The Consumer Financial Protection Bureau (CFPB) was established just over four years ago but has already had a huge impact. The federal agency’s relentless focus on expanding its power and pursuing a host of enforcement actions has alarmed many in the financial services industry.
The breadth and severity of the CFPB’s enforcement actions are striking. Target entities include credit card issuers, mortgage loan originators and servicers, brokers and insurers, credit reporting agencies, settlement service providers, debt collectors, student lenders, and other payment processors. They range from heavyweights like Bank of America to a small Georgia law firm for allegedly operating a “lawsuit mill.” The amount these targets have had to pay out so far: $10.1 billion and counting.
The agency has interpreted Dodd-Frank expansively, primarily leveraging a provision prohibiting “unfair, deceptive, or abusive acts and practices.” Empowered by this broad mandate and by means of regulations that the CFPB itself created, the agency has targeted industry after industry for practices that sometimes do not otherwise expressly violate any federal statute or regulation.
Perhaps that’s why Republican Jeb Hensarling of Texas, chairman of the House Financial Services Committee, called the CFPB the “single most powerful and least accountable federal agency in all of Washington.”
The CFPB likewise designed enforcement procedures that afford it wide discretion and power. It can conduct informal or formal investigations without a court order, and these investigations can be time-consuming and expensive for corporate targets. It can also pursue an enforcement action without prior court approval (or even much notice to the target) and seek a host of penalties — fines, restitution, injunctions, monetary refunds, cancellation of contracts, monetary damages, and limits on the activities or functions of the target person or company within designated industries.
To defend itself, a corporate target faces the CFPB at a distinct disadvantage. It can try to negotiate with the agency regarding its demands, but the CFPB is in a far superior negotiating position. If the target does not accede to the CFPB’s demands, it faces an administrative hearing before an administrative law judge appointed by the CFPB director. If that hearing does not go well, the target’s recourse is appealing the decision to the very same CFPB director. After that, the target can bring its appeal to a federal court, but even there the CFPB director’s decision must be given substantial deference.
Admittedly, this process is not unusual for federal administrative agencies. But the results have been unusual, as one recent target learned the hard way. This target appealed an unfavorable ruling by an administrative law judge to the CFPB director, Richard Cordray. Not only did Cordray go beyond the administrative law judge’s ruling to identify additional violations under the statute, he also increased the target’s penalty by 17 times – from $6.4 million to $109 million.
How can a company protect itself against the CFPB? Of course, companies should be mindful of its rules and guidance, but identifying and eradicating practices that fall within the agency’s broader mandate to prosecute unfair, deceptive or abusive acts can be a real challenge. Nonetheless, there are steps to take.
First, be mindful of the CFPB’s stated goals and targets. Periodic reports and summaries about investigations and enforcement actions available on the CFPB website identify industries of focus for the CFPB, and companies and individuals within these industries should be particularly aware of the agency’s guidance regarding appropriate behavior. Often guidance can be best gleaned from the subject matter of past and pending enforcement actions pursued and consumer complaints posted by the agency.
Second, seek out appropriate insurance coverage. Companies may incur significant costs from the outset simply by responding to or defending against CFPB investigations or enforcement actions. Having to pay those costs can reduce a target’s leverage considerably. Certain insurance policies can cover the defense costs of formal regulatory investigations or enforcement actions. Such coverage may be available under directors and officers policies, errors and omissions policies, and perhaps even commercial general liability policies.
A word of caution: coverage terms in this arena vary widely, evolve frequently, and can be complicated. For example, some policies might only cover costs associated with the defense of individual corporate employees, not the corporation, even though the corporation is bearing the brunt of the costs and risks of the investigation or enforcement action. Other policies may cover formal investigations but not more “informal” investigations that are no less expensive.
Thus, any company obtaining such coverage should be careful to ensure that it understands the precise terms of the policies and that the policies are compatible with the company’s level of risk tolerance.
Robert Long is a partner and Courtney Quirós an associate with the law firm Alston & Bird.