chevron-down Created with Sketch Beta.


Saber-Rattling or Fair Warning: CFPB Director Rohit Chopra Signals Intent to Bring Enforcement Actions Against Executives and Employees of Large Banks

John R. Coleman

Saber-Rattling or Fair Warning: CFPB Director Rohit Chopra Signals Intent to Bring Enforcement Actions Against Executives and Employees of Large Banks

The Consumer Financial Protection Bureau (CFPB) has never brought a claim against an executive, officer, or managerial employee of a large bank alleging that the individual participated in unlawful conduct. Over a quarter of the CFPB’s more than 300 public enforcement actions to date have included claims against individuals. Almost without exception, however, these cases involve small entities—typically those operating on the fringes of the consumer financial services market.

This may be about to change. CFPB Director Rohit Chopra has long been critical of the perceived practice—both at the Federal Trade Commission (FTC) and at the CFPB—of bringing claims against individuals only when associated with small entities, and he has repeatedly expressed his commitment to name individual officers and employees who are alleged to have directed or participated in unlawful conduct at larger institutions. As an FTC Commissioner, he dissented from the decision to settle with a large technology company, in part, because he believed the FTC should have investigated whether the company’s executives violated the law. As he said at the time, “it is appropriate to charge officers and directors personally when there is reason to believe that they have meaningfully participated in unlawful conduct, or negligently turned a blind eye toward their subordinates doing the same.” In congressional testimony soon after taking over at the CFPB, he expressed his “commitment that when it comes to large financial institutions, if there is evidence to suggest that individuals were involved in directing lawbreaking, we will look to determine whether to name them.” And in subsequent remarks accompanying a report on overdraft practices, he stated that  the agency will “seek to uncover the individuals who directed any illegal conduct.”

Institutions and their executives who prepare now for this apparent shift in CFPB enforcement policy will be best positioned to avoid becoming subject to such investigations or to mitigate, to the greatest extent possible, the negative consequences of such investigations.

The CFPB’s Authority to Name Individuals for Violations of Federal Law

Although naming the executives of large banks would be a departure from past practice, the legal authority the CFPB would rely upon has not changed. An examination of past actions is therefore instructive of what claims the CFPB is likely—and not likely—to bring against bank officials.

The Enforcement Framework

The CFPB has broad authority to bring a civil action against any “person” alleged to have violated “Federal consumer financial law,” and to seek “any appropriate legal or equitable relief,” including consumer redress, broad injunctive relief (including industry bans), and civil money penalties topping out at over $1 million for each day that a violation continues. The CFPB also has authority to bring administrative proceedings against those it believes have violated the law and may seek the same remedies available to it in judicial proceedings. Although the CFPB has rarely brought contested administrative proceedings in the past, more may be on the horizon: the CFPB recently amended the procedural flexibility.”

The alleged violations the CFPB has pursued to date against individuals fall into three buckets: (1) violations of laws that existed when Congress enacted the CFPB’s organic statute, the Consumer Financial Protection Act of 2010 (CFPA), and that the newly created agency was authorized to enforce; (2) direct violations of the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices (UDAAPs) by individuals who are “covered persons,” “related persons,” or “service providers” directly subject to the prohibition; and (3) violations of the CFPA’s prohibition on knowingly or recklessly providing “substantial assistance” to those engaged in UDAAPs. For reasons discussed below, claims against executives and officers of large banks are most likely to fall into the third bucket.

Violations of Preexisting Laws – the Alphabet Soup

When Congress enacted the CFPA, it authorized the CFPB to enforce a body of existing laws (known as “enumerated consumer laws”), as well as certain preexisting rules promulgated by the FTC, against any “person” subject to its authority. These laws include the Truth In Lending Act (TILA), the Real Estate Settlement Procedures Act (RESPA), the Fair Debt Collection Practices Act (FDCPA), and the FTC’s Telemarketing Sales Rule (TSR).

