We’ve Only Just Begun – Lessons From the CFPB’s First 35 Enforcement Cases

Few agencies have generated as much controversy as the Consumer Financial Protection Bureau. [1] The brainchild of Senator Elizabeth Warren when she was still a professor and the product of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the agency is charged with being the cop on the beat for consumers much like the SEC is the cop on the beat for investors. Among its goals are preventing consumers from being subject to “deceptive,” “unfair,” and “abusive” practices and holding alleged wrongdoers accountable by bringing enforcement cases against those the CFPB believes have violated consumer financial protection laws. Consumers have flooded it with over 300,000 complaints since the agency began operations less than three years ago, and those have already proven to be a fertile source of information for its examination and enforcement programs.

The CFPB’s permit is vast. It has supervisory authority over banks, thrifts and credit unions with over $10 billion in assets, as well as many nonbank consumer financial services providers, such as mortgage lenders and servicers, student lenders and servicers, payday lenders and certain participants in the debt collection and consumer reporting markets. Its total budget in 2013 was $541 million, up from $300 million in 2012.  Other than “Centralized Services,” the largest part of its budget is for “Supervision, Enforcement, and Fair Lending,” which includes enforcement. This unit’s budget grew from $83 million in 2012 to $132 million in 2013 to $165 million in 2014, and now makes up 33 percent of the Bureau’s total budget.  During the same period, the number of budgeted full-time employees in the unit grew from 422 to 563 to 731 – a 72 percent increase in just two years.

As is true with the SEC, a former prosecutor heads the CFPB. His credentials put the rest of us to shame. A Marshall Scholar at Oxford, editor-in-chief of the University of Chicago Law Review, clerk for not one but two United States Supreme Court Justices, Attorney General for the State of Ohio, and, most impressively of all (he says it helped persuade his wife to marry him), five-time Jeopardy! champion, Richard Cordray is an exceptionally capable lawyer on a mission to protect consumers and crack some heads along the way. As Attorney General for Ohio, he filed lawsuits seeking and obtaining billions of dollars from major financial institutions, and explained, “There’s a belief here that Wall Street is a fixed casino and it’s back in business, and we’re left holding the bag.” His 2009 Ohio Attorney General Report had a section titled “Holding Wall Street Accountable,” which stated that under Mr. Cordray Ohio had taken the lead role in eight major securities class actions. The New York Times called him the “pinstriped avenger.”

Mr. Cordray has exceptionally free reign in carrying out his mandate. Unlike SEC Chair Mary Jo White, he stands atop the CFPB all by himself rather than as part of a five-member commission, and, unlike the SEC, the CFPB is not dependent on Congress for its funding. While many of the agency’s procedures are patterned on the SEC’s, its penalty authority is more draconian than the SEC’s, its ability to order restitution is greater than the SEC’s, and its focus on corporate governance remedies is far more intrusive than the SEC’s. Also, there is a surprise for those who thought there could be nothing more vague than the “manipulative or deceptive device or contrivance” language of the securities laws—the consumer protection statutes employ language like “unfair” and “abusive” that is even more vague and open to interpretation and subject to fewer limiting precedents. No wonder that shortly after President Obama’s recess appointment of Mr. Cordray in January 2012, the Economist wondered, “[W]ho, in the end, will be found to be more abusive: the firms Mr. Cordray attacks, or the bureau he has been appointed to run.”

We explore below two important aspects of the CFPB’s enforcement actions to date. In Part I, we look briefly at the numbers—everything from the number of cases, to how many are brought administratively versus in court, to the frequency with which individuals are named, to the nature of the products involved, to the alleged violations, to the statutes allegedly violated, and to how often the cases settle. In Part II, we explore in detail the nature of the remedies/sanctions imposed as a cost of resolving the actions. These remedies/sanctions are important precedents that will likely guide future resolutions as well. Finally, we conclude with nine observations about the current program.

I.  Key Characteristics of CFPB Enforcement Cases
1.  The Numbers. Our unofficial tally is that between July 2012 (when it reported filing its first enforcement action) and February 2014 (when it filed its most recent action), the CFPB filed 39 enforcement actions. We will call it 35, however, because six of the actions are better viewed as two actions against multiple affiliates of the same firm for the same conduct.

