In a wide-ranging speech yesterday before the Consumer Bankers Association, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray forcefully defended his agency’s approach to consumer financial regulation and supervision against critics who call it “regulation by enforcement.” Saying that criticism of this practice (and even the term) is “badly misplaced,” he argued for the need to work “toward a pattern of actions that conveys an intelligible direction to the marketplace, so as to create deterrence that can be readily understood and implemented.”

Director Cordray noted that the “vast majority” of CFPB enforcement actions involve some sort of deception or fraud and commented on the difficulty of creating specific rules to address fraud or untruth. In turn, he said, the CFPB has sought

to present specific enforcement orders that meticulously catalogue the facts we have found in our very thorough investigations and set out the legal conclusions that follow from those facts. These specific orders are also intended as guides to all participants in the marketplace to avoid similar violations and make an immediate effort to correct any such improper practices.

In this regard, the Director’s speech included an unambiguous warning to financial institution compliance officers and executives about the need to pay attention to CFPB enforcement actions:

These orders provide detailed guidance for compliance officers across the marketplace about how they should regard similar practices at their own institutions. If the same problems exist in their day-to-day operations, they should look closely at their processes and clean up whatever is not being handled appropriately. Indeed, it would be “compliance malpractice” for executives not to take careful bearings from the contents of these orders about how to comply with the law and treat consumers fairly.

Are you a consumer financial services provider? Do you tell your customers that your data security practices are “best in class”? If so, it had better be true, or Richard Cordray and his colleagues at the Consumer Financial Protection Bureau (CFPB) may want to talk with you.

On March 2, the CFPB initiated and settled by consent an administrative action against an online consumer payments provider (Respondent) for what the CFPB charged were deceptive acts and practices arising out of representations that the Respondent made about its data security practices.

In the Consent Order, the CFPB charged that Respondent (which offers funds transfer services to consumers) made numerous representations about its data security practices that were not true, including statements that

  • its network and transactions were safe and secure,
  • its transactions were safer than credit cards,
  • its data security practices “exceeded industry standards,”
  • customer information was safely encrypted, and
  • its data security measures were Payment Card Industry (PCI) compliant.

On February 26, the Office of the Comptroller of the Currency (OCC) released its revised Policies and Procedures Manual policy for assessing civil money penalties (CMP Policies). The CMP Policies are used as a reference tool for examiners in assessing the severity of any identified unsafe and unsound banking practices, violations of laws, regulations, orders, conditions imposed in writing, and formal agreements (“violations”) by institutions and persons subject to OCC’s supervision (national banks, federal savings associations, federal branches and agencies, and bank service companies and service providers). The CMP Policies replace the prior OCC policies and procedures regarding civil money penalties (CMP Matrix) that were issued in 1993 and prior Office of Thrift Supervision policies for federal savings associations that were issued in 2009.


The CMP Policies, like the predecessor CMP Matrix used by the OCC, assign a positive numerical score and a factor weight to each of 11 factors that are taken into account in determining whether to assess a CMP and the amount of the CMP (e.g., intent, concealment, financial gain, loss to the bank, or loss/harm to consumers or the public). In addition, the CMP Policies assign what is in effect a negative risk weighting to 3 specified mitigating factors: good faith, cooperation, and restitution. For each factor, the numerical score is multiplied by the factor weight to arrive at a component factor score, and the component scores are then summed to arrive at a composite CMP matrix score upon which the OCC relies in making its final CMP decision.

As the Consumer Financial Protection Bureau (CFPB) completes its fifth year as a fully operating entity in 2016, distinct enforcement patterns have emerged that can assist businesses and individuals that have or may become targets of the agency in assessing penalties and their impact should they elect to settle with the CFPB.

The CFPB’s Settlement Precondition Provisions

Key provisions required by the CFPB as a precondition for settlement deeply impact the bottom line result of a settlement and are different in material respects from those typically required by other federal and state financial services enforcement agencies. These key provisions include the following:

  • Prohibitions on the settling party (Respondent) claiming favorable tax treatment for monetary penalties
  • Prohibitions on the Respondent claiming any part of the monetary penalties against available insurance
  • Prohibitions against the Respondent asserting a setoff for payments made to the CFPB against any judgment in a related private action or, in the alternative, the payment of any such setoff to the US Treasury

The specific language is comprehensive, but will vary somewhat depending on whether the matter is resolved in US District Court or in an administrative proceeding, as well as on whether the matter involves entities, individuals, or both.