When the CFPB Investigates: Responding to a CFPB CID

11 minute read | July.06.2023

Since opening its doors in July 2011, the Consumer Financial Protection Bureau (CFPB) has not been shy about initiating enforcement actions against companies and individuals subject to its authority, recovering billions of dollars as a result of enforcement actions. Recently, the Bureau has focused its enforcement efforts on lenders’ and other financial service providers’ use of new technology, such as artificial intelligence, as well as fair lending (including “digital redlining” and “discriminatory targeting”), fee practices, data monetization, including in the payments space, and on so-called “repeat offenders,” among other things.

Integral to any CFPB enforcement investigation is a civil investigative demand (CID), an investigative subpoena that allows the Bureau to demand documents and tangible items, including emails, reports, and data, as well as answers to written questions and oral testimony. In light of the breadth of the CFPB’s authority to investigate, the Bureau’s requests can be expansive, and receiving a CID can lead to a difficult, time-consuming, and expensive process for any responding company.

This article provides an overview of CFPB CIDs and offers practical tips on how companies can minimize burden and achieve a favorable investigation outcome.

What Triggers an Enforcement Investigation?

The CFPB has broad authority to investigate activity that could fall within the scope of its jurisdiction. The Bureau uses CIDs to seek facts regarding potential violations and to gather information regarding new products and technology to assess whether conduct falls within its jurisdiction.

The CFPB relies on myriad sources of information to justify opening an investigation, including:

Consumer complaints
The CFPB’s whistleblower hotline
The results of supervisory examinations
Referrals from other federal, state, and local agencies
Market intelligence

The Role of the CID

Once the Bureau opens an investigation, the CID quickly comes into play, serving as the Bureau’s primary fact-gathering tool. A CID can require its recipient(s) to produce documents, respond to interrogatories and requests for data, provide oral testimony and/or submit tangible things.

With limited exceptions, the Bureau can issue a CID to “any person” the Bureau reasonably believes may possess relevant documents and information.

The CID must state the nature of the illegal conduct alleged, cite the provision of law that may have been violated, and describe the Bureau’s requests and the time frame to respond to the requests. Importantly, at this stage, the Bureau’s notification regarding potentially unlawful activity is not required to be particularly specific or robust. Instead, CIDs tend to identify the general areas of focus of the CFPB’s investigation (for example, to determine whether a consumer lending company has “extended credit in a manner that is unfair, deceptive, or abusive” or “violates the Truth in Lending Act”).

With few exceptions, investigations―and, thus, CIDs―and materials produced in response to a CID are generally nonpublic.

Steps to Take Upon Receiving a CID

1. Take It Seriously, Involve Counsel

Receiving a CID can be daunting, but a company can position itself best by taking it seriously and preparing to address it head on. Ignoring a CID is rarely effective, and failure to comply with a CID may result in the CFPB filing a petition in federal court to enforce the CID, which would publicly reveal the investigation and possibly limit opportunities to negotiate with the CFPB over the scope and burden of the CID.

To better protect itself, a company should reach out to experienced counsel as soon as it receives a CID and send counsel a copy of the CID. Involving counsel early in the process can help a company understand the nature and scope of the CFPB’s investigation and devise an effective response strategy.

If a company receives a CID, it should understand that a CID may be, among other things:

A signal that the CFPB suspects the company has engaged in a potential violation of a federal consumer financial services law
A discovery tool to gather more information about alleged misconduct

A CID is not a formal finding by the CFPB of wrongdoing. It does not mean the Bureau has filed or will file a complaint in state or federal court or impose civil penalties, and it does not obligate a company to pause its business activities (though counsel may advise otherwise). Nevertheless, a company that receives a CID should proceed with due caution.

