Skip Page Banner  
Skip Navigation

The Identity Crisis at the Consumer Financial Protection Bureau

Tuesday, January 15, 2013

By Ronald L. Rubin,Hunton & Williams LLP

Like many youths, the Consumer Financial Protection Bureau's Supervision, Enforcement & Fair Lending Division doesn't quite know who (or what) it is.

One of Professor (now Senator) Elizabeth Warren's primary justifications for creating the CFPB (the “Bureau”) was that a new government agency with both supervisory authority and strong enforcement powers was necessary to enforce the federal consumer financial laws. On July 21, 2010, enactment of the Dodd-Frank Act and its Title X, the Consumer Financial Protection Act (CFPA),1 made such an agency possible. During the next year, as Special Assistant to the President and de facto head of the agency-under-construction, Warren frequently emphasized the Bureau's dual supervision-enforcement capabilities. At her now-legendary all-hands meetings, she inspired and energized employees with exultant statements like “there is now going to be a cop on the beat that has teeth!”

Nothing in the CFPA mandated that the supervisory and enforcement functions be housed together in one division within the Bureau, but Warren believed that doing so was optimal. Therefore, her organizational structure for the CFPB placed the Office of Supervision (“Supervision”) and the Office of Enforcement (“Enforcement”) together in the Supervision, Enforcement & Fair Lending Division (SEFL). SEFL now employs hundreds of professionals, many of whom are lawyers, making it the Bureau's largest division. However, it takes far more than lines on an organization chart to create the synergies that Warren envisioned. It is critical that Supervision and Enforcement figure out how to effectively complement each other. If they do not, their combination could actually prove counterproductive, and the division could end up being far less than the sum of its parts. SEFL's lack of self-awareness during the early stages of its development has created the risk of just such an unintended result.

SEFL's metaphorical mother is the collection of banking oversight agencies known as the Prudential Regulators, and its metaphorical father is the Federal Trade Commission's Bureau of Consumer Protection (FTC-BCP). The division's identity crisis stems from its failure to realize that, from an organizational perspective, its mix of traits makes it more closely resemble its first cousin, the Securities and Exchange Commission (SEC), than either of its parents. Despite the CFPB's organization chart, SEFL's current operational model is, in practice, two models functioning in tandem — the Prudential Regulators' “examination model” and the FTC-BCP's “litigation model.” To truly fulfill its potential, SEFL must adopt a more unified model that more closely resembles, and perhaps improves upon, that of the SEC.

SEFL's Mother — The Prudential Regulators

Because many of the laws under the CFPB's jurisdiction are banking laws, the first major influence on SEFL's operational model was the collection of regulators of deposit-taking institutions (i.e., banks) — the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the now-defunct Office of Thrift Supervision — commonly referred to as the Prudential Regulators. Most of the first managers in Supervision came from the Prudential Regulators or state banking regulators, as did many of Supervision's earliest examiners.

The Prudential Regulators exercise sweeping oversight of depository institutions based on the regulated entities' strict licensing/registration requirements — in essence, the Prudential Regulators can put their regulated companies out of business relatively easily by revoking their bank charters, insurance, or other authority necessary to continue operating. Therefore, they rarely need to use litigation tools like civil investigative demands (CIDs — basically government subpoenas) to force the subjects of their regulation to produce documents or provide information. Prudential Regulator oversight is primarily accomplished through examinations, which are conducted on a regular schedule (generally every year). Thus, the Prudential Regulators can be said to operate within an “examination model” of regulation.

Because the Prudential Regulators' primary concern is the safety and soundness of their depository institutions, a goal shared by the banks, the culture of the examination model is very collaborative — some might argue too collaborative. To do their jobs, bank examiners rely heavily on the cooperation of bank employees, and they sometimes actually refer to the banks they inspect as “their clients.” The frequent bank examinations and regular communications foster a natural human bond between examiners and bank employees. One of the reasons often cited for creating an agency like the CFPB was that this “industry capture,” a kind of Stockholm Syndrome in reverse, hindered the Prudential Regulators' ability to effectively protect consumers from sharp and potentially illegal bank practices. It was also argued that, because any increase in consumer fees strengthened banks' safety and soundness, the Prudential Regulators faced conflicting objectives when enforcing consumer financial laws that inhibit depository institutions' profitability.

