I. INTRODUCTION
The Consumer Financial Protection Bureau (CFPB) has issued a series of bulletins and announcements on various and sundry issues affecting the institutions which they supervise. Set forth below are summaries of the most recent CFPB bulletins/announcements.
II. SERVICE PROVIDERS/CFPB BULLETIN 2012-03
The CFPB has indicated that it expects supervised banks (large insured depository institutions) to oversee their business relationships with service providers (any person that provides a material service in connection with the offering or provision of a consumer financial product or service) in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.
A. Service Provider Relationships
The CFPB recognizes that the use of service providers is often an appropriate business decision for supervised banks and acknowledges that they may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment.
However, the mere fact that a supervised bank enters into a business relationship with a service provider does not absolve the supervised bank of responsibility for complying with Federal consumer financial law to avoid consumer harm. A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement these requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship. Depending on the circumstances, legal responsibility may lie with the supervised bank as well as with the supervised service provider.
B. The CFPB’s Supervisory Authority Over Service Providers
The CFPB is authorized to examine and obtain reports from supervised banks for compliance with Federal consumer financial law and for other related purposes and also to exercise its enforcement authority when violations of the law are identified. The CFPB also has been granted supervisory and enforcement authority over supervised service providers (service providers to supervised banks and service providers to a substantial number of small insured depository institutions), which includes the authority to examine the operations of service providers on site. The CFPB will exercise the full extent of its supervision authority over supervised service providers, including its authority to examine for compliance with prohibition on unfair, deceptive, or abusive acts or practices.
C. The CFPB’s Expectations
The CFPB expects supervised banks to have an effective process for managing the risks of service provider relationships. To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers. The steps that should be taken by supervised banks should include, but are not limited to:
• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
III. CFPB TO PURSUE DISCRIMINATORY LENDERS
The CFPB has announced that it will use all available legal avenues, including disparate impact, to pursue lenders whose practices discriminate against consumers. The CFPB will equip consumers with the information they need to spot the warning signs of discrimination.
The CFPB has also reaffirmed in a Compliance Bulletin its commitment to enforcing the Equal Credit Opportunity Act (ECOA), by recognizing the disparate impact doctrine. Disparate impact occurs when a lender’s practices or policies are facially neutral but have discriminatory effects.
Banks under CFPB supervision will be monitored for potential fair lending violations including practices with unlawful discriminatory effects. The Compliance Bulletin discussed in more detail below, applies to all institutions under the CFPB’s jurisdiction and applies to credit products including mortgages, credit cards, student loans, and auto loans.
A. CFPB Bulletin 2012-04 (Fair Lending)
The CFPB Bulletin 2012-04 is designed to provide guidance about compliance with the fair lending requirements of the ECOA and its implementing regulation, Regulation B.
The ECOA makes it illegal for a creditor to discriminate in any credit transaction against any applicant because of race, color, religion, national origin, sex, marital status, age (if the applicant is old enough to enter into a contract), receipt of income from any public assistance program; or the exercise in good faith of a right under the Consumer Credit Protection Act.
In 1994, the Interagency Task Force on Fair Lending released the Policy Statement on Discrimination in Lending (Policy Statement). The Policy Statement notes that the courts have recognized the following methods of proving lending discrimination under the ECOA:
• Overt evidence of discrimination;
• Evidence of disparate treatment; and
• Evidence of disparate impact.
The CFPB has indicated that it concurs with the Policy Statement. As a result of the foregoing, the CFPB in exercising its supervisory and enforcement authority, will consider evidence of the disparate impact doctrine as one method of proving lending discrimination under the ECOA and Regulation B.
IV. RESPONSIBLE BUSINESS CONDUCT: SELF-POLICING, SELF-REPORTING, REMEDIATION AND COOPERATION/CFPB BULLETIN 2013-06
The Consumer Financial Protection Bureau (CFPB) considers many factors in the exercise of its enforcement discretion. These include, for example: (1) the nature, extent, and severity of the violations identified; (2) the actual or potential harm from those violations; (3) whether there is a history of past violations; and (4) a party’s effectiveness in addressing violations. The CFPB has issued guidance to inform those subject to the CFPB’s enforcement authority that in addition to these and other factors, there are activities they can engage in both before and after the conduct in question has occurred that the CFPB may favorably consider in exercising its enforcement discretion. Specifically, a party may proactively self-police for potential violations, promptly self-report to the CFPB when it identifies potential violations, quickly and completely remediate the harm resulting from violations, and affirmatively cooperate with any CFPB investigation above and beyond what is required. If a party meaningfully engages in these activities, which this bulletin refers to collectively as “responsible conduct,” it may favorably affect the ultimate resolution of a CFPB enforcement investigation.
