Mounting criticism for going too soft on the financial services industry under Trump has not stopped new Consumer Financial Protection Bureau Director Kathleen Kraninger from putting her own enforcement stamp on the agency.

“There may be a misimpression that the CFPB is lax when, in fact, it is not; it’s a very active Bureau,” says Anthony DiResta, a partner at Holland & Knight. “They’ve been looking at many players in the financial services industry—banks, lenders, credit-repair organizations, debt collectors.”

They’re also paying attention to a broad range of consumer protection issues—from unfair and deceptive practices to failing to honor consumer requests and much more.

Kraninger, appointed by Trump to succeed Acting Director Mick Mulvaney in December 2018, joined the CFPB at a very trying time for the agency, which faces some tough questions about not only its enforcement record—or lack thereof—but also whether the very structure of the agency itself is unconstitutional. While such criticisms surrounding the CFPB are not new, some new developments have thrust these issues back into the spotlight.

On Oct. 16, the House Financial Services Committee published a 333-page report, finding the number of enforcement actions taken by the CFPB have “declined dramatically” under the Trump administration. During Mulvaney’s 12-month tenure, the CFPB announced just 11 enforcement actions, compared to 37 in 2017 and 42 in 2016 under the Obama administration, the report stated.

The report was further critical of the “inadequate” and declining amount of consumer relief obtained by the CFPB resulting from these actions. The CFPB has ordered $12 million in consumer relief during Kraninger’s first six months (Dec. 11, 2018, to June 11, 2019) compared to $200 million in consumer relief under the Obama administration covering the six months between Oct. 1, 2016, and March 31, 2017.

Prudent compliance officers should take the lull in CFPB enforcement numbers with a grain of salt. In remarks before the House Financial Services Committee on Oct. 16, Kraninger indicated she is only just warming up. In fiscal year 2019 (Oct. 1, 2018-Sept. 30, 2019), the Bureau announced 22 public enforcement actions and settled six previously filed lawsuits, resulting in over $777 million in consumer relief and nearly $186 million in civil money penalties. “I note these figures not as a measure of accomplishment, but to underscore the fact that the Bureau continues to appropriately utilize its enforcement tool,” she said.

“There may be a misimpression that the CFPB is lax when, in fact, it is not; it’s a very active Bureau.”

Anthony DiResta, Partner, Holland & Knight

Civil Investigative Demands

For compliance officers and corporate counsel, where attention should really be focused is in the way the CFPB continues to exert its investigative authority under the Dodd-Frank Act, specifically its Civil Investigative Demand (CID) authority. Authorized under the Consumer Financial Protection Act (CFPA), a CID is a subpoena the CFPB issues to a company when it launches an investigation.

Example: Bank of America CID

Below are the details of a Sept. 17 decision published by CFPB Director Kathleen Kraninger responding to a petition by Bank of America (BofA) to set aside or modify a Civil Investigative Demand (CID) that was issued to the bank on March 1:


The CID contained 11 requests for information and documents—including proof of electronic or hard-copy authorizations and e-mails from dozens of custodians—to help the government determine whether BofA opened unauthorized consumer credit cards. BofA argued that the CID should be set aside or, alternatively, modified, for the following reasons:


1. The CID is unnecessary. First, Bank of America argued the CID should be set aside because “further investigation is unnecessary and redundant” and imposes undue burdens, because information BofA earlier provided to the Bureau showed “no systemic sales misconduct issue at the Bank.” Kraninger answered, however, that an administrative subpoena is unduly burdensome as a matter of law only where “compliance threatens to unduly disrupt or seriously hinder normal operations of a business” and that BofA “has not even suggested that the CID imposes that sort of burden.”


Kraninger’s reply went on to state that, as the Bureau recently explained in the April 25 FastBucks Holding CID, “an order on a petition to modify or set aside a CID ‘is appropriately addressed only to the limited question whether the petition has identified legal grounds to set aside or modify’ a CID.” In this case, because BofA’s objections “relating to what it believes it has already established do not raise a ‘legal ground’ to set aside the CID, I decline to set aside the CID on that basis.”


2. The CID is unduly burdensome. In her response to BofA’s argument the CID is “unduly burdensome,” Kraninger noted BofA “did not ‘meaningfully engage’ in the meet-and-confer process described in the Bureau’s rules, 12 C.F.R. § 1080.6(c), to raise its burden objections.” Kraninger explained that, although BofA “generally raised burden concerns with Bureau investigators, it provided no specifics about the burden that the CID posed, which prevented Bureau investigators from meaningfully considering modifications that could minimize burden while still enabling the Bureau investigators to get the information they need.” Thus, Kraninger reasoned the bank’s failure to meaningfully engage in the meet-and-confer process is, alone, sufficient grounds to reject the burden arguments raised in its petition.


3. The CID should be modified. As an alternative, BofA requested the Bureau modify the CID in several respects, including narrowing the applicable period for which the CID requests information to be within the five-year statute of limitations period under the Fair Credit Reporting Act and the three-year statute of limitations under both the Consumer Financial Protection Act and the Truth in Savings Act. Kraninger denied this request, clarifying the three-year limitations period under the CFPA begins on “the date of discovery of the violation.” Here, BofA made no arguments the CFPB has “discovered” any violations that would cause the limitations period to begin running, she said.


BofA’s petition was denied on July 19. However, consistent with the CFPB’s recent policy announcement, the Bureau took the additional step of modifying the Notification of Purpose in the CID “to provide even more information about the nature of the conduct under investigation and the applicable provisions.”


