The Consumer Financial Protection Bureau (“CFPB”) was created to enforce the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank”) and various consumer finance laws (e.g., Equal Credit Opportunity Act, Fair Credit Reporting Act, Fair Debt Collection Practices Act, Home Mortgage Disclosure Act of 1975, and Truth in Lending Act).2
The CFPB has authority over any “covered person,” which is defined as “any person [or entity] that engages in offering or providing a consumer financial product or service.”3 CFPB is authorized to prevent a “covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with any transaction with a consumer for a consumer financial product or service.”4 “Financial product or service” is broadly defined as any of the following:5
Extending credit and servicing loans;
Extending or brokering certain leases of personal or real property;
Providing certain real estate settlement services or appraisals of real or personal property;
Engaging in deposit-taking activities, transmitting or exchanging funds, or acting as a custodian of funds or any financial instrument for use by a consumer;
Selling, providing, or issuing certain stored value or payment instruments;
Providing check cashing, collection, or guaranty services;
Providing payment or other financial data processing products or services to a consumer by any technological means;
Providing financial advisory services;
Collecting, analyzing, maintaining, or providing consumer report information;
Collecting debt related to any consumer financial product or service; and
Such other financial product or service as may be defined by the CFPB.
This article provides an overview of the CID process, what to expect when you receive a CID, and tips for responding to a CID.
I. Overview of CID Requests:
As mentioned above, the CFPB may issue a CID requiring a recipient to:
The CFPB has exclusive supervisory authority over depository institutions and credit unions with over $10 billion in assets, including their subsidiaries, affiliates, and service providers.6 Additionally, the CFPB has authority over service providers to smaller depository institutions and may send examiners “on a sampling basis” to those smaller institutions in order to “assess compliance with the requirements of Federal consumer financial law.”7
If the CFPB has reason to believe that a person or entity is in possession, custody, or control of documents or tangible things, or other relevant information related to an alleged violation, the CFPB may issue that person or entity a civil investigative demand (“CID”), requiring the production of certain documents and/or information.8
Produce documents for inspection, copying, or reproduction in the form requested;
Submit requested tangible items;
Submit written reports or answers to questions;
Provide oral testimony concerning documentary material, tangible things, or other information; or
Furnish any combination of material, answers, or testimony.9
The CFPB is required to describe the “class” of documents, reports, tangible things, or information “with such definiteness and certainty as to permit such material to be fairly identified[.]”10 The CID will also provide the deadline by which the recipient must comply in providing the requested documents and information. Although the regulations require that the CFPB provide a “reasonable period of time” for compliance, the return date is usually relatively short. Therefore, the recipient must begin steps to respond to the CID immediately upon receipt.
Request for Documents or Other Tangible Things:
A CID requesting the production or inspection of documents requires the recipient to locate and produce documents relevant or “responsive” to a particular topic or subject matter. Generally, the CFPB words document requests broadly in order to capture the greatest number of potentially relevant documents. For example, document requests may ask for documents “related to” or “concerning” a particular topic. In addition, the CID will generally require the production of relevant hard copy documents as well as those maintained in electronic form.
Request for Written Reports or Answers to Questions:
A CID that requests a report generally seeks a compilation of certain data or other information from the recipient. This may require the recipient to gather data and information that it has in its possession (electronic or otherwise) and convert it into a new format, such as an electronic table, for the CFPB’s later use. Depending on the scope of the request, the manner in which the data is kept in the ordinary course of business, and the amount of data involved, a request for a report can involve a significant amount of time.
A request for answers to questions is similar to an interrogatory in civil litigation. That is, the CFPB issues written questions that the recipient must respond to in writing. Among other things, the requests generally ask the recipient to describe its business practices that the CFPB is investigating. Often, before a recipient can fully respond to such a request, the recipient must conduct interviews of key personnel and gather relevant information, which can be time intensive.
Request to Provide Oral Testimony:
In some instances, a CID may request the recipient to provide oral testimony. Depending on the request, the testimony may be provided by means of an informal interview or through more formal means, like a deposition. Regardless of the form, the CFPB will have the opportunity to ask the recipient oral questions and obtain oral responses from the recipient, which responses may be recorded or transcribed.
Certificate of Compliance:
Every response to a CID must be made under a sworn certificate, by the recipient if a natural person or, if an entity, then by the entity’s representative with knowledge related to the facts and circumstances surrounding the production, stating that the recipient is providing all material required by the CID that is in the recipient’s possession, custody, or control. 11
II. Responding to a CID:
Contact Your Lawyer:
Except in extremely rare instances, the first thing a recipient should do upon receiving a CID is contact their lawyer. A lawyer familiar with the CFPB and the CID process can help guide the recipient through the process and assist in developing an appropriate response to protect the recipient’s interests. The later an attorney is brought into the process, however, the more difficult it is for them to assist the recipient effectively, so this should be done as soon as practicable upon receipt of the CID.