2.  The Pace of Filings. The pace of filings has increased over time. It took the CFPB a year to file its first enforcement action (in July 2012). It took five more months (to December 2012) for the CFPB to get to a total of six enforcement actions. By December 2013, however, it filed six cases in a single month. The CFPB has set as a goal filing or settling enforcement actions within two years of opening its investigation if it believes an enforcement action is warranted.

3.  Court vs. Administrative Hearings. The CFPB may file an action in court or before an administrative law judge even though the CFPB does not have its own administrative law judges. For a litigated administrative proceeding, the CFPB will request the SEC to assign one of the three SEC administrative law judges to preside over the CFPB administrative proceeding. Those who have practiced before the SEC will find much similarity between CFPB administrative proceedings and SEC administrative proceedings. Indeed, the CFPB’s release adopting its Rules of Practice for Adjudication Proceedings references SEC rules 66 times. 

In terms of cases brought to date, they are split almost equally between actions filed in court and administrative actions. The alleged deceptive credit card add-on product cases have been filed administratively; the alleged deceptive debt collection/modification cases have been filed principally in court; and the alleged mortgage kickback/referral fee cases have sometimes been filed in court and sometimes been filed administratively.

4.  Settled vs. Litigated. All but two of the CFPB administrative enforcement actions were filed as settled actions. Of the two that were not, one of the actions settled soon after filing and the other is being aggressively litigated. More than half of the court cases were also filed as settled actions, but a number of the court cases are being litigated. Incidentally, kudos to the CFPB for including the following language in its press releases about unsettled enforcement actions: “The Bureau’s complaint is not a finding or ruling that the defendant has actually violated the law.”  The SEC could learn from this. And more kudos to the CFPB for not publishing its Notice of Charges until ten days after the respondent is served with the Notice. 

5.  Individuals Named or Not Named. Roughly one-third of the cases named individuals. In most of those cases, however, the individual named was the owner of the company or the principal alleged wrongdoer.  The CFPB did not name individuals when it sued large companies, although there is no assurance that practice will continue. On the other hand, as discussed in Part II below, the CFPB is aggressive in imposing responsibility on board members for taking steps to ensure there are no further violations.

6.  Products at Issue. Almost half of the CFPB cases involved mortgages. The next highest category is credit cards. Alleged debt collection/debt relief abuses make up the third largest category of enforcement actions.   Auto loans, loans to service members, student loans, and reporting violations are the subject of a smaller number of the early enforcement actions.

7.  Alleged Misconduct in Connection with Mortgages. With regard to mortgages, the most common allegation was that a service provider paid or received referral fees/kickbacks in violation of the Real Estate Settlement Procedures Act. The largest case, however, was not a kickback case.  It involved allegations of widespread misconduct in connection with mortgage servicing and resulted in $2 billion in principal reduction to underwater borrowers on loans not even owned by the defendant and $125 million to persons who lost their homes to foreclosure. Another large case, involving roughly $35 million in restitution, alleged that a bank charged higher prices for mortgage loans to African-Americans and Hispanic borrowers than to similarly creditworthy white borrowers. A third case involved allegations that a bank paid its loan officers bonuses for steering borrowers to more expensive loans.

8.  Alleged Misconduct in Connection with Credit Cards. With regard to credit cards, the most common allegation was that telemarketers misled consumers in the sale of add-on products—for example, not adequately disclosing the costs of or limitations on such products or charging for services before the add-on services began. In other instances, vendors for the credit card issuer characterized credit cards as interest free when they were not or failed to provide all the benefits promised. In one case, the CFPB alleged that the credit card company failed to provide Spanish language information to Puerto Rico investors, and in another case alleged that the credit card company improperly used age in its credit scoring. The CFPB also alleged that a credit card company led customers to believe that paying off their delinquent balances would be reported to credit agencies and help improve their credit ratings even when the delinquencies were too old to have that effect.

