See the second article in this series, on how in-house counsel can protect themselves from SEC enforcement actions and criminal prosecutions.
There is a veritable alphabet-soup of scenarios which financial institution in-house counsel hope not to encounter: CID, OOI, PWL, NORA, 15-Day Letter. When a bank or credit union receives a Civil Investigative Demand (CID), an Order of Investigation (OOI), a Preliminary Warning Letter (PWL), a Notice of Opportunity to Respond and Advise (NORA), or a 15-Day Letter, the institution knows one thing for sure: it is in the crosshairs of a potential enforcement action by a prudential regulator or the Consumer Financial Protection Bureau.
This article identifies lessons that in-house counsel at banks and credit unions may find helpful as they advise their own institutions. The lessons are drawn from my own experiences representing financial institutions – their directors and officers – under investigation or in enforcement litigation, and augmented by a review of other publicly filed actions and consent orders.
Enforcement Actions by Prudential Regulators
Prudential regulators such as the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve pursue formal enforcement actions when they believe that there have been violations of laws, rules, or regulations, unsafe or unsound banking practices, breaches of fiduciary duty, or violations of final orders or conditions imposed in writing or written agreements. The enforcement actions may seek anything from cease-and-desist orders to civil money penalties.
Banks or credit unions that find themselves the target of enforcement investigations rarely litigate against their prudential regulators, absent overreach in the agency’s jurisdiction or demand. The supervisory relationship is usually too important to risk long-term damage, and the restrictions on an institution’s ability to pursue business opportunities without supervisory approval are usually too stifling to be tolerated for long.
Individual executives are sometimes in a better position to fight. Not only do they not have the same institutional concerns, they usually can draw on a directors and officers liability (D&O) insurance policy or have their fees indemnified and possibly advanced by the institution. Moreover, they are often motivated to clear their reputation and avoid draconian sanctions, such as civil money penalties and/or removal and prohibition from the banking industry.
Here are three key takeaways based on my work handling enforcement actions by prudential regulators. These lessons might have forestalled or avoided the enforcement action altogether had they been part of the institution’s policies or performed at the outset.
Lesson #1 – An ineffective risk management function is a recipe for trouble
A common denominator in many enforcement actions is the lack of an effective risk management function with sufficient authority and voice within the bank to elevate concerns and drive changes. Sometimes risk management failures manifest themselves in the failure to comply with existing consent orders, resulting in repeat violations that are invariably dealt with far more harshly than the original violation. There are numerous examples where financial institutions failed to comply with existing consent orders that mandated changes to Bank Secrecy Act/Anti-Money Laundering (BSA/AML) practices, only to see recurring violations and correspondingly more draconian penalties.
Other enforcement actions are premised on inattention to governance and compliance mechanisms. This inattention can manifest in many ways, such as taking reactive approaches that depend on third parties – customers, credit reporting agencies, examiners – to identify problems; failing to investigate and address what in retrospect may be viewed as red flags; and providing superficial responses that fail to fix root causes. These shortcomings may be attributed to competing management priorities, or an inexperienced or ineffective risk management team. Institutions that have the most significant compliance violations tend to have risk management departments that are under-staffed, under-resourced, and under-appreciated. Whatever the underlying cause, regulators (with the benefit of hindsight) are predisposed to pursue enforcement actions if an institution is perceived as having a substandard risk management function.
The lesson here is that every financial institution should place a premium on having an effective and formidable risk management function. Risk management should have the resources and ability to evaluate internal and external complaints or reports of misconduct, investigate and report suspicious banking activity, conduct risk-based assessments of operations, assess compensation systems, detect and investigate outliers, consider feedback given by departing employees, and adhere to a transparent and well-documented disciplinary system.