The term “enforcement action” has a very different meaning for the Prudential Regulators than it does for other government regulators. Because their authority is so powerful, the Prudential Regulators' factual conclusions and decisions regarding remedial actions following examinations (e.g., termination of deposit insurance, cease-and-desist orders, removal and prohibition, civil money penalties, prejudgment asset seizures, capital directives, corrective action orders, etc.) are rarely challenged beyond the regulators' internal resolution processes. Most enforcement actions against banks are imposed through consent orders without litigation, and many are non-public. The Prudential Regulators have small enforcement units that primarily perform the limited function of litigation to ensure that the judgments of their supervision managers are imposed in the rare instances that depository institutions refuse to consent to them. In the examination model of regulation, traditional litigation is a largely ancillary exercise.

SEFL's Father —
The FTC's Bureau of Consumer Protection

The CFPB shares much of its statutory DNA with the FTC because large chunks of the CFPA's language were copied from the Federal Trade Commission Act. Therefore, it is not surprising that the second major influence on SEFL's operational model was the FTC-BCP. Most of the first managers in Enforcement, as well as many of its earliest Enforcement attorneys, either came from the FTC-BCP or had FTC experience (also, a senior manager in Supervision had been an FTC-BCP Assistant Director for Financial Practices).

Unlike the Prudential Regulators, the FTC-BCP does not license or register businesses, so it does not have the ability to easily put companies out of business by revoking their licenses or registrations, and it does not have a supervisory unit that conducts examinations. Therefore, its primary tool is litigation. The subjects of FTC-BCP investigations are referred to as “targets,” a term that reflects the relationship between the FTC-BCP and the people and/or businesses it investigates. Many FTC-BCP targets are small-time scammers who are difficult to corner and likely to destroy evidence. Given these factors, it makes sense that the FTC-BCP's interactions with its targets are typically extremely formal, adversarial, and non-collaborative.

FTC rules require an FTC commissioner to approve every CID. Consequently, FTC-BCP's attorneys try to put every imaginable information and document request into one massive initial CID, which they usually serve without warning on investigation targets. For the most part, from the moment the FTC-BCP contacts a target, the activity consists of lawyers serving papers on each other, parsing their words, and documenting their communications. The FTC-BCP can thus be said to operate within a “litigation model” of regulation.

SEFL's First Cousin —
The Securities and Exchange Commission

Like the Prudential Regulators, the SEC oversees many entities, most notably broker-dealers and investment advisors, that are subject to licensing and registration requirements. The SEC has a large supervision unit, the Office of Compliance Inspections and Examinations (OCIE), that is dedicated to conducting examinations and inspecting these registered entities.

From an operational perspective, the CFPB's Office of Supervision has more in common with OCIE than it does with the Prudential Regulators. Both CFPB Supervision and OCIE are focused more on the relationship between the regulated entities and their customers (consumers and investors, respectively) than on the entities' safety and soundness — in other words, the two regulators are focused more on businesses not cheating their customers than on those businesses' solvency. Both CFPB and OCIE examinations normally occur less frequently than every year, and are not conducted pursuant to a schedule that is predictable by the supervised entities. When less serious violations are detected, both CFPB Supervision and OCIE use relatively non-public procedures to request that the supervised entities make corrections; more serious violations are referred to the agencies' large, powerful, relatively independent enforcement units for investigation and potential public litigation. At the Prudential Regulators, the supervision function clearly drives the enforcement function. That is not the case at the CFPB or the SEC.

The SEC's large and prestigious Enforcement Division initiates many of its own investigations of licensed and registered securities industry professionals and businesses independently of OCIE's involvement. Similarly, CFPB Enforcement can independently initiate its own investigations of businesses over which it has supervisory jurisdiction, such as large debt collectors, mortgage servicers, payday lenders, and credit rating agencies.

SEC Enforcement also investigates and prosecutes many violations of the securities laws by individuals and businesses that are not required to be licensed or registered under the securities laws (e.g., Ponzi scheme operators, insider traders, and corporate officers), and are therefore not subject to supervisory oversight or OCIE examinations. Such people or entities come under the agency's jurisdiction based on SEC Enforcement's suspicion of violative conduct involving securities, the legal definition of which is fairly broad. This type of SEC investigation is similar to many investigations conducted by the FTC-BCP. Likewise, CFPB Enforcement conducts a high volume of investigations of individuals or businesses that are not subject to the Bureau's supervisory oversight, but that come under the CFPB's jurisdiction when its enforcement attorneys suspect them of offering financial products or services in violation of the consumer financial laws specified in the CFPA. SEC Enforcement investigations often involve fraudulent conduct, which is prohibited in very general terms by the Securities Exchange Act of 1934; similarly, CFPB Enforcement investigations often involve the close relatives of fraudulent conduct — unfair, deceptive, and abusive practices — that are similarly prohibited in very general terms by the CFPA.

