The Consumer Financial Protection Bureau's Whistleblower Program: How It Works and What It Means for Financial Services Companies

Bloomberg Law®, an integrated legal research and business intelligence solution, combines trusted news and analysis with cutting-edge technology to provide legal professionals tools to be...

Contributed by Benjamin Saul, Sasha Leonhardt, and Kristopher Knabe, Buckleysander LLP

 Whistleblowers are “often the best source of information about waste, fraud, and abuse....” --President Barack Obama1

On December 15, 2011, the Consumer Financial Protection Bureau (Bureau or CFPB) issued a bulletin announcing its program to collect whistleblower information and law enforcement tips, stating that it “welcomes information from current or former employees of potential violators, contractors, vendors, and competitor companies.”2 Through an active outreach campaign, including press releases and public pronouncements, the Bureau has made it clear that obtaining information from whistleblowers will be a central component of its enforcement efforts. Indeed, in the press release accompanying the bulletin, Richard Cordray, current Director of the Bureau and then-Assistant Director of Enforcement, stated: “We are providing whistleblowers and other knowledgeable sources with a direct line of communication to the CFPB….Their tips will help inform Bureau strategy, investigations, and enforcement. And they will help us fulfill our commitment to consumers.”3 Whistleblower protections are not new, and the CFPB’s protection joins several other governmental whistleblower programs from the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), Internal Revenue Service (IRS), and Department of Justice (DOJ). Confronted with a new, expansive class of potential whistleblowers, financial institutions need to understand how the Bureau’s whistleblower protections work and develop best practices to reduce the risk of incurring penalties—reputational and monetary—resulting from whistleblower actions.

Understanding How the CFPB’s Whistleblower Protection Works

In keeping with the Bureau’s broad mandate to protect consumers, the CFPB’s whistleblower protections apply broadly to employees of both “covered persons” and “service providers.”4 Covered persons are defined as any person—or affiliate of any person—who engages in offering or providing a consumer financial product or service.5 The addition of “service providers” extends whistleblower protections further down the supply chain, as it includes any person who offers a material service in connection with the provision of consumer financial products or services.6 By statute, service providers include those who participate in the design, operation, or maintenance of the consumer financial product or service, as well as those who process transactions related to the product or service.7

The Bureau’s whistleblower provisions not only cover an expansive number of employers, but also reach a large number of employees as well. Under the statute, a “covered employee” who may be entitled to whistleblower protection is “any individual performing tasks related to the offering or provision of a consumer financial product or service.”8 The statute even covers the “authorized representative” of an employee, thereby giving an employee the ability to delegate the reporting of a potential issue to another.9

The Dodd-Frank Reform and Consumer Protection Act (Dodd-Frank Act) enumerates several activities that are protected from retaliation. An employer may not retaliate against an employee when, through the employee’s own initiative or through the ordinary course of the employee’s duties, he or she:

  • provides information of federal consumer financial law violations to an employer, the CFPB, or another law enforcement agency;
  • testifies about a potential violation;
  • files a lawsuit or other proceeding under any federal consumer financial law; or
  • objects to, or refuses to participate in, any activity that the employee reasonably believes violates federal consumer financial laws.10

In light of these protected activities, any internal or external reporting of suspected violations would be covered by the Dodd-Frank Act. The Act, moreover, draws no distinctions in the credibility of information provided. Although the statute requires the employee to “reasonably believe” a violation has occurred, the statute’s anti-retaliation protection applies regardless of whether the alleged violation actually has merit.11

What Is Retaliation under the Statute?

The Dodd-Frank Act prevents retaliation by stating that an employer must not “terminate or in any other way discriminate against” the whistleblower.12 Neither the Bureau nor case law has provided specific guidance on this language, but the Department of Labor has traditionally defined an adverse action as any act that could dissuade an employee from engaging in the protected activity. Examples of adverse actions include firing, laying-off, blacklisting, demoting, denying overtime pay or promotion opportunities, disciplining, denying benefits, making threats, reducing pay or hours, or making reassignments affecting promotion prospects.13 However, if an employer has a reason unrelated to the protected conduct to terminate an employee, the Dodd-Frank Act’s whistleblower protection permits termination. Accordingly, employers covered by the Dodd-Frank Act should pay particular attention to their labor management practices and carefully document the reasons for termination—as they would in any other circumstances—to avoid charges of illegal termination. Employers also need to be mindful of employees making frivolous complaints to avoid termination under the anti-retaliation provisions. 