Lesson #2 – Avoid high-risk products or services unless your institution has the requisite competence and expertise
Another common feature of investigations and enforcement actions is that they involve high-risk products, services, or customers. There have been a number of enforcement actions around flawed or deficient BSA/AML compliance and monitoring processes emanating from high-risk customers. For instance, third-party payment processors may pose heightened risk to financial institutions if they service merchants or businesses that regulators deem to be (potentially) fraudulent, predatory, or unsavory, such as telemarketers or internet gaming providers. Financial institutions that cater to digital asset customers such as cryptocurrency exchanges and other crypto-related businesses run the risk that prudential regulators may find their Customer Due Diligence (CDD) processes inadequate for the risk posed by these customers. Likewise, partnering with Fintech companies poses its own set of risks, as the financial institutional may be held accountable for the actions or omissions of the third-party company, which may be more focused on growth and product development than customer service and compliance without adequate oversight and controls.
Financial institutions whose CAMELS ratings are less than satisfactory should be particularly wary of banking high-risk customers, products, or services. Examiners rarely look fondly on this, and commonly criticize these practices and fault institutional management for the high-risk customer’s shortcomings when there is any problem. For those financial institutions that are considering banking with higher risk customers or partnering with Fintech companies, it is advisable to keep an open line of communication with prudential regulators – this proactive step helps avoid surprises and demonstrates an ability to handle the relationship. It is imperative to develop and periodically update an overarching banking strategy that has been approved by the Board and shared with regulators and to have a sophisticated and experienced BSA/AML officer charged with making sure that the strategy is followed. Institutions should also have the technology and resources to develop and apply enhanced due diligence procedures to high-risk customers, both at the outset and throughout the course of the relationship, and have a demonstrated track record of compliance.
Lesson #3 – Individuals may be held accountable for systemic shortcomings in institutional safety and soundness
Individual enforcement actions typically are predicated on breaches of the duty of loyalty and outright violations of law, and mostly focus on deception, obstruction, or self-dealing. Such misconduct presents a straightforward case for proving that institution-affiliate parties (IAPs) breached their fiduciary duties. By contrast, prudential regulators rarely pursue enforcement actions against individuals based solely on safety and soundness, as it can be difficult to blame any single individual for such a collective lapse.
However, regulators have come under increased criticism and scrutiny over the past decade for not holding individuals accountable for bank failures and other systemic risk management shortcomings. For example, in 2014 the Office of Inspector General analyzed bank enforcement actions and recommended that enforcement counsel pursue more cases against IAPs on safety and soundness violations. More recently, politicians and the media have exerted pressure on regulators to hold individuals accountable for institutional misconduct, particularly when that misconduct occurred on a systemic basis or affected large numbers of customers. As a result, there has been an uptick in enforcement actions against individuals premised on significant safety and soundness failures. It is no longer enough to simply avoid engaging in personal dishonesty or self-dealing to stay out of enforcement’s crosshairs. It is more likely now than ever that IAPs will be held personally accountable for institutional shortcomings if the problems are considered to be widespread or egregious.
A corollary of this observation is that in-house counsel are no longer exempt from being held responsible for institutional problems. It used to be that in-house lawyers were fairly insulated from enforcement actions unless they engaged in deception, obstruction, or some form of self-dealing. Now, however, there are signs of an emerging willingness to hold in-house lawyers accountable when the institution engages in unsafe and unsound practices for an extended period of time. This is not a strict liability regime; rather, enforcement counsel appear inclined to hold in-house counsel responsible when they believe (with the benefit of hindsight) that in-house counsel’s contemporaneous actions or inaction to address systemic problems were unreasonable, reckless, or grossly negligent.
What does this mean as a practical matter? To put it simply, if you see something, say (or do) something. The best way to inoculate yourself and to protect your institution is to act. In-house counsel should not ignore so-called red flags or other signs that there may be unsafe or unsound conduct. This is especially true for systemic issues rather than isolated problems. Warning signs can emanate from many different sources – for example, internal ethics complaints by employees, customer complaints, exit interviews with departing employees, or outlier analyses of the performance of employees or agents. The critical question is whether in-house counsel monitors how the warnings are being handled and takes affirmative and effective action if problematic trends persist. Ignoring systemic problems is a recipe for trouble; likewise, ineffective actions by counsel may not be enough to stave off an enforcement action, particularly if counsel does not take steps to elevate their concerns to others who can take effective action.