Determine the Nature and Scope of the CID:
Next, it is important to identify the nature and scope of the requests. For instance, it is useful to try to identify what the CFPB is investigating (e.g., the type of alleged offense, the consumers involved, the business practices at issue, and whether the issue is isolated or ongoing). Doing so will help guide your internal investigation and response. Among other things, identifying what the CFPB is probing will help identify possible custodians (or people who may have relevant information or documents), sources of relevant information, and locations where relevant documents may be located. In addition, identifying the nature and scope of the CID at the early stages will help inform whether the recipient is capable of gathering relevant information and documents on its own or whether outside assistance may be necessary (e.g. IT vendors). Further, the earlier the true nature and scope of the CID is identified and, more specifically, what the CFPB is investigating, the sooner the recipient can begin formulating a strategy not only to respond to the CID, but also to prepare a defense and institute necessary remedial measures.
Develop and Implement a Hold:
Once the nature and scope of the CID has been determined, the recipient should immediately develop and issue a “litigation hold” related to all of the documents and information that may be relevant to the subject matter of the CID. The litigation hold should be issued to all personnel who may have relevant documents and information and should instruct those individuals to preserve (and expressly not to destroy) all documents, text messages, e-mails, etc., related to the CID, regardless of where or how they are kept (in hard copy or in electronic form). Further, the litigation hold should set forth not only the subject matter of the documents and information at issue, but also provide more specific examples of the types of documents and information that might exist and should be preserved. In addition, all auto destruction processes (such as systems permitting the overwriting of e-mails and other electronic documents or information) should be halted to ensure that no relevant documents and information are inadvertently destroyed.
Communicate with the CFPB:
The recipient’s next step is to communicate with the CFPB about a CID and, more importantly, the recipient’s response thereto. Communicating with the CFPB is not only important, it is required. That is, the regulations require that a recipient “meet and confer” with the CFPB within 10 days of receiving the CID.12 The recipient must “make available at the meeting personnel with the knowledge necessary to resolve any issues relevant to compliance with the demand.”13 As such, the recipient should consider including personnel with knowledge related to the (i) substantive issues being investigated by the CFPB; (ii) recipient’s records managements system (including electronically stored information); and (iii) the recipient’s organizational structure.14 It is important to involve all of these relevant personnel in the “meet and confer” process, because failure to do so may be viewed by the CFPB as a failure to “meaningfully engage” in the process, preventing later challenges to the CID and investigation.15
In addition to providing an opportunity for the CFPB to ensure the recipient’s ability to comply with the CID, the conference also provides the recipient an opportunity to discuss the nature and scope of the CID, as well as to make any objections the recipient has (burdensome, vagueness, statutory, constitutional, etc.). A failure to object to the requests at the “meet and confer” may be deemed a waiver, if the recipient later attempts to challenge the CID. Consequently, it is important that the recipient have a thorough understanding of the nature and scope of the requests, as well as any possible challenges or difficulties the recipient may have in collecting and producing the requested documents and information prior to the meet and confer.
A key issue is often the scope and burden (both time and expense) related to collecting and producing electronically stored information (“ESI”), such as electronic documents and communications. Thus, the recipient should take this opportunity to discuss those issues at the meet and confer. If the recipient is concerned that it cannot comply with the CID by the deadline, then a request for an extension should also be discussed at the conference. However, requests for modifications or extensions of time are not automatically granted and, by rule, are disfavored.16 As a compromise, the recipient should consider requesting the opportunity to produce documents on a “rolling basis” as the relevant documents are collected.
Decide whether to Petition for Modification or to Set Aside the CID:
If the recipient believes the CID is objectionable in that it violates a provision of 12 U.S.C. § 5562, or a constitutional or other right or privilege, the recipient may file a petition for an order modifying or setting aside the CID.17 The petition must be filed no later than 20 days from the date of service of the CID or any time prior to the response deadline, whichever is earlier.18
A petition must “set forth all factual and legal objections to the [CID], including all appropriate arguments, affidavits, and other supporting documentation.”19 The petition must be signed by the attorney for the recipient who is objecting to the CID.20 In addition, the petition must contain a signed statement that the recipient met with CFPB counsel and made a good faith effort to resolve the objections prior to filing the petition.21 The purpose of that certification is to assist the CFPB in determining whether the recipient waived any objections by failing to raise them during the “meet and confer” process.22 Filing a petition has the effect of staying the recipient’s response obligations while the petition is pending.23
Before filing a petition, however, careful consideration of the possible ramifications should be considered. For instance, the Director of the CFPB reviews and issues decisions on petitions, which decisions and related petitions may be published for the public to view, absent a showing of “good cause” as to why they should not be published.24 If the issues the CFPB is investigating are sensitive and could have an overly negative effect on the recipient if the public learns of the investigation, then the recipient may not want to petition for a modification of the CID. On the other hand, failing to petition for a modification or set aside could have severe repercussions as well. For instance, failing to object to the CID may be considered a waiver if the CFPB later files an action to enforce the CID. Further, a petition may be necessary if the recipient and the CFPB are unable to resolve legitimate disputes during the “meet and confer” process.