Many of the prohibitions contained in these laws apply only to “persons” (including both natural individuals and artificial entities) engaged in specifically defined conduct. For example, many of the provisions of TILA apply only to “creditors,” the FDCPA applies generally only to “debt collectors,” and most provisions of the TSR apply only to “sellers” or “telemarketers.” The CFPB has brought claims against individuals for violating each of these laws, premised on allegations that their conduct satisfies the defined term. However, executives and officers of large banks are unlikely to engage in conduct that satisfies these definitions; it would be very unlikely, for example, for the Bureau to allege (or a court to hold) that an individual bank executive—as opposed to the bank itself—is a “creditor” for purposes of TILA.

The CFPB has also brought claims against individuals for violating provisions of these laws that apply generally to “persons,” but proscribe very specific conduct. For example, the CFPB has brought claims against individuals for violating RESPA’s prohibition on giving or receiving kickbacks in exchange for the referral of real estate settlement service business, the Fair Credit Reporting Act’s prohibition on obtaining consumer reports without a permissible purpose, and TILA’s prohibition on paying loan originators compensation that varies with the terms of a mortgage loan. Even if such conduct occurs at a large bank, the scale of such organizations makes it unlikely that top executives will be directly involved.

Accordingly, while not impossible, it is unlikely that an executive of a large bank will become subject to a claim for violating one of the enumerated consumer laws.

Direct Liability for UDAAPs— Uneven Treatment of Bank and Non-Bank Officials

The CFPA makes it unlawful for a “covered person” or “service provider” “to engage in any unfair, deceptive, or abusive act or practice.” Given its breadth and flexibility, the UDAAP prohibition is a staple of CFPB enforcement actions, and the claim most frequently asserted against both institutions and individuals. It only applies to a “covered person”—defined as “any person that engages in offering or providing a consumer financial product or service”— or a “service provider”—defined generally  as a person who “provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” The CFPB has only rarely alleged that an individual directly satisfies one of these definitions.

Instead, the CFPB has relied on a curious provision of the CFPA that defines the  term “related person” and deems it “to mean a covered person for all purposes of any provision of Federal consumer financial law.” Courts have held that this provision allows the CFPB to enforce the UDAAP prohibition against any “related person.”  A “related person” who can be directly liable for engaging in UDAAPs includes: (1) “any director, officer, or employee charged with managerial responsibility for, or controlling shareholder of, or agent for” a covered person; (2) “any shareholder, consultant, joint venture partner, or other person, as determined by the Bureau (by rule or on a case-by-case basis) who materially participates in the conduct of the affairs of” a covered person; and (3) “any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in any violation” of law or breach of a fiduciary duty at a covered person.

The CFPB has brought dozens of actions against individuals alleged to be “related persons” who have engaged in UDAAPs. But the CFPA does not permit the CFPB to use this authority with respect to bank officials. By its terms, the “related person” definition does not apply with respect to individuals associated with a bank holding company, credit union, or depository institution.

Substantial Assistance Liability— Aiding and Abetting UDAAPs

Given the limitations described above, if the CFPB pursues actions against individual bank officials, it will likely rely on a provision that makes it unlawful for “any person to knowingly or recklessly provide substantial assistance to a covered person or service provider in violation of the provisions of [the UDAAP prohibition], or any rule or order issued thereunder.” A person deemed to have violated this provision “shall be deemed to be in violation [of the UDAAP prohibition] to the same extent as the person to whom such assistance is provided.”

This “substantial assistance” provision is similar to a provision in the Securities and Exchange Act of 1934, and courts have looked to precedent regarding the Exchange Act’s provision when interpreting the CFPA’s substantial assistance prohibition.  Consistent with this precedent, courts have identified three elements to a substantial assistance claim:

(1) a primary violation of the UDAAP prohibition; (2) required scienter— knowledge or, at a minimum, recklessness regarding the UDAAP; and (3) substantial assistance.

The first element is often, though not always, a separate claim in the same case, and therefore courts will often have addressed that element, in substance, before actually turning to the substantial assistance claim.  With respect to the minimum standard of scienter, reckless conduct is not “mere negligence” but consists of “conduct that is highly unreasonable and represents an extreme departure from the standards of ordinary care.”  Precedent interpreting the parallel provision of the Exchange Act suggests that the government need not prove that individuals were aware of a legal violation, but that they were generally aware of their “overall role in the primary violator’s scheme.”  

