The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) recently entered into several public enforcement settlements that had the collateral effect of emphasizing the importance of the standards provided in the CFPB’s so-called “Responsible Conduct Bulletin,” (the “Conduct Bulletin”). The Conduct Bulletin describes how the CFPB may bestow benefits upon CFPB-regulated entities that comply with its guidelines after discovering and self-reporting violations of consumer financial protection laws. As demonstrated in a series of recent enforcement actions, these benefits include elimination of or reduction in civil money penalties (“CMPs”), as well as the protection of the identity of a cooperating entity from being named in an enforcement action.
Considering the potential benefits to a CFPB-regulated of adhering to the Bureau’s articulated “responsible conduct,” the CFPB appears to be raising a significant issue that boards of directors of CFPB-regulated entities should consider with respect to their duty of care to a CFPB-regulated entity—to make informed and reasonable business decisions—as well as their duty of loyalty—to always act in the best interest of the entity and its shareholders. Specifically, if directors and officers of a regulated entity fail to consider the CFPB’s “responsible conduct” guidance, and the regulated entity’s conduct ultimately results in fines and/or reputational damage, such conduct potentially raises an issue as to whether the directors fulfilled their fiduciary duties to the regulated entity. Moreover, taken to the extreme, it could be possible that prudential regulators could use the Conduct Bulletin to impose personal liability under Section 8 of the FDI Act against a director (and, in some cases, an officer) for a breach of fiduciary duty to a depository institution or its holding company.
I. Directors Owe a Fiduciary Duty of Care to Their Entities
Fiduciary duties are derived primarily from common law and specific state laws. In general, directors—and, in certain states, officers—must make informed and reasonable business decisions, fulfilling their duty of care, and act primarily in the interests of the corporation, fulfilling their duty of loyalty. To fulfill their obligations under the duty of care, directors and officers must inform themselves “of all material information reasonably available to them” before making a business decision. Aside from these primary fiduciary duties of care and loyalty, the scope of directors’ and officers’ fiduciary duties is flexible; as such, courts have broadly recognized various other fiduciary responsibilities, as necessary to protect a business entity and its shareholders.
Courts afford broad discretion to officers and directors under the so-called “business judgment rule,” which presumes that directors—and in certain states, officers—make informed decisions, in good faith, and with the belief that the decision was made in the best interest of the business entity. However, this presumption is rebuttable by showing that directors and officers made a decision in breach of their duty of care, loyalty, or good faith. If this breach can be proven by a preponderance of the evidence, then directors and officers could lose the protection of the business judgment rule. Where there is a breach and the business judgment rule is not applied, a court will consider whether a business decision was “entirely fair” to the entity and its shareholders, a more stringent standard of review.
II. The CFPB’s So-Called Responsible Conduct Bulletin
Through the Conduct Bulletin, the CFPB seeks to impose standards of conduct on regulated entities that discover possible violations of consumer protection laws, outlining various factors the CFPB will “consider,” in exercising its vast prosecutorial discretion to hold a regulated entity liable for any such violations. While compliance with the Conduct Bulletin does not automatically preclude a CFPB enforcement action, as discussed below, recent enforcement actions provide examples of how engaging in “responsible conduct” can produce tangible benefits for CFPB-regulated entities.
The Conduct Bulletin notes that the CFPB considers a number of general factors in determining whether to proceed with an enforcement action against an entity. These factors include the nature, extent, and severity of the violations; the actual or potential harm resulting from the violations; whether the entity has a history of past violations; and the entity’s effectiveness in addressing any such violations. The Conduct Bulletin further lists four specific factors that the CFPB uses to evaluate whether, in the Bureau’s view, a regulated entity has acted responsibly: (1) self-policing, (2) self-reporting, (3) remediation, and (4) extraordinary cooperation, but this list is not exhaustive. The weight given to each factor by the CFPB will depend on the circumstances of each factual scenario.
According to the CFPB, a regulated entity must be proactive in seeking to prevent violations and detecting violations as early as possible. Self-policing is analogous to self-monitoring. At a minimum, self-policing activity will require an entity to implement a “robust compliance management system appropriate for the size and complexity of a party’s business.” The CFPB acknowledges that self-policing will not always prevent violations, but notes that it should facilitate early detection of potential violations. The appropriateness of an entity’s compliance program will depend on several factors, including whether the entity’s self-monitoring functions previously have been subject to regulatory examination, the pervasiveness of the violation, the method or manner of detecting the violation, and—most notably—whether the entity has a “culture of compliance” that has been instilled from the top of the entity down throughout the organization.
