bank to refund $200 million to 3.5 million customers and to pay a civil penalty in the amount of $14 million. Concerning the civil monetary penalty, $7 million will go to the U.S. Treasury, and $7 million will go to the CFPB’s Civil Penalty Fund. The settlement also required Discover Bank to take certain corrective actions with respect to its compliance management systems. Furthermore, the Consent Order expressly provides that Discover Bank must pay the civil monetary penalty itself, and expressly prohibits any indemnification from a third party.
Interestingly, this action into the alleged deceptive practices first began with the FDIC as early as 2011, who then worked closely with the CFPB in the investigation. It also followed an action that was first filed by the Minnesota Attorney General, who sued Discover Bank in December 2010, for actions related to its telemarketing practices, (e.g., related to its service providers).14 In brief, the Minnesota Attorney General action looked at practices from 2009 and claimed that Discover Bank and its affiliated processing company made “aggressive, misleading and deceptive” telemarketing calls to sign up people for products.15 In contrast, the FDIC’s and CFPB’s joint action covered a much larger span of time, e.g., December 1, 2007 through August 31, 2011. The joint enforcement action also marked the second time the CFPB had worked closely with a prudential regulator to address what it perceived as deceptive marketing of credit card add-on products, and the second time it pursued enforcement related to service providers.16 The first, was the joint enforcement action between CFPB and the Office of the Comptroller of the Currency (OCC) against Capital One Bank, (USA), N.A., (Capital One) which resulted in $210 million in restitution and civil monetary penalties, which, as in the case of Discover Bank, cannot be paid by any other party.17
The Discover Bank Consent Order18 states that the FDIC and the CFPB determined that Discover Bank engaged in deceptive acts and practices in violation of Section 5 of the FTC Act and in violation of Sections 1031 and 1036, Title 10. Of particular note is that the FDIC further determined that Discover Bank had also engaged in unsafe or unsound banking practices.19 This determination of unsafe and unsound practices hints of a convergence of interests as between the FDIC and the CFPB. More than that, it is a clear sign to supervised entities that the FDIC will remain vigilant in looking at these types of violations as part of its coordinated review of covered supervisory activities in days ahead. Certainly for supervised entities, this suggests that the days of viewing safety and soundness, and compliance with Federal consumer financial law, Section 5 of the FTC Act and the like as two distinct compliance silos are gone.
This sign was echoed by Richard Cordray, Director of the CFPB, who stated at the time the settlement was announced, “we are signaling as clearly as we can that other financial institutions should review their marketing practices to ensure that they are not deceiving or misleading consumers into purchasing financial products or services.”20 Covered persons have been taking note. For instance, it has been reported that Bank of America has stopped offering certain products to new customers, such as “Credit Protection Plus” and “Credit Protection Deluxe.”21 Further, Citigroup has reportedly paused its telephone sales of payment-protection products while it reviews its sales practices in light of the CFPB’s recent guidance on credit-card add on products,22 and J.P. Morgan Chase reportedly stopped offering payment protection to new customers in October 2011.23
The American Express Enforcement Action
On October 1, 2012, the CFPB, the FDIC, the OCC, the Federal Reserve and the Utah Department of Financial Services (UDFS), all issued press releases related to their own respective actions and settlements with one or more American Express related entities.24 The respective settlements arose from activities discovered by the FDIC and the UDFS during a routine exam of the American Express subsidiary, American Express Centurion Bank.25 That examination resulted in an investigation, which was transferred in part to the CFPB in 2011.26 Upon transfer of the investigation, the CFPB and FDIC jointly pursued the matter.27
In addition to the above, the CFPB also pursued two other entities that it had jurisdiction over, including American Express Travel Related Services Company, Inc., and American Express Bank FSB. Overall, the CFPB’s investigations, which covered a span of time from 2003 - 2012, identified violations of Federal consumer financial law covering a broad spectrum of customer contact, including shopping for cards, applying for cards, payment of charges and paying off of debt.28
Concerning American Express Centurion Bank, the CFPB and FDIC jointly stated that they had reason to believe that it “engaged in unsafe or unsound banking practices,” and violations of Section 5 of the FTC Act, Sections 1031 & 1036 of Title X, the Truth in Lending Act (TILA), as amended by the Credit Card Act, Regulation Z, the Fair Credit Reporting Act, the Equal Credit Opportunity Act and Regulation B.29 This joint statement is a potent example of how the convergence of mandates, when brought together in a cooperative effort can result in a substantial impact. Overall, the American Express entities will pay $27.5 million in civil monetary penalties and $85 million in restitution. Undeniably, the joint Consent Order, and the multi-agency resolution was a coordinated effort, and one that undoubtedly took tremendous effort.
That is not the end of the story. The CFPB’s Consent Orders are chock full of information intended to educate the covered industry, and for that reason a recommended read. Along those lines, several key take-aways should be noted. First, the CFPB Consent Orders with American Express Centurion Bank and American Express Bank, FSB, contain comprehensive compliance, management, internal audit and Board oversight requirements. For instance, there are multiple reporting requirements and directives to retain an independent management consultant, an independent auditor, and a compliance program consultant, just to name a few. Consequently, covered entities should, if not yet aware, familiarize themselves with the CFPB’s Supervision and Examination Manual which covers its expectations regarding compliance management systems.30 In there the CFPB compares its expectations to those of the Federal Reserve with regards to large banking organizations,31 and clearly connects an effective compliance management system with effective compliance with Federal consumer financial laws. This point was reiterated by the CFPB when it recently warned that, “[W]ithout such a system, serious and systemic violations of Federal consumer financial law are likely to occur.” This is another point of convergence as between the CFPB and prudential regulators, and one wherein the covered industry should expect to see more activity in the days ahead.
Further, as with the Capital One and Discover Bank enforcement actions, the CFPB again found violations of Sections 1031 and 1036, of Title X, in relation to the actions of a service provider.32 Specifically, the CFPB found that the American Express Travel Related Services Company, Inc., acting as a service provider to its subsidiary banks, engaged in deceptive debt collection and marketing practices.33 As part of its Consent Order American Express Travel Related Services Company was required to make restitution and pay a civil monetary fine. Moreover, as with the CFPB’s other Consent Orders, it may not seek or accept indemnification from a third party.
Time Will Tell
The American Express enforcement action was both the CFPB’s third enforcement settlement and the third time it acted jointly with other prudential regulators. It was a multi-layered, multi-party, comprehensive effort which all started from a routine exam by the federal and state prudential regulators. The successful resolution and magnitude of the action could not have been accomplished but for the collaborative and cooperative effort of the CFPB working together with the prudential regulators and vice versa. But is this trend here to stay? A few clues in the Consent Orders, such as the convergence of interests on multiple points combined with the broader reach of enforcement, and impact from restitution, and civil monetary penalties strongly hints to the conclusion that “yes,” it is here to stay. This conclusion is further supported by the MOU the CFPB entered into with the prudential regulators in May 2012, long after the CFPB had taken over certain investigation responsibilities in both the Discover Bank and American Express actions. But at the end of the day, as the other adage goes…only time will tell if this new level of cooperation and corroboration is here to stay.