Earlier this week, the Consumer Financial Protection Bureau (CFPB) issued CFPB Bulletin 2013-06 (the Bulletin), entitled Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation. The Bulletin identifies four categories of “responsible conduct” on the part of potential targets of enforcement action by the CFPB that may “favorably affect the ultimate resolution” of that enforcement action:
Proactive Self-Policing for Potential Violations, which focuses on self-monitoring and self-auditing through an institution’s compliance systems, and will involve an assessment of the nature, scope and significant of the violation; how the violation was detected; how the institution’s compliance systems match with current regulatory expectations and how well they reflect past supervisory recommendations; and the institution’s “culture of compliance.”
Prompt Self-Reporting of Potential Violations, which focuses on the completeness, effectiveness and timeliness of the disclosure to the CFPB, including the extent to which the disclosure was truly voluntary or motivated by other disclosure requirements or the likelihood of discovery by the CFPB or other parties. The Bulletin notes that the CFPB views self-reporting to be a “special” factor, both because it “represents concrete evidence of a party’s commitment to responsibly address the conduct at issue” and because it “reduc[es] the resources [the CFPB] must expend to identify potential or actual violations.”
Quick and Complete Remediation of any Resulting Harm, which includes redress to affected consumers, implementation of measures to prevent violations from occurring in the future, and potential consequences for individuals responsible for any violations. The CFPB’s assessment of this factor will include consideration of the timeliness and effectiveness of the remediation, the institution’s documentation of information related to the violations, and the CFPB’s confidence that misconduct is unlikely to recur.
Affirmative Cooperation with any CFPB Investigation, which requires “substantial and material steps above and beyond what the law requires,” including complete and prompt cooperation throughout the investigation; a thorough and objective internal review of any violations, with full reporting to the CFPB; provision of precise and specific information of all material information, including information not requested by the CFPB and information about other potential targets; and encouragement of employee cooperation with the CFPB.
These four categories of responsible conduct mirror factors the SEC (in its Seaboard Report) and the OCC (in its Enforcement Action Policy) have mentioned as relevant to their enforcement decisions.
The Bulletin indicates that the CFPB may reward such “responsible conduct” with various types of favorable treatment, including: (i) resolution of an investigation with no public enforcement action; (ii) treatment of subject conduct as a less severe type of violation; (iii) reduction in the number of violations pursued; or (iv) reduction in sanctions or penalties sought. However, the Bulletin notes there is no consistent formula that can be applied to the crediting of responsible conduct, and that satisfaction of some or all of the factors will not bar the CFPB from bringing any enforcement action or pursuing any remedy it believes appropriate in a given case. The Bulletin also states that there may be misconduct so egregious or harm so great that enforcement actions or penalties cannot be mitigated. Therefore, while the Bulletin provides useful guidance to companies who have uncovered possible violations or who are facing potential enforcement action (including factors to discuss in submissions under the CFPB’s Notice and Opportunity to Respond and Advise (NORA) process), it is not clear how the CFPB will actually apply these factors in exercising its enforcement discretion in a given action.