2. Read and Understand the CID – But Move Quickly

It is imperative that a company read (and reread) the CID to understand the essence and breadth of the investigation. A company should pay particular attention to the following items:

Notification of Purpose – This section describes the nature and scope of the investigation and the legal provisions applicable to the alleged violation(s). In practice, however, this description typically is brief and vague, often leaving companies guessing about the bases for the CFPB’s suspicions. To help uncover what is driving the CFPB, a company should consult with counsel, review the contents of the requests themselves to glean any insight into the investigation, and examine the Bureau’s current enforcement priorities (e.g., in press releases, speeches, congressional testimony) and similar enforcement actions against other companies.
Actions Required – This section tells the company the concrete actions it must take to respond to the CID, such as providing oral testimony, producing documents, and/or responding to interrogatories.
Deadlines – A CID requires a company to act quickly, so a company should be aware of the main deadlines, which are:
- Meet and confer – A company is generally required to “meet and confer” with Bureau counsel within 10 calendar days after receiving the CID or before the petition to modify or set aside the CID, whichever is earlier
- Return date for the requests – This date is often 30 days from the date of service, although it can be shorter (but this date is frequently extended as part of the meet-and-confer process)
- Petition for order modifying or setting aside demand – In general, if a company believes it has a legal basis to do so, it must file a petition to modify or set aside the CID within 20 calendar days after the CID is served and after the company has met and conferred with the CFPB. Generally, such a petition is publicly filed and therefore discloses the existence of the Bureau’s investigation to the public. These petitions rarely succeed but may still be prudent to defend against a later claim that the company has waived objections to the CID by failing to exhaust administrative remedies

Applicable Period – This section sets forth the period covered by the CID. The Bureau usually seeks information dating back several years, and the period is usually within a defined time frame (e.g., January 1, 2020, until January 1, 2023) or from a set date “until the date of full compliance” with the CID.
Language of the Requests and Definitions – A company should carefully review the “Definitions” section, since the CID may define terms in peculiar ways that can significantly impact the scope of the investigation, such as describing “company” to broadly include all of a company’s affiliates. The phrasing of the requests themselves can also impact the breadth of the investigation, as they may direct companies to produce “all” documents or only document templates or “documents sufficient to show” a particular item.
Document Submission Standards – Sometimes overlooked, this section describes the technical instructions for submitting documents electronically, including information to include in a cover letter, how to produce partially privileged documents, and how to label documents.

3. Preserve Documents

As soon as a company receives the CID, it should promptly institute an appropriate legal hold on any materials that may be relevant to the investigation, even if the company believes such materials are privileged. Even after materials have been provided in response to a CID, a company must not destroy materials it has produced or relied on in responding to the CID. Failure to preserve documents and information responsive to the CID can result in an adverse inference or other sanction in later civil litigation, or even criminal penalties.

4. Prepare to Respond

Responding to a CID can be challenging, especially in a compressed time frame, but the following steps can help a company position itself for success:

Involve counsel at the outset and throughout the investigation, including in meetings or discussions with the Bureau and internal meetings with company employees.
Identify company employees who may possess documents and/or information relevant to the investigation. A company should also identify any IT personnel who will be needed to access relevant data and documents. To maintain the confidentiality of the investigation, we recommend that a company identify a limited group of employees who will be responsible for responding to the CID (i.e., not the entire company).
Schedule internal meetings with the appropriate personnel to outline, request-by-request, how the company intends to respond; inform responsible personnel of the CID’s key deadlines and set internal deadlines to respond to requests; and start collecting relevant materials.
Schedule the meet and confer with Bureau counsel within 10 days of receiving the CID. Counsel should assist with this. For investigations that will involve significant IT-related work, the Bureau may insist that a representative from the company’s IT department attend.
Act quickly, but carefully.

5. Meet and Confer

The meet-and-confer session can be held in-person or virtually. It will likely be the company’s first in-person interaction with Enforcement counsel to discuss and negotiate the terms of the CID. Therefore, a company should take full advantage of the meeting, as it presents opportunities to:

Inform the CFPB that the company intends to cooperate fully.
Educate the CFPB about the company and any burdens associated with responding to the CID. The company should advise Enforcement counsel of company-specific information relevant to the investigation, such as the company’s history and the nature of the company’s financial products and services. The company should also articulate up front any real and/or anticipated difficulties with responding to the CID, such as the fact that certain documents do not exist or are spread across numerous sources, or that the company is leanly staffed and possesses limited resources. Explaining to Enforcement counsel any issues with responding to the CID can persuade the Bureau to narrow the scope of the CID.
Ask for modifications and extensions to the requests. The Bureau usually expects that companies make any requests to modify the CID in writing. The Bureau also expects that the company detail the burdens involved in responding to the CID as drafted. During the meet-and-confer session, the company can ask clarifying questions about the nature, scope, and origin of the CID, and meanings of certain terms as well as any technical requirements.
Build rapport with Bureau counsel to get a sense of the temperature of the investigation. Although a Bureau investigation is somewhat adversarial, the ultimate objective of the CID process is to meet the Bureau’s demands, so company employees should be respectful and constructive during the meeting.

