Enforcement, Corrective Action, and Self-Reporting Issues
Coauthored By: Laura Pringle and Lynn Pringle
July 15, 2013
When the Consumer Financial Protection Bureau (“CFPB”) issued CFPB Bulletin 2013-06 on June 25, 2013, many issues were raised not only for those financial institutions and others regulated by the CFPB, but for all financial institutions as well. Long established expectations of proper preparation for examinations and for response to self-indentified violations of law that could lead to enforcement action(s) were put into question. This article will overview that Bulletin and will also highlight several related issues for all financial institutions to help put this Bulletin in perspective.
CFPB Bulletin on Self-Policing, Self-Reporting, Remediation, and Cooperation
In the CFPB’s Bulletin, the CFPB strongly encouraged “responsible conduct” that the CFPB may, within its discretion, take into consideration in determining whether and what sort of enforcement action to take and which sanctions may be imposed, if any. The CFPB stated that it considers many factors in the exercise of its enforcement discretion which include, “for example: (1) the nature, extent and severity of the violations identified; (2) the actual or potential harm from those violations; (3) whether there is a history of past violations; and (4) a party’s effectiveness in addressing violations.” The CFPB explained that the guidance in this Bulletin is being provided to inform those subject to the Bureau’s enforcement authority that in addition to these and other factors, there are activities they can engage in both before and after the conduct in question has occurred that the CFPB may favorably consider in exercising its enforcement discretion. The CFPB went on to state as follows:
Specifically, a party may proactively self-police for potential violations, promptly self-report to the Bureau when it identifies potential violations, quickly and completely remediate the harm resulting from violations, and affirmatively cooperate with any Bureau investigation above and beyond what is required. If a party meaningfully engages in these activities, which this bulletin refers to collectively as “responsible conduct,” it may favorably affect the ultimate resolution of a Bureau enforcement investigation.
The CFPB emphasizes that each case will be evaluated on its own facts and circumstances and also stated that these factors and others may not alleviate the level or type of enforcement action taken and the CFPB states as follows:
Indeed, there may be circumstances where the misconduct is so egregious, or the harm inflicted so great, that no amount of cooperation or other mitigating conduct could justify a decision not to bring an enforcement action, or even to forgo seeking the imposition of a civil money penalty. In short, the fact that a party may argue it has satisfied some or even all of the elements set forth in this guidance will not foreclose the Bureau from bringing any enforcement action or seeking any remedy if it believes such a course is necessary and appropriate.
While the CFPB identified four categories of conduct which it principally will consider, the CFPB stated that in some situations other sorts of activity which the CFPB decides is “both substantial and meaningful” may be taken into consideration; however, the CFPB did not expand upon what sort of activity that may be in this Bulletin. Instead, the CFPB reiterated the four categories of conduct several times and provided clear definitions of each of these four activities. That is, the CFPB stated that it principally considers these four categories of conduct when evaluating whether some form of credit is warranted in an enforcement investigation: (1) self-policing, (2) self-reporting, (3) remediation, and (4) cooperation during the CFPB’s enforcement investigation. The explanations and the specific questions the CFPB will consider for each of these four categories of conduct are detailed in this Bulletin and briefly explained in this article below in the context of our experience of avoiding enforcement actions for all financial institutions.
“Self-policing” is a familiar concept for all financial institutions and, consistent with implementation of a “robust compliance management system” appropriate for its size and complexity, preventative steps to detect violations through auditing have long been part of the process to prepare for examinations and to avoid repeat violations. Prioritizing areas of law to be audited to be certain that such areas where violations have previously occurred, changes have been made in the law, and areas of high risk are addressed by qualified auditors has likewise long been identified as necessary to achieve an effective compliance management system. In this Bulletin the CFBP also reemphasizes the importance of the “tone at the top,” that is, the need to give value to those who provide and/or are the resources for these compliance efforts and not to ignore or “turn a blind eye” to indicia of “misconduct or deficiencies in compliance procedures.” We have long found that setting the tone of the importance of compliance with the Board of Directors and senior management and giving commendations for effective “self-policing” provides valuable support for this factor in any financial institution examination or defense of any financial institution which otherwise may be the target of an enforcement action or in civil litigation.