This is not to say that a General Counsel must operate as a de facto Chief Risk Officer. Most institutions of sufficient size separate those roles and establish independent reporting structures, and in-house counsel are permitted to rely on others (until it is no longer reasonable to do so). But it does put a premium on in-house counsel keeping abreast of systemic problems identified by the Risk Management function and assessing whether appropriate action is being taken. When problems persist and in-house counsel fails to follow up or take meaningful steps to ensure that those problems are being addressed in an effective manner, the risk of enforcement action for both the institution and the individual rises significantly.
It also means that in-house counsel should carefully review the scope and coverage provided by their D&O insurance policy, including whether there is Side A coverage that is exclusively available to D&Os. These policies can be critical to the defense of directors and officers, particularly in the unfortunate circumstance where the institution itself has been placed into receivership. While D&Os with larger insurance policies may be a more attractive target, I have yet to meet a client who wishes their D&O coverage was less. Indeed, more often than not the converse is true, and the individual clients wish their coverage was greater. Although it may feel remote and unnecessary at the time, having a substantial D&O policy is an important factor in being able to mount an effective legal defense.
Enforcement Actions by the CFPB
The Consumer Financial Protection Bureau (CFPB) presents a different regulatory challenge for financial institutions whose assets exceed the $10 billion jurisdictional threshold. Unlike prudential regulators whose primary mission is to ensure institutional safety and soundness, the CFPB’s mandate is to an institution’s consumers and not the institution itself.
The CFPB is charged with enforcing 18 different consumer protection statutes and armed with expansive unfair, deceptive, or abusive acts or practices (UDAAP) power under Title X of the Dodd Frank Wall Street Reform and Consumer Protection Act. Historically, the CFPB has wielded its power aggressively. The Bureau is known for taking enforcement positions that push the envelope. And while that posture was modulated to a degree during the Trump administration, the pendulum appears to be swinging back to a more aggressive enforcement posture, with particular emphasis on pursuing fair lending violations and abusive acts or practices.
While the key takeaways for dealing with prudential regulators continue to apply, there are other lessons that are unique to the CFPB’s enforcement investigations and actions. Prioritizing a strong Compliance Management System under the direction of qualified and capable Risk Management personnel will always be the most important thing a financial institution can do to stay on the good side of regulators. Institutions with a strong risk management function are more likely to spot issues and address them promptly, and therefore will have greater credibility with prudential and CFPB examiners alike. But what else should an institution do to better position itself with regard to the CFPB?
Lesson #1 – Approach supervisory responses, even Supplemental Information Requests and PARR letters, from an advocate’s perspective
Often the decision whether to refer a matter inside the CFPB from Supervision to Enforcement is a judgment call. In my experience, once a matter gets referred to Enforcement, it tends to take on a life of its own. That is not to say that every investigation inevitably ends with an enforcement action, but most of them do. That reality means that financial institutions should put a premium on their supervisory responses. The deadlines for providing responses are often short, particularly for Supplemental Information Requests. But institutions with the foresight to involve in-house counsel and – when appropriate – outside counsel, can improve the quality of their responses and frame them in ways that provide important context and ultimately make them more persuasive. This does not guarantee that an institution can avoid a referral to Enforcement, but it can make the difference in a close case. And even if there is a referral to Enforcement, having involved litigation counsel at the Supervisory stage ensures that the counsel is up-to-speed and ready to handle the matter from the outset.
Lesson #2 – It is never too late to fix things, even after an investigation starts
Sometimes financial institutions fall short despite their best efforts. Mistakes happen, or sophisticated databases do not function as expected, and consumers may be negatively impacted. Institutions that identify these problems, promptly take corrective action, and voluntarily disclose the issue almost always find themselves in a better overall position when dealing with the CFPB than those that do not. For starters, sometimes the Bureau will decline to take enforcement action if it believes that the institution was forthcoming, has a strong compliance management function, and took appropriate action to notify and remediate affected consumers. But even when the Bureau does elect to bring an enforcement action, it will often acknowledge the voluntary corrective actions that were taken and negotiate a reduced penalty below what it otherwise might have demanded.
Even when an institution does not identify the problem until after an investigation has begun, it still is not too late. Investigations rarely move quickly; they are most often measured in years rather than months. Financial institutions that take effective action early in an investigation to address deficiencies may come out ahead. If the institution implements new and effective controls to address the issue, they can then point to those changes to demonstrate their responsiveness to supervision, the important role played by management in driving these changes, and the effectiveness of the controls.