Companies often rely on experienced outside counsel to conduct the meet and confer, often with company representatives present.

6. Respond, Advocate, and Resolve

It is now time for the company to respond.

A company must respond fully and truthfully to each request in the CID, as modified. This means that a company must produce all responsive, non-privileged information, even if it is damaging. If a document or information does not exist or can only be produced in a limited form, the company should explain that in its response (and, if possible, to Enforcement counsel during a meet and confer discussion).

The strongest responses include accurate information and also educate Enforcement staff regarding important context for the conduct under investigation. For instance, a company can include in its interrogatory responses its efforts to ensure compliance with any laws, describe corrective actions it took after discovering misconduct, and show how the company is appropriately serving its customers.

Companies should submit responses on time and in the proper format (review the Document Submission Standards) and check for accuracy and consistency.

After a company satisfies its obligations under the CID, the Bureau typically will take time to assess the information it has received. At this stage, the investigation could go in several different directions, including:

Additional CIDs to collect more information (including testimony)
Follow-up questions from the Bureau based on the information it has received
The CFPB asserting that it believes the company has violated the law in one or more ways
Notification that the CFPB has closed the investigation without further action

Orrick’s team of experienced advisors, litigators, and advocates have defended clients in dozens of high-stakes CFPB investigations and enforcement matters, many of which have been successfully (and non-publicly) resolved without further action. Combining deep substantive knowledge of CFPB regulations, jurisprudence, and operations with practical experience, we advise companies through the entire CID response process from receipt to resolution, to proactively engage with the CFPB, and to relentlessly advocate for our clients to reduce their burden and legal risk. Please contact the authors with any questions about CFPB investigations or other state and federal consumer protection matters.

Authors

John Coleman Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8006
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

John Coleman Partner

Washington, D.C.

Prior to joining Orrick, John was a partner at Buckley LLP, which he joined after 15 years in federal government service as a litigator and advisor to senior policymakers, most recently as Deputy General Counsel for Litigation and Oversight at the Consumer Financial Protection Bureau. He joined the CFPB soon after its creation in 2010 and was one of a core group of attorneys tasked with interpreting the authorities granted to the agency by the Consumer Financial Protection Act of 2010 and establishing the procedures by which the agency exercises those authorities. He was the first person to appear in court on behalf of the CFPB and was involved in every significant litigation matter in the agency’s history prior to his departure. As Deputy General Counsel, he managed the team of attorneys responsible for representing the Bureau in litigation, including appellate matters, and before congressional oversight bodies.

John served every director or acting director in the CFPB's history during his tenure at the CFPB, advising them and senior officials in the Division of Supervision, Enforcement, and Fair Lending on a range of complex legal and policy matters, including those arising in the course of examinations, investigations and enforcement actions. He also advised the Director and senior officials in the Division of Research, Markets, and Regulations with respect to rulemakings, and represented the agency in all rulemaking challenges.

Prior to joining the CFPB, John was a trial attorney in the Federal Programs Branch of the Department of Justice’s Civil Division, representing federal agencies and officials in high-profile civil litigation, including cases brought under the U.S. Constitution, the Administrative Procedure Act and federal antidiscrimination laws.

Following law school, he served as a law clerk for the Honorable T.S. Ellis III, of the United States District Court for the Eastern District of Virginia.

Amanda Lawrence Partner, Fintech, Financial & Fintech Advisory

Washington, D.C.

See my bio

D:+1 202 349 8089
E: [email protected]

Practice:

Fintech
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Finance
Complex Litigation & Dispute Resolution
Internal Investigations
Class Action Defense

vCard

See full bio

Amanda Lawrence Partner

Washington, D.C.

She is a trusted adviser to and first call in high-stakes litigation and enforcement matters, including government investigations, regulatory examinations, class action and complex litigation, and internal investigations. Her matters include investigations, examinations, and enforcement actions before the CFPB, FTC, federal and state bank regulators and state attorneys general, including defending a leading bank in one of the CFPB’s first enforcement actions—a joint investigation and enforcement action with the FDIC.

