May 28, 2014 Practice Groups: Government Enforcement Consumer Financial Services Global Government Solutions Individual Liability in CFPB Enforcement Proceedings By: Jon Eisenberg To date, the CFPB has brought 12 cases—out of more than three dozen total CFPB enforcement cases—in which it named individuals as defendants or respondents liable for violations of consumer protection statutes. Below, we consider the standards for individual liability in CFPB cases, the actual cases that have been brought, and 10 lessons that can be drawn from these cases. 1. CFPB Director Cordray’s Recent Statements on Individual Liability A. The Current Regulatory Environment Individual accountability is the regulatory catchphrase of the moment. In imposing a $10 million fine on a bank executive and a $7.5 million fine on a CFO for a bank’s alleged disclosure violations, the New York Attorney General said, “This settlement is one more step in our effort to hold top financial executives accountable for their actions.” In a March 2014 speech to the Exchequer Club, New York State’s Superintendent of Financial Services focused almost exclusively on his intent to punish Wall Street executives and stated that there was an “accountability gap” on Wall Street because “no single senior executive has really been held to account” and that “real deterrence…means a focus not just on corporate accountability, but on individual accountability.” The Chair of the SEC has made targeting individuals a “core principle” of the SEC’s enforcement program on the theory that “when people fear for their own reputations, careers or pocketbooks, they tend to stay in line.” Indeed, the SEC highlights the fact that, as of the end of 2013, it had filed enforcement actions against 70 CEOs, CFOs, and other senior officers in connection with its financial crisis enforcement actions. The U.S. Treasury Department’s Undersecretary for Terrorism and Financial Intelligence testified before Congress that the agency was focused on “employing all the tools at the agency’s disposal to hold accountable those institutions and individuals who allow our financial institutions to be vulnerable to terrorist financing, money laundering, proliferation finance, and other illicit financial activity.” (emphasis added). B. Director Cordray’s Statements CFPB Director Richard Cordray recently became the latest regulator to weigh in on the issue of individual accountability in his May 9, 2014, Remarks at the Federal Reserve Bank of Chicago. Because these are, by far, his most detailed remarks on the issue of individual accountability, we quote them at length below. Cordray stated: An article on the same topic will be appearing in the July issue of Mortgage Banking magazine. Individual Liability in CFPB Enforcement Proceedings [W]e have also reflected in various settings that a company only acts through individuals—both decision-makers and those who carry out decisions. This is nothing new. It accords with time-honored principles of law, including those governing relationships between the corporation and its employees and agents, principles of vicarious liability, and the concept of piercing the corporate veil. These determinations must be handled in a measured manner, but if treated properly they can achieve just and effective results in more fully redressing legal violations. The issues should not devolve into mere technical arguments about corporate form and structure; instead they must represent the more straightforward concept of accountability. In other words, there are legitimate occasions where it is appropriate to pursue not only the company that was a party to the consumer’s transaction, but also individuals who were decision-makers or actors relevant to that transaction. And so the Consumer Bureau has sued not only companies but also their executives in cases where we are authorized to do so. Under the law, this includes not only a provider of consumer financial products or services, but also, in certain cases, anyone with “managerial responsibility” or who “materially participates in conduct of [its] affairs.” We have named such individuals as parties in a variety of cases, and they have been required to finance restitution to consumers and submit to injunctive relief. Individuals have also been barred, sometimes permanently, from offering certain kinds of financial products or services. And they have been referred to the Justice Department for criminal prosecution in appropriate instances. The right response depends on the circumstances, and different thresholds may apply to each of these accountability measures, which are important supplements to simply imposing all legal responsibility on the corporate entity itself. This expands upon, and is consistent with, comments Director Cordray made last year about individual liability. “I’ve always felt strongly,” he stated, “that you can’t only go after companies. Companies run through individuals, and individuals need to know that they’re at risk when they do bad things under the umbrella of a company.” Cordray’s statements raise a number of interesting issues about personal liability in CFPB proceedings. When is the CFPB authorized to bring actions against individuals? When does it, in fact, sue individuals? What level of culpability is required? What level of involvement in the underlying unlawful conduct is required? Is there true “vicarious” liability? What type of relief does the CFPB demand? We turn to these issues below. 