9.  Alleged Misconduct in Connection with Student Loans. In a recent and perhaps its most novel enforcement action, the CFPB has charged a provider of post-secondary technical education with misleading students about their future job prospects and pressuring students to take out “predatory” loans.

10.  Alleged Failure to Adequately Supervise Third-Party Vendors. At least half a dozen CFPB enforcement actions involve alleged violations involving third-party vendors, such as telemarketers. In those cases, the CFPB charged the respondent with deficient oversight of the service providers and required the respondent to ensure that its third-party vendors cease and desist from continuing to engage in the alleged misconduct.

11.  Other Alleged Misconduct. The CFPB also brought actions for a wide range of other alleged misconduct—“Robo-signing” (signing documents without sufficient due diligence), discrimination in auto loan interest rates, violating requirements for loans to service members, charging illegal up-front fees for debt-relief services, making inaccurate promises in connection with such services, making false promises in connection with mortgage loan modifications, violating state law interest rate caps on loans, and making large-scale mortgage data reporting errors.

12.  Guidance Related to Alleged Violations. In a number of cases, the CFPB had issued or subsequently issued guidance related to the underlying conduct in enforcement proceedings—including bulletins on 1) unfair, deceptive, or abusive acts or practices in the collection of consumer debts, 2) marketing of credit card add-on products, 3) payment of compensation to loan originators, 4) lending discrimination, 5) compliance with the Equal Credit Opportunity Act in connection with auto lending, 6) supervisory responsibilities over third-party service providers, 7) responsibilities in connection with mortgage servicing transfers,  and 8) compliance with the Home Mortgage Disclosure Act reporting requirements.

13.  Statutes Allegedly Violated. The statute of choice for the CFPB is the Consumer Financial Protection Act of 2010. The CFPB alleges violations of that act, usually Sections 1031 and 1036, in roughly two thirds of its enforcement cases. Sections 1031 and 1036 authorize the CFPB to bring actions for any “unfair, deceptive, or abusive act or practice” involving consumer financial products or services. The language resembles the language in Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”

The Real Estate Settlement Procedures Act of 1974 (RESPA) shows up in approximately one quarter of the CFPB enforcement cases. Among other things, RESPA prohibits kickbacks between lenders and third-party settlement servicers in real estate transactions.

The CFPB has also sued for alleged violations of the Truth in Lending Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Federal Trade Commission Act, the Home Mortgage Disclosure Act, the Military Lending Act, and the Interstate Land Sales Full Disclosure Act.

14.  Joint Actions with Other Government Agencies. In nearly one third of the cases, the CFPB has brought actions jointly with other government agencies, or other government agencies have obtained their own relief at the same time for overlapping misconduct. Those agencies include the Department of Justice, the Federal Reserve, the FDIC, the OCC, and the states. One reason it may join with other agencies is that its authority to pursue certain claims arising from conduct prior to the CFPB’s creation could be disputed.

15.  Defenses Raised. Apart from arguing that their conduct did not violate the relevant statutes, defendants in CFPB cases have also argued that the action is barred in whole or part by the statute of limitations, the conduct was undertaken in good faith based on and in conformity with applicable interpretations of the relevant statutes at the time of the conduct, and that the laws allegedly violated are void for vagueness.

II. Relief in Settled Cases
The CFPB orders often contain far more detailed and onerous provisions on the relief imposed than SEC orders.  In fact, the section of the orders on the relief is often far longer than the sections setting forth the facts and alleged violations. While there are exceptions, the relief typically consists of a combination of, or sometimes all of, the following:

  1. Orders prohibiting the continuing and future violation of consumer laws, including cease and desist orders in administrative proceedings and injunctions in court proceedings.
  2. Governance and a comprehensive review of the areas involved in the alleged violations, including a review of the compliance program associated with the allegedly flawed product or services and enhancement of procedures to prevent future violations. This often includes a requirement to retain outside consultants and to provide reporting to the board and CFPB.
  3. Restitution to consumers harmed by the violations, which may include a third-party review of the restitution plan and reporting to the CFPB.
  4. Payment of a civil money penalty.

The stipulations of settlement may require signatures of each of the company’s board members, and sometimes contain language requiring the board members to take “full responsibility” for ensuring that appropriate policies and procedures are in place to prevent future violations. 