SEFL's Awkward First Steps;
Enforcement Participation in Examinations

Throughout much of 2011, there were intense negotiations between Supervision and Enforcement over how to define the duties of, and relationship between, the units. It quickly became apparent that the gap between the examination-centric banking culture of Supervision's senior managers and the litigation-centric FTC-BCP culture of Enforcement's senior managers was quite wide. Most of these managers had been employed for many years in their respective regulatory organizations, and they often assumed that all regulators operated under conventions and procedures similar to their own. SEFL's third component, the Office of Fair Lending, consists of several highly-qualified attorneys, mathematicians, and other professionals who interact with Supervision Enforcement. Despite Fair Lending's relatively small size, it demanded and received equal status in both the division and these discussions. Ultimately, however, the most important issue to be resolved was the operational dynamic between Supervision and Enforcement. The challenge of integrating the three groups was exacerbated by the fact that the position of Associate Director of SEFL was vacant (it was not filled until June 2012), leaving the three components' leaders to reach agreement among themselves without the final say of a division chief.

Supervision's managers were unaccustomed to a system in which they were not responsible for the ultimate sanction, enforcement action (however that term is defined), and they were understandably resistant to any decision that might implicitly place them below Enforcement in the Bureau's internal pecking order. Also, given the importance of supervised entity cooperation under the examination model of regulation, Supervision found the possibility that Enforcement's actions might interfere with its work unsettling. For example, Supervision employees in the midst of an onsite examination at a bank might be shown the door if the bank learned that it was the subject of an Enforcement investigation. Such concerns led Supervision's managers to demand a say in whether any proposed Enforcement investigation would be opened, and a guarantee that Enforcement attorneys would have little or no contact with witnesses or potential defendants prior to Enforcement's commencing a formal investigation.

On the other hand, many of Enforcement's young lawyers were curious about, and in a few cases almost obsessed with, the examination process. They were anxious to observe examinations in person (analogies were made to the practice of criminal prosecutors going on “ride-alongs” with police officers). Since Supervision was asking Enforcement to give it a say in Enforcement decisions while relinquishing little control over its own operations, it seemed reasonable to allow Enforcement attorneys to participate in examinations. It was ultimately decided that one or two Enforcement attorneys would be assigned to every examination team. The attorneys would offer legal research support and, they hoped, their opinions regarding which potential violations should be the examiners' focus. In practice, the Enforcement attorneys' participation varied quite a bit depending on the attitudes of the Supervision managers heading each examination.

This innovative experiment in Supervision-Enforcement cross-pollination ultimately proved to be less productive and more disruptive than anticipated. While the examiners themselves generally liked the idea of having lawyers present to provide advice and to counterbalance possible intimidation from banks' lawyers, the examiners' managers did not always welcome the potential interference or second-guessing of Enforcement attorneys looking over their shoulders. Worse yet, the banks and the Bureau's critics viewed the presence of Enforcement attorneys at examinations as a veiled threat. Many cried foul — here was the regulatory intimidation that the CFPA's opponents had warned of when the bill was being debated.

Without any official public change of policy, the presence of Enforcement attorneys was eventually scaled back a bit, and in some cases their visible involvement now amounts to little more than attendance at examinations' initial “meet-and-greet” sessions and concluding conferences. However, the financial services industry continues to view the practice as antagonistic. An entire section of the CFPB Ombudsman's Nov. 15, 2012 report was devoted to “Supervisory Examinations: Presence of Enforcement Attorneys.” The Ombudsman noted drawbacks “such as the potential for the policy to be a barrier to a free exchange during the examination,” and “recommended that the CFPB establish ways to clarify the Enforcement Attorney role in practice at the supervisory examination.”2

The Enforcement Action Process

In addition to the Supervision-Enforcement negotiations, there were also less protracted debates regarding Enforcement's relationship with other CFPB components, including the General Counsel's Office, the Research, Markets, and Regulation Division, and the Consumer Engagement unit.

The final product of months of internal wrangling was the Enforcement Action Process (EAP). The EAP, which I drafted and revised throughout the negotiations, governs how Enforcement collaborates with other components of the Bureau. The EAP might be described as Enforcement's internal constitution — it defines the different stages and events of an Enforcement matter and the type of approval required for each event, including opening investigations, issuing CIDs, and commencing enforcement actions, settlement negotiations, litigation, and appeals. The most significant provision of the EAP is that it prohibits Enforcement attorneys from conducting informal investigations or having information-gathering contact with anyone outside of the Bureau (other than whistleblowers and consumer complainants) prior to opening a formal investigation.