2. The CFPB’s Authority to Name Individuals Who Engage in Knowing or Reckless Misconduct The Dodd-Frank Wall Street Reform and Consumer Protection Act, which created the CFPB, provides in Section 1036(a)(3) that: 1. “any person” 2. who “knowingly or recklessly” 3. provides “substantial assistance” to a covered person or service provider in violation of Section 1031 2 Individual Liability in CFPB Enforcement Proceedings shall be “deemed to be in violation of that section to the same extent as the person to whom such assistance is provided.” We can think of this as the CFPB’s authority to sue aiders and abettors of Section 1031 violations. Section 1031, in turn, is the catch-all provision authorizing the CFPB to prevent “covered persons” and service providers from engaging in an “unfair, deceptive, or abusive” act or practice in connection with consumer financial products or services. Most CFPB enforcement proceedings allege violations of Section 1031 even when the CFPB also sues for violations of other consumer statutes. Thus, there is almost always a statutory basis for bringing aiding and abetting claims if the CFPB is able to allege and prove knowing or reckless misconduct. 3. The CFPB’s Authority to Name Individuals Who Engage in Non-Culpable Misconduct The CFPB, however, rarely wants to take on the burden of alleging and proving “knowing” or “reckless” misconduct. Instead of relying on the aiding and abetting provision, it usually alleges that individuals are themselves “covered” persons and, as covered persons, are directly liable for violations of the relevant consumer statutes. A. Covered Persons The two obvious questions are who is a “covered person” and what must a covered person do to violate a consumer protection law. The term “covered person” includes: 1. any person that engages in offering or providing a consumer financial product or service; 2. any “affiliate” of such person if the affiliate acts as a service provider to such person; and 3. any “related person.” An “affiliate” is a person that 1. controls; 2. is controlled by; or 3. is under common control with another person. A “related person” is 1. any director, officer, or employee charged with managerial responsibility for, or controlling shareholder of, or agent for, such covered person; 2. any shareholder, consultant, joint venture partner, or other person, as determined by the Bureau (by rule or on a case-by-case basis) who materially participates in the conduct of the affairs of such covered person; and 3 Individual Liability in CFPB Enforcement Proceedings 3. any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in any— 1. violation of any provision of law or regulation; or 2. breach of a fiduciary duty. There is a carve-out, however, from the definition of a related person. The above persons cannot be deemed related persons of bank holding companies, credit unions, or depository institutions. As a practical matter, the most likely candidates for individual liability are controlling persons and persons who have “managerial responsibility” and persons who “materially participate” in the affairs of the entity—owner operators and senior executives. B. What Must an Individual Covered Person Do to Have Liability? Section 1031 does not provide that a “covered person” is vicariously liable for the acts of the entity. Rather, Section 1031 provides that the CFPB may take action to prevent a covered person from itself “committing or engaging in an unfair, deceptive, or abusive act or practice.” This suggests that by choosing not to rely on the aiding and abetting provisions in 1036(a)(3), the CFPB takes on the burden of proving that the individual defendant or respondent deemed to be a covered person itself engaged in unfair, deceptive, or abusive acts or practices. This is similar to the standard that federal banking regulators apply to institution-affiliated parties under the Federal Deposit Insurance Act—in which federal banking regulators may bring actions against individuals who themselves engage in a violation of federal banking law but in which concepts of vicarious liability do not arise. Below, we discuss representative cases in which the CFPB has brought actions against individuals. 