1.  Neither Admit Nor Deny. All but one of the CFPB settlements have been settled without admitting or denying the alleged misconduct. The order resolving the case will typically recite that the company has consented to the order “without admitting or denying any findings of fact, violations of law or regulations” or “without admitting or denying any wrongdoing.” A number of the stipulations to the consent orders state that the order “shall not be an evidentiary admission of liability for any of the specific practices that are the subject of the Consent Order.”

There is one recent exception, however, to this practice.  On February 24, the CFPB filed a settled administrative proceeding against a mortgage lender that self-reported a RESPA violation (paying unearned fees to a hedge fund that previously had financed its mortgages) and agreed to pay an $83,000 penalty. In contrast to the stipulations in other settled matters, the stipulation contained a statement that the respondent was “admitting the findings of fact and conclusions of law” in the order. Unfortunately, the CFPB could discourage self-reporting in the future if it comes at the cost of admitting the findings of fact and conclusions of law in a subsequent consent order.

2.  Typical Cease and Desist Language. The following is an example of CFPB cease and desist language used in an order to resolve a CFPB administrative proceeding:

IT IS HEREBY ORDERED that [the Company] and its officers, agents, servants and employees immediately cease and desist from engaging in violations of Sections 1031 and 1036 in connection with its activities as a service provider in [the Company’s] marketing or sales of the credit card add-ons that are the subject of the [Company’s] Consent Order.

In a case focused on alleged deceptive practices by the Company’s service providers, the cease and desist language included the following:

IT IS HEREBY ORDERED that [the Company], its officers, agents, servants and employees immediately cease and desist, and that [the Company] manage its business relationships with Service Providers in a manner that ensures that its Service Providers immediately cease and desist from engaging in violations of Sections 1031 and 1036 in connection with the marketing, sales, and administration of [the particular products] and from engaging in violations of Regulation V in connection with the marketing, sales, and administration of [the particular products].

Because the penalties for violating a cease and desist order can be severe, it is important for counsel to negotiate language that is linked to the particular conduct at issue and not simply an open-ended commitment never to violate the statute again. Even the most diligent companies may find themselves in repeat violation situations where the CFPB staff takes the position that they have again engaged in “unfair” or “deceptive” or “abusive” practices. Indeed, the CFPB has already brought multiple actions against a single group of affiliated companies.

3.  Typical Injunction Language. The CFPB may seek an injunction in court that is similar to an administrative cease and desist order. For example, in one recent case a company was subject to the following injunction:

The Company and its officers, agents, and employees, whether acting directly or indirectly, are permanently enjoined from paying compensation to a Loan Originator in violation of 12 C.F.R. § 1026.36(d) as it exists now or at any time after the Effective Date.

In a number of cases involving debt relief companies accused of misleading consumers, the injunction barred the company from participating in the business going forward. For example,

IT IS HEREBY ORDERED that Defendants, whether acting directly or through any other person, are permanently restrained and enjoined from: Advertising, marketing, promoting, offering for sale, or selling any debt-relief product or service.

That type of business prohibition injunction, however, is the exception rather than the rule.

4.  Governance and Procedures to Prevent Future Violations. The going-forward governance provisions of CFPB orders can be onerous.  We describe and quote from one of the more onerous orders below.

a. Commitment to Eliminate Violations. “The Bank shall take all action necessary to eliminate all violations of Sections 1031 and 1036. In addition, the Bank shall take all necessary steps to effect and maintain future compliance with Sections 1031 and 1036 as described more particularly herein.”

b. Compliance Program Changes. “The Bank shall review, revise, develop and/or implement, as necessary, a sound risk-based Compliance Risk Management Program including a comprehensive written compliance program to ensure that its activities comply with Sections 1031 and 1036 and otherwise ensure compliance with all Consumer Protection Laws to which the Bank is subject.” The language then specified the minimum requirements for the new compliance risk management program.