The guidance is designed to encourage activity that has concrete and substantial benefits for consumers and contributes significantly to the success of the CFPB’s mission. Depending on its form and substance, responsible conduct can improve the CFPB’s ability to promptly detect violations of the federal consumer protection laws, increase the effectiveness and efficiency of enforcement investigations, enable the CFPB to pursue a larger number of worthy investigations with its finite resources, provide important evidence in enforcement investigations and cases, and help more consumers in more matters promptly receive financial redress and additional meaningful remedies for any harm they experienced.
Depending on the nature and extent of a party’s actions, the CFPB has a wide range of options available to properly account for responsible conduct in enforcement investigations. For example, the CFPB could resolve an investigation with no public enforcement action, treat the conduct as a less severe type of violation, reduce the number of violations pursued, or reduce the sanctions or penalties sought by the CFPB in an enforcement action. It must be emphasized, however, that in order for the CFPB to consider awarding affirmative credit in the context of an enforcement investigation, a party’s conduct must substantially exceed the standard of what is required by law in its interactions with the CFPB.
In the CFPB’s consideration of a party’s conduct in these areas it must be stressed that what best protects consumers is ultimately central to the CFPB’s exercise of its enforcement discretion. Self-policing, self-reporting, remediation, and cooperation with the CFPB’s investigation are unquestionably important in promoting the best interests of consumers, but so too are vigorous, consistent enforcement of the law and the imposition of appropriate sanctions where the law has been violated.
In addition, this guidance, and its description of activities that may warrant favorable consideration, is not adopting any rule or formula, or making a promise to any person about any specific case. The CFPB is not in any way limiting its discretion and responsibility to evaluate each case individually on its own facts and circumstances. There is no consistent formula that can be applied to all enforcement actions to accomplish the goal of protecting consumers. Similarly, there is no formula that can be applied to account for cooperation based on a party’s actions related to the activities set forth above. Indeed, there may be circumstances where the misconduct is so egregious, or the harm inflicted so great, that no amount of cooperation or other mitigating conduct could justify a decision not to bring an enforcement action, or even to forgo seeking the imposition of a civil money penalty. In short, the fact that a party may argue it has satisfied some or even all of the elements set forth in this guidance will not foreclose the CFPB from bringing any enforcement action or seeking any remedy if it believes such a course is necessary and appropriate.
A. Factors Used to Evaluate and Acknowledge Responsible Conduct
The CFPB principally considers four categories of conduct when evaluating whether some form of credit is warranted in an enforcement investigation: self-policing, self-reporting, remediation, and cooperation during the CFPB’s enforcement investigation. However, if a party engages in another type of activity particular to its situation that is both substantial and meaningful, the CFPB may take that activity into consideration.
Listed below are some of the factors the CFPB will consider in determining whether and how much to take into account self-policing, self-reporting, remediation, and cooperation. This list is not exhaustive, and some of the factors identified may relate to more than one category of responsible conduct. Finally, the importance of each factor in a given case, and the way in which the CFPB evaluates each factor, will depend on the circumstances.
1. Self-policing:
This concept, which can also be described as self-monitoring or self-auditing, reflects a proactive commitment by a party to use resources for the prevention and early detection of potential violations of consumer financial laws. The CFPB recognizes that a robust compliance management system appropriate for the size and complexity of a party’s business will not always prevent violations, but it will often facilitate early detection of potential violations, which can limit the size and scope of consumer harm. Questions the CFPB will consider in determining whether to provide favorable consideration for self-policing activity that detects violations or potential violations of federal consumer financial laws include:
a. What is the nature of the violation or potential violation and how did it arise? Was the conduct pervasive or an isolated act? How long did it last? Was the conduct significant to the party’s profitability or business model?
b. How was the violation or potential violation detected and who uncovered it? What compliance procedures or self-policing mechanisms were in place to prevent, identify, or limit the conduct that occurred and to preserve relevant information? In what ways, if any, were the party’s self-policing mechanisms particularly noteworthy and effective?
c. If the party’s self-policing functions have previously been the subject of supervisory examination by the CFPB or other regulators, what have been the results of such examination? How, if at all, has the party changed its self-policing following such examination? If the party’s self-policing functions have not previously been the subject of supervisory examination, how do those functions measure up to customary supervisory expectations?
d. If the party is a business entity, what was the “tone at the top” of the business about compliance? Was there a culture of compliance? How high up in the chain of command did people know of or participate in the conduct at issue? Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct or deficiencies in compliance procedures?
