On June 25, 2013, the Consumer Financial Protection Bureau (CFPB or Bureau) issued CFPB Bulletin 2013-06 to announce its “Responsible Business Conduct” policies. The bulletin lays out, in very general terms, suggestions for how companies might curry favor with the Bureau’s Office of Enforcement by engaging in voluntary self-policing, self-reporting, remediation, and cooperation activities. The bulletin is available at [link to http://files.consumerfinance.gov/f/201306_cfpb_bulletin_responsible-conduct.pdf].
The policies described in the bulletin were clearly influenced by similar policies formalized by the Securities and Exchange Commission in recent years, as well as best practices embodied in the Federal Sentencing Guidelines, but as with any cooperation initiative, they will be successful in modifying behavior only if the Bureau can convince businesses that they will actually be treated considerably more leniently in return for their efforts and unsolicited confessions. Unfortunately, the strong disclaimers and high hurdles scattered throughout the bulletin tend to send the opposite message. For example, the bulletin provides:
[T]his guidance, and its description of activities that may warrant favorable consideration, is not adopting any rule or formula, or making a promise to any person about any specific case. The Bureau is not in any way limiting its discretion and responsibility to evaluate each case individually on its own facts and circumstances.
In short, the fact that a party may argue it has satisfied some or even all of the elements set forth in this guidance will not foreclose the Bureau from bringing any enforcement action or seeking any remedy if it believes such a course is necessary and appropriate.
[I]n order for the Bureau to consider awarding affirmative credit in the context of an enforcement investigation, a party’s conduct must substantially exceed the standard of what is required by law in its interactions with the Bureau.
In order to receive credit for cooperation in this context, a party must take substantial and material steps above and beyond what the law requires in its interactions with the Bureau. Simply meeting those obligations will not be rewarded by any special consideration.
The CFPB’s specific suggestions regarding what activities will demonstrate "responsible business conduct" are all fairly straightforward and intuitive. For example:
- Self-Policing: If a company identifies problems through self-auditing, the Bureau will consider how the violation or potential violation was detected, who uncovered it, and what compliance procedures or self-policing mechanisms were in place to prevent, identify, or limit such conduct.
- Self-Reporting: In deciding whether to give favorable consideration to parties that voluntarily inform the CFPB of their violations, the agency will evaluate whether the parties completely and effectively disclosed the conduct and whether they proactively self-reported or waited until discovery or disclosure was likely to happen anyway, due, for example, to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or pending investigations.
- Remediation: The Bureau will consider how potential violators responded after discovering their own misconduct — what steps they took, how long it took to implement an effective response, and whether there were any consequences imposed on the individuals responsible for the misconduct.
- Cooperation: The CFPB will evaluate whether violators cooperated completely throughout the course of regulatory investigations, identified additional related misconduct likely to have occurred, and provided sufficient evidence to facilitate enforcement actions against other violators.
While the bulletin identifies four avenues by which companies might avoid or mitigate enforcement action, it explicitly values self-reporting of potential violations far above the other three:
Of the four categories, however, prompt and complete self-reporting to the Bureau of significant violations and potential violations is worth special mention. … [T]he Bureau puts special emphasis on this category in its evaluation of a party’s overall conduct.
In fact, close analysis of the bulletin reveals that many of the activities discussed under the headings of self-policing, remediation, and cooperation are in reality just aspects of self-reporting.
Of course, voluntary self-reporting can be very risky, and therefore may be difficult to justify. The decision to self-report is a fact-and-circumstance-intensive one, and companies must weigh their degree of confidence in the Bureau’s likely level of leniency in light of the disclaimers and hurdles presented in the bulletin. Without more concrete commitments, the Bureau may not have much opportunity to demonstrate to businesses that simply remaining silent after fixing internally discovered problems is not their best course.