c. Requirement of Third-Party Consultant. The order required the bank to retain a third-party compliance consultant, acceptable to the CFPB’s Regional Administrator, to assist in the development, revision, review, and implementation of the compliance program. The consultant was required to provide, on a monthly basis, a detailed written report to the board regarding the bank’s adherence to the compliance program, and the board itself was required to conduct a full and complete review of the report.

d. Requirement of Third-Party Compliance Staffing Consultant. The order required the bank to retain an independent third-party compliance staffing consultant, acceptable to the CFPB’s Regional Administrator, to assess the bank’s compliance staffing and determine if additional personnel were needed. The staffing consultant also had to provide a detailed written report to the board, and the board had to conduct its own full and complete review of the report.

e. Board Oversight and Responsibility. The order required the board to “participate fully in the oversight” of the bank’s compliance risk management program and “be responsible for the approval of sound policies and objectives and for the supervision of all the bank’s compliance-related activities,” with the proviso that the role should be “consistent with the role and expertise commonly expected for directors of banks of comparable size and complexity and offering comparable banking products and services.”

f. Compliance Committee & Staffing. The order required the board to maintain a compliance committee to meet monthly, “allocate resources that are commensurate with the level of complexity of the Bank’s operations,” and “include specific procedures to ensure the bank’s compliance with all Consumer Protection Laws.” The committee was also required to “ensure that the Chief Compliance Officer and all individuals with compliance oversight responsibilities receive ongoing training, sufficient time, and adequate resources to effectively oversee, coordinate, and implement” the bank’s compliance and risk management program.

g. Oversight of Service Providers. The CFPB order required the bank to develop policies “to maintain effective monitoring, training, record-keeping and audit procedures to review each aspect of the Bank’s agreements with its Service Providers and the services performed for the Bank pursuant to these Agreements.” For example, prior to allowing the service providers to use marketing and solicitation materials, the bank had to approve the materials. The compliance committee was required to report to the board, on a quarterly basis, whether the service providers were in compliance with the relevant agreements.  

h. Retention of Qualified Management. The CFPB order required the bank to retain a third-party management consultant, acceptable to the CFPB Regional Director, to provide a detailed study of the bank “to determine whether existing Bank management has the resources, skills and experience” to return the bank to a satisfactory compliance position. After receiving the management study, the board had to adopt a plan to implement any recommendations or explain in a writing signed by all board members why a particular recommendation was not being implemented.

i. Independent Audit Program. The CFPB order required the bank to schedule independent audits of the business to be conducted at least annually to ensure compliance with consumer protection laws. The order set forth minimum requirements for the audit.

j. Progress Reports and Certification of Compliance to the CFPB. The order required the bank to submit quarterly progress reports to the CFPB that confirmed that the company was in compliance with all provisions of the order or listed the provisions with which it was not in compliance, provided an explanation of the reasons, and stated when the bank would be in compliance. 

5.  Restitution. The Consumer Fraud Protection Act gives both courts and administrative law judges in CFPB proceedings authority to order “restitution,” “disgorgement or compensation for unjust enrichment,” “refund of moneys or return of real property,” and “payment of damages or other monetary relief”—remedies that vastly exceed the SEC’s authority in its securities enforcement cases to award “disgorgement” but not damages.

Most of the CFPB settlements require payment of restitution. In many cases, at the time of settlement the amount is only an estimate because the full mechanics of the restitution remain to be determined. Moreover, depending on the claim process, which often permits any excess funds to be returned to the respondent, the ultimate amount paid may be more or less than the estimate.

Some of the headline restitution settlements include the following. The CFPB, in an action joined by 49 states, obtained an agreement from a mortgage service provider to provide $2 billion in principal reduction to underwater borrowers for loans that the defendant did not even own because of the provider’s alleged violations in servicing subprime and delinquent loans. In actions brought by the CFPB and the OCC, a bank was ordered to refund $309 million to consumers who bought creditor monitoring products that the CFPB claimed were sold in violation of consumer protection laws. A similar action brought against another card issuer required the issuer to pay $200 million to consumers who purchased credit card add-on products. And yet another credit card add-on product case required a $140 million refund. In an action alleging discriminatory mortgage pricing, a bank agreed to refund $35 million, and in an action involving so-called “Robo-signing,” a lender agreed to refund $14 million.