The EAP formalized a somewhat rigid model of regulatory oversight that is less a supervision-enforcement model than two completely independent supervision and enforcement models existing side-by-side. Its strictly delineated boundaries ensure minimal functional overlap and preserve respective cultures that are little evolved from their Prudential Regulator and FTC-BCP origins. Supervision handles almost all informal, collaborative interaction with CFPB-regulated businesses, while Enforcement's activities are almost entirely formal, litigation-based, and adversarial. Despite their nominal combination into a single division, in practice the two units operate separately. This result is particularly ironic, given CFPB senior management's repeated pronouncements about Supervision-Enforcement cooperation and coordination.

The biggest challenge created by the EAP's self-imposed restrictions was that, beyond Supervision referrals following examinations, Enforcement was left to identify possible legal violations and determine whether to commence formal investigations without conducting informal inquiries or performing simple self-educational tasks. The EAP bans even common sense actions like making information-gathering phone calls to anyone outside the Bureau. Enforcement's management has attempted to overcome this handicap by creating “issue groups” that conduct almost entirely internal research into potential legal violations, as well as a “strategy team” that performs limited internal studies and provides similar analysis and recommendations (in a particularly memorable all-hands meeting, one of Enforcement's senior managers bluntly proclaimed that he couldn't see any difference between what the issue groups and the strategy team did). While the starting points for the internal research include consumer complaints, news stories, tips, academic studies, and information provided by other state and federal government agencies, there is only so much the “researchers” can learn by surfing the Internet.

Enforcement CIDs

The FTC-BCP's influence on CFPB Enforcement's investigative procedures and rules of practice, particularly its CID rules, is obvious. CFPB investigations commence with the service of a monster CID on the investigation's “subject.” (I convinced Enforcement's senior management to deviate from FTC-BCP practice and refer to companies under investigation as “subjects” rather than “targets.” The SEC wisely uses the term “subject,” and describes each SEC investigation as a search for the truth; the term “target” implies that an investigation's objective is to collect evidence that supports a predetermined conclusion of guilt). Like those issued by the FTC-BCP, the CFPB's initial CIDs, which can easily be 20 or 30 pages long, request almost every imaginable relevant piece of documentary evidence, and require recipients to provide additional potentially relevant information in response to interrogatories. The CFPA mandates that CIDs contain a description of the suspected illegal conduct, but recipients should not expect much specific detail beyond a bland recital of generic bad acts and the laws such acts would violate.

The CFPB's tough rules of practice for investigations3 force CID recipients to quickly assemble a legal team and analyze as many as possible of the documents, emails, and pieces of information requested within 10 days of receipt, at which time both sides and their technology specialists must “meet and confer” for hours so that the subject's lawyers can plead with the Enforcement attorneys to pare down the CID requests. The subjects' lawyers must get up to speed quickly because their clients lose the right to make any objections they don't raise in that meeting. If the subjects can't convince the Enforcement lawyers to moderate their requests, they have 10 more days (20 in total) to petition the CFPB's director to modify or set aside the CID.

Receiving one of these monster CIDs is, simply stated, a nightmare for the unfortunate recipient. Even before the two sides' attorneys “meet and confer,” the subject will have incurred significant legal expenses. Furthermore, the subject's lawyers will likely have difficulty identifying all the burdens raised by the CID in time for the “meet and confer” session, and will not be able to petition the director for relief from any unforeseen problems that are detected after the meeting. Petitioning the director may not even be a practical option, since doing so will likely result in the formerly confidential investigation becoming public.


On Sept. 20, 2012, CFPB Director Richard Cordray issued In Re PHH Corporation,4 an important legal decision regarding Enforcement's CID procedures. A careful reading of this decision demonstrates how SEFL's organizational model can make CFPB investigations unnecessarily inefficient and expensive.

In Re PHH arises from Enforcement's investigation of private mortgage insurance premium practices at PHH, a large mortgage lender. PHH was served with a typically overbroad and unwieldy CID at the outset of the investigation. The company appears to have been hostile and almost entirely uncooperative before it petitioned Cordray to modify and/or set aside the CID. Not surprisingly, Cordray denied PHH's petition.

Cordray's decision explained that when CFPB begins an investigation, all the Bureau knows about the subject company is what it has learned from publicly available sources, and from whistleblowers and consumers who have complained to the agency – just enough “to determine that it is worthwhile to devote some of the Bureau's limited resources to further investigation of the issue.” Therefore, Cordray wrote, CIDs are necessary to “close the information gap so that a more considered evaluation can be made whether the investigation is worth pursuing further,” and they are “crafted broadly” because “the enforcement team must formulate its initial inquiries based on preliminary and often incomplete knowledge.”

