The Consumer Financial Protection Bureau (the Bureau) was created to ensure that financial institutions became more focused on their compliance with federal consumer protection law. In less than three years, the Bureau has succeeded in meeting this goal. However, while the CFPB's enforcement actions and regulations have received the most attention in the media, the heart of the Bureau's success has been in the more prosaic and private work of supervision and examination. This article describes the CFPB's examination authority and activities and the legal issues raised by this new examination legal regime.
CFPB Examination Authority and Process
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), the CFPB has the authority to conduct examinations of: (1) banks, savings associations, and credit unions with assets of over $10 billion ("large depository institutions"); (2) consumer mortgage companies, payday lenders, and private education lenders; (3) any "larger participant" in a market for consumer financial products or services; and (4) anyone who engages in "conduct that poses risks to consumers with regard to the offering or provision of consumer financial products and services." While the first two categories are largely self-explanatory, the identification of "larger participants" and "conduct that that poses risks to consumers" are left to the Bureau's definition.
The examination process to which these financial entities are subject is markedly similar to that of the traditional bank regulators. As the Bureau's Supervision and Examination Manual makes clear, the CFPB will generally:
- provide 30-60 days of notice prior to the on-site examination;
- request documents before, during, and after the examination;
- interview key employees;
- close the examination by providing an examination report accompanied by a compliance rating from one (highest) to five (lowest); and
- communicate supervisory concerns that require correction, and in some cases may form the basis for an enforcement action.
CFPB Supervision and Examination Manual 2.0 (Oct. 31, 2012), available at http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf.
This process is familiar to banks - but quite foreign to many of the nonbanks supervised by the Bureau.
However, the focus of CFPB examinations is quite different from traditional bank examinations. The CFPB's focus is on the consumer experience, rather than safety and soundness. As Director Cordray himself explained:
We have a somewhat different approach here. . . . We are now examining institutions for how they treat consumers. It's not about the institution itself. It's about the impact on consumers. It's almost as though you take your traditional examination mode and you take that examiner and turn them around 180 degrees to look back at the public and how they're affected rather than solely at the potential impact on the institution.
This consumer-centered approach is reflected in the CFPB's Examination Manual, which explains the CFPB "will focus on an institution's ability to detect, prevent, and correct practices that present a significant risk of violating the law and causing consumer harm."
Not only do CFPB examinations have a new focus, but they involve building new relationships between Bureau examinations and the financial institutions they examine. In an ongoing supervisory relationship, both the regulator and the regulated become familiar with each others' policies and processes. Similar relationships will grow over time between CFPB examiners and the financial institutions they supervise. In the meantime, however, most Bureau examinations have started with a blank slate, and therefore may involve questions or criticism of practices that have long been known and accepted by the prudential regulators.
Bureau examinations pose a risk of regulatory overload at financial institutions, which may be required to respond to multiple examinations. The Dodd Frank Act recognized this issue, and requires that the CFPB coordinate its supervisory activities with the supervisory activities of the prudential regulators and the state bank regulatory authorities. Such coordination includes consultation regarding examination schedules, as well as the Bureau's use of existing examination reports and public information "to the fullest extent possible." In keeping with that statutory mandate, the CFPB has entered into a Memorandum of Understanding (MOU) with the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the National Credit Union Administration addressing the coordination requirements of the Dodd-Frank Act. Memorandum of Understanding on Supervisory Coordination (May 16, 2012), available at http://files.consumerfinance.gov/f/201206_CFPB_MOU_Supervisory_Coordination.pdf.
The MOU includes guidelines for the coordination of simultaneous examinations, and processes for inter-agency information sharing, including:
- the designation by the CFPB and prudential regulators of a point of contact for purposes of information sharing and coordination;
- the coordination of supervision of institutions on both an ongoing and point-in-time basis;
- the sharing of drafts of reports of examination and related supervisory information prior to issuing final reports of examination; and
- consideration by the CFPB and the prudential regulators of any concerns raised by the other agency during the covered examination.