Terms of a particular restitution order included the following. The respondent was required to begin restitution within 90 days of the order and complete restitution within 150 days. The eligibility period covered consumers who purchased the product between December 1, 2007 and August 31, 2011. Eligible consumers who enrolled in the product for less than a year were entitled to a refund of the fees paid, while eligible consumers who enrolled in the product for more than a year were entitled to a refund of 90 days of fees. For open accounts, restitution could be posted by crediting the account. For closed accounts, restitution could be provided by mailing a certified check. If the aggregate amount ended up being less than $200 million, then the remainder would be used to increase the restitution paid to consumers who enrolled in the product for more than a year. The company had to submit to the CFPB Regional Director (and others) the proposed text of the letters to be sent to eligible consumers. The letter had to include the reason restitution was being provided, an explanation of the manner in which the amount was determined, and a statement that the restitution was paid in connection with the consent order. The company’s Audit and Risk Committee, or an equivalent committee, was required to send to the CFPB a detailed report explaining the processes and procedures by which the company identified eligible consumers and determined the applicable restitution amounts. The company also had to hire an independent auditor, acceptable to the CFPB Regional Director, to verify that the company had accurately identified the eligible consumers and the restitution amounts.

While that order did not provide for the possibility that funds would be returned to the bank, other orders have contained such provisions. For example, one order contained the following language on restitution:

The Bank shall make all restitution payments required by the Restitution Order, regardless of whether the total of such payments exceeds the Payment Floor. If the total of payments is less than the Payment Floor, the excess shall be returned to the Bank’s general funds.

6.  Civil Money Penalties. In addition to authorizing courts and administrative law judges to award restitution and similar monetary relief, the Consumer Financial Protection Act grants courts and administrative law judges authority to impose a “civil penalty” against any person that violates any provision of a federal consumer financial law. For non-culpable or negligent violations, the penalty may not exceed $5,000 “for each day during which such violation continues.” For reckless violations, the civil penalty may not exceed $25,000 for each day during which the violation continues. And for knowing violations, the civil penalty may not exceed $1 million for each day the violation continues.

With regard to mitigating the size of the penalty, the CFPB is required to take into account the entity’s (or person’s) financial resources, good faith, gravity of the violation, severity of the risks to or losses of the consumer, the history of previous violations, and “such other matters as justice may require.” In addition, on June 25, 2013, the CFPB issued a bulletin on “Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation.” The bulletin states that when parties engage in self-policing, self-reporting, remediation, and cooperation, “it may favorably affect the ultimate resolution of a Bureau enforcement investigation.” There have been three cases in which the CFPB cited the bulletin in connection with enforcement cases—in two cases it imposed no civil penalty and in the third it imposed a penalty of $83,000.

When the CFPB has imposed civil money penalties, the penalties have ranged from $1 to $27,500,000. The largest civil money penalties have been imposed in cases with the largest restitution orders, and the penalty amounts are usually smaller than the restitution amounts. For example, one firm was required to pay restitution of $85 million and a civil money penalty of $27.5 million for alleged improper practices in its credit card program; another firm paid $140 million in restitution and a $25 million civil money penalty in connection with the sale of credit card add-on products; a third company paid $309 million in restitution and a civil money penalty of $20 million in connection with the sale of credit card add-on products; a fourth company paid $80 million in restitution and an $18 million civil money penalty for allegedly charging higher auto loan interest rates to African Americans and other minorities; and a fifth company paid $200 million in restitution and $14 million in civil money penalties in connection with the sale of credit card add-on products. Four mortgage insurance companies that allegedly paid kickbacks paid a combined $15.4 million civil penalty.

Unfortunately, the CFPB orders contain no meaningful explanation of how the penalty amounts in those particular cases were determined. If they contain any language at all on the subject, it is boilerplate—for example, the penalty took into account “the financial resources and good faith of the Bank, the gravity of the conduct by the Bank, the severity of the risks to and losses of consumers, the history of previous conduct by the Bank, and such other matters as justice may require.”