Substantial assistance can take many forms. Courts have held that the government is not required to prove that the defendant was the proximate cause of the harm. Rather, the government must prove “that the aider and abettor in some sort associated himself with the venture, that he participated in it as something he wished to bring about, and that he sought by his action to make it succeed.” The burdens to prove scienter and substantial assistance are related such that evidence of a higher degreeof knowledge will require less substantial assistance and vice versa.

Although untested, the CFPB could attempt to rely on this authority to bring cases alleging that bank executives, for example, directed or approved deceptive marketing, failed to direct subordinate staff to rectify systems or technological issues that they knew (or should have known) were causing consumers substantial injury, or directed or consciously permitted unfair, deceptive, or abusive debt collection practices. In addition, because the provision applies not just to the UDAAP provision itself but also to “orders issued thereunder,” the CFPB could seek to employ it to address individuals’ role in an institution’s alleged noncompliance with a prior CFPB consent order issued under the UDAAP provision.

Such claims would break new ground, but Director Chopra’s public statements suggest that the CFPB will be actively investigating individuals at large institutions, including large banks. Given the prevalence of UDAAP claims generally, the substantial assistance prohibition is a likely hook for such investigations.

Some Practical Considerations

Strong Compliance Program

Executives, directors, and employees of large companies subject to the CFPB’s authority should take steps to avoid possible enforcement actions by supporting, in tone and in substance, a strong compliance program. This includes not only the adoption of appropriate policies, but management’s commitment of the resources necessary to see that such policies are followed. Although corporate violations of Federal consumer financial law may still occur, the CFPB is less likely to pursue an individual executive, director, or employee if those individuals have devoted the appropriate time and attention to compliance matters—when they have not themselves engaged in wrongdoing and have not, to quote Director Chopra, “turned a blind eye toward their subordinates doing the same.”

Proactive Measures

To the extent an institution does engage in violations of Federal consumer financial law, including the UDAAP prohibition, the CFPB is also likely to consider the factors set forth in its Responsible Business Conduct Bulletin when determining whether to charge individuals. This Bulletin encourages institutions to continually assess their compliance with Federal consumer financial law, proactively report any violations to the CFPB, proactively address and remediate violations of law, and cooperate with any CFPB examination or investigation of the conduct. Although the Bulletin does not specifically mention individual liability, it does state that responsible business conduct will be given positive consideration in the exercise of the Bureau’s enforcement discretion, which certainly includes the discretion to name individual executives, directors, and employees—or not.

Review Indemnification Policies

Taking these steps will likely significantly decrease the risk that the CFPB pursue an individual in connection with a large institution’s alleged violation of Federal consumer financial law, but there are no guarantees. Accordingly, institutions should take the practical steps to prepare for and address any potential action against an individual executive, director, or employee. This includes reviewing the institution’s policies regarding indemnification of individuals, and related insurance policies.

According to OCC regulations for national banks and federal thrifts, governing state law may permit or require indemnification “for damages and expenses, including the advancement of expenses and legal fees,” that an individual executive, director, or employee may incur in relation to a CFPB enforcement action, as well as insurance policies covering these expenses.  Note in this respect that while CFPB settlements with individuals generally prohibit indemnification of any civil money penalty as a negotiated term, Federal consumer financial law does not provide the Bureau with express authority to prohibit indemnification payments by rule.

Separate Counsel

Finally, institutions that are under investigation, and their attorneys, should be mindful from the start of the role of specific officers, directors, or employees in the conduct under investigation, to assess whether the CFPB could potentially seek to hold any individuals personally liable. At some point, it may become necessary or prudent to obtain separate counsel for these individuals. Factors to consider in this respect include whether the CFPB has indicated any interest in the individual, the potential consequences of individual liability, and any potential conflicts of interest between the individual and the institution. Even if there is no apparent conflict of interest between the individual and the institution, it may be beneficial to engage separate counsel to ensure that the individual’s recollections regarding the events at issue are accurate and comprehensive.

This article was prepared by the Business Law Section's Banking Law Committee.