The decision went on to provide legal precedent supporting the Bureau's right to demand any evidence that is arguably relevant to a CFPB investigation (including documents that are many years older than any violations that could be prosecuted), and rejected PHH's argument that CIDs have to provide more than a general description of the suspected illegal conduct. Finally, Cordray made it clear that CID recipients must have a really good reason to be granted a reprieve from the tight schedule dictated by Enforcement's rules of practice.

Cordray offered an olive branch to potential investigation subjects, writing that “the enforcement team needs to be responsive, in turn, as it gains a fuller understanding of what information is truly germane to its investigation so that it can minimize any unwarranted burdens on the subject.” I have no doubt that he means it, or that most of my former Enforcement colleagues will be reasonable. However, given the CFPB's harsh rules of practice and the unavoidable expense of responding to a CID, subjects are unlikely to derive much comfort from Cordray's reassurances.

It's difficult to know why PHH dug in its heels and decided to fight the CFPB. While I had nothing to do with the investigation, I doubt that the problem was the Enforcement attorneys named in PHH's petition — they are polite, professional straight-shooters who probably bent over backwards to be reasonable with PHH. Perhaps PHH's lawyers read the voluminous CID, looked at the short timeline they were facing, and concluded that their client's best option was to litigate the CID, possibly in a sympathetic forum like the United States Court of Appeals for the District of Columbia. Whatever PHH's strategy, one thing is certain — if other CID recipients respond in the same way, a lot of “the Bureau's limited resources” will be devoted to litigating CIDs.

Cordray's legal analysis may be sound, but the PHH decision is incorrect on one very important point — in most cases, CFPB investigators do not have to “formulate their initial inquiries based on preliminary and often incomplete knowledge.” Rather, they choose to do so. Or, to be more accurate, Enforcement's internal procedures unnecessarily force them to do so. In most cases, it is only these procedures that prevent the investigators from “closing the information gap” before formulating their initial CIDs. There are many fast, easy, inexpensive ways the Bureau can learn a tremendous amount about potential investigation subjects — the most obvious being to simply pick up the phone and ask the subjects or their lawyers a few questions. Such informal techniques are employed frequently and to great effect by SEC enforcement attorneys, but rarely by FTC-BCP lawyers. Had SEFL recognized the ways in which it more closely resembles the SEC than the FTC-BCP, it could have avoided its needless self-prohibition on such methods.

Supervision-Enforcement Lessons from the SEC

If one looks beyond the potential distraction of relatively superficial traits, it becomes clear that the CFPB's oversight of a balanced portfolio of supervised and unsupervised entities, and its operation of both a large supervision and a large enforcement unit, make its overall organizational resemblance to the SEC much greater than to that of either the Prudential Regulators or the FTC-BCP. These critical similarities should have made the SEC's operational model the starting point for combining Supervision and Enforcement, but it was largely overlooked due to the CFPB's relative dearth of former SEC employees (I was one of only two former SEC attorneys in Enforcement during the CFPB's set-up year; another former OCIE attorney joined Supervision later in 2011.) A bit of self-reflection and some modest course correction before the current SEFL model(s) become entrenched would be extremely beneficial to both the Bureau and the businesses it regulates.

Given the stream of scandals and investigative failures at the SEC during the past decade — the colossal Bernard Madoff fumble, the belated discovery that several employees spent significant work time viewing and downloading pornography, the improper termination of an enforcement attorney following managerial interference with his insider trading investigation, the improper destruction of informal investigation files — it might seem counterintuitive to advise the CFPB to build on the SEC's supervision-enforcement model. However, the benefits of analysis come both from emulating what works and from avoiding what doesn't. What makes the SEC's example so relevant to SEFL is not so much its record as its organizational similarity. Careful study of the SEC's supervision-enforcement model and procedures offers the following critical lessons for SEFL:

1. Supervision and Enforcement Should Assist
Each Other, But Not In Public

Although government agencies rarely discuss or acknowledge the relative prestige or supremacy of their various divisions, the SEC's Enforcement Division has long been understood to be above OCIE in the agency's internal pecking order. A high percentage of SEC Enforcement's employees are attorneys, many of whom hold degrees from top law schools and go on to (or have interrupted) high-powered careers at elite law firms. The bulk of OCIE's examiners hold no advanced degrees, and many are recent college graduates. The average employee compensation in SEC Enforcement is considerably higher than that in OCIE.