If a covered institution prefers, it may request that examinations by the CFPB and prudential regulators be conducted separately. The institution must provide adequate notice regarding its request. Such requests will remain in effect until the next time the CFPB and the applicable prudential regulator plan a simultaneous exam, unless the institution requests a longer time period.
The MOU also provides for the CFPB and bank regulators to separately execute confidentiality MOUs, and that the CFPB and bank regulators will share material supervisory information (including supervisory letters, supervisory actions, reports of exam, and other material supervisory information). However, the MOU also provides that "in accordance with Section 1025(a)(3) of the Dodd-Frank Act, and for purposes of minimizing regulatory burden, the CFPB will, to the fullest extent possible, use reports pertaining to a Covered Institution that have been provided or required to have been provided to a Federal or State agency, and information that has been reported publicly."
Legal Issues in the Examination Process
Unsurprisingly, the Dodd Frank Act did not resolve every legal issue relating to the CFPB's examination authority. One open legal issue is the scope of the CFPB's authority to require the production of documents. The Dodd Frank Act granted the CFPB the authority to "require reports and conduct examinations" on covered entities to "(1) assess compliance with consumer financial laws; (2) obtain information to assess compliance systems or procedures; and (3) detect risks to consumers and markets for consumer financial products or services." This language appears to indicate that the CFPB's authority is limited to documents that bear on consumer financial laws and related concerns.
However, the Bureau has taken the position that it has essentially unlimited access to documents held by a regulated entity. In a January 4, 2012, Guidance Bulletin, the Bureau noted that the Bureau exercises its examination authority only for the "certain purposes" listed above, but explained that those purposes did little to limit its authority:
The supervisory process is based on the supervisor's full and unfettered access to information, and the supervisor is entitled - indeed, duty bound - to ensure that it thoroughly understands the institution in question and has access to all information that, in its independent judgment, may bear on its supervisory responsibilities.
CFPB Bulletin 12-01, The Bureau's Supervision Authority and Treatment of Confidential Supervisory Information (Jan. 4, 2012).
In the same Guidance Bulletin, the Bureau make clear that it alone will determine whether a document request is within its authority:
Once the Bureau has issued a request that it has determined serves one or more purposes, supervised institutions are required to provide all documents and other information responsive to the request. Supervised institutions may not selectively withhold responsive documents based on their judgment that such materials are not necessary to the Bureau's execution of its responsibilities or that other materials would be sufficient to suit the Bureau's needs.
As for any entity that resists a Bureau demand for documents, the Bureau notes:
Failure to provide information required by the Bureau is a violation of law for which the Bureau will pursue all available remedies. See 12 U.S.C. §§ 5536(a)(2), 5565.
A related legal issue was posed by the question of whether documents subject to the attorney-client privilege would remain privileged if they were shared with the CFPB during an examination. The Bureau has consistently taken the position that no such waiver would occur. However, this position was problematic because, inter alia, the CFPB was not included in the provisions of the Federal Deposit Insurance Act (12 U.S.C. §§ 1821(t) and 1828(x)) preserving privilege for materials provided to, or shared among, banking regulators. Indeed, the American Bar Association took the position that the absence of such statutory language left open the prospect of a waiver. See American Bar Association Letter, In Re: Bureau of Consumer Financial Protection Proposed Rule on Confidential Treatment of Privileged Information; Docket No. CFPB-2012-0010; RIN 3170-AA 20, 77 Fed. Reg. 15286 (Mar. 15, 2012), American Bar Association (Apr. 12, 2012).
This risk of waiver was particularly high for nonbank financial institutions. The Bureau's argument for non-waiver relied in part on the Bureau inheriting the non-waiver protection that existed between bank regulators and banks. However, there was no pre-existing waiver protection for the Bureau to inherit when it came to nonbanks.