With regard to the civil money penalties (but not restitution), the orders typically state that the company may not apply for a tax deduction or tax credit for any federal, state or local tax, and may not seek or accept, directly or indirectly, reimbursement or indemnification for any penalty, including payment by an insurance carrier.

Since the CFPB has authority to award restitution, one might ask where the civil money penalties go. The answer is that the payments go into the CFPB’s Civil Penalty Fund. The Civil Penalty Fund can be used to reimburse consumers who were not fully reimbursed by restitution and other monetary relief or, if there are no such consumers (because the CFPB’s restitution order has fully compensated them), to pay for consumer education and financial literacy programs.

7.  Shareholder Notice. A few of the CFPB orders require companies to furnish shareholders a description of the consent orders or the actual orders. This is the exception, however, rather than the rule. 

Fortunately, not every enforcement case involves onerous sanctions. For example, in the first CFPB consent order entered this year, involving alleged RESPA violations, the entire order was only nine pages and included only an order that the respondents refrain from violating RESPA and other federal consumer financial law, pay $27,076 in disgorgement, and pay a civil money penalty of $54,000. Last May, the CFPB filed an action alleging RESPA violations against three respondents in which it ordered them to cease and desist from engaging in real estate settlement services, ordered disgorgement of $118,194, and ordered them to provide a copy of the order to any business related to settlement services that they controlled.  In a case filed in October 2013 for inaccurate reporting under the Home Mortgage Disclosure Act, the CFPB ordered the firm to cease and desist violating the act, to resubmit accurate data, to submit a compliance plan and provide compliance progress reports, and to pay a civil money penalty of $34,000.

We can draw a number of conclusions from the enforcement actions to date even though we are still in the early stages of the CFPB’s enforcement program.

First, to date the CFPB has focused principally on practices it regards as deceptive (especially in the credit card space) or in violation of RESPA (in the mortgage business referral space) or discriminatory, rather than bringing cases based on novel interpretations of the terms “unfair” and “abusive” in the Consumer Financial Protection Act. The major exception is the CFPB’s recent student loan action, which alleges that students were “unfairly” subjected to pressure to take out predatory loans and that the students were misled about their future job prospects.

Second, critics are right that the combination of extraordinarily vague language in the Consumer Financial Protection Act, the unusually expansive monetary relief that the CFPB can impose, and the creation of an agency with only a single Director at the top of the organization and no Congressional budget constraints, poses a danger of government overreach in enforcement cases. That criticism, however, is better directed at Congress than at the agency that is using the authority that Congress granted it.

Third, the CFPB has adopted a number of practices that other enforcement agencies should emulate. For example, when it files an unsettled case, it states in its press release that a mere complaint is “not a finding or ruling that the defendant has actually violated the law.” It does not publish the notice of charges until ten days after the notice is served on the respondents. At least in its early enforcement cases, it is less obsessed with naming individuals when it can obtain full relief by naming a company. With one exception, it has not abandoned the “neither admit nor deny” policy. Rather than seek cease and desist orders and injunctions against future violations of very broad, open-ended statutes, it generally seeks orders related to future violations involving the type of conduct at issue. It often issues bulletins providing guidance to the industry, on a going forward basis, regarding the CFPB’s position on the practices at issue in enforcement proceedings. Finally, it has shown a willingness to allow most (but not all) of the contested cases to be litigated in court rather than before administrative law judges where the CFPB has a number of advantages, including limited discovery rights for a respondent, limited motions practice, short deadlines for a respondent even though the CFPB will have had years to prepare its case, and ultimately an appeal to the same Director who authorized the case to be brought.

Fourth, the CFPB has brought both large and small enforcement cases. For example, it was one of the plaintiffs in a case that resulted in more than $2 billion of relief for underwater borrowers. But it also brought a reporting violation case involving $34,000 in monetary relief.

