The Consumer Financial Protection Bureau (“CFPB”) has investigations underway that span the full breadth of the Bureau’s enforcement authority over providers of financial products and services and their vendors.  If your company is the recipient of a civil investigative demand (“CID”) from the CFPB the process is not an easy one.  You have to issue a record retention notice, negotiate the scope of the CID, collect responsive information and materials, respond to the CID, and then wait for the CFPB to make decision on whether it will bring an enforcement action or close the investigation. 

All of this can be challenging, especially since the CFPB is still in the process of rolling out regulatory reforms and articulating its positions.  On top of this, for many nonbanks, the CFPB has or will be able to exercise supervision authority and launch examinations of business practices.  (For depository institutions with assets over $10 billion the CFPB already has supervision authority).  As a result, there is likely no escaping additional CFPB scrutiny in the future—even after the investigation is concluded.

When the CFPB launches an investigation, it operates under its procedures for investigating whether persons have engaged in conduct that violates federal consumer financial law.  The CFPB’s investigation rules are somewhat similar to those used by other regulators, such as the Federal Trade Commission, and they establish the procedures the CFPB follows when conducting investigations.  CFPB investigations generally will not be made public by the Bureau until a public enforcement action is filed or consent order is issued.

While the CFPB has the power to compel information in an investigation, the CFPB’s investigatory process is not self-executing.  Accordingly, when a CID is received, the recipient first must decide whether to (1) petition the CFPB for an order modifying or setting aside the CID, or (2) negotiate the scope of the CID.  These decisions must be made quickly.  The CFPB’s rules require the CID recipient and the CFPB to meet and confer within 10 days on the terms of compliance with the CID, including appropriate limitations on the scope of the request, issues related to electronically stored information (“ESI”), issues related to privilege and confidential information, and a reasonable time for compliance.  Moreover, the CFPB rules allow only for a short window—20 days—to petition the CFPB for an order to modify or set aside the CID. 

Accordingly, a CID recipient must decide quickly on an approach and overall strategy to navigate the investigation and identify long- and short-term goals.

 Petition to Modify or Set Aside the CID

The Consumer Financial Protection Act (“CFPA”) provides a mechanism whereby the recipient of a CID may challenge a CID by filing a petition with the CFPB Director seeking a petition to modify or set aside the CID altogether.  When deciding whether or not to file a petition, the recipient of a CID must balance many factors.  For instance, while the investigation itself is nonpublic, a petition to modify or set aside the CID is made public by the CFPB.  On the other hand, under FTC precedent, the failure to file a petition could result in the waiver of any objections to the CID. 

The CFPB’s regulations relating to petitions to modify or set aside a CID impose the following requirements:

  • Timing.  A petition must be filed within 20 days after service of the CID.  However, if the return date on the CID is less than 20 days after service, the petition must be filed prior to the return date. 

  • Requests for Extension of Time.  The Assistant Director of the Division of Enforcement may grant a request for an extension of time to file a petition (although such requests are disfavored).

  • Substance.  The petition must set forth all assertions of privilege or other factual and legal objection to the CID, including all appropriate arguments, affidavits, and other supporting documentation.

To date, the CFPB has issued only one decision in response to a petition to modify or set aside a CID.  In this order, the CFPB Director denied the request and ordered the recipient to comply with the CID.  The Director cited the CFPA and the broad latitude in the use of investigative subpoenas afforded to administrative agencies in order to advance the government’s duty to enforce the law.  As a result, the decision process on whether to petition the CFPB or negotiate can feel like a catch-22 situation that is setup to result in cooperation.

 Negotiating the Scope of CID Request

The key to successfully negotiating a CID is preparation and working quickly.  The CFPB typically will not grant a modification to a CID request unless the justification for the modification is both legitimate and specific.  The more details you provide the CFPB to support your rationale for seeking the modification and substantiate claims of burden—especially with respect to any technical burden imposed on the company—the greater likelihood you will succeed.  It also is advisable to offer specific alternatives and suggestions for responding to the requests instead of simply asserting that the requests are too broad. 