When a broker-dealer or investment advisor is unfortunate enough to be simultaneously the subject of both an SEC Enforcement investigation and an OCIE examination, the enforcement attorneys, unbeknownst to the regulated entity, will often give instructions to the examination team. SEC Enforcement frequently does not inform a regulated entity that it is the subject of an investigation for weeks or months while OCIE's examiners retrieve documents that the enforcement attorneys have requested for use in their investigation. Occasionally, SEC Enforcement will even direct OCIE to initiate an unscheduled examination of a regulated entity for purposes of more easily and quickly collecting investigation evidence. As might be expected, OCIE would rather not interrupt its own scheduled work at the behest of another division, but it rarely rebuffs SEC Enforcement. On the other hand, OCIE hardly ever asks SEC Enforcement for support. OCIE doesn't have to — regulated entities know that being uncooperative with an examination team can trigger an investigation. SEC Enforcement attorneys don't have to show up at OCIE examinations to drive this threat home, and they almost never do.

Both the legacy of the supervision-centric Prudential Regulators and the CFPB's egalitarian culture ensured that SEFL would not adopt the SEC's enforcement-above-supervision hierarchy. To the contrary, many of the provisions of the EAP, such as Supervision's ability to interject itself into several key Enforcement functions such as opening investigations and commencing settlement negotiations, arguably put Supervision above Enforcement in SEFL's pecking order. Still, there is no reason why SEFL's more balanced supervision-enforcement culture should prevent Enforcement from obtaining Supervision's assistance in the same way that SEC Enforcement gets help from OCIE.

Because banking laws generally impose high hurdles to sharing information and documents from examinations with other government agencies, it was to be expected that former Prudential Regulator employees managing Supervision would be resistant to Enforcement requests that examiners collect documents from supervised entities for use in investigations. Surprisingly, it was Enforcement's managers who were most troubled by the question of whether Enforcement could take advantage of the CFPB's supervisory powers in this manner. Within the FTC-BCP's litigation culture, it seemed somehow wrong for a government agency to bypass the formality and requirements of issuing CIDs to more quickly collect evidence that ultimately could be used in a lawsuit. Of course, Supervision and Enforcement are not separate government agencies — they are not even separate divisions of the same agency. Neither this important distinction, nor exhaustive legal research that supported the practice, nor confirmation that OCIE often provides such assistance to SEC Enforcement attorneys, conclusively resolved the issue. Thus, SEFL ended up in a worst-of-both-worlds scenario in which Enforcement appears to the public and the financial services industry to be heavy-handedly using examinations as a prelude to enforcement actions, while it is actually reluctant to ask Supervision for assistance in its investigations.

SEFL can address this paradox by studying how the SEC takes advantage of its dual supervision-enforcement capabilities. Specifically, it should observe that the SEC's two units quietly coordinate activities under their own roof without flaunting their cooperation. While governmental transparency is generally desirable, there is a fine line between openness and antagonistic muscle flexing.

Regardless of the physical presence of Enforcement attorneys at examinations, informed CFPB-supervised entities understand that Supervision and Enforcement can and do communicate and share documents (with the exception of privileged documents - whether CFPB examiners have the legal right to demand privileged documents from supervised entities is currently disputed. Even if the permissibility of mandating such production is ultimately established, Supervision’s sharing with Enforcement of privileged documents will almost certainly be forbidden). Therefore, these businesses probably would not be shocked were they to learn that Enforcement attorneys ask examiners to collect evidence for use in investigations. However, the CFPB's experience thus far shows that many are offended by the implication that an enforcement threat is required to secure their cooperation, despite the Bureau's telling them that Enforcement attorneys are present only as a matter of “standard procedure.” For this reason, when it comes to the interplay between Supervision and Enforcement, less transparency is sometimes advisable. The CFPB should strive for quiet coordination between Supervision and Enforcement, without unnecessary and counter-productive practices that are perceived to be saber rattling. If Enforcement decides that it can more efficiently obtain documents by asking examiners to collect them through the Bureau's legitimate supervisory authority, it should do so without announcing the fact. If SEFL finds that assigning Enforcement attorneys to examination teams is beneficial, it should do so, but should avoid unnecessarily revealing the attorneys' participation. Internal meetings and examination updates from Supervision staff should be sufficient to keep Enforcement in the loop.

2. There Is More Than One Type of Investigation,
and More Than One Type of Investigation Subject

When creating procedures for government teams such as Enforcement, an important and recurring issue is the optimal degree of standardization. Too little structure can leave the agency vulnerable to potential embarrassment from an employee who exhibits poor judgment. On the other hand, procedures that are too rigid or hew to a one-size-fits-all mentality can stifle employee creativity and prevent the application of common sense — in other words, they can cause the types of silly inefficiencies that are the bane of government.