Amanda also represents clients in bet the company litigation, including financial institutions and lenders in residential mortgage-backed securities (RMBS) matters, consumer class actions and other complex civil litigation matters.

Amanda is well versed in all aspects of her clients’ business and is known for providing thoughtful and practical advice. She leverages her experience with litigation and enforcement agencies to stay ahead of regulatory trends impacting the finance and fintech industries. Key among these is data monetization and regulators’ heightened focus on how data is collected, used, stored and transferred. Amanda’s practice started in the cyber and privacy spheres, and today she helps clients manage compliance with the Gramm-Leach-Bliley Act (GLBA) and Regulation P, the Safeguards Rule, the Fair Credit Reporting Act (FCRA), the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Prior to joining Orrick, Amanda was a partner at Buckley LLP, where she was a member of the partner board. She also has an active pro bono practice.

John (Jay) Williams Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 461 2987
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech
eDiscovery & Information Governance

vCard

See full bio

John (Jay) Williams Partner

Washington, D.C.

Jay has represented clients before the Department of Justice (DOJ), Consumer Financial Protection Bureau (CFPB), Federal Housing Finance Agency (FHFA), Department of Housing and Urban Development (HUD), New York Department of Financial Services (NYDFS) and other state regulators, including state attorneys general. He is focused on the compliance issues surrounding government-insured mortgages and other credit products and works with his clients to conduct compliance and consumer protection reviews to mitigate risk.

Jay has extensive experience assisting clients in matters involving complex electronic discovery issues, such as large-scale document collection, developing effective document retention policies and using cutting-edge technology (including artificial intelligence) to reduce review and production costs.

Active in pro bono work, Jay has represented clients before the U.S. Parole Commission and handled multiple matters with the Washington Lawyers’ Committee. He is a current board member of the Interfaith Action for Human Rights, was a founding board member of the Greater D.C. Diaper Bank, and coaches Capitol Hill Little League baseball teams.

Prior to joining Orrick, Jay was a partner at Buckley LLP. He also was a litigation associate at Venable LLP, where he represented clients in complex commercial litigation and arbitration. During law school, he served as a clerk in the Office of the Public Defender in Montgomery County, Maryland.

Brian Bartholomay Counsel, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 7937
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Brian Bartholomay Counsel

Washington, D.C.

Brian’s experience includes matters initiated by the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC), Office of the Comptroller of the Currency (OCC), and U.S. Department of Housing and Urban Development (HUD), as well as state attorneys general and other state regulators. In addition to his enforcement practice, Brian also represents financial services clients in individual and class actions arising under federal and state consumer protection statutes.

Prior to joining Orrick, Brian was counsel at Buckley LLP.

Ronald Williams Managing Associate, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 461 2917
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Ronald Williams Managing Associate

Washington, D.C.

In his government enforcement practice, Ron routinely defends a broad range of clients in the financial services industry before federal and state regulators, including matters initiated by the Consumer Financial Protection Bureau (CFPB), Federal Reserve Board, the Federal Trade Commission (FTC), and state regulators. Ron has experience responding to Civil Investigative Demands (CIDs), managing large-scale discovery, and advising clients on regulatory risks.

In his litigation practice, Ron represents businesses in class actions and complex commercial disputes in federal and state courts. Ron effectively drafts briefs and discovery requests, prepares witnesses for depositions, manages discovery, and conducts complex legal research on a range of issues.

Ron maintains an active pro bono practice, with a particular focus on criminal justice reform. He has helped draft legislation to severely limit the use of solitary confinement in District of Columbia correctional facilities, drafted an amicus curiae brief on behalf of an individual charged with homicide seeking to exclude expert testimony, and reviewed innocence claims for an incarcerated individual.

A fervent advocate for diversity, equity, and inclusion (DEI) at Orrick and in the legal profession, Ron serves on Orrick's DEI committee in D.C.

Prior to joining Orrick, Ron was an associate at Buckley LLP and Fried, Frank, Harris, Shriver & Jacobson LLP. He also clerked for the Honorable Peter G. Sheridan of the U.S. District Court for the District of New Jersey.

Related Areas

Markets

Portland