“Remediation” is also a familiar concept for all financial institutions in their efforts to take all necessary corrective action in a timely fashion and to properly document that corrective action as appropriate to provide to regulators during examinations. We note that several areas of law establish specific timelines which are triggered by the discovery of a violation of law, such as the Truth in Lending Act and the Truth in Savings Act. Time for investigation, if a violation is discovered during an examination or as a result of a complaint or error-resolution process, is allowed under such statutes; we also note that applicable statutes of limitations for civil litigation can be expected to be one of the considerations in the scope of the investigation to expedite the steps necessary to make reimbursement or to otherwise effectively take corrective action. However, these sorts of considerations were not the focus of the CFPB Bulletin; instead the focus seems to be more directed toward remediation of misconduct. Thus, areas of law such as fair lending or actions such as aggressive marketing efforts or other efforts to improperly increase fee income or earnings through imposing higher rates to those in protected classes as well as removing “harmful incentives,” e.g. compensation that may encourage such misconduct, may be more of a concern to the CFPB. Certainly, the emphasis on the establishment of business practices as well as policies and procedures to encourage proper compliance with laws is consistent with regulatory concerns of all financial institution regulators and any sort of willful violation would be expected to be the subject of an enforcement action regardless of corrective actions taken by any financial institution.
“Cooperation” likewise is an important part of taking corrective action generally in that if any violation of law surfaced in an investigation involving criminal activity reporting would be required and facilitating the further investigation would be expected of the financial institution. While the CFPB in its Bulletin does focus its guidance for “cooperation” on such reporting to the CFPB as well as “other appropriate and law enforcement bodies,” the scope of the cooperation in providing evidence including even to facilitate “enforcement actions against others who violated the law” seems to be an expectation of broader reporting than would otherwise be applicable.
“Self-reporting” is a concept in this CFPB Bulletin which also seems to be a broader sort of guidance than would otherwise be applicable to financial institutions. Also, the CFPB states that the CFPB “places special emphasis on this category in its evaluation of a party’s overall conduct.” Thus, rather than simply concentrating on finding, investigating, and correcting violations and taking preventative steps to avoid further or repeat violations prior to upcoming examinations, the self-reporting to theCFPB appears to be expected well prior to an examination. In addition, if there is any delay in reporting or a failure to promptly report to the CFPB or to affected consumers “within a reasonable period of time” or only reporting if discovery “was likely to happen anyway,” negative impact in the determination of the level of enforcement action and/or sanctions may be expected from the CFPB.
Implementation of CFPB Bulletin
The CFPB specifically referenced this Bulletin in an order released the same week as Bulletin 2013-06, i.e., the CFPB’s order to U.S. Bank and one of its nonbank partner companies, Dealers’ Financial Services, to end deceptive marketing and lending practices and specifically requiring reimbursement of $6.5 million for failing to disclose all fees charged and for misrepresenting the true cost and coverage of financed add-on products. CFPB website June 27, 2013 and http://files.consumerfinance.gov/f/ 201306_cfpb_enforcement-order_2012-0340-02.pdf. The CFPB press release stated as follows:
Earlier this week, the Bureau released a Bulletin discussing its expectations regarding “responsible conduct” by those subject to Bureau enforcement actions. By proactively altering problematic aspects of the MILES program and readily working with the Bureau to provide refunds to servicemembers harmed by this conduct, both companies in this action engaged in the sort of conduct the CFPB expects from companies found to have violated consumer financial laws. This was one of several factors the Bureau considered when choosing not to impose a civil money penalty in this matter.
The Consent Order issued in this matter with U.S. Bank stated that the CFPB had “conducted a target review” of the automobile loan program which the bank “helped develop and for which it is the primary lender.” Truth in Lending Act violations as well as violations of the Consumer Financial Protection Act’s prohibitions on deceptive acts or practices were cited. Although civil money penalties were not accessed in this order, the “Redress Plan” required reimbursement of $3,200,000 to consumers and, if not fully paid to consumers, the payment of the remainder of the funds must be disgorged to the U.S. Treasury. Action was also taken against a nonbank partner, Dealers Financial Services, to return approximately $3,300,000 to servicemembers related to the costs of add-on products. Not only the service provider in this case but other lenders and related parties could also be subject to regulatory actions and civil liability.
