When the CFPB Investigates: Responding to a CFPB CID


11 minute read | July.06.2023

Since opening its doors in July 2011, the Consumer Financial Protection Bureau (CFPB) has not been shy about initiating enforcement actions against companies and individuals subject to its authority, recovering billions of dollars as a result of enforcement actions. Recently, the Bureau has focused its enforcement efforts on lenders’ and other financial service providers’ use of new technology, such as artificial intelligence, as well as fair lending (including “digital redlining” and “discriminatory targeting”), fee practices, data monetization, including in the payments space, and on so-called “repeat offenders,” among other things.

Integral to any CFPB enforcement investigation is a civil investigative demand (CID), an investigative subpoena that allows the Bureau to demand documents and tangible items, including emails, reports, and data, as well as answers to written questions and oral testimony. In light of the breadth of the CFPB’s authority to investigate, the Bureau’s requests can be expansive, and receiving a CID can lead to a difficult, time-consuming, and expensive process for any responding company.

This article provides an overview of CFPB CIDs and offers practical tips on how companies can minimize burden and achieve a favorable investigation outcome.

What Triggers an Enforcement Investigation?

The CFPB has broad authority to investigate activity that could fall within the scope of its jurisdiction. The Bureau uses CIDs to seek facts regarding potential violations and to gather information regarding new products and technology to assess whether conduct falls within its jurisdiction.

The CFPB relies on myriad sources of information to justify opening an investigation, including:

  • Consumer complaints
  • The CFPB’s whistleblower hotline
  • The results of supervisory examinations
  • Referrals from other federal, state, and local agencies
  • Market intelligence

The Role of the CID

Once the Bureau opens an investigation, the CID quickly comes into play, serving as the Bureau’s primary fact-gathering tool. A CID can require its recipient(s) to produce documents, respond to interrogatories and requests for data, provide oral testimony and/or submit tangible things.

With limited exceptions, the Bureau can issue a CID to “any person” the Bureau reasonably believes may possess relevant documents and information.

The CID must state the nature of the illegal conduct alleged, cite the provision of law that may have been violated, and describe the Bureau’s requests and the time frame to respond to the requests. Importantly, at this stage, the Bureau’s notification regarding potentially unlawful activity is not required to be particularly specific or robust. Instead, CIDs tend to identify the general areas of focus of the CFPB’s investigation (for example, to determine whether a consumer lending company has “extended credit in a manner that is unfair, deceptive, or abusive” or “violates the Truth in Lending Act”).

With few exceptions, investigations―and, thus, CIDs―and materials produced in response to a CID are generally nonpublic.

Steps to Take Upon Receiving a CID

1.  Take It Seriously, Involve Counsel

Receiving a CID can be daunting, but a company can position itself best by taking it seriously and preparing to address it head on. Ignoring a CID is rarely effective, and failure to comply with a CID may result in the CFPB filing a petition in federal court to enforce the CID, which would publicly reveal the investigation and possibly limit opportunities to negotiate with the CFPB over the scope and burden of the CID.

To better protect itself, a company should reach out to experienced counsel as soon as it receives a CID and send counsel a copy of the CID. Involving counsel early in the process can help a company understand the nature and scope of the CFPB’s investigation and devise an effective response strategy.

If a company receives a CID, it should understand that a CID may be, among other things:

  • A signal that the CFPB suspects the company has engaged in a potential violation of a federal consumer financial services law
  • A discovery tool to gather more information about alleged misconduct

A CID is not a formal finding by the CFPB of wrongdoing. It does not mean the Bureau has filed or will file a complaint in state or federal court or impose civil penalties, and it does not obligate a company to pause its business activities (though counsel may advise otherwise). Nevertheless, a company that receives a CID should proceed with due caution.

2. Read and Understand the CID – But Move Quickly

It is imperative that a company read (and reread) the CID to understand the essence and breadth of the investigation. A company should pay particular attention to the following items:

  • Notification of Purpose – This section describes the nature and scope of the investigation and the legal provisions applicable to the alleged violation(s). In practice, however, this description typically is brief and vague, often leaving companies guessing about the bases for the CFPB’s suspicions. To help uncover what is driving the CFPB, a company should consult with counsel, review the contents of the requests themselves to glean any insight into the investigation, and examine the Bureau’s current enforcement priorities (e.g., in press releases, speeches, congressional testimony) and similar enforcement actions against other companies.
  • Actions Required – This section tells the company the concrete actions it must take to respond to the CID, such as providing oral testimony, producing documents, and/or responding to interrogatories.
  • Deadlines – A CID requires a company to act quickly, so a company should be aware of the main deadlines, which are:
    • Meet and confer – A company is generally required to “meet and confer” with Bureau counsel within 10 calendar days after receiving the CID or before the petition to modify or set aside the CID, whichever is earlier
    • Return date for the requests – This date is often 30 days from the date of service, although it can be shorter (but this date is frequently extended as part of the meet-and-confer process)
    • Petition for order modifying or setting aside demand – In general, if a company believes it has a legal basis to do so, it must file a petition to modify or set aside the CID within 20 calendar days after the CID is served and after the company has met and conferred with the CFPB. Generally, such a petition is publicly filed and therefore discloses the existence of the Bureau’s investigation to the public. These petitions rarely succeed but may still be prudent to defend against a later claim that the company has waived objections to the CID by failing to exhaust administrative remedies
  • Applicable Period – This section sets forth the period covered by the CID. The Bureau usually seeks information dating back several years, and the period is usually within a defined time frame (e.g., January 1, 2020, until January 1, 2023) or from a set date “until the date of full compliance” with the CID.
  • Language of the Requests and Definitions – A company should carefully review the “Definitions” section, since the CID may define terms in peculiar ways that can significantly impact the scope of the investigation, such as describing “company” to broadly include all of a company’s affiliates. The phrasing of the requests themselves can also impact the breadth of the investigation, as they may direct companies to produce “all” documents or only document templates or “documents sufficient to show” a particular item.
  • Document Submission Standards – Sometimes overlooked, this section describes the technical instructions for submitting documents electronically, including information to include in a cover letter, how to produce partially privileged documents, and how to label documents.