If a petition is filed, the Director of CFPB has authority to rule on it.25 Based on the published petitions, the petitions generally take several months to decide. In the meantime, although the recipient’s response obligations are stayed, the recipient should consider taking the time to voluntarily produce documents not subject to the petition and continue negotiating with the CFPB regarding the remaining issues. Cooperation often goes a long way.
Gather Requested Information and Documents:
In order to respond to the CID, the recipient must be able to identify all of the possible custodians or personnel who may have relevant documents or information. Each of those custodians must be interviewed to determine if they possess relevant information. Once relevant documents or information is identified then that information should be collected.
The method for collecting the information depends on a number of factors, including how the information is stored (e.g., personal knowledge, electronic form, or hard copy) and what the CID requests (e.g., written response or production of documents). For instance, if the information is simply possessed as personal knowledge by a custodian, then an internal interview of that custodian will be necessary to gather the information for later use in a response to a request for a written response. If, on the other hand, there is information stored in documents, then all electronic and hard copy documents containing that information must be collected. That may involve searching computer servers, e-mail systems, and other electronically-stored media. Regardless of the information or documents requested and how they are stored, the process to collect the information and documents must be thoughtful and thorough to ensure a comprehensive collection.
It is important to remember that depending on the size of the recipient’s company and the scope of the CID, the collection process may take a significant amount of time and effort. As a consequence, the recipient should ensure that the collection process begins as early as possible.
Provide the Response:
Once the recipient has gathered all relevant and responsive information requested by the CID, it must prepare the actual response for submission to the CFPB. As an initial matter, it is important to make sure that the response is timely and complies with applicable deadlines required by the CFPB. In addition, the production should comply with the CFPB’s “Document Submission Standards” (“DSS”), which sets forth the way in which electronic information should be produced (.pdf format, native, etc.). It is important to review these requirements early on in the process—long before the response deadline—to ensure the ability to comply with the DSS. For instance, small companies, without robust IT departments, may need to retain the services of an IT vendor early in the response process to help gather and produce documents and information in the required format. In addition to providing responsive documents and information, the recipient is also required to provide a detailed privilege log of all documents withheld, which log must contain (i) the type, subject matter, and date of the document; (ii) the names, addresses, positions, and organizations of all authors and recipients of the document; (iii) the grounds for claiming privilege; and (iv) the request to which the document is responsive.26
When responding to a CID, it is important to remember that the CFPB has wide discretion in how it pursues and prosecutes alleged violations. In exercising that discretion, the CFPB may consider the recipient’s level of cooperation in the bureau’s investigation.27 However, to receive favorable consideration for cooperation, the recipient’s level of cooperation “must substantially exceed the standard of what is required by law in its interactions with the [CFPB]. 28 Assuming the recipient meets that high burden, the CFPB can mitigate its actions against the recipient through a range of actions, such as resolving the investigation “with no public enforcement action, treat the conduct as a less severe type of violation, reduce the number of violations pursued, or reduce the sanctions or penalties sought by the [CFPB].”29
On the other hand, if a recipient fails to provide the CFPB with all requested information and otherwise fails to cooperate with the investigation, the CFPB will likely react harshly to that behavior. In addition to levying harsher penalties, the CFPB may also file an action in federal district court seeking an order compelling the recipient’s compliance.30 Such action may have additional consequences to the recipient in terms of negative publicity and cost of dealing with the investigation. Because the way a recipient ultimately responds to a CID can have a significant impact on the way the CFPB resolves the matter, thorough effort and thought should be given to coordinating an appropriate response.
2 12 U.S.C. § 5481(12)(A)–(R)
3 12 U.S.C. § 5481(6)
4 12 U.S.C. § 5531(a).
5 12 U.S.C. § 5481(15)(i)–(x).
6 12 U.S.C. § 5515(a)(1), (2)
7 12 U.S.C. § 5515.
8 12 U.S.C. § 5562(c); 12 C.F.R. § 1080.6(a).
9 12 U.S.C. § 5562(c)(1)(A)–(E); 12 C.F.R. § 1080(a)(1)–(4).
10 12 U.S.C. § 1080(a)(1)–(4).
11 12 U.S.C. § 5562(c)(10)--(13); 12 C.F.R. § 1080.6(a)(1)--(4)
12 12 C.F.R. § 1080.6(c).
13 12 C.F.R. § 1080.6(c)(1).
14 12 C.F.R. § 1080.6(c)(1),(2).
15 12 C.F.R. § 1080.6(c)(3).
16 12 C.F.R. 1080.6(e)(2).
17 12 U.S.C. § 5562(f)(1); 12 C.F.R. § 1080.6(e).
19 12 C.F.R. § 1080.6(e).
21 12 C.F.R. § 1080.6(e)(1).
22 12 C.F.R. § 1080.6(c)(3).
23 12 C.F.R. § 1080.6(f).
24 12 C.F.R. § 1080.6(g).
25 12 C.F.R. § 1080.6(e)(4).
26 12 C.F.R. § 1080.8.
27 CFPB Bulletin 2013-06, Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation,and Cooperation, June 25, 2013, available at http://files.consumerfinance.gov/f/201306_cfpb_bulletin_responsible-conduct.pdf.
30 12 U.S.C. § 5562(e)(1).