On June 25, 2013, the Consumer Financial Protection Bureau (CFPB) issued Bulletin 2013-06 identifying "responsible business conduct" that may impact the exercise of its "enforcement discretion." The Bulletin specifies the following four broad categories of conduct that the CFPB "may favorably consider":
- Self-policing: The entity’s investment in a "robust compliance system" that "facilitate[s] early detection of potential violations," including how the conduct was detected, procedures in place to prevent, identify or limit the identified wrongful conduct, whether executives and others high up in the chain of command knew of or participated in that conduct, and whether there were any deficiencies in compliance procedures more generally.
- Self-reporting: The entity’s "prompt and complete" reporting to the CFPB and other regulators as well as to impacted consumers of all violations or even potential violations.
- Remediation: The entity’s efforts to provide "full redress" for impacted consumers, implement procedures to prevent recurrence, and change future conduct. The CFPB will consider how long it took the entity to stop the offending conduct and begin remediation after the conduct was identified, whether there were any consequences for responsible individuals, whether the remediation addressed all monetary and non-monetary harm to impacted consumers, and whether there were any improvements to policies and procedures.
- Cooperation: The entity’s interactions with the CFPB once the CFPB becomes aware of a potential violation must go "above and beyond what the law requires" to receive credit. The CFPB will consider whether the entity undertook a thorough review of the misconduct, promptly made the results of that review available to the CFPB, created a "complete and thorough written report detailing the findings of its review," and voluntarily disclosed of material information not requested by the CFPB.
What’s Really Going on Here?
The CFPB has received criticism about the heavy-handed use of its enforcement authority. Regulated entities and others have raised concerns about the use of enforcement actions to establish policy and the lack of notice about significant new approaches to interpreting the law – particularly for alleged unfair, deceptive and abusive acts and practices. Observers also have noted that enforcement actions do not help establish a "level playing field," something that Congress expressly sought to create with the establishment of the CFPB, by granting it authority over nonbanks.
The CFPB’s stated goal is to "encourage activity that has concrete and substantial benefits for consumers." The CFPB might have been able to further this goal and address concerns raised by regulated entities had it sought public comment and incorporated those comments into its guidance. Instead, the CFPB issued a bulletin that speaks in generalities and creates large carve-outs in a way that may limit the effectiveness of the guidance.
What’s the Ask?
The very general criteria identified by the CFPB are similar to the factors relied on by other agencies, such as the SEC and FINRA, in evaluating corporate conduct in the enforcement context. The FDIC and the OCC apply many of these factors in evaluating whether to impose a civil money penalty and, if so, the amount of any such penalty.
However, unlike those regulators, the CFPB is a new agency with a short enforcement track record that does not provide much of an explanation that regulated entities can use to understand the nature of the violation or the basis for the amount of penalties imposed or restitution ordered. CFPB Director Richard Cordray has consistently indicated that the CFPB will not issue rules to define the parameters of the CFPB’s UDAAP authority, and instead will define that authority through enforcement.1 This is unfortunate in light of industry’s requests for CFPB rulemaking to provide a detailed framework of proscribed conduct rather than requiring regulated entities to try to understand that framework based on the fact patterns presented by enforcement actions.
The Bulletin, like the CFPB’s enforcement actions so far, reflects an assumption that we know it when we see it, not only for violations, but also for "potential violations." It reflects the same assumption regarding the scope of appropriate remediation, including redress for possible non-monetary harm.
It is clear that the CFPB emphasizes early, direct, and thorough action with respect to known and potential violations as well as the need for all involved personnel, including senior executives, to take responsibility and to discipline or correct any such behavior. But the Bulletin does not provide specifics to assist regulated entities in executing on these goals. Identification of actual or potential violations requires complex judgments and analysis of products and procedures that may have been in place for several years. There is nothing straightforward or simple about these decisions.
The same is true for decisions about how to provide full financial remediation. The CFPB has not weighed in on a number of open questions that continue to vex regulated entities, such as the inclusion of interest on any refunded fees or charges and crediting accounts versus sending checks. Nor has the CFPB provided even general guidance on what it means by "additional meaningful remedies" and how an entity might begin to assess, much less address, harm that "goes beyond the amounts the victims may have paid."
What’s the Upside?
In the Bulletin, the CFPB puts "special emphasis" on self-reporting, explaining this category is "worth special mention." The CFPB emphasizes repeatedly in the Bulletin, though, that it is "not adopting any rule or formula, or making a promise to any person," and that there is "no consistent formula" that can be applied to enforcement actions or the determination of civil money penalties. The CFPB further explains that there may be circumstances where "the misconduct is so egregious or the harm inflicted so great, that no amount of cooperation or other mitigating conduct could justify a decision not to bring an enforcement action, or even to forgo seeking the imposition of a civil money penalty." A regulated entity will have to weigh these uncertain benefits with the very significant risks in evaluating whether to self-report.
What’s the Impact?
Despite its lack of specifics, the Bulletin is the CFPB’s first official statement of factors that may result in favorable treatment. These factors create possible bases on which regulated entities can argue against a public enforcement action or for limits on the amount of sanctions or penalties. Presumably, the flip side also is true, meaning the CFPB may be more likely to pursue an enforcement action and may impose higher penalties in the absence of these factors.
So what should regulated entities do? Each institution will have to decide what actions it will take if it sees potential issues as part of its compliance program, and particularly whether it will self-report to the CFPB. Institutions would be well advised to consider the specific matters identified in the Bulletin and how those matters fit within their overall compliance programs.