Standardization works best for a government unit that deals with a relatively limited variety of subjects. Therefore, it is not surprising that the FTC-BCP's procedures engender a more uniform approach to investigations. By contrast, SEC Enforcement faces a wider array of entities, with varying supervision/registration requirements, engaged in a tremendous range of activities — insider traders, Ponzi schemers, corporate officers, broker-dealers, accountants, stock manipulators, registered investment advisors, market makers, and old-fashioned thieves, to name a few. A one-size-fits-all investigation procedure simply would not work, and SEC enforcement attorneys are allowed a great deal of flexibility in deciding what methods, sequences, and timetables to use.

The level of variety in the CFPB's portfolio of subjects, including both supervised and unsupervised entities, is much closer to that of the SEC than that of the FTC-BCP — large banks, debt collectors, student lenders, pre-paid card issuers, credit rating agencies, mortgage servicers, payday lenders, credit card issuers, fraudsters, and mortgage originators, just for starters. And yet Enforcement's rules of practice, especially regarding CIDs, are highly standardized, and very similar to those of the FTC-BCP. This result was primarily due to two factors: the drafters of the CFPB's rules were mostly former FTC-BCP employees, and the political environment surrounding the Bureau when the rules were drafted in 2011 fostered an extreme aversion to potentially embarrassing employee errors. Unfortunately, while the political danger to the Bureau was virtually eliminated by the 2012 elections, Enforcement's inflexible and often inefficient procedures remain.

Enforcement's current investigation rules and procedures are appropriate for investigation subjects like the proto-typical FTC-BCP target — hostile, evasive, and not subject to supervisory examinations. However, utilizing different approaches and methods for other types of investigation subjects can allow Enforcement to be far more productive, and can save businesses, especially cooperative ones, a lot of unnecessary expense.

3. Investigations Do Not Have to Begin with a Big Bang — A Progression from Informal to Formal Is Often More Effective

One important lesson that CFPB Enforcement can learn from the SEC is that initiating contact with an investigation subject by serving a massive CID can be ineffective, inefficient, and unnecessary, especially when the subject is not the proto-typical FTC-BCP target. SEC enforcement attorneys know that many companies, especially large financial service providers, would much rather work with regulators than fight with them. Introducing yourself with a huge CID effectively commences an investigation with litigation — it's like saying “We think you're guilty, and we don't trust you. We view you as the enemy, and the only way to get the information or documents we need is by force.” Proceeding in this manner can be a self-fulfilling prophesy — it puts investigation subjects on the defensive and forces them to view the government as an adversary. It deprives both sides of the opportunity to explore quicker, more efficient, less costly alternatives.

Most experienced SEC enforcement attorneys would disagree with Director Cordray's assertions that CIDs are necessary to “close the information gap so that a more considered evaluation can be made whether the investigation is worth pursuing further,” and “the enforcement team must formulate its initial inquiries based on preliminary and often incomplete knowledge.” Securities lawyers know that government investigators often close such information gaps very quickly just by picking up the phone, because companies have a host of motivations to voluntarily produce documents and provide information. If circumstances allow, good SEC enforcement attorneys, like many other law enforcement professionals (police detectives, FBI agents, etc.), often utilize a graduated investigation approach rather than an ambush blitzkrieg.

Most SEC investigations begin as informal “MUIs” (Matters Under Investigation). The subjects of these inquiries frequently offer SEC lawyers everything they ask for without receiving a single subpoena. Their attorneys advise them to cooperate, especially if they believe their clients are not bad actors, because doing so might dissuade the SEC from opening a formal investigation. If you know that the other guy has a really big gun, you don't need him to pull it out and point it at your head. Anyone who watches police programs on television can tell you how rarely people slam the door when that first detective arrives. The sheathed sword is an incredibly powerful tool, and SEC enforcement attorneys use it quite effectively.

By forbidding informal investigations, the CFPB deprived every company of the opportunity to voluntarily cooperate instead of becoming the subject of a formal investigation and being served with a massive CID. Furthermore, even formal investigations don't have to go from 0 to 100 miles per hour the moment the starter pistol is fired. There's no good reason why most investigations can't begin with a focused CID containing fewer interrogatories and document requests designed to “educate” the Bureau. For that matter, there's nothing to stop Enforcement attorneys from just calling an investigation subject or its lawyers and asking a few questions before issuing a more educated, more reasonable, less burdensome initial CID. Rather than shooting first and asking questions 10 days later at a formal meet-and-confer session, why not try asking questions first?