A factor on which the CFPB places “special emphasis” in its analysis of responsible conduct is self-reporting. The CFPB notes that this factor substantially advances the CFPB’s protection of consumers and reduces the resources the agency must expend to identify potential or actual significant violations by making such resources available for other significant matters. This is important because it suggests that it is not necessary to self-report every single violation, but rather only those that might be “significant.” While the CFPB does not provide guidance as to how it determines what kind of violation is significant, it appears some compilation of the general factors determines when the CFPB may take action. Thus, if a regulated entity determines that it has committed a significant violation, self-reporting requires prompt and complete disclosure of the identified law violation to the CFPB. The Bureau will then consider the completeness and timeliness of the disclosure (reporting delays may be acceptable where justifiable), as well as whether harm to potential or actual harm to consumers has been mitigated.
The Conduct Bulletin provides that the Bureau will consider the steps a regulated entity has taken to remediate an identified violation. Remediation entails a determination of whether consumers who have been harmed by a violation or potential violation have been made whole, and whether the entity has changed its compliance procedures to prevent similar future harm. When analyzing this factor, the CFPB will consider whether the entity has taken action against those responsible for the misconduct, how quickly and effectively the entity identified consumer harm, how consumers were made whole, and whether the entity resolved any incentives for harmful future behavior.
D. Extraordinary Cooperation
The most important but also most challenging factor in the Conduct Bulletin is the requirement for cooperation with the Bureau. The CFPB emphasizes that ordinary cooperation will not suffice, but rather a regulated entity must demonstrate “substantial and material steps above and beyond” the level of responsiveness to the CFPB required by law. The CFPB specifically notes that this factor requires a regulated entity to cooperate promptly and completely, undertake thorough reviews of compliance issues, disclose material information related to the potential law violation not specifically requested by the CFPB, and direct its employees to cooperate with the Bureau. To date, the CFPB has not required the waiver of legal privileges, such as attorney-work product, or the ability to discuss potential disagreements over evidence as an element of cooperation. Such a required waiver is particularly unlikely in light of the significant criticisms garnered by the so-called U.S. Department of Justice (“DOJ”) Thompson Memorandum, in which the DOJ suggested that corporations must waive privileges in order to be deemed cooperative during an investigation.
III. CFPB’s Enforcement Settlements Implementing the Bureau’s Conduct Bulletin
In the context of several enforcement settlements since the Conduct Bulletin was issued, the CFPB has referenced “responsible conduct.” In matters formally resolved, the CFPB has rewarded “responsible conduct” by reducing or eliminating the assessment of civil penalties on a regulated entity. More recently, “responsible conduct” was used to shield the identity of an entity that identified and cooperated with the Bureau with respect to a self-reported violation.
One of the first public settlements involving “responsible conduct” involved an auto lender and its service provider that allegedly violated a consumer financial protection disclosure law and the prohibition against deceptive acts and practices. The CFPB noted that these entities proactively altered problematic aspects of their program and readily worked with the Bureau to remediate consumer harm. As a result, in accordance with the Conduct Bulletin, the Bureau did not assess a civil money penalty in the settlement of the matter.
The CFPB also relied on tenets of the Conduct Bulletin in two other enforcement settlements. In the first, the CFPB took action against a bank for deceptive marketing and illegal discrimination. While the bank was required to pay civil money penalties of $3.5 million in connection with the deceptive marketing action, the CFPB explained that it would not require penalties for the bank’s discriminatory conduct because the bank self-reported the violation to the CFPB, instituted its own remediation plan to compensate consumers, and cooperated effectively with regulators.
In another settlement, the CFPB suggested that it favorably considered a mortgage lender’s self-reporting, admission of liability, and cooperation throughout the investigation in the agency’s assessment of an $83,000 CMP for a Real Estate Settlement Procedure Act (“RESPA”) violation. Presumably, the CFPB-imposed CMP would have been significantly larger if the mortgage lender did not exhibit “responsible conduct.”