The first opportunity you likely will have to discuss the scope of the CID with the CFPB and negotiate the terms of compliance is during the mandatory meet and confer with the CFPB attorneys, which is supposed to take place within 10 calendar days after receipt of the CID.  In order to be prepared for the meet and confer, you must quickly assemble a legal team, assess the scope of the CID, consult with the relevant IT and business personnel, and outline, request-by-request, a proposal for modifying the CID.

There are many ways to push back on the scope of a CID, and all options should be put on the table in order to reach maximum results.  While each CID is different and highly dependent on the underlying legal issues and facts, there are several areas common to all CIDs that greatly affect the burden and cost of complying with a CID.  Below we provide an overview of these areas and some suggestions.

  1. Applicable Time Period.  Each CID includes a defined time period covered by the CID.  Typically the CFPB will seek information and materials going back several years, until “the date of full compliance with this CID.”  Although the CFPB may not agree to a blanket modification to the applicable time period, it may consider limiting the time period for select requests. 

  2. Definitions.  It is easy to overlook the Definitions section of the CID and go straight to the CID requests, but it is important to review the definitions carefully because they greatly affect the scope and burden of the CID.  For instance, the CFPB typically defines the term “company” broadly to include the CID recipient plus all entities affiliated with the recipient—even if those affiliates are in different lines of business than the recipient.  Depending on the company, this could significantly expand the scale of the document/data collection and review.  This is particularly true for larger entities with complicated corporate structures.    

  3. Redundant or Superfluous Documents.  Like other government investigators, the CFPB typically will phrase its requests as broadly as possible to capture all documents and information (using phrases such as “all documents relating to”).  Often times such requests require the production of numerous copies of materials that are, in all material respects, identical.  For instance, a request for all consumer contracts could potentially require the production of millions of contracts, all of which are identical except for the name and signature of the consumer.  Consider offering the CFPB models, templates, or samples of documents in lieu of a full production to reduce the overall burden and cost of the document production.  Further, companies that are publicly traded will have disclosed through filings with the Securities and Exchange Commission information that may duplicate information responsive to the CID.

  4. ESI Considerations.  The search, collection, and production of ESI are particularly daunting when dealing with a CID.  You should treat the issue of ESI here the same as you would in civil litigation.  At a minimum, you will need to (1) issue a records retention notice to ensure all potentially responsive ESI is preserved, (2) confer with your IT staff to identify potential sources, locations, and storage and retrieval mechanisms of ESI, and (3) work with the IT and business departments to determine the nature and volume of potentially responsive ESI.  Depending on the volume of potentially responsive ESI and the degree of difficulty of retrieving it, you may need to narrow the amount of ESI collected.  To do so, you will need to present to the CFPB information about the unavailability, inaccessibility, or excessive volumes of ESI.  In any event, the first step will be to understand where and what ESI is held by the company and how that fits with the requests of the CID.

  5. Privileged and Confidential Information.  The CID likely will require you to identify all materials withheld or redacted on the grounds of privilege.  The process of identifying privileged documentation and creating a privilege log may, depending on the nature of your business, be extremely time consuming and costly.  Consider ways to modify the scope of the CID to minimize this burden (for example, excluding the company’s lawyers from any custodian lists).   At the same time, it may be useful to consider whether privileged material would be useful to disclose and whether it can still be protected with causing waiver issues.

  6. Time for Compliance.  Regardless of what you ultimately negotiate with respect to the terms of compliance with the CID, you should consider requesting a rolling production of information and documents, in order to help manage the time and resources needed to respond to the requests.  Whether the CFPB will grant the request will depend upon the circumstances and if it’s a “win-win” for both parties.  Obviously, an extension and rolling production can allow the CFPB to receive some materials sooner, but also it can give recipients of a CID valuable time to collect and process other information that is potentially responsive to the request.

Responding to a CFPB investigation can be a difficult process.  A company that is the recipient of a CID will be better able to be successful if it understands and minimizes its risks and at the same time maximizes its opportunity for a successful long-term relationship as a regulated entity.  The decision to challenge a CID or to negotiate the terms of the CID, and that negotiation, is just the first step on this long road.