When the Consumer Financial Protection Bureau (CFPB) sends a letter to the board of directors, it is rarely good news. It often means the institution is facing a potential or actual enforcement action. Enforcement actions can unfold quickly. They typically require an institution to respond, at least on certain preliminary matters, within a matter of days.
The board of directors should be involved in the institution’s handling of virtually any threatened enforcement action. The CFPB, like the prudential regulators, holds an institution’s board of directors ultimately responsible for the institution’s conduct. Thus, it is in the board’s interest to provide direction and oversight throughout the enforcement process. Such an approach will help directors fulfill their regulatory obligations and assist in ensuring that the enforcement matter is handled appropriately.
In addressing a CFPB enforcement action, directors should bear in mind five key principles:
- Assemble a response team. It is important to develop a comprehensive and strategic approach to responding to the CFPB’s enforcement action. Ideally, an institution already has in place a plan that specifies the individuals responsible for coordinating the institution’s response. The response team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business and outside counsel. The team also may include, depending on the nature of the enforcement action, additional representatives, such as from human resources, information technology, finance or compliance.
- Inform the board and determine appropriate board involvement. Once the institution is notified of the contemplated enforcement action, a member of the response team should immediately alert the board’s audit committee chair, and in consultation with the audit committee chair, decide when and how to inform the remainder of the board. Although the entire board should be kept apprised and consulted, as necessary, throughout the enforcement process, the board often designates one or more directors as the primary contacts with management and their outside advisors as the institution develops its response strategy.
- Develop a coordinated short-term plan. CFPB enforcement actions often require immediate tactical decisions that can have long-term strategic implications. For example, an institution usually has only 20 days to decide whether to object formally to any provisions in a CFPB civil investigative demand. The institution should consult with legal counsel to weigh the benefits of filing such a petition against the possible risks, including the impact of such a filing on the institution’s interactions with the CFPB and the likelihood that the institution’s legal arguments will succeed.
The bank also should determine whether any public disclosures are required—such as under the securities laws or customer notification laws—or whether any disclosures should be made to preserve relationships with business partners and customers and, if so, how these disclosures may be made in accordance with restrictions on the disclosure of confidential supervisory information. Such decisions must account for the fact that an enforcement action may create multiple areas of exposure, including follow-on private litigation, reputational harm, and customer relations issues. The board should be briefed on these disclosure obligations and ensure that the various disclosures are handled in a coordinated manner.
- Develop a longer-term strategy. While the institution likely will be required to make some decisions immediately, those decisions should be made in the context of the institution’s longer-term strategy. The development of this strategy should take into account such factors as the strength of the institution’s defenses, the magnitude of the institution’s exposure, factors affecting the institution (e.g., a possible acquisition), and whether the institution is likely to reach a better result through a cooperative approach (while still advancing the institution’s defenses) or by assuming a more aggressive stance. In all events, the board should understand what this strategy is and make sure management is informing the board of any major developments.
- Adopt long-term reforms. One of the best ways to avoid regulatory scrutiny and enforcement is to adopt lessons learned from past violations. At a minimum, the board should determine whether other areas present similar risks, review the adequacy of internal controls and compliance policies, and assess the frequency and thoroughness of management reports to the board.
An effective response to a CFPB enforcement action requires a coordinated strategic approach that is overseen and monitored by the institution’s board of directors. Bearing in mind these five key principles will help board members lead their institutions successfully through CFPB enforcement actions.