Through recent enforcement actions, the CFPB demonstrated that adherence to its expected “responsible conduct” standards may result in an entity avoiding being named in an enforcement action altogether. Specifically, in three recent settlements, financial institutions were alleged to have violated the RESPA prohibition against kickbacks in real estate transactions, with contrasting results based on the level of “responsible conduct” exhibited by each institution. One institution was lauded for complying with the CFPB’s “responsible conduct” standards and, as a result, the CFPB neither publicly named nor assessed any civil penalties against this financial institution. While the CFPB did not detail regarding the specific “responsible conduct” demonstrated by the institutions but the Bureau did indicate that the institution “self-reported” the potential law violations, terminated the employee(s) involved in the alleged unlawful activity, cooperated with the Bureau, and instituted its own remediation plan. With respect to the other institutions, the CFPB assessed more than $24 million in CMPs and required more than $11 million in restitution. This “disparate” treatment raises the question—if the other two institutions had demonstrated the requisite “responsible conduct,” could they have avoided the substantial fines ultimately borne by their shareholders?
IV. Do Directors Have an Obligation to Consider the CFPB Conduct Bulletin?
The consequences imposed on two large banks assessed CMPs apparently for not meeting the CFPB’s “responsible conduct” criteria in addressing a violation of consumer financial laws raises a significant question for CFPB-regulated entities. At the heart of the issue is whether and to what extent the guidelines set forth in the Conduct Bulletin must be considered in evaluating whether a director of regulated entity is satisfying his or her fiduciary duty of care.
The Conduct Bulletin is an attempt by the CFPB to impose regulator-mandated best practices when a violation of consumer law is identified. While the CFPB appears to be seeking a standardized methodology for consumer finance providers to address self-identified violations of law, the voluntary nature of the Conduct Bulletin is different from a mandate to comply with a legal obligation, such as under the Sarbanes-Oxley Act or as proposed with respect to the Bank Secrecy Act and anti-money laundering requirements contemplated by the New York Department of Financial Services (“DFS”).
These recent CFPB enforcement actions demonstrate, however, that there are clear financial and reputational benefits, including reduced penalties and more favorable enforcement outcomes, to satisfying the CFPB criteria set forth in the Conduct Bulletin. Directors’ compliance with the Conduct Bulletin is voluntary; however, directors of a regulated entity should ensure that the regulated entity’s policy for addressing any self-identified consumer protection violations includes consideration of the CFPB’s Conduct Bulletin. Even if directors do not seek to comply fully with the Conduct Bulletin, the existence of a strong and effective compliance program could act to insulate a regulated entity’s board of directors from allegations that the board failed to act in accordance with its fiduciary duty of care vis-à-vis a violation of consumer law. Similarly, even with a meaningful compliance program in place, directors should make a well-informed and well-documented decision about how to address a self-identified consumer law violation, with full knowledge of the possible risks associated with not fully adhering to the guidelines in the Conduct Bulletin.
The strong presumption of the business judgment rule has not been eviscerated by the Conduct Bulletin and remains a doctrine that is not easily rebutted. Nonetheless, examination of the impact of recent enforcement actions by the CFPB apparently exempting or reducing penalties against regulated entities deemed in compliance with CFPB “responsible conduct” criteria, while imposing significant civil money penalties on entities that do not, warrants the attention of directors and officers of regulated entities in the event that consumer financial law violations are identified.
V. Action Plan The broad nature of the Conduct Bulletin—as well as the CFPB’s own statement that there is no “consistent formula” an institution may follow to demonstrate compliance with its guidance—creates significant challenges for regulated entities seeking to adopt “responsible conduct” policies and procedures. Entities subject to CFPB enforcement authority should create an action plan to address each of the components of the Conduct Bulletin to ensure they have, at a minimum, the following:
- a compliance system that attempts to meet the CFPB’s description of appropriate self-policing;
- a system for prompt and effective remediation of harm caused by potential compliance lapses, as appropriate;
- an appropriate policy to document whether identified compliance issues should be self-reported and handled in accordance with the CFPB’s Conduct Bulletin; and
- a strategy for appropriately engaging and cooperating with CFPB staff when seeking to apply the Responsible Conduct Bulletin to an identified violation.
A key consideration in crafting such an action plan is the CFPB’s stance that mere compliance with the law and Bureau requests will not be considered favorably in the exercise of the CFPB’s enforcement discretion. Rather, the CFPB expects that an entity must significantly surpass the standards set by law in its compliance systems and engagement with regulators in order to mitigate the consequences of potential violations. Notwithstanding the CFPB’s “responsible conduct” factors set forth in the Conduct Bulletin, the CFPB cannot eliminate the obligations of boards of regulated entities to act only after evaluating and considering their duties of care and loyalty to their regulated entities and their shareholders.