Shortly before the Consumer Financial Protection Bureau (CFPB) revealed the details of its first enforcement action, a $210 million settlement with Capital One Bank on July 18, 2012, the Bureau announced that it had adopted broad rules outlining how it will investigate potential violations of consumer financial laws and regulations. These rules, which are expressly modeled on procedures that have been utilized previously by the Federal Trade Commission, the U.S. Securities and Exchange Commission and other bank regulators, have eight major components:
- Non-Public with a Caveat. Although CFPB investigations are generally non-public, they may be conducted jointly with other state and federal regulators. Regulated entities undoubtedly are concerned that information provided to the CFPB could be shared with states' attorneys general and eventually find its way to plaintiffs' lawyers and fuel class action litigation.
- CIDs. The basic tool used by the CFPB will be the "Civil Investigative Demand" or CID, a form of subpoena to require testimony, documents, responses to written questions, or other materials. CIDs must specify (a) the nature of the conduct constituting the alleged violation under investigation, (b) applicable law, (c) enforcement staff involved, (d) instructions for dealing with ESI (electronically stored information), and (e) the deadline for response, typically 30 days from issuance.
- "Meet and Confer" Procedures. Within 10 days after receiving a CID, the recipient must "meet and confer" with CFPB staff if the recipient wishes to discuss potential modifications. The recipient's basic strategies in this meeting will be to specify the portions of the CID that pose a special burden, quantify the nature of that burden, and propose alternative means of trying to address the subject matter covered by the problematic requests. Though not expressly addressed in the rules, standard procedures in other regulatory investigations dictate that recipients should also promptly issue a document retention notice and suspend any automatic deletion of ESI.
- Petitions to Modify or Set Aside. Within 20 days after receiving a CID, recipients may file a petition to modify or set aside the CID, addressing subjects discussed at the meet and confer but not resolved to the recipient's satisfaction. The CFPB rules expressly disfavor extensions to that 20-day deadline, making early and active negotiations crucial. Once filed, however, a petition to modify automatically stays the deadline for responding to the CID, pending a ruling. CFPB staff may respond to the petition without sharing that response with the petitioner and, ultimately, the CFPB's director resolves the issue. The rules contain no provisions for judicial review of the director's decision, leaving petitioners with no alternative apart from refusing to produce the required information and raising the objections in response to a subsequent CFPB motion seeking a court order to enforce the CID. One caveat is that the rules provide that the petitions are part of the public record unless the CFPB determines otherwise based on a showing of good cause at the time the petition is filed.
- Privilege Issues. Rather than raising privilege issues through a petition to modify, recipients must identify any documents withheld on grounds of privilege in a "privilege log." Inadvertent disclosure of privileged information results in no waiver of the underlying privileges, provided the recipient took reasonable steps in the first place to prevent the disclosure and to rectify the error once discovered, including notifying the CFPB investigator, who must return, sequester or destroy the inadvertently produced materials.
- Counsel's Role; Limited Rights to Object. While recipients may have counsel present for on-the-record testimony, the opportunity to confer with counsel and for counsel to make objections is limited to situations in which a "constitutional or other legal right or privilege, including the privilege against self-incrimination," is at stake. To the inevitable frustration of many parties and counsel, objections that a subject is beyond the scope of the investigation or otherwise irrelevant purportedly will not be permitted. Counsel may request, however, that the examiner permit the witness to clarify responses, and the witness may review and make changes to the transcript.
- CID Enforcement. If a recipient fails to comply with a CID, the CFPB may initiate federal district court enforcement proceedings in the district where the subject resides, is found or transacts business. The Bureau may seek contempt or "other appropriate relief" where a court order enforcing a CID has been violated.
- Notice of Potential Violations. If the CFPB decides to take enforcement action following an investigation, it may provide a "discretionary" notice of potential violations and allow a written response. The objective of this process is to give potential enforcement targets an opportunity to present their arguments and be heard before an action is formally approved or commenced. That opportunity for notice may be denied, however, in cases of ongoing fraud or in which the CFPB perceives a need to act quickly. The CFPB brings enforcement actions for violations in administrative proceedings or in state or federal court, and may also refer investigations to other federal, state or foreign agencies.
As the agency vested with primary authority to enforce federal consumer financial laws, the CFPB has broad enforcement powers, including the ability to collect civil money penalties ranging from up to $5,000 per day for "first tier" violations to $25,000 per day for reckless violations, and $1 million per day for knowing violations. The Bureau may also seek a range of other remedies, including rescission of contracts, refund of money, return of real property, restitution, disgorgement of profits or other compensation for unjust enrichment, damages, public notification of the violation, and "conduct" restrictions (i.e., future limits on the target's activities or functions). It has no criminal authority, but is required to notify the U.S. Attorney General if it finds evidence of criminal violations.
The expansive scope of the CFPB's jurisdiction and powers warrants that companies identify and promptly address areas of potential exposure through internal risk assessment, compliance procedures and training programs. Although the nature of a company's business and risk profile will dictate its specific compliance approaches, the CFPB has consistently made clear that its analysis will start (and likely end) with customer complaint data, and all regulated entities should be improving their systems for collecting, analyzing and responding to customer complaints.