The Consumer Financial Protection Bureau is attracting criticism for launching investigations that are overly broad and give companies too little time to respond.

In theory, the CFPB's civil investigative demand (CID) authority should hew closely to similar efforts long-deployed by other agencies, including the Securities and Exchange Commission and the Federal Trade Commission. In practice, however, the new bureau's approach has drawn criticism for aggressive investigative tactics and broad requests for information that have led to considerable uneasiness among those who find themselves in its crosshairs.

“When we are told by a client that they are about to get a CID from the Bureau, the first thing out of our mouth is ‘fire drill,'” says Joe Lynyak, a partner with the law firm Pillsbury Winthrop Shaw Pittman. “What they are asking for can go back years and years and you are left wondering where you are going to get this stuff. Electronic discovery can be an unbelievable nightmare. The expense is mind-boggling.”

A CID is an investigatory tool through which the bureau can request documents, testimony, or data based on suspicion that an entity or individual may have engaged in an illegal activity or violated consumer protection laws and regulations. The challenge for those who have received one from the CFPB is that those investigations have tended to be broader and faster-paced than they are accustomed to, say enforcement attorneys.

“A lot of former Federal Trade Commission people joined the CFPB,” explains Stephanie Jackman, an associate at the law firm Ballard Spahr. “You would think that the way they did things and approached investigations would translate, but this is a new agency with a different mandate.”

With a short history of cases, companies and their lawyers also don't have lots of precedent to know what to expect from the agency, which opened its doors in July 2011. “People don't know what's coming and they don't necessarily know what the process is, so that naturally breeds insecurity about what the CFPB is interested in,” Jackman says. “The CIDs usually seek information on the entire scope of a company's operations, and that makes it difficult to pin down what specifically the Bureau is interested in. It seems more like a very broad investigation than a targeted enforcement action on a perceived issue.”

The CFPB's broad approach to CIDs presents “significant compliance difficulties,” says Lynyak. “They say, ‘please deliver the kitchen sink,'” he says.

Except for civil investigative demands issued by the FTC, financial service companies have infrequently encountered CIDs, Lynyak says, explaining that the predominant form of federal oversight was through federal banking agencies with direct examination and supervision authority over FDIC-insured institutions. This authority permitted them to examine most books and records without the need to issue a CID.

With the creation of the CFPB, however, “the landscape for aggressive consumer-related investigations by the federal government changed dramatically,” Lynyak says. The Dodd-Frank Act, which created the Bureau, gives it the authority to require a targeted company or individual “to prepare or submit virtually any document, report, or other company-related information deemed even peripherally of interest to investigators.”

“All of a sudden anyone dealing in the retail consumer space could receive one of these,” Lynyak says. “They are time-consuming, expensive, and very disruptive of operations.”

The CFPB may be seeking a vast amount of information “because they don't quite know what they need” as they initially dig into operations, says Jonice Gray Tucker, a partner with the law firm BuckleySandler, who represents corporate and individual clients in federal and state enforcement agency investigations. “They are concerned about leaving stones unturned, so they are requesting a comprehensive set of information," she says.

“The CIDs usually seek information on the entire scope of a company's operations, and that makes it difficult to pin down what specifically the Bureau is interested in.”

—Stephanie Jackman,

Associate,

Ballard Spahr

Too Little Time

Not only can the CFPB demand a lot of information, it provides very little time to turn it over. A company must “meet and confer” with representatives of the CFPB within 10 days of receipt of a CID. “These time limitations are barely sufficient for large companies to begin to identify locations of records and files,” Lynyak says.

This initial deadline is crucial because the CFPB will not consider any request to modify a CID for issues that are not first raised during this initial consultation. A petition to amend or set aside a CID must be filed within 20 days of the initial notification.

“They want companies to show up and be ready for a meaningful, detailed discussion about where documents are located,” Tucker says. “What can be turned over quickly? What could take longer? They want to talk about what objections a company may have based on process, breadth, or for other reasons. That is a very different execution than what we have seen with many other agencies.”

Benjamin Olson, former deputy assistant director for the Office of Regulations at the CFPB, joined BuckleySandler as an attorney late last month. In his opinion, the Bureau operates with a tight deadline because it wants to protect consumers from scams. “It views its mission as protecting consumers and ensuring that the laws that are on the books are complied with. Consequently, if Bureau staff is concerned about the possibility of consumer harm, they want to resolve the issue as quickly as possible."

FINAL RULE ON CFPB INVESTIGATIONS

The following is from a final rule that describes the CFPB's procedures for investigating whether persons have engaged in conduct that violates federal consumer financial law. It establishes authority to conduct investigations, including the procedures for issuing civil investigative demands.

The Final Rule neither imposes any obligations on consumers nor is expected to have any appreciable impact on their access to consumer financial products or services.

The Final Rule imposes certain obligations on covered persons who receive CIDs in Bureau investigations. Specifically, as described above, the Final Rule sets forth the process for complying with or objecting to CIDs for documentary material, tangible things, written reports or answers to questions, and oral testimony. Most obligations in the Final Rule stem from express language in the Dodd-Frank Act and do not impose additional burdens on covered persons.

To the extent that the Final Rule includes provisions not expressly required by statute, these provisions benefit covered persons by providing clarity and certainty. In addition, the Final Rule vests the Bureau with discretion to modify CIDs or extend the time for compliance for good cause. This flexibility benefits covered persons by enabling the Bureau to assess the cost of compliance with a civil investigative demand in a particular circumstance and take appropriate steps to mitigate any unreasonable compliance burden.

Moreover, because the Final Rule is largely based on section 20 of the FTC Act and its corresponding regulations, it should present an existing, stable model of investigatory procedures to covered persons. This likely familiarity to covered persons should further reduce the compliance costs for covered persons.

The Final Rule provides that requests for extensions of time to file petitions to modify or set aside CIDs are disfavored. This may impose a burden on covered entities in some cases, but it may also lead to a more expeditious resolution of matters, reducing uncertainty.

Source: ConsumerFinance.gov.

In a problematic twist for companies that do lodge a formal protest, the CFPB has said that such objections allow it to make the otherwise confidential investigatory process public. ““The company is in a difficult  situation,” Tucker says. “If they disagree with the CFPB as to matters related to the CID, and they really feel they have to petition for modification, they are not just making a decision about whether or not they think the petition is going to be successful, they are making a decision on whether or not they want to make an otherwise confidential investigation a public matter.”

Jackman's advice for companies facing a CID is to take a cooperative approach. “Try to be as open as you can and try to answer their questions as quickly and as efficiently as possible,” she says. “It gives the government their answers and saves you on time and effort.”

If a demand for information is unreasonable, those burdens should be comprehensively documented.  “If you just say it is burdensome, I don't think that they are going to accept that,” she adds. “If you can show them it is burdensome for specific reasons—cost, location, or data is old, outdated, or archived, something that they can understand—we've found them to be very cooperative in most instances. They are willing to work with you in narrowing requests and extending the time you have to respond when there is a legitimate need for it. When you demonstrate good faith, we've seen it reciprocated.”

Olson also stresses the importance of having the IT department involved at the earliest stages of a CID. “Investigators have a natural inclination to get past the lawyers and directly to the people who are in possession of the information they need, and increasingly those are the IT people,” he says. “It is important for anybody responding to this kind of a request that they are talking to their IT people first and foremost.”

Websites

We are not responsible for the content of external sites

Topics