4. Suing the CEO and Vice President for Unlawful Bonus Payments In July 2013, the CFPB sued a mortgage loan company, its president, and its vice president for capital markets. The company had approximately 330 employees and originated over a billion dollars of mortgage loans a year. The CFPB alleged that the defendants violated consumer financial protection laws by paying quarterly bonuses to loan officers in amounts that varied based on the interest rates of the loans they originated, with higher interest rates resulting in higher quarterly bonuses. The complaint alleged that both the company and individual defendants developed and implemented a scheme by which the company would pay quarterly bonuses to loan officers in amounts that varied based on the interest rates of the loans they originated; that the president allegedly sanctioned and decided to implement the bonus program; and that the vice president of capital markets allegedly calculated the amount of quarterly bonuses to be paid each quarter. The CFPB charged that, because they “had managerial responsibility for the Company and [have] materially participated in the conduct of its affairs,” the two individuals were “related persons” and, thus, were liable for the violations to the same extent as the company. The district court entered injunctive relief against all three defendants imposed a judgment of “equitable monetary redress” of $9.2 million “against Defendants, jointly and severally,” and 4 Individual Liability in CFPB Enforcement Proceedings imposed a $4 million fine “against Defendants, jointly and severally.” Because the monetary relief and the fine were entered “jointly” against the defendants, the company defendant could pay the entire amount. 5. Suing the Owner/CEO for Collecting on Loans that Failed to Comply With State Usury Laws In December 2013, the CFPB sued an online loan servicer, its individual owner/CEO, its subsidiary, and its affiliate. The CFPB alleged that the defendants attempted to collect on hundreds of thousands of small loans that violated state usury laws, and it rejected the defense that those laws did not apply to its business because it was based on an Indian reservation and owned by a member of an Indian tribe. The complaint alleged that the owner/CEO had managerial responsibility and was thus a “related person,” and that he “knew or should have known” about the allegedly violative practices. The complaint seeks an injunction as well as restitution, disgorgement, and civil money penalties against the defendants. 6. Suing the Owner/CEO for Violating RESPA Anti-Kickback Provisions In January 2014, the CFPB sued a mortgage loan originator and its owner/president for allegedly violating the anti-kickback provisions in RESPA by paying above-market rental fees in exchange for mortgage referrals. The complaint alleged that the individual defendant was a “related person” because he had managerial responsibility and materially participated in the company’s affairs; that he had insisted on the arrangement; and that he had signed the lease agreement. The CFPB issued a cease and desist order against both the corporate entity and the individual, issued a disgorgement order against the corporate entity alone, and issued a civil money penalty against both respondents “jointly and severally.” 7. Suing Owners/Officers for Offering Deceptive Debt-Relief Services The CFPB has named individuals as defendants in a number of cases against companies marketing debt-relief services in an allegedly deceptive manner. In fact, most of the CFPB’s debt relief services cases involve claims against individuals (as well as against entities). The individuals were often both the owner and the CEO (or the primary lawyer in the case of a law firm defendant), they were involved in day-to-day operations and developed the business model, and they often directly engaged in the debt-relief sales efforts on the company’s behalf. The complaints sometimes allege that the individuals “knew or should have known” of the allegedly unlawful conduct. They contain language such as the individual “approves, ratifies, endorses, directs, controls, and otherwise materially participates in the conduct of the company’s affairs.” In cases that have been settled, the monetary relief is typically entered “against Defendants, jointly and severally,” which means that the individual may avoid liability if the company pays the entire amount. 8. Cases in Which Individuals Are Not Named As important as the cases in which the CFPB has named individuals are the cases in which it has not. In just over two-thirds of its enforcement cases, the CFPB has not named any 5 Individual Liability in CFPB Enforcement Proceedings individual defendants or respondents. None of the CFPB’s 10 largest settlements name individuals. None of the CFPB’s cases against public companies name individuals. None of the CFPB’s cases name non-officer directors. None of the CFPB’s cases name low-level officers or employees as individual defendants or respondents. 9. Practice Pointers The fact that the CFPB focuses on individuals means that practitioners also have to be alert to making sure that individuals are vigorously represented before the CFPB. When the staff gives any indication that it contemplates potentially recommending an action against an individual (or when the facts otherwise suggest that as a realistic possibility), careful consideration should be given to retaining separate counsel for the individual and making a separate NORA submission. An individual submission will often focus less on whether there were violations of consumer protection laws and more on the individual’s background, good faith, and relative absence of involvement in the alleged violations. On the other hand, it is important not to overreact as well. More than two-thirds of CFPB enforcement cases involve no individual defendant. Bringing in separate counsel may send exactly the wrong message when the staff otherwise had not even contemplated the prospect of recommending an action against an individual. A middle course may be to bring in “shadow counsel.” The role of shadow counsel is to make sure the individual’s interests are being protected, but not to formally surface in the investigation. 