If the employee believes that his or her employer took retaliatory action in response to a complaint, the employee must file a complaint with the Secretary of Labor no later than 180 days after the date on which the alleged retaliation occurred.14 Thereafter, the Secretary of Labor must notify the employer—who is given an opportunity to respond—and initiate an investigation no later than 60 days following the receipt of the complaint to determine whether the complaint has merit.15 If the Secretary of Labor fails to issue a final order within 210 days after the complaint has been filed or within 90 days after the date of receipt of a written determination, the whistleblower may file a civil action with the appropriate district court.16

The Impact of the Provisions

In an effort to encourage whistleblowers, the Dodd-Frank Act sets a low standard for triggering whistleblower protections. The language of the statute does not require that the whistleblower’s information be probable, likely, or even material. Instead, the employee merely has to “reasonably believe” that a violation occurred.17 This subjective standard places the burden on the CFPB to act as a gatekeeper, sorting through many tips to determine whether each is credible. Particularly now, when the CFPB is still hiring staff and creating systems to handle these complaints, this may complicate the Bureau’s efforts to focus its investigations and resources. By contrast, higher reporting standards would likely provide the Bureau with more reliable tips, more focused and productive investigations, and greater conservation of resources. Not only will the low whistleblower protection threshold burden the CFPB, but employers likely will have to respond to a large number of meritless tips from employees. This will result in increased compliance costs and legal fees—costs that are ultimately borne by the market. 

Another noteworthy distinction is what the CFPB whistleblower provisions are not doing—offering whistleblowers the chance to obtain a bounty for actionable information. The Dodd-Frank Act not only empowered the Bureau to create its own whistleblower program, but also required the SEC to establish a whistleblower program that pays bounties of up to 30 percent.18 Under the SEC program, the whistleblower retains counsel, develops a detailed report describing the alleged misconduct, and provides details to guide the SEC’s subsequent investigation. SEC investigators, unlike their CFPB counterparts, will receive detailed information—previously screened by an attorney—that allows the SEC to conserve resources and focus its efforts on the most credible tips. The whistleblower’s work lays the factual groundwork for the investigation—an invaluable service to the SEC, particularly when it must investigate complicated allegations of fraud. In contrast, the Bureau’s whistleblower program merely opens the door for employees to provide tips to the Bureau. 

Another open and lingering question is how the CFPB will collect tips and administer the program. Currently, the CFPB only offers a hotline and a dedicated email address for a whistleblower to use to contact the Bureau.19 The CFPB plans to establish a website devoted to receiving information in 2012.20 Although the details of the website have not been revealed, one possible option for the CFPB would be to mirror the SEC’s whistleblower collection web-portal. On the SEC’s site, whistleblowers enter information through a guided submissions process and respond to specific questions. It is also unclear where the responsibility to review complaints will fall in the CFPB. The SEC’s Office of the Whistleblower—led by Sean McKessy, a former in-house counsel and attorney within the SEC’s Division of Enforcement—has a dedicated staff reviewing tips.21 The CFPB, on the other hand, has no clear member of its leadership tasked with overseeing whistleblower complaints. 

The extent to which the CFPB has the infrastructure to handle and process a large volume of whistleblower allegations is unclear. However, the appointment of Richard Cordray will result in the CFPB continuing to increase staff and develop a more robust organizational structure.22 Ensuring that tips are handled and processed in a timely manner will be critical to the success of the CFPB’s whistleblower program. Failure to develop internal procedures for reviewing tips may cause a processing bottleneck, preventing the CFPB from acting on time-sensitive information. Furthermore, the CFPB should develop and make publicly available its internal policies for handling confidential whistleblower information.

Keeping It in the Family: What Financial Services Companies Can Do to Encourage Internal Reporting

Despite these open questions, both the Bureau and employers are likely to see an increase in the number of whistleblower tips, especially in the current political, business, and economic climate. The Dodd-Frank Act gives employees statutory license to circumvent internal complaint procedures and report their concerns directly to the Bureau. Employers, however, benefit if these complaints come up through internal reporting, where issues can be addressed without the time and expense of an external investigation. Therefore, it is imperative that employers encourage employees to take advantage of internal reporting mechanisms—a goal that is consistent with whistleblower provisions in that it seeks to reduce wrongdoing. 

