Have the CFPB’s Recent Rewards for So-Called “Responsible Conduct” Created a New Consideration for Officers and Directors Seeking to Meet Their Fiduciary Duties?
The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) recently entered into several public enforcement settlements that had the collateral effect of emphasizing the importance of the standards provided in the CFPB’s so-called “Responsible Conduct Bulletin,” (the “Conduct Bulletin”).
Considering the potential benefits to a CFPB-regulated of adhering to the Bureau’s articulated “responsible conduct,” the CFPB appears to be raising a significant issue that boards of directors of CFPB-regulated entities should consider with respect to their duty of care to a CFPB-regulated entity—to make informed and reasonable business decisions—as well as their duty of loyalty—to always act in the best interest of the entity and its shareholders. Specifically, if directors and officers of a regulated entity fail to consider the CFPB’s “responsible conduct” guidance, and the regulated entity’s conduct ultimately results in fines and/or reputational damage, such conduct potentially raises an issue as to whether the directors fulfilled their fiduciary duties to the regulated entity. Moreover, taken to the extreme, it could be possible that prudential regulators could use the Conduct Bulletin to impose personal liability under Section 8 of the FDI Act against a director (and, in some cases, an officer) for a breach of fiduciary duty to a depository institution or its holding company.
I. Directors Owe a Fiduciary Duty of Care to Their Entities
Fiduciary duties are derived primarily from common law and specific state laws.
Courts afford broad discretion to officers and directors under the so-called “business judgment rule,” which presumes that directors—and in certain states, officers—make informed decisions, in good faith, and with the belief that the decision was made in the best interest of the business entity.
II. The CFPB’s So-Called Responsible Conduct Bulletin
Through the Conduct Bulletin,
The Conduct Bulletin notes that the CFPB considers a number of general factors in determining whether to proceed with an enforcement action against an entity. These factors include the nature, extent, and severity of the violations; the actual or potential harm resulting from the violations; whether the entity has a history of past violations; and the entity’s effectiveness in addressing any such violations. The Conduct Bulletin further lists four specific factors that the CFPB uses to evaluate whether, in the Bureau’s view, a regulated entity has acted responsibly: (1) self-policing, (2) self-reporting, (3) remediation, and (4) extraordinary cooperation, but this list is not exhaustive. The weight given to each factor by the CFPB will depend on the circumstances of each factual scenario.
According to the CFPB, a regulated entity must be proactive in seeking to prevent violations and detecting violations as early as possible. Self-policing is analogous to self-monitoring. At a minimum, self-policing activity will require an entity to implement a “robust compliance management system appropriate for the size and complexity of a party’s business.” The CFPB acknowledges that self-policing will not always prevent violations, but notes that it should facilitate early detection of potential violations. The appropriateness of an entity’s compliance program will depend on several factors, including whether the entity’s self-monitoring functions previously have been subject to regulatory examination, the pervasiveness of the violation, the method or manner of detecting the violation, and—most notably—whether the entity has a “culture of compliance” that has been instilled from the top of the entity down throughout the organization.
A factor on which the CFPB places “special emphasis” in its analysis of responsible conduct is self-reporting. The CFPB notes that this factor substantially advances the CFPB’s protection of consumers and reduces the resources the agency must expend to identify potential or actual significant violations by making such resources available for other significant matters. This is important because it suggests that it is not necessary to self-report every single violation, but rather only those that might be “significant.”
The Conduct Bulletin provides that the Bureau will consider the steps a regulated entity has taken to remediate an identified violation. Remediation entails a determination of whether consumers who have been harmed by a violation or potential violation have been made whole, and whether the entity has changed its compliance procedures to prevent similar future harm. When analyzing this factor, the CFPB will consider whether the entity has taken action against those responsible for the misconduct, how quickly and effectively the entity identified consumer harm, how consumers were made whole, and whether the entity resolved any incentives for harmful future behavior.
D. Extraordinary Cooperation
The most important but also most challenging factor in the Conduct Bulletin is the requirement for cooperation with the Bureau. The CFPB emphasizes that ordinary cooperation will not suffice, but rather a regulated entity must demonstrate “substantial and material steps above and beyond” the level of responsiveness to the CFPB required by law. The CFPB specifically notes that this factor requires a regulated entity to cooperate promptly and completely, undertake thorough reviews of compliance issues, disclose material information related to the potential law violation not specifically requested by the CFPB, and direct its employees to cooperate with the Bureau. To date, the CFPB has not required the waiver of legal privileges, such as attorney-work product, or the ability to discuss potential disagreements over evidence as an element of cooperation. Such a required waiver is particularly unlikely in light of the significant criticisms garnered by the so-called U.S. Department of Justice (“DOJ”) Thompson Memorandum, in which the DOJ suggested that corporations must waive privileges in order to be deemed cooperative during an investigation.
III. CFPB’s Enforcement Settlements Implementing the Bureau’s Conduct Bulletin
In the context of several enforcement settlements since the Conduct Bulletin was issued, the CFPB has referenced “responsible conduct.” In matters formally resolved, the CFPB has rewarded “responsible conduct” by reducing or eliminating the assessment of civil penalties on a regulated entity. More recently, “responsible conduct” was used to shield the identity of an entity that identified and cooperated with the Bureau with respect to a self-reported violation.
