Will My Confidential CID Information Be Released by the CFPB? It’s Far from Certain
A recently published opinion of the US District Court for the District of Columbia creates some uncertainty as to the Consumer Financial Protection Bureau’s (CFPB’s) authority to protect information provided to it pursuant to a civil investigative demand (CID). In his opinion in Franks v. CFPB, Judge Christopher Cooper rejected most of the arguments made by a plaintiff’s class action firm seeking information gathered by the CFPB pursuant to a CID in an enforcement investigation. But, he granted summary judgment to the plaintiff and ordered the CFPB to review its decision to withhold certain information that had been provided “voluntarily” pursuant to the CID.
The Freedom of Information Act (FOIA) generally requires executive branch agencies such as the CFPB to provide copies of information in their records, but also establishes exemptions from that requirement, including an exemption for information gathered for “law enforcement purposes.” One of the underpinnings of the law enforcement exemption is that such information is not routinely gathered or maintained by the government, but sometimes must be collected so that government prosecutors may conduct investigations of potential violations of law.
To encourage voluntary cooperation with government investigators, the FOIA grants heightened confidentiality protection to information voluntarily provided to investigative agencies. In FOIA matters, the CFPB has taken the position that because its CIDs are not self-executing—namely, enforcing one requires the CFPB to take the additional step of filing a complaint in district court seeking enforcement of its CID and compelling the noncomplying recipient to produce information—the decision of a CID recipient to produce information is “voluntary.”
Judge Cooper found this argument unpersuasive and contrary to circuit precedent. He found that the CFPB had misinterpreted longstanding federal law to the effect that “voluntariness does not turn on the recipient’s perception of whether it must comply with the demand—it instead turns on the agency’s power to induce compliance.” This is hardly surprising given that the CFPB’s position, taken to its logical endpoint, would counsel simply ignoring CIDs and further burdening both parties and the court with pointless litigation.
Nonetheless, this decision raises the specter that the FOIA standard for protecting information that has been provided pursuant to a CID may be less secure than the CFPB staff has led regulated entities to believe, and common sense would have dictated in any event. Because the CFPB’s rigorous Document Submission Standards (DSS) are specific and intricate, information is produced in a form that makes it convenient for use by others, including, as here, the plaintiff’s class action lawyers seeking information that might then be used to sustain a class action complaint.
Until we see how the CFPB elects to treat sensitive information produced pursuant to what the law and common sense both treat as compulsory process, no one who has provided information pursuant to a CID should presume that their information will remain safe from being turned over to others and used against them, and should certainly not rely on CFPB assurances to the contrary. Persons who produce information in response to a CFPB process of any kind also should assert all available exemptions from disclosure under the FOIA (such as the trade secrets exemption for proprietary business information, or the invasion of privacy exemption for nonpublic personal information of consumers) at the time of production.
 Indeed, the CFPB has made much in public statements surrounding settlements it has reached with targets of enforcement investigations of such targets’ “cooperation” and that this has been taken into account in reaching an accord. Targets of investigations do indeed feel pressured to comply absent judicial orders.