To encourage internal reporting, employers should take proactive steps to create a robust, transparent, and reliable internal reporting system. A robust complaint system must be well-advertised to employees, and all levels of management—from the board room to the branch manager—should be committed to encouraging and protecting internal whistleblowers. A transparent complaint system must have written, clear, and comprehensive reporting standards. The guidelines for reporting should be easily accessible through policies and procedures and updated frequently. The company should also make its commitment to internal reporting well-known through internal communications. A reliable complaint system must be one where employees feel that their voices are heard and their complaints addressed promptly; otherwise, their incentive to report out to the Bureau increases. And, because the whistleblower protections under the Dodd-Frank Act extend to the employees of service providers, financial services companies should consider extending their whistleblower programs to employees of their contractors, sub-contractors, and business partners as well. 

Transparency has its limits, however, and a whistleblower program should protect the identities of whistleblowers. A company should have several ways for employees to file internal complaints, including suggestion boxes, email, and even a potential 1-800 ethics hotline that employees can call from the privacy of their own homes. All of these avenues should permit anonymous as well as signed complaints from employees. Finally, the people who handle complaints should not be in the direct chain of command for protected employees, be it through a dedicated team in the human resources department, an independent ombudsman, or a third-party vendor retained by a corporate compliance department. 

By making reporting easy, anonymous, and separate from the chain of command, employers will accomplish two key objectives. First, they will encourage internal—rather than external—whistleblowing by giving employees the safety and comfort of reporting potential issues on their own terms. In particular, anonymous complaints give employees the safety of knowing that they cannot be subject to discipline or adverse action. Additionally, having the investigation and execution of complaints handled by people outside of the employees' chain of command protects the company; if the employee is later terminated for poor performance, the employee will find it much more difficult to claim that his supervisors terminated him for making a complaint when the supervisors could not have known that a complaint was made.

 Internal reporting provides several advantages to both employees and employers. Employees, rather than management, are more likely to be aware of ethical lapses; it is important for there to be a direct way to funnel this information to senior managers so they can correct isolated errors before they become systematic problems. Robust internal reporting systems help the employer prove to the Bureau and other prudential banking regulators that discovering fraud and encouraging compliance is a central element of the employer’s corporate culture.23 When investigations do happen—and given the Bureau’s expansive power to investigate unfair, deceptive, and abusive practices under the Dodd-Frank Act,24 they likely will happen—enforcement authorities traditionally give credit for a strong internal whistleblower program. Furthermore, if internal violations are identified, internal reporting will permit the company to disclose any violations to the government in a methodical, controlled manner. Internal complaint procedures are not only less expensive and less damaging to the company’s reputation, but also often lead to faster, more efficient resolution of problems for the consumer. By contrast, if an employee “reports out” to the CFPB, then the company must wait until the CFPB examiner informs them of the problem; such delay is counterproductive for consumers and creditors alike.


Although financial services companies confront whistleblower issues under several generally-applicable statutes, the Dodd-Frank Act creates additional whistleblower issues unique to the financial services industry. Many of the best-practices from discrimination, labor, and securities law can be readily adapted to these new financial services-specific whistleblower rules. But the broad scope of the Bureau’s authority—and the equally broad reach of the Dodd-Frank Act’s whistleblower provisions—provides a strong motivation for employers to revisit and expand their internal reporting systems. By incentivizing employees to look inwards to resolve issues, companies can better manage and reduce their exposure to whistleblower claims. 

Benjamin Saul, a partner in the Washington, D.C. office of BuckleySandler LLP, has a nationwide practice representing corporate and individual clients in high-stakes administrative enforcement and criminal matters, private civil and class action litigation, and parallel proceedings involving private litigants and federal and state enforcement authorities. He also conducts corporate internal investigations and advises financial services and other clients on compliance issues and programs. Mr. Saul received his J.D. from American University and his B.A. from the University of Pennsylvania. Mr. Saul can be reached at Sasha Leonhardt is an associate in the Washington, DC office of BuckleySandler LLP. He has represented clients in government investigations and enforcement actions related to mortgage origination, servicing, and foreclosure. Mr. Leonhardt has written and published articles on data privacy, class action litigation, and the Consumer Financial Protection Bureau. Mr. Leonhardt received his J.D. from Duke University and his A.B. from Princeton University. Mr. Leonhardt can be reached at Kristopher R. Knabe is an associate in the Washington, DC office of BuckleySandler LLP. He represents financial services industry clients in a wide range of litigation matters, including class actions and complex civil litigation, as well as government enforcement matters. Mr. Knabe received his J.D. from Loyola University Chicago School of Law and his B.A. from George Washington University. Mr. Knabe can be reached at

This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.

Request Bloomberg Law®