One of the first public settlements involving “responsible conduct” involved an auto lender and its service provider that allegedly violated a consumer financial protection disclosure law and the prohibition against deceptive acts and practices.
The CFPB also relied on tenets of the Conduct Bulletin in two other enforcement settlements. In the first, the CFPB took action against a bank for deceptive marketing and illegal discrimination. While the bank was required to pay civil money penalties of $3.5 million in connection with the deceptive marketing action, the CFPB explained that it would not require penalties for the bank’s discriminatory conduct because the bank self-reported the violation to the CFPB, instituted its own remediation plan to compensate consumers, and cooperated effectively with regulators.
In another settlement, the CFPB suggested that it favorably considered a mortgage lender’s self-reporting, admission of liability, and cooperation throughout the investigation in the agency’s assessment of an $83,000 CMP for a Real Estate Settlement Procedure Act (“RESPA”) violation.
Through recent enforcement actions, the CFPB demonstrated that adherence to its expected “responsible conduct” standards may result in an entity avoiding being named in an enforcement action altogether. Specifically, in three recent settlements, financial institutions were alleged to have violated the RESPA prohibition against kickbacks in real estate transactions, with contrasting results based on the level of “responsible conduct” exhibited by each institution.
IV. Do Directors Have an Obligation to Consider the CFPB Conduct Bulletin?
The consequences imposed on two large banks assessed CMPs apparently for not meeting the CFPB’s “responsible conduct” criteria in addressing a violation of consumer financial laws raises a significant question for CFPB-regulated entities. At the heart of the issue is whether and to what extent the guidelines set forth in the Conduct Bulletin must be considered in evaluating whether a director of regulated entity is satisfying his or her fiduciary duty of care.
The Conduct Bulletin is an attempt by the CFPB to impose regulator-mandated best practices when a violation of consumer law is identified. While the CFPB appears to be seeking a standardized methodology for consumer finance providers to address self-identified violations of law, the voluntary nature of the Conduct Bulletin is different from a mandate to comply with a legal obligation, such as under the Sarbanes-Oxley Act
These recent CFPB enforcement actions demonstrate, however, that there are clear financial and reputational benefits, including reduced penalties and more favorable enforcement outcomes, to satisfying the CFPB criteria set forth in the Conduct Bulletin. Directors’ compliance with the Conduct Bulletin is voluntary; however, directors of a regulated entity should ensure that the regulated entity’s policy for addressing any self-identified consumer protection violations includes consideration of the CFPB’s Conduct Bulletin. Even if directors do not seek to comply fully with the Conduct Bulletin, the existence of a strong and effective compliance program could act to insulate a regulated entity’s board of directors from allegations that the board failed to act in accordance with its fiduciary duty of care vis-à-vis a violation of consumer law. Similarly, even with a meaningful compliance program in place, directors should make a well-informed and well-documented decision about how to address a self-identified consumer law violation, with full knowledge of the possible risks associated with not fully adhering to the guidelines in the Conduct Bulletin.
The strong presumption of the business judgment rule has not been eviscerated by the Conduct Bulletin and remains a doctrine that is not easily rebutted.
V. Action Plan
The broad nature of the Conduct Bulletin—as well as the CFPB’s own statement that there is no “consistent formula” an institution may follow to demonstrate compliance with its guidance—creates significant challenges for regulated entities seeking to adopt “responsible conduct” policies and procedures. Entities subject to CFPB enforcement authority should create an action plan to address each of the components of the Conduct Bulletin to ensure they have, at a minimum, the following:
a compliance system that attempts to meet the CFPB’s description of appropriate self-policing;
a system for prompt and effective remediation of harm caused by potential compliance lapses, as appropriate;
an appropriate policy to document whether identified compliance issues should be self-reported and handled in accordance with the CFPB’s Conduct Bulletin; and
a strategy for appropriately engaging and cooperating with CFPB staff when seeking to apply the Responsible Conduct Bulletin to an identified violation.
A key consideration in crafting such an action plan is the CFPB’s stance that mere compliance with the law and Bureau requests will not be considered favorably in the exercise of the CFPB’s enforcement discretion. Rather, the CFPB expects that an entity must significantly surpass the standards set by law in its compliance systems and engagement with regulators in order to mitigate the consequences of potential violations. Notwithstanding the CFPB’s “responsible conduct” factors set forth in the Conduct Bulletin, the CFPB cannot eliminate the obligations of boards of regulated entities to act only after evaluating and considering their duties of care and loyalty to their regulated entities and their shareholders.
Paul Hastings attorneys are actively working with clients to create policies and procedures to meet the guidelines set forth in the CFPB’s Responsible Business Conduct Bulletin.
Paul Hastings LLP
StayCurrent is published solely for the interests of friends and clients of Paul Hastings LLP and should in no way be relied upon or construed as legal advice. The views expressed in this publication reflect those of the authors and not necessarily the views of Paul Hastings. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions. Paul Hastings is a limited liability partnership. Copyright © 2015 Paul Hastings LLP.