The CFPB has a number of weapons in its arsenal that it can use to exercise supervisory authority.  Over the last few years, and especially recently, its favorite has been Civil Investigative Demands (CIDs) issued through its Office of Enforcement.

The purpose of this post is to review the CFPB’s CID power and how companies can prepare for a CID.    

What is a CID?

A CID is the primary fact-gathering tool of the CFPB, and CIDs can be issued to both banks and nonbank entities.  While the FTC has had the ability to issue CIDs for many years, the CFPB’s statutory mandate is more expansive.  Also, the manner in which the CFPB is using its CID power is particularly concerning for many in the industry.

The CFPB has the ability to request a significant amount of information regarding company practices.  Specifically, this includes documents, tangible items, written reports, answers to interrogatories and/or testimony.  Because of the broad list of items that can be requested, the CFPB uses its CID authority as the basis for determining whether to bring an enforcement action.

The CFPB generally uses its CID authority in two ways. The most common use occurs when the company receiving the CID is the target of an enforcement investigation.  Alternatively, the CFPB may issue a CID to a company if it believes that the company has information about another company under investigation. The CID need not indicate whether the company is the primary target, so every CID must be dealt with as if the company is under investigation.

Why are CIDs so disruptive to business?

The prospect of receiving a CID is particularly concerning because of the manner in which the CFPB is using this tool.

A CID is typically issued before a formal enforcement action, so the company may receive the CID with no prior notice.  This is compounded by the remarkably short timeframe in which a company must respond.  Typically, the CFPB requires an initial meeting, called a meet-and-confer, to discuss and attempt to resolve the CID within 10 days.  This means that if a company receives a CID on a Friday, it essentially has one week to prepare for the initial meeting with the CFPB.  It is extremely difficult to review and analyze enough information in such a short time period to be able to have a meaningful discussion with the CFPB. Extensions of these timeframes are disfavored, so the CFPB is unlikely to grant an extension.

Additionally, the scope of the CID may be very broad.  Federal law requires the CFPB to advise regarding the “nature of the conduct constituting the alleged violation that is under investigation and the provisions of law applicable to such violation”.  However, some companies that have received CIDs allege that the CFPB is using overly broad language in an effort to uncover as much information as possible.  For example, in the CID that AIG received in 2012, the notification of purpose was “[T]o determine whether mortgage lenders and private mortgage insurance providers or other unnamed persons have engaged in, or are engaging in, unlawful acts and practices in connection with residential mortgage loans…”  The CID will also specify the types of information that must be produced and a timeframe for producing the information.

Can a CID be challenged?

The law allows a company to challenge a CID, but winning the challenge is unlikely. Moreover, there are consequences to a challenge.

A company can petition the Director of the CFPB to modify or set aside a CID after engaging in the meet-and-confer process.  This poses three specific problems. First, the petition to modify or set aside must be filed within 20 days of receiving the CID, and the company must still go through the initial meet-and-confer process.  This means that a company has 10 days to analyze whether to comply or challenge the CID. This may not be long enough to truly consider the scope and potential impact of the CID. Second, the Director of the CFPB is the ultimate decision-maker, so he would have to second guess his enforcement staff to grant a petition to amend or modify.  Also, the appellate standard gives the CFPB enforcement staff significant discretion in issuing the initial CID.  Third, and most notably, while a CID is confidential, a petition to modify becomes public record unless the petitioner shows good reason why it should remain confidential.  So a company is forced to decide between keeping the information private from the general public or filing a petition to modify or set aside.  Not surprisingly, it appears that the CFPB has not yet granted a petition to modify or set aside.

It is worth noting that a CID is not self-executing, meaning that the CFPB would have to sue a company in federal court if the company refused to comply. That being said, we expect that most federal courts would not look favorably on a company that refuses to comply with a CID.

There is a silver lining.  While the CFPB is unlikely to agree to a petition to modify or amend, those who have been through the process have indicated that the CFPB is willing to compromise and negotiate over production schedules and the scope of information covered by the CID.  The key is to have a good reason, present a narrow request, and comply to the extent possible.

How can a consumer finance company prepare for and deal with a CID?

Preparation is the name of the game when it comes to dealing with a CID.  Because the initial response timeframes are so short, there is absolutely no time to waste in “getting your ducks in a row.” This means that if and when a CID arrives, the company must begin working on the response and collecting the information on day one.

The problem with being completely prepared is that there is no way to predict the scope of a CID; and, of course, the content will largely dictate the response.  However, a company should preemptively adopt CID response procedures which will establish the framework for dealing with a CID.