Source: CFPB

If a company determines the investigative probe is improper for whatever reason, it can petition the agency to set aside or modify a CID—which is a lot easier said than done, particularly considering the new CFPB director has a consistent track record for denying such petitions. This signals to financial services firms the burden to modify a CID’s terms through the formal petition process will likely remain high.

Among 11 companies and individuals that challenged a CID within the first 10 months of Kraninger’s tenure, nine of them were denied on the merits. Those who challenged the CIDs argued, primarily, compliance would be “unduly burdensome” or had been issued for an improper purpose. (One recent case study—a denial against Bank of America concerning an ongoing sales practices investigation—is described in more detail in the sidebar accompanying this story).

In practical terms, these denials “should put companies on notice that just because there has been a change in administration or a change in leadership at the CFPB doesn’t mean that the protocols for CIDs or the decision-making on CIDs have necessarily changed substantially,” says Jenny Lee, a former enforcement attorney in the CFPB’s Field Litigation Team and now a partner at law firm Arent Fox.

Best practices

Dismissal of a CID is not impossible, however. DiResta, who has a track record for helping companies to close CIDs without the CFPB ultimately bringing an enforcement action, shares a number of steps a company can take to improve its own chances of closing a CID without an enforcement action.

“First, it’s essential right from the start for the company to develop a very trusted and open relationship with the government lawyers,” DiResta says. “I would recommend that they engage outside counsel who knows the rules of the road so that trust and openness can be gained.”

With a CID, the CFPB is going to be requesting lots of documents and information, sometimes dating back several years, and so it’s going to be very important for companies to be as transparent as possible in responding to these requests. “You have to be complete and accurate in your production, but you also have to be strategic,” DiResta says. “You don’t want to engage in a document dump.”

The documents and other information provided should be presented in such a way that it tells the company’s story, a strong narrative showing why and how the company’s compliance program is comprehensive and, more important, effective. Of course, that means the company should have a robust compliance program to begin with. “You want to show that there is a culture of compliance that starts at the top,” DiResta says. Not unlike a Department of Justice investigation, not having a compliance program can be fatal in any CFPB examination or investigation.

For a financial services firm to position itself favorably before the CFPB, rather than respond to a CID with broad-stroke generalizations, think about the specific facts and circumstances of the case at hand and the issues the Bureau has raised specific to the financial services firm itself and tell the organization’s story in that way, Lee says.

To provide further guidance around this process, the CFPB on April 23 announced it was revising its policy concerning CIDs by making the process more transparent to ensure the Bureau “provide[s] more information about the potentially wrongful conduct under investigation,” the agency said. For compliance officers and corporate counsel, the change in policy effectively results in an information gold mine, gifting them more clarity on how to more succinctly respond to CIDs and the Bureau’s stated concerns.

Another consideration in responding to a CID is that, when compliance deficiencies are uncovered, it’s prudent the financial services firm be proactive about immediately engaging in corrective action. “It shows, No. 1, that the company is willing to be responsible,” DiResta says. It also shows the government the company is acting responsibly in fixing the problem and, thus, the government is less likely to engage in a formal enforcement action, he says.

One other important consideration for a financial services firm that does lodge a formal protest is such objections permit the CFPB to make an otherwise confidential investigatory process public. That puts the firm in a difficult position in the sense compliance and legal must consider carefully not just the likelihood of the challenge succeeding, but also whether they want that issue in the public eye, potentially resulting in reputational harm.

“Most companies do not choose to file a petition, so the investigation remains confidential,” Lee says. That makes the CIDs that are public even more valuable to compliance officers and corporate counsel who want to get a better sense of how the Bureau might respond to other challenges like it.

Another important consideration is that the CFPB continues to seek sworn testimony, under oath, at investigational hearings. “When people think of a CID, they think of having to produce documents, but what is interesting here is that the CFPB also has the authority to compel companies to provide oral sworn testimony before a CFPB officer as part of the investigation,” Lee says. “The trend now is that the CFPB’s requests for sworn testimony in enforcement matters remain ubiquitous in investigations,” she says.

CFPB constitutional?

Compliance officers and corporate counsel in the financial services industry should not take the CFPB’s current turbulent times as signal they can be lax in their compliance efforts and get away with it. Specifically, the U.S. Supreme Court’s Oct. 18 decision to accept the case, Seila Law v. Consumer Financial Protection Bureau, challenging the constitutionality of the director’s removal provision isn’t expected to impact the Bureau’s enforcement efforts in any significant way.

Since the Bureau’s inception, critics have long argued the protection given to the CFPB’s director, who cannot be fired by the president without cause, violates the Constitution’s separation of powers. That argument, filed by law firm Seila Law, will finally have its day in the High Court.

In accepting the case, the justices posed this additional question: If the CFPB is found unconstitutional based on the separation of powers, can the section of the law on the president’s ability to fire the director be severed from the rest of the law? A decision is likely by the end of June.

“Litigation over this question continues to cause significant delays to some of our enforcement and regulatory actions,” Kraninger said in her Oct. 16 remarks before the House Financial Services Committee. “I believe this dynamic will not change until the constitutional question is resolved either by Congress or the Supreme Court.” Kraninger has since adopted the Department of Justice’s view that the structure of the CFPB is unconstitutional, effectively challenging her own authority.

From an enforcement standpoint, however, all signs point to Kraninger taking an even more aggressive posture than her predecessor.

“My position on this question will not stop the Bureau from fulfilling our statutory responsibilities,” Kraninger said. “We will continue to defend the actions that the Bureau takes now and has taken in the past.”