Now, it goes without saying that in some cases Enforcement would not want to tip off potential defendants before issuing a CID. For example, the suspected illegal practice might be a relatively small consumer scam, like the kind frequently shut down by the FTC-BCP (two such CFPB enforcement actions have been brought against law firms accused of selling worthless mortgage assistance relief services to distressed homeowners). In such matters, there is a legitimate concern that the bad guys will fire up their shredders and wipe their hard drives clean before the CFPB's investigators can collect evidence of the illegal practices (truth be told, if a bad guy is desperate enough to commit a crime by destroying evidence, there's a good chance he'll do so even after he receives a CID — the only way to guarantee document preservation for such criminals is to have the FBI or some other police force raid their offices). Nobody would argue that Enforcement should always start off by asking investigation subjects to voluntarily produce documents and educate the Bureau about their businesses.

However, in the majority of CFPB inquiries, subjects are not going to risk criminal charges (obstruction of justice, etc.) for destroying evidence in a civil matter. The same prohibition against destroying documents and emails that comes with a CID can easily attach the moment an Enforcement attorney contacts a potential defendant. All the investigator has to do is instruct the subject and/or its attorney that it must preserve any potentially relevant evidence. In practice, such verbal warnings are usually documented by a contemporaneous email or letter known as a “litigation hold.” Once a litigation hold is issued, defense lawyers will go to great lengths to ensure that their clients don't destroy any relevant evidence, even unintentionally, because the lawyers themselves can be sanctioned if they don't do enough to prevent such destruction. Attorneys are incredibly motivated when their own necks are on the line.

During Enforcement's first two-day training program in June 2011, I led a panel presentation on “How to Conduct an Investigation.” I advised the attorneys to “always see if it's possible to do things the easy way before doing things the hard way.” To my surprise, the former FTC-BCP attorneys on the panel and in Enforcement's senior management objected to this approach. They argued that government investigators should almost always proceed formally. They ultimately succeeded in getting Enforcement to adopt a one-size-fits-all, litigation-centric investigation process. In some cases that approach is optimal, but in most matters it results in both an inefficient deployment of the Bureau's limited resources and an unwarranted burden on investigation subjects. The SEC's decades of experience have clearly demonstrated the benefits of pursuing informal investigations and voluntary cooperation before commencing a strictly formal, rigidly adversarial investigation process.

4. A Series of Small CIDs Can Be More Efficient Than One Huge CID

Unlike FTC-BCP attorneys, SEC attorneys conducting formal investigations have the authority to subpoena documents and testimony without additional sign-off from an SEC commissioner. In the absence of the incentive to subpoena every possible document at once created by a commissioner approval requirement, experienced SEC attorneys learn to tailor each document request as closely as possible to their immediate needs, and they often send follow-up subpoenas that contain relatively limited requests as their investigations progress.

The CFPB, like the SEC and unlike the FTC-BCP, does not require director approval of Enforcement CIDs. Unfortunately, the former FTC-BCP attorneys who drafted Enforcement's rules of practice for investigations did not reflect upon the significant implications of this similarity between the SEC and the CFPB, and simply adopted CID procedures that are very similar to those at the FTC-BCP. By mandating that a formal “meet-and-confer” conference be held within ten days of the issuance of every CID, Enforcement created a powerful incentive for its attorneys to issue as few CIDs as possible. Hence, rather than being a potentially precise and efficient tool like a well-crafted SEC investigative subpoena, the typical CFPB CID is unnecessarily front-loaded, overbroad, and blunt. Revising Enforcement's CID rules, especially the “meet-and-confer” provisions, to promote investigations that proceed in a more logical, more efficient manner would benefit both the CFPB and its investigation subjects.


Elizabeth Warren, Richard Cordray, and the many talented CFPB employees who have worked so hard to build the Bureau so quickly should be commended for their efforts — it's difficult for outsiders to appreciate the monumental scope of their accomplishments. However, the CFPB now needs to revisit some of the decisions it made along the way and be willing to implement meaningful organizational and procedural adjustments. The relationship between Supervision and Enforcement, and the way that relationship affects SEFL's interactions with consumer financial businesses, is critical to the ultimate success of the agency. If the CFPB studies the SEC more closely, it will learn several important lessons about how to combine strong supervision and enforcement units, and thereby both become a more effective regulator and reduce unnecessary expenses that might otherwise be imposed on the businesses it oversees.

Ronald L. Rubin, a partner at Hunton & Williams LLP in Washington, DC, was one of the earliest enforcement attorneys at the Consumer Financial Protection Bureau, where he played an important role in building the Office of Enforcement's capabilities by drafting several critical rules and procedures and co-heading the enforcement training program. Earlier in his career, Mr. Rubin was a criminal prosecutor, an enforcement attorney at the Securities and Exchange Commission, and a managing director at an investment bank.

This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.

© 2013 Ronald L. Rubin

To view additional stories from Bloomberg Law® request a demo now