Important Legal Privileges
Properly providing information regarding violations of law to financial institutions’ regulatory agencies has been the subject of significant concern for financial institutions, their regulators, and their legal counsel for many years. Section 607 of the Financial Services Regulatory Relief Act of 2006 included a provision addressing the disclosure of information to supervisory agencies; specifically, Section 1828x of Title 12 of the United States Code was amended to address concerns regarding the waving of privileges in responding to examination and other requests or otherwise providing information to federal and state regulators. Then, effective December 20, 2012, this subsection was amended to add the CFPB as an agency to which information may be submitted without waiving any applicable privilege. State laws also create similar protections for compliance reviews and audit but the scope of those protections varies from state to state. The sharing of this privileged information with other federal agencies is addressed in this statute, but no other sharing by the CFPB and other federal regulatory agencies of depository institutions to non-protective parties, e.g., state attorney generals, is covered. Other regulators have issued extensive guidances over the years to instruct examiners and others on how to best protect applicable privileges; however, these privileges were not mentioned in this recent CFPB Bulletin but should be discussed with legal counsel in every situation involving corrective action and self-reporting.
Other Issues Involved in Corrective Action
The factor which the CFPB refers to as “remediation” and as more generally called “corrective action” raises other significant issues which are important for consideration by all financial institutions and their legal counsel when violations of law come to their attention either through auditing, a consumer complaint, error resolution processes, or otherwise. For example, some violations of law cannot be corrected by redisclosure and/or reimbursement, e.g., disclosures which are not timely given such as early mortgage disclosures, flood determinations, electronic disclosures, and so on, so that effective corrective action requires other sorts of activities which should be discussed with legal counsel and properly documented. Another example is the fact that some legal violations trigger penalties and/or referrals for which the primary federal regulator has no discretion, e.g., a pattern or practice of discrimination requiring a referral to the U.S. Department of Justice, or to HUD if home loans are involved, and penalties if flood insurance violations have occurred.
Other issues arise if individuals could be subject to enforcement action and records belonging to the Bank are needed to defend such an action for civil money penalties or a removal action. Training regarding employee handling of documents when violations may have occurred also include the potential of criminal liability if documents are altered or otherwise not properly retained. Other risks besides legal risks can quickly arise and investigation periods allowed by statutes may not be sufficient depending upon the type and scope of the violations. These and other issues as well, which involve substantive legal concerns, require timely and accurate responses and advice of legal counsel and careful management of all ethical responsibilities. Thus, we emphasize that this article provides a beginning point for careful consideration and larger discussions of these issues.
Our experience has been that the factors of self-policing and remediation are important to all of the financial institution regulators in determining whether an enforcement action is necessary or appropriate and also are important to controlling risks of potential litigation. Likewise, we have long observed that cooperation in investigations and the “culture” of compliance including good attitudes and diligence efforts to understand and meet the requirements of consumer protection laws is well received during examinations. However, self-reporting raises a number of significant issues for consideration by legal counsel for financial institutions as does the element of “cooperation” as explained by the CFPB in this Bulletin to include providing “evidence” to the CFPB regarding the self-reporting and facilitating “enforcement actions against others who violated the law.”
We encourage those financial institutions which are subject to the enforcement jurisdiction of the CFPB to study carefully this Bulletin and the information presented by the CFPB for their consideration. We also encourage all financial institutions to review this information and related issues with their primary regulators and with legal counsel; keeping in mind that, even with respect to those financial institutions over which the CFPB does not have direct enforcement ability, the CFPB may include its examiners in examinations by an institution’s prudential regulator and, when the CFPB “has reason to believe” that the institution “has engaged in a material violation of a federal consumer financial law”, federal law provides that the CFPB “shall notify the prudential regulator in writing and recommend appropriate action to respond.” 12 USC 5516 (c) and (d).
This Article was also published at Wolters Kluwer’s Compliance Headquarters™ website: www.complianceheadquarters.com.