Any lack of privilege protection for materials submitted to the CFPB also created concerns of inconsistent regulation across financial institutions. Smaller financial institutions were able to continue to share privileged materials with their consumer protection examiner without a risk of waiver, under 12 U.S.C. § 1828(x), while the larger institutions examined by the CFPB faced the uncertainty noted above.
In an effort to resolve the issue, on March 15, 2012, the CFPB issued a proposed rule providing that the submission by any person of information to the Bureau in the course of the Bureau's supervisory or regulatory processes would not waive or otherwise affect any privilege. The proposed rule also clarified that the Bureau's provision of privileged information to another federal or state agency would also not waive any applicable privilege. On July 5, 2012, the CFPB adopted the proposed rule. Nonetheless, concerns regarding the validity of the Bureau's position on privilege waiver remained until December 20, 2012, when President Obama signed legislation that added the CFPB as an enumerated agency under Sections 1821(t) and 1828(x).
However, this privilege waiver legislation did not address the baseline issue of whether the CFPB has the authority to require the production of privileged documents. The ABA letter noted above questioned the CFPB's assertion that it and the prudential regulators could require production of privileged documents. The letter also noted that although banks often produce privileged materials to banking agencies, "the ABA is not aware of any reported Federal appellate court case holding that Federal banking regulators - or any other Federal agencies - can require production of privileged materials, nor do the Federal banking statutes contain such authority." For its part, the Bureau continues to adhere to the position that it can compel privileged information pursuant to its supervisory authority.
While some have raised concerns that the CFPB will view the newly enacted privilege protections as an invitation to request privileged materials, the Bureau has made repeated assurances that it will take a careful approach to requesting privileged materials, including that it will:
- request privileged materials only when the underlying "information is material to its supervisory objectives" and only when it "cannot practicably obtain the same information from non-privileged sources;
- give "due consideration" to any "request to limit the form and scope of any supervisory request for privileged information;
- make only "supervisory requests" for privileged information to advance only "supervisory objectives," meaning that requests for privileged materials will not be made in enforcement contexts; and
- "not routinely share confidential supervisory information with agencies that are not engaged in supervision" and that it will "only in very limited circumstances" share such information "with law enforcement agencies, including State Attorneys General." Confidential Treatment of Privileged Information at 39619-21.
Going forward, the CFPB should also clarify unresolved questions, including
- when, if ever, it will request privileged materials reflecting the advice or work product of outside counsel in an adversarial proceeding, such as civil litigation; and
- when, if ever, it will seek materials relating to self-testing by supervised institutions.
There are additional reasons for the CFPB to consider limiting its requests for privileged material. First, the attorney-client privilege (and work-product protections) are designed to encourage institutions from seeking legal advice. Frequent requests by the CFPB for privileged materials could chill institutions from seeking the guidance of counsel, to the detriment of the institutions and consumers alike. Second, any overreaching by the CFPB with respect to privileged materials could lead to litigation that would force a court to decide whether the CFPB may compel the production of such materials.
Finally, the CFPB's examinations have also diverged from traditional bank examinations by including enforcement attorneys. While this practice is apparently intended to increase the agency's efficiency (by allowing examiners to understand the role of enforcement, and enforcement attorneys to understand the examination process), it has raised concerns that the presence of enforcement attorneys will have a chilling effect on the supervisory process by causing institutions to be less willing to share information freely with the agency.
In November of 2012, the CFPB Ombudsman noted concerns with this practice in its first annual report, and recommended that (1) the CFPB review implementation of the policy; and (2) until that review is complete, the CFPB should establish ways to clarify the Enforcement Attorney role in practice at the supervisory examination. To date, the CFPB has not responded to the report's recommendations.
The CFPB's examination authority has already succeeded in sharpening the focus of financial institutions on their compliance with consumer law. Indeed, that improvement has often occurred well before the CFPB examiners arrive, as banks and others subject to this new examination authority have re-examined their policies and procedures in an effort to anticipate any potential concerns. While the first few rounds of examinations have identified legal issues and the need for better communication and coordination, they have also begun the process of building constructive, long-term relationships between financial institutions and their new regulator.