Follow-On Shareholder Suits After CFPB Settlements
Federal regulators landed the first blow: Several major credit card companies paid more than half a billion dollars in customer restitution and fines as part of settlements reached with the Consumer Financial Protection Bureau in the summer and fall of 2012. But while these companies were still reeling from the first punch, shareholders took the next swing, filing class action shareholder derivative suits against the directors and senior officers of these financial services companies, alleging the CFPBs findings and the settlements demonstrated mismanagement, breach of fiduciary duty, and unjust enrichment at the companies expense.
The three shareholder derivative suits target senior officers and directors, whose actions are presumably covered by D&O policies, and suggest a pattern: Plaintiffs invoke the companies compliance policies and related representations, cite at length to governmental investigations or settlements, and then allege that the divergence between the companies representations and the investigations or settlements evidence a breach of fiduciary duty, mismanagement, or unjust enrichment. The companies refusals to admit wrongdoing, including in the settlement, is not acknowledged.
Follow-on or piggyback suits filed on the heels of settlements with government regulators are not uncommonmost frequently with the Federal Trade Commission (consumer product violations), the Securities and Exchange Commission (securities violations) and the Department of Justice (antitrust or Foreign Corrupt Practices Act violations)so these new suits are not entirely surprising. Also, because the CFPB is a new agency with only a few settlementsalbeit significant oneson its record and the follow-on suits are in early stages, extrapolating guidance from previous forms of piggyback litigation must only be done cautiously. Still, the phenomenon deserves revisiting in this latest iteration for several reasons.
First, a backlash against the attendant abuses of follow-on class actions in the context of FTC and SEC investigations already may have limited the prospects of these suits. In cases in which plaintiffs have attempted to bootstrap FTC settlements involving lack-of-substantiation claims into false advertising or state consumer protection claims, courts have held those claims to the higher standard of proving actual falsity through affirmative evidence, rather than mere lack of substantiation. Even the FTC filed amicus briefs opposing some follow-on suits, suggesting they benefit the plaintiffs bar more than consumers. Similarly, the heightened pleading burdens under case law interpreting Rule 10b-5 and the Private Securities Litigation Reform Act of 1995 have limited follow-on securities litigation in federal court.
Complaints that do little more than cut and paste defendants public assertions of compliance and allegations from SEC reports have suffered dismissals for failure to plead particularized facts alleging fraudulent circumstances and intent. Against this backgroundand perhaps as a way to avoid existing adverse federal precedents and rulescurrent CFPB-related follow-on lawsuits have alleged only state common-law claims of breach of fiduciary duty, corporate waste/mismanagement, and unjust enrichment.
Second, not only will precedents discouraging vaguely pled or frivolous follow-on CFPB litigation take time to develop, but this process will occur under statutes with greater tolerance for private rights of action generally. As the history of class actions following FTC settlements indicates, these cases encountered judicial opposition, in part, because the FTC Act provides no private right of action. In contrast, a number of the rules, regulations, and statutory schemes that the CFPB now oversees expressly allow for private rights of action, providing greater latitude for follow-on lawsuits after CFPB settlements than has historically been the case after FTC resolutions.
Third, the credit card issuers that settled with the CFPB are large and sophisticated financial services companieslong accustomed to having compliance officers and committees managing risks, carrying comprehensive D&O insurance coverage, and managing substantial litigation budgets. But the universe of companies subject to CFPB regulation includes many much smaller companies that may still be trying to determine their basic obligations to the CFPB, much less how to deal with the risk of follow-on litigation. The CFPBs recently announced definition of larger participants in the debt collection marketcompanies with $10 million in annual receiptstargets approximately 175 companies for CFPB supervision, demonstrating that even so-called large companies for CFPB purposes are both relatively small and significant in number.
The CFPB also has the authority to regulate all nonbank entities of any size that offer financial products or services in residential mortgage, private education lending, and payday lending markets, meaning that the 175 or so larger participants in debt collection represents a small fraction of companies now under the CFPBs authority oversight. Add in the service providers to these consumer financial services companies, which the CFPB also has authority to regulate, and the likely number of companies whose officers and directors could be subject to follow-on lawsuits (many with limited resources relative to large financial services companies or even large participants), is both inestimable and potentially staggering.
Accordingly, before they come to grips fully with the compliance and litigation risk management needs to which large credit card issuers have become accustomed, companies that have recently become subject to CFPB regulation understandably need to work through several layers of comprehension. Many companies, especially service providers, undoubtedly have not yet even recognized the possibility that a federal financial regulator is or may soon be looking over their shoulder.
Larger numbers of companies may be in the early stages of thinking about CFPB oversight and compliance, but have not yet identified anyone to whom they can turn for helpbe that compliance personnel, compliance committees, or informed in-house or external advisers. For a subset of these companies, the need to proactively prepare for examinations, possible investigations, and the risk of CFPB enforcement is on the horizon, along with the recognition that before they are scrutinized they should conduct a gap analysis, identifying deficiencies between regulatory requirements and their current practices. But even many of these forward-thinking companies have yet to fully recognize that service provider relationships are also regulated, and that failure to ensure that service providers are complying with the law is an independent basis for liability of the outsourcer.
Thus, the prospect that CFPB regulation, supervision, and enforcement carries with it potentially significant private litigation exposure, including for officers and directors, may not even be on the radar of many companies. Yet given that follow-on litigation is common in other regulatory contexts, sometimes even before the regulator has completed its investigation, companies should consider the risk of litigation alongside the evaluation of compliance deficiencies. At a minimum, the prospect that follow-on litigation could add a potentially lengthy and expensive second stage of exposure to liability based on CFPB allegations suggests an even greater urgency for companies to prepare for CFPB oversight as soon as possible.
Michael W. Jahnke is a partner with Loeb & Loeb in New York, and serves as co-chair of Loebs antitrust department and on the firms CFPB task force. He can be reached at firstname.lastname@example.org. Partner Michael A. Thurman is a member of Loebs consumer protection defense department in Los Angeles and serves as co-chair of the CFPB task force. He can be reached at email@example.com. Partner Michael Mallow, who chairs Loebs consumer protection defense department and serves as co-chair of the CFPB task force, provided significant contributions to this article. He is also based in Los Angeles and can be reached at firstname.lastname@example.org.