March 22, 2018

Comment in Response to the CFPB's Request for Information on Its Enforcement Practices

  • Brian Knight

    Director of the Program on Financial Regulation

I appreciate the opportunity to respond to the Bureau of Consumer Financial Protection’s (CFPB) request for information on its enforcement activities. The Mercatus Center at George Mason University is dedicated to bridging the gap between academic ideas and real-world problems and to advancing knowledge about the effects of regulation on society. This comment, therefore, does not represent the views of any particular affected party or special interest group but is designed to assist the CFPB as it considers whether it should modify its enforcement activities, especially with regard to ensuring that parties have sufficient notice and an opportunity to comment on the rules that will bind them before they face potential liability for a violation. More generally, this comment seeks to assist the CFPB in embracing a regulatory approach that benefits consumers by allowing for competition and innovation while providing necessary consumer protections.

The CFPB Should Ensure Regulated Parties Have Adequate Notice of and an Opportunity to Comment on the Rules That Bind Them 

The CFPB performs an important function as the lead regulator for consumer financial products and services at the federal level. This includes rulemaking and enforcement authority for federal consumer financial laws and general authority to bar parties covered by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) from engaging in “unfair, deceptive, or abusive acts and practices.” The breadth of this power makes it vital that the CFPB abide by the core norms of due process and fairness.

Unfortunately, the CFPB has not always provided regulated parties sufficient notice and a chance to comment on the rules and standards that the CFPB holds parties to via enforcement actions. As the US Treasury Department noted in its report on banks and credit unions written pursuant to Executive Order 13772, “In practice, the CFPB has avoided notice-and-comment rulemaking and instead relied to an unusual degree on enforcement actions and guidance documents, which the CFPB has consistently issued without opportunity for public comment, to announce new standards of conduct.”

This failure to provide appropriate notice and a meaningful opportunity for regulated entities to comment on the rules they are bound by can and should be addressed by the CFPB. Fortunately, there are steps the CFPB can take to avoid these issues in the future. Among them is abjuring the use of guidance documents and previous enforcement actions as a substitute for rulemaking, with appropriate notice and comment, to illuminate the obligations of regulated parties. This will provide clarity not only to those parties but to the CFPB itself, providing for more uniform and consistent enforcement and placing CFPB actions on more solid legal footing. These improvements will help the CFPB more effectively pursue its important consumer protection mission while respecting fundamental notions of due process.

The Use of Guidance Documents

The CFPB, like many regulatory agencies, uses guidance documents to inform the public on matters relating to “the manner in which the agency proposes to exercise a discretionary power” or to “advise the public of the agency’s construction of the statutes and rules which it administers.” Unlike “legislative rules,” guidance documents are not intended to be binding and do not require the agency to undergo notice-and-comment rulemaking.

While guidance documents can provide useful information about legal and regulatory requirements to regulated parties and the general public, they should not serve as a substitute for notice-and-comment rulemaking. The risk that guidance will serve as de facto rulemaking is most acute when regulated entities feel that they are bound by, and will be held responsible for, the requirements expressed in guidance documents, even if those requirements exceed the underlying law and regulation. As the Office of Management and Budget notes, the use of guidance documents to circumvent notice-and-comment rulemaking risks “poorly designed or misused guidance documents [that] can impose significant costs or limit the freedom of the public.”

As the Administrative Conference of the United States explains, a regulated party being de facto bound by technically nonbinding guidance documents can be the result of an agency’s bad-faith intention to bind regulated parties without providing due process. However, even if the agency does not intend to circumvent due process, the guidance documents may have the same effect if the regulated entities believe they will be held liable for complying with a standard of conduct advocated by the guidance documents.

There are several situations in which a regulated entity can feel bound by agency guidance, even if that is not the agency’s intent. This can occur when the regulated party needs the regulator’s permission to do or receive something essential; operates in a highly regulated environment where perfect compliance is exceedingly difficult, causing the regulated entity to feel the need to comply with guidance to impress the regulator; or feels it risks a prohibitively expensive fight if it is subject to enforcement, even if the regulated party prevails.

Parties regulated by the CFPB can credibly claim all three reasons. Entities regulated by the CFPB could reasonably believe that the CFPB has leveraged government approvals from other regulators as a means of obtaining compliance. Entities regulated by the CFPB are subject to a myriad of complex laws and regulations that can make perfect compliance difficult, even if noncompliance does not materially harm consumers, and firms can reasonably believe that fighting a CFPB enforcement action will be ruinously expensive even if the firm ultimately prevails.