10. Insurance and Indemnification Defending against CFPB investigations and proceedings can be expensive. Individuals should review and pursue their rights to advancement of legal fees, indemnification, and insurance coverage. The CFPB often takes the position that defendants may not seek reimbursement from insurance carriers or others for any penalties imposed, but has not taken the same position with respect to advancement and reimbursement of legal fees or the payment of monetary relief other than penalties, such as consumer restitution. Conclusion We draw the following 10 lessons from enforcement cases that the CFPB has brought against individuals to date: 1. Owners are, by far, the most commonly named individual defendants. For relatively small companies, the CFPB may make little distinction between what the company does and what the owner/operator of the company does. Arguments about corporate form may not have much impact in that setting. 2. When the CFPB has named individuals, it has not relied on theories of vicarious liability or relied exclusively on their status as owners or officers—rather, it has typically alleged that the individuals were involved in the allegedly unlawful conduct. 3. Although the CFPB has authority to name individuals as aiders and abettors if it alleges that they engaged in reckless or knowing misconduct, the CFPB rarely relies on the aiding and abetting provision to name individuals. That creates the odd dynamic that the authority Congress most clearly provided for the CFPB to bring cases 6 Individual Liability in CFPB Enforcement Proceedings against individuals is almost never used by the CFPB when it actually brings cases against individuals. 4. The CFPB rarely names individuals in cases against large companies. That makes sense because the larger the company, the less likely it is that there will be an owner or senior officer that was culpably involved in the alleged misconduct. Moreover, the statute itself limits the CFPB’s authority to sue individuals associated with bank holding companies, credit unions, and depository institutions. 5. To date, the CFPB has not named individuals in the CFPB’s 10 largest settlements or the CFPB’s cases against public companies. The CFPB also has not named nonofficer directors or low-level officers or employees as individual defendants. There are good reasons for this. 6. In most cases when it has named individuals, the CFPB has been willing to enter into settlements in which the company and the individual are jointly responsible for the monetary relief. That allows the company to pay the entire amount. There is no assurance, however, that this will always be the case. 7. CFPB investigations can be expensive. Individuals should carefully review their rights to advancement, indemnification, and insurance. 8. Practitioners need to be alert to the possibility the CFPB staff will recommend naming an individual. Depending on the circumstances, individuals may be well served by being separately represented and making separate NORA submissions. Submissions by individuals will often focus less on whether there were violations at all, and more on the individual’s good faith and the relative absence of involvement in the violation. 9. On the other hand, practitioners should also avoid overreacting. Given that more than two-thirds of CFPB proceedings do not name individuals, separate representation may be premature absent an indication by the staff that it contemplates recommending an action against an individual. Indeed, separate representation may send exactly the wrong signals to the staff. In close cases, “shadow counsel” may be appropriate to provide completely independent advice to the individual without formally surfacing in the investigation. 10. Finally, because the CFPB is a young agency, it is wise to provide the usual cautionary observation—we know what the CFPB has done so far, but we do not know what twists and turns it will take in the future. Author: Jon Eisenberg jon.eisenberg@klgates.com +1.202.778.9348 7 Individual Liability in CFPB Enforcement Proceedings Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris Perth Pittsburgh Portland Raleigh Research Triangle Park San Diego San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington K&L Gates comprises more than 2,000 lawyers globally who practice in fully integrated offices located on five continents. The firm represents leading multinational corporations, growth and middle-market companies, capital markets participants and entrepreneurs in every major industry group as well as public sector entities, educational institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations, practices and registrations, visit www.klgates.com. This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. © 2014 K&L Gates LLP. All Rights Reserved. 8