3.  Preserve Documents

As soon as a company receives the CID, it should promptly institute an appropriate legal hold on any materials that may be relevant to the investigation, even if the company believes such materials are privileged. Even after materials have been provided in response to a CID, a company must not destroy materials it has produced or relied on in responding to the CID. Failure to preserve documents and information responsive to the CID can result in an adverse inference or other sanction in later civil litigation, or even criminal penalties.

4.  Prepare to Respond

Responding to a CID can be challenging, especially in a compressed time frame, but the following steps can help a company position itself for success:

  • Involve counsel at the outset and throughout the investigation, including in meetings or discussions with the Bureau and internal meetings with company employees.
  • Identify company employees who may possess documents and/or information relevant to the investigation. A company should also identify any IT personnel who will be needed to access relevant data and documents. To maintain the confidentiality of the investigation, we recommend that a company identify a limited group of employees who will be responsible for responding to the CID (i.e., not the entire company).
  • Schedule internal meetings with the appropriate personnel to outline, request-by-request, how the company intends to respond; inform responsible personnel of the CID’s key deadlines and set internal deadlines to respond to requests; and start collecting relevant materials.
  • Schedule the meet and confer with Bureau counsel within 10 days of receiving the CID. Counsel should assist with this. For investigations that will involve significant IT-related work, the Bureau may insist that a representative from the company’s IT department attend.
  • Act quickly, but carefully.

5.  Meet and Confer

The meet-and-confer session can be held in-person or virtually. It will likely be the company’s first in-person interaction with Enforcement counsel to discuss and negotiate the terms of the CID. Therefore, a company should take full advantage of the meeting, as it presents opportunities to:

  • Inform the CFPB that the company intends to cooperate fully.
  • Educate the CFPB about the company and any burdens associated with responding to the CID. The company should advise Enforcement counsel of company-specific information relevant to the investigation, such as the company’s history and the nature of the company’s financial products and services. The company should also articulate up front any real and/or anticipated difficulties with responding to the CID, such as the fact that certain documents do not exist or are spread across numerous sources, or that the company is leanly staffed and possesses limited resources. Explaining to Enforcement counsel any issues with responding to the CID can persuade the Bureau to narrow the scope of the CID.
  • Ask for modifications and extensions to the requests. The Bureau usually expects that companies make any requests to modify the CID in writing. The Bureau also expects that the company detail the burdens involved in responding to the CID as drafted. During the meet-and-confer session, the company can ask clarifying questions about the nature, scope, and origin of the CID, and meanings of certain terms as well as any technical requirements.
  • Build rapport with Bureau counsel to get a sense of the temperature of the investigation. Although a Bureau investigation is somewhat adversarial, the ultimate objective of the CID process is to meet the Bureau’s demands, so company employees should be respectful and constructive during the meeting.

Companies often rely on experienced outside counsel to conduct the meet and confer, often with company representatives present.

6.  Respond, Advocate, and Resolve

It is now time for the company to respond.

A company must respond fully and truthfully to each request in the CID, as modified. This means that a company must produce all responsive, non-privileged information, even if it is damaging. If a document or information does not exist or can only be produced in a limited form, the company should explain that in its response (and, if possible, to Enforcement counsel during a meet and confer discussion).

The strongest responses include accurate information and also educate Enforcement staff regarding important context for the conduct under investigation. For instance, a company can include in its interrogatory responses its efforts to ensure compliance with any laws, describe corrective actions it took after discovering misconduct, and show how the company is appropriately serving its customers.

Companies should submit responses on time and in the proper format (review the Document Submission Standards) and check for accuracy and consistency.

After a company satisfies its obligations under the CID, the Bureau typically will take time to assess the information it has received. At this stage, the investigation could go in several different directions, including:

  • Additional CIDs to collect more information (including testimony)
  • Follow-up questions from the Bureau based on the information it has received
  • The CFPB asserting that it believes the company has violated the law in one or more ways
  • Notification that the CFPB has closed the investigation without further action

Orrick’s team of experienced advisors, litigators, and advocates have defended clients in dozens of high-stakes CFPB investigations and enforcement matters, many of which have been successfully (and non-publicly) resolved without further action. Combining deep substantive knowledge of CFPB regulations, jurisprudence, and operations with practical experience, we advise companies through the entire CID response process from receipt to resolution, to proactively engage with the CFPB, and to relentlessly advocate for our clients to reduce their burden and legal risk. Please contact the authors with any questions about CFPB investigations or other state and federal consumer protection matters.