On June 25, 2013, the CFPB released a Bulletin to describe the sorts of “responsible conduct” that might lead it to be more lenient in the context of an enforcement investigation.  To me, the content of the Bulletin was largely unsurprising, because it follows closely the comments I have heard from lawyers in the Bureau’s enforcement division about the discretionary factors they would consider in determining the outcome of an investigation.  But for the consumer financial services industry, I think the Bulletin is a welcome effort by the Bureau to outline those factors in a public way.  My perception is that industry participants want guidance on this issue, to help reassure them about how to handle violations of the law – or potential violations – that they discover and remediate internally. 

The Bureau needs to encourage self-remediation, and to reward it when it occurs, and the Bulletin is a helpful public statement in that direction.  The actual experience of financial services companies in such situations will also be critical to the success of the Bureau’s efforts to encourage “responsible conduct” – the Bureau can either encourage that conduct by showing industry participants the real benefits of self-remediation, or can undermine its goals by using self-remediation as a springboard for public enforcement actions.

But even taking the Bulletin at face value, there are two serious problems that will face companies interested in following the Bureau’s guidance.  First is the Bulletin’s emphasis on self-reporting.  That emphasis is daunting as it is, since I believe only a precious few companies will view it as being in their self-interest to volunteer violations of the law to the Bureau. 

But even worse is the fact that most self-remediation conducted in a financial services company will probably involve a business practice that may or may not constitute a violation of the law.  It’s no secret that the CFPB’s enforcement priorities have strongly emphasized unfair, deceptive and abusive practices, and assessing a “violation” of the amorphous UDAAP standard will usually involve educated guesswork and judgment, rather than a determination that the law has definitely been violated.  While it is probably natural for financial services providers to examine their own operations and either modify or eliminate practices because they may pose a UDAAP risk, it strikes me as unrealistic to expect such judgmental decisions to be reported to the Bureau when they are made.  By treating the issue of self-remediation as a black and white issue, I think that the Bulletin ignores the reality that such efforts frequently involve nuanced judgment calls that do not lend themselves to self-reporting a “violation” of any law.

The other problem is the Bulletin’s discussion of “cooperation” with an enforcement investigation.  Here, financial services companies are told that they should respond to an enforcement by conducting an internal investigation and sharing the results of that investigation with the Bureau.  This sounds reasonable, but in practice, the Bureau’s approach to Civil Investigative Demands prevents it from actually working.  This is because a CID frequently does not identify any specific conduct alleged to violate the law, and instead requests information broadly about many (or all) aspects of a company’s operations. 

Indeed, in denying a petition to set aside or modify a CID, Director Cordray has stated publicly that it is appropriate for the Bureau’s CIDs to be broadly formulated: “Given the early stage of the investigation at which a CID is issued, the enforcement team typically presents a thorough and comprehensive request for documents, items, and information.”  In this context, when a company receives a “thorough and comprehensive request,” from the CFPB, how can it know what conduct it is supposed to investigate? 

Only if the Bureau is willing to share the specific issues it is investigating is this sort of “cooperation” possible, but in practice, I believe that there are many instances in which the recipient of a CID will not know enough about the Bureau’s enforcement objectives to even attempt such an investigation. 

So, although in general I view the “responsible conduct” bulletin as a positive step by the Bureau, I would like to see the two points above addressed publicly.  But even more important will be the Bureau’s reaction to self-remediation efforts that it encounters in the industry.  Through those actions, the Bureau can either encourage “responsible conduct,” or reduce the incentives for it by feeding the fear that self-remediation will be used against companies in enforcement actions.