2. Self-reporting:
Each category of responsible conduct is important to the CFPB and can significantly affect the CFPB’s decision about whether a party should receive favorable consideration. Of the four categories of responsible conduct, prompt and complete self-reporting to the CFPB of significant violations and potential violations is worth special mention. While no substitute for effective self-policing, self-reporting substantially advances the CFPB’s protection of consumers and enhances its enforcement mission by reducing the resources it must expend to identify potential or actual violations that are significant enough to warrant an enforcement investigation and making those resources available for other significant matters. Prompt self-reporting of serious violations also represents concrete evidence of a party’s commitment to responsibly address the conduct at issue. For these reasons, the CFPB puts special emphasis on this category in its evaluation of a party’s overall conduct. Questions the CFPB will examine in determining whether to provide favorable consideration for self-reporting of violations or potential violations of federal consumer financial laws include:
a. Did the party completely and effectively disclose the existence of the conduct to the CFPB, to other regulators, and, if applicable, to self-regulators? Did affected consumers receive appropriate information related to the violations or potential violations within a reasonable period of time?
b. Did the party report the conduct promptly to the CFPB? If it delayed, what justification, if any, existed for the delay? How did the delay affect the preservation of relevant information, the ability of the CFPB to conduct its investigation, or the interests of affected consumers?
c. Did the party proactively self-report, or wait until discovery or disclosure was likely to happen anyway, for example due to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or the conduct of a CFPB investigation?
3. Remediation:
When violations of federal consumer financial laws have occurred, the CFPB’s remedial priorities include obtaining full redress for those injured by the violations, ensuring that the party who violated the law implements measures designed to prevent the violations from recurring, and, when appropriate, effectuating changes in the party’s future conduct for the protection and/or benefit of consumers. Remediation may be viewed positively even when the party believes that it may have identified a potential rather than an actual violation. Questions the CFPB will examine in determining whether to provide favorable consideration for remediation activity regarding violations of federal consumer financial laws include:
a. What steps did the party take upon learning of the misconduct? Did it immediately stop the misconduct? How long after the misconduct was uncovered did it take to implement an effective response?
b. If the party is a business, were there any consequences imposed on the individuals responsible for the misconduct?
c. Did the party take prompt and effective steps to preserve information, identify the extent of the harm to consumers, and appropriately recompense those adversely affected? In situations where the harm caused by the violation goes beyond the amounts the victims may have paid to the party, did the party identify and implement additional ways to completely redress the harm?
d. What assurances are there that the misconduct is unlikely to recur? By the time of the resolution of the CFPB matter, did the party improve internal controls and procedures designed to prevent and detect a recurrence of such violations? Similarly, have the party’s business practices, policies and procedures changed to remove harmful incentives and encourage proper compliance?
4. Cooperation:
Unlike self-policing and remediation, which may occur with or without CFPB involvement, cooperation relates to the quality of a party’s interactions with the CFPB after the CFPB becomes aware of a potential violation of federal consumer financial laws, either through a party’s self-reporting or the CFPB’s own discovery efforts. In order to receive credit for cooperation in this context, a party must take substantial and material steps above and beyond what the law requires in its interactions with the CFPB. Simply meeting those obligations will not be rewarded by any special consideration. Questions the CFPB will examine in determining whether to provide favorable consideration for cooperation in a CFPB investigation include:
a. Did the party cooperate promptly and completely with the CFPB and other appropriate regulatory and law enforcement bodies? Was that cooperation present throughout the course of the investigation? Did the actor identify any additional related misconduct likely to have occurred?
b. Did the party take proper steps to develop the truth quickly and completely and to fully share its findings with the CFPB? Did it undertake a thorough review of the nature, extent, origins, and consequences of the misconduct and related behavior? Who conducted the review and did they have a vested interest or bias in the outcome? Were scope limitations placed on the review? If so, why and what were they?
c. Did the party promptly make available to the CFPB the results of its review and provide sufficient documentation reflecting its response to the situation? Did it provide evidence with sufficient precision and completeness to facilitate, among other things, enforcement actions against others who violated the law? Did the party produce a complete and thorough written report detailing the findings of its review? Did it voluntarily disclose material information not directly requested by the CFPB or that otherwise might not have been uncovered? If the party is a business, did it direct its employees to cooperate with the CFPB and make reasonable efforts to secure such cooperation?
The CFPB intends and expects that this guidance will encourage parties subject to the CFPB’s enforcement authority to engage in more self-policing. When potential violations of the consumer financial laws arise, the CFPB intends and expects that parties will engage in more self-reporting to the CFPB, more prompt and complete remediation of harm to victimized consumers, and more cooperation with the CFPB in its enforcement investigations. Such an outcome, the CFPB believes, would benefit both consumers and providers of consumer financial products and services.