It is often quite compelling to have the institution’s own personnel showcase their work. For example, it may make sense to arrange for an in-person demonstration of newly developed controls, and to have employees show how it functions and how its use now prevents the problem at the heart of the investigation from recurring. When done correctly – i.e., with personnel who have the qualifications, credibility, and presentation skills needed to communicate their message – this sort of show-and-tell can reassure CFPB enforcement personnel that they do not need to make an example of the institution.
Lesson #3 – Sometimes it pays to litigate
Given the Bureau’s tendency to take aggressive positions, it is sometimes difficult to reach a reasonable settlement with the CFPB in a pre-litigation posture. There are institutional reasons why the Bureau tends to be more aggressive in enforcement actions. First, it is still a relatively new agency and is trying to cement its reputation as a tough and effective consumer advocate. The more wins it can get under its belt, and the more significant they are, the more fearsome it becomes. Second, the Bureau cannot possibly file enforcement actions against everyone who violates any of the 18 federal consumer protection laws under its purview. So it magnifies its leverage by pursuing high-profile entities – including financial institutions – to set examples for the rest of the industry, and then using those investigations and actions as templates to target others. Third, to borrow a baseball analogy, in its early years the Bureau preferred swinging for the fences to adopting a more conservative strategy premised on hitting singles or doubles. Early on, the CFPB pursued litigation on the periphery of its authority, such as around indirect auto lending, or controversial interpretations, such as around the proper interpretation of RESPA or Regulation E, rather than consistently tackling acts or practices more at the heart of its authority. This approach sparked substantial criticism of the CFPB’s “regulation by enforcement” approach. And fourth, the Bureau is trying to establish the parameters of its authority and therefore is incentivized to take more expansive and aggressive positions in order to do so.
Despite these dynamics, it is common to resolve enforcement actions without litigation. To their credit, CFPB enforcement counsel usually engages in substantive discussions about the merits of their claims. This process usually begins in earnest with a NORA response, but often continues after enforcement counsel obtains authority to sue. When they are fact- and principles-based, these discussions can lead both parties to modify their positions and reach an acceptable resolution. When this happens, the CFPB typically will include additional factual recitals requested by the institution to add context or emphasize voluntary remedial measures.
There are times, however, when management and the board of directors view the Bureau’s demands as too extreme or unreasonable. Perhaps the CFPB predicates its demand on agreeing to certain conditions, such as the amount of restitution or civil money penalty, or frames the facts in the proposed consent order in a way that the institution feels is misleading or inaccurate, or is pursuing claims that exceed its authority. In those circumstances, institutions are left with a stark choice: they can take the offer on the table, or they can choose to litigate. In those situations, financial institutions sometimes achieve substantially better outcomes when they choose to litigate the enforcement action.
I co-authored an article on this topic: Sometimes It Pays to Litigate Against the CFPB, Law360, Oct. 13, 2017. Although published over three years ago, the central premise of this article – that defendants threatened with CFPB enforcement actions should carefully weigh the merits of their legal and factual defenses and not assume that settlement will result in the best outcome – remains true today. This is not to say that institutions should litigate simply for the sake of litigation. To the contrary, if the institution lacks a compelling defense, then it may be best to accept the offer on the table. But when there are unsettled legal questions and a factual narrative that diverges from the CFPB’s telling, then litigation can pay off.
* * *
The benefits of avoiding damaging and expensive enforcement actions and reputational hits are incalculable. Financial institutions that internalize these lessons and devote the necessary resources to establishing a culture and system that prioritizes compliance will come out ahead in the long run. But even sophisticated financial institutions make mistakes, and when that happens it is important to remember that there are still things that can be done to improve your position with regulators and the overall outcome of any enforcement actions.
 Ryan Scarborough is a partner at Williams & Connolly LLP. He litigates enforcement actions brought by prudential regulators targeted at financial institutions, their directors and officers, and other institution affiliated parties, as well as consumer protection actions brought by the CFPB, securities actions brought by the SEC, and investigations by the DOJ.