Unsurprisingly, firms, and the lawyers who advise them, consider CFPB guidance as creating new binding requirements beyond the underlying laws and regulations. For example, in response to the CFPB’s Compliance Bulletin 2012-03 on service providers, at least one law firm believed that the CFPB’s expectations constituted an effective mandate of procedures beyond those required by the relevant law and regulation. These commenters further noted that while the bulletin “has all the hallmarks of a regulation,” the CFPB failed to follow standard procedures for a regulation, including providing for notice and comment from the public and following the Small Business Regulatory Enforcement Fairness Act procedures required when the CFPB pursues a rulemaking with a significant economic impact.

Likewise, the CFPB’s guidance on debt collection found in CFPB Bulletin 2013-07 has been interpreted by observers to impose the obligations of the Fair Debt Collection Practices Act (FDCPA) through Unfair, Deceptive, and Abusive Acts and Practices (UDAAP) liability on parties generally not covered by the FDCPA.

These examples indicate that whether or not the CFPB intends for guidance documents to create new binding rules, they appear to have that effect on regulated parties. This creates the risk that rights are being limited without the necessary and appropriate process being followed, and that the risk of ruinous litigation is preventing regulated entities from using the courts to vindicate their rights appropriately. This is an unacceptable state of affairs that risks depriving regulated parties of due process and delegitimizing the CFPB.

The CFPB’s Use of Regulation by Enforcement

The CFPB has also developed a reputation for using enforcement actions to announce new legal requirements for regulated firms instead of providing appropriate notice via rulemaking. The use of targeted enforcement actions to guide markets through consent orders has been acknowledged by former CFPB Director Richard Cordray in testimony before Congress. This use of enforcement without necessary notice has also been criticized by commenters and has been found to violate the due process rights of regulated parties.

The use of enforcement, such as consent orders, to elucidate standards to which the CFPB will hold regulated parties presents several problems. First, the firm that is to be made an example of may not have adequate notice of its obligations before being subject to an enforcement action. This lack of notice can violate due process, as in the case of the CFPB’s enforcement action against PHH, where the CFPB adopted a new interpretation of the requirements of the Real Estate Settlement Procedures Act. Second, a settlement and consent order do not necessarily reflect the law but rather what the specific parties were willing to agree to, and unlike rulemaking they do not allow other affected parties to challenge the CFPB’s interpretation or the terms of the settlement. This can result in regulation being set not by the law but by the relative litigation position of a regulated entity. Third, because consent orders are inherently fact and circumstance specific, they cannot provide sufficient guidance. Fourth, consent orders are not as durable as regulations because new agency leadership can demand a different standard for behavior.

While enforcement actions are necessary and consent orders can be useful tools to inform the public and other regulated entities, they cannot substitute for the due process and clarity that notice-and-comment rulemaking can provide.

Recommended Changes

The CFPB should seek to prevent regulated parties from being unduly bound, either intentionally or de facto, by guidance and enforcement actions. Fortunately, there are several steps that the CFPB can take.

First, to the extent the CFPB intends for guidance documents and consent orders to inappropriately substitute for notice-and-comment rulemaking, it should stop that policy promptly and retract the guidance documents issued with that intent. The CFPB should also make clear through agency policy and practice, rather than just boilerplate language, that consent orders are not binding except to the party who is the subject of a consent order and that guidance documents are not binding.

For example, the CFPB may wish to adopt a policy forbidding its enforcement attorneys from using guidance or consent orders as bases, in and of themselves, for proving that a regulated party has violated the law. This approach would mirror actions taken by the Department of Justice (DOJ) with regard to guidance documents in certain affirmative civil enforcement cases. As with the DOJ’s policy, this does not mean that guidance documents and consent orders could not be used at all. For example, to the extent that guidance or a consent order simply explains or rephrases the underlying law or rule without adding additional requirements, it could be used to show that the regulated party had notice of its obligations.

Second, the CFPB should engage in more rulemaking, including notice-and-comment rulemaking, to help define the criteria by which they will evaluate compliance. For example, the CFPB could seek to define “abusive” more fulsomely via rulemaking. Even if fully defining what conduct is “abusive” may be difficult, at a minimum the CFPB could seek to provide more clarity as to what the essential elements are and what is not “abusive.” This will provide regulated entities at least some additional information to help them comply with the law. Rulemaking will also allow regulated entities to challenge the CFPB’s interpretation of the law before facing potential liability under the rule, which can serve to provide needed accountability.

Conclusion

The CFPB has an important mission to protect consumers. Previous efforts to substitute guidance documents and enforcement for rulemaking have undermined this mission by depriving regulated parties and the public of both clarity and appropriate opportunities to comment on or contest proposed rules. These efforts have also weakened the CFPB’s position with the courts. By utilizing rulemaking appropriately, the CFPB can redress these concerns and better achieve its mission.