Fifth, the CFPB uses quite a few people in its examination program and for each enforcement action it brings. Consider the following comparison, which is not apples to apples but is nevertheless instructive because of the size of the disparity. In 2013, the CFPB brought approximately 25 enforcement actions, or roughly two per month. At that time, its Supervision, Enforcement and Fair Lending unit was budgeted to have 563 full-time employees. Assuming it was staffed at the budgeted level, it had roughly 22 full-time employees in the unit for every enforcement case it brought. By comparison, in FY 2013 the SEC brought 686 enforcement actions, or roughly 57 a month. At that time, its Enforcement Division was budgeted to have 1,302 full-time employees and its Compliance Inspections and Examinations Division was budgeted to have 916 full-time employees. Thus, if the two divisions combined were staffed at the budgeted levels, the SEC had roughly 3.2 employees for every enforcement case the SEC brought—or one-seventh as many employees in the relevant divisions per enforcement action. As the CFPB’s enforcement and examination programs continue to evolve, the CFPB is likely to become more efficient, which may result either in the deployment of people elsewhere in the Bureau or the filing of far more enforcement actions. We suspect the latter, especially since the number of employees in the unit is scheduled to increase from 563 in 2013 to 731 in 2014.

Sixth, and most importantly, the CFPB’s approach to restitution often provides a pure windfall rather than damages to consumers. For example, in the credit card add-on product cases, the CFPB seems to take the position that if some consumers may have reasonably misunderstood the product or services that they were buying, then all consumers purchasing the same product or services should get a refund regardless of whether they were misled. That is nothing more than a CFPB-mandated wealth transfer from owners/shareholders to consumers who were not hurt by the alleged misconduct. No consumer financial statute authorizes such a naked wealth transfer. One of the early criticisms of the CFPB (for example, by William Cohan in a September 30, 2010 New York Times opinion piece) was that the agency “gives us all yet another excuse to avoid taking responsibility for our own actions.” By providing a windfall to those who were not harmed by the alleged misconduct, the agency does precisely that. A better approach, but one the CFPB has eschewed except in one case, would be to set up an inexpensive expedited process for consumers to show they were harmed by the conduct at issue and to require reimbursement of those consumers but only those consumers.

Seventh, the CFPB’s approach to civil money penalties is unnecessarily mystifying. There is no reason it cannot do a better job explaining the basis for its penalty determination. The D.C. Circuit, in Rapoport v. SEC, 682 F.3d 98 (D.C. Cir. 2012), held that an agency needs to be consistent in applying its civil money penalty authority. But if the CFPB provides no meaningful information about how it calculates the penalty in its cases, courts will have difficulty determining the bona fides of penalties that are challenged. 

Eighth, in some of the cases the Staff seems to show an almost preternatural belief in the value of massive, detailed, prescriptive governance/process requirements. If massive reliance on process would ensure that there are no future violations, then the tradeoff might be worthwhile. But the reality is that overkill in the process/governance area has a high potential to be distracting, disruptive, and expensive while providing very limited value.

Finally, as is true in securities enforcement cases, almost all of the largest cases brought to date were filed as settled actions. For whatever reason, and firms may choose to settle for many reasons not necessarily tied the merits of a particular case, the largest defendants have chosen to settle even when the settlement terms have been onerous. Whether that trend continues remains to be seen and may depend, in part, on outcomes in cases that are litigated.


In short, the first 35 cases show that the CFPB will be an aggressive enforcer, which is what its backers wanted and expected. It has the luxury of relying on statutes that employ extraordinarily vague language, and it has authority to award “restitution” as well as civil money penalties. Its broad examination authority and 300,000 plus consumer complaints will provide a fertile pipeline for future enforcement actions. One hopes that as its enforcement program evolves and as courts issue decisions in contested cases, it will re-think some of its early positions—by providing fewer windfalls to consumers who were not harmed by the practices at issue, explaining the basis for its civil money penalty determinations, and avoiding overkill in its governance/process demands. At least for now, however, the first 35 cases provide the best window there is into what to expect from the program going forward.

[1] For a comprehensive retrospective on the CFPB’s first year, see “The Consumer Financial Protection Bureau: A First Year Retrospective by K&L Gates,” available at  http://www.klgates.com/files/Publication/31579106-ec83-4716-83bd-3ab8f8948f8e/Presentation/PublicationAttachment/cb3dc625-919b-4f2b-9088-3d9774c692e2/CFPB_Retrospective_Client_Alert.pdf