Redux: Watching the lawyers on deregulation
White collar defense attorneys, especially the ones that go through the revolving door, stay busy in a deregulatory cycle or re-regulatory/reform period. Just like the Big 4 global audit firms.
I have written more than once that the business model of the largest global audit firms — Deloitte, EY, KPMG, and PwC — captures revenues no matter the business cycle, and no matter the fortunes of any particular corporate client.
The Big 4 are there when there’s a boom in companies preparing to IPO, then afterward as the external auditor, and then when the companies crash and burn in bankruptcy court.
The Big 4 serve as auditors, then help companies investigate allegations of wrongdoing — even when they are not independent — and the wrongdoing is allegedly committed by the CEO or CFO, and the Board/Audit Committee dropped the oversight ball.
The Big 4 perform aggressive tax avoidance scheme design and implementation work while also serving as auditor.
The Big 4 do due diligence work for audit clients and even for the private equity firms that are buying and selling their audit clients.
The Big 4 audited and consulted to the biggest banks leading up to the financial crisis and then took on lucrative foreclosure review engagements. That’s despite clear conflicts, and in the process collected billions before the reviews were shut down and settled via a more comprehensive process that put money back into the victims’ pockets, rather than the firms’ wallets.
Ten mortgage servicers have agreed to pay more than $8.5 billion in cash and other assistance to help borrowers now rather than pay billions later based on the results of the foreclosure review process. The April 2011 OCC/Fed consent orders sanctioned the servicers for foreclosure abuses for the period 2009-2010 and mandated the detailed reviews. Not one check was ever cut for the harmed borrowers, but the banks have reportedly paid out more than $1.5 billion dollars to the “independent” consultants hired and paid by the banks, rather than directly by the regulators, to perform the detailed reviews…
There’s never been a recession for consulting firms that serve financial services firms and government agencies that monitor banks. The lion’s share of the $1.5 billion paid out went to Promontory Financial Group – run by former OCC Chairman Gene Ludwig – and PricewaterhouseCoopers LLC. PwC also did well when audit clients JPMorgan Chase and Bank of America got even bigger by swallowing up the firms that failed during the crisis and when clients Goldman Sachs and AIG were favorites for financial crisis taxpayer support…
The next big thing is not here yet for firms like PwC and Promontory. Rest assured, however, whether it’s helping the CFPB get set up or supporting the Treasury and the Fed via open-ended, blank check procurement agreements, these firms are expecting a phone call any day from regulators handing them another risk-free, billion-dollar engagement with the same minimal expectations for performance and actionable results.
When companies are on both sides of fraud, the Big 4 are all involved, taking a piece each for themselves. See Autonomy and Theranos for two of many, many examples.
I was reminded of the similarities between the Big 4 and the white collar bar by the closing remarks from Cooley’s Rebekah Donaleski and Paul Weiss’ Brad Karp at the Securities Enforcement Forum on January 28, in response to a question from the audience about whether state and local regulators such as Attorneys General will be “picking up actual slack with an absence of prosecutions, law enforcement”:
Rebekah Donaleski: Yes. Okay. The question was about whether we expected state regulators to pick up the slack or perceived slack from federal regulators or prosecutors. Yes. That's what happened in, that's what happens in, every administration wherever the side of perceived slack is coming from. I think we talked about earlier that this is a very timely discussion because my expectation is parallel investigations will only intensify, but with more politics and more distrust among regulators, which will make our lives more difficult.
Brad Karp: And, I would expect that you're gonna see a much more aggressive state and local enforcement of the criminal laws over the next four years than we've seen, particularly with the Democratic state AGs organizing themselves.
Also, what happens when you have a period of dereg, when you don't have regulatory enforcement and criminal enforcement, that is, you have the major scandals in the next administration. You've seen that with the financial crisis, you've seen after Bush, you saw that with Enron and WorldCom. There's a period of time when, if the companies know that no one is watching them and they can get away with proverbial murder, they're going to. And it will all wind up coming to the surface when regulation and enforcement picks up the next go round.
See my previous newsletter for more remarks from the Securities Enforcement Forum panel on parallel investigations.
The message to those in the room, who may have been getting a bit worried with all this talk about DOJ reorienting enforcement priorities on ca$e$ like FCPA, and are wondering where their next big multi-pronged parallel ca$e will be coming from, was, “No worries, we’ll all have plenty of work when the dereg cycle is spent.”
I’ve read the concerns about “companies know that no one is watching them and can get away with proverbial murder,” such as Karp described, as a result of the Trump administration’s recent actions taken against the CFPB.
Here’s Matt Stoller explaining the stakes:
By shuttering the CFPB, Trump is not just going back to a pre-financial crisis status quo, but to something actually weaker than that. There is essentially no longer any Federal enforcement of consumer protection rules for financial products.
To understand the impact of this move, a good metaphor is a scene in the 1984 hit movie Ghostbusters, a film about a group of private contractors who hunt and trap ghosts for money, putting them in a containment unit. Towards the end of the movie, a meddling government official forces the shutdown of the containment unit, which leads to an explosion, and then ghouls coming out all over the city. Cabs are run by goblins, the Titanic arrives with dead passengers, and eventually, the evil god, Gozer, comes to take over the world.
To draw a bad metaphor, ending the CFPB is a bit like blowing up the containment unit, with scammers as the ghosts and ghouls, and big tech as Gozer. We can now expect rampant fraud and cheating in banking and fintech, not just a scam here or there, but regular losses of life savings by people who followed the rules, illegal foreclosures, random seizures of the working capital of small businesses, abuse by debt collectors, and routine deception by even respected financial firms. And behind that, we could see big tech, either Google, Meta, Amazon, or perhaps X, serving as your credit card, payroll provider, and debt collector, all in one. It’s a bit like what I wrote about in 2019 when then-Facebook tried to start its own currency, Libra.
Let’s start with some of the small stuff that will now change. Rules against excessive overdraft fees? Gone. A rule capping credit card late fees? Gone. Oversight of debt collectors and payday lenders? No more. An honest site to compare credit card products? Likely gone. In 2023, the CFPB said that big banks can’t charge junk fees for basic customer service, like being able to check the amount of money in your account. The reason isn’t just that it’s nice, but that big banks themselves were unable to offer basic information, like who owned mortgages, prior to 2008. That’s gone too. Another rule put forward recently is that mortgage servicers can’t garner excessive fees when they foreclose, which is an incentive to foreclose rather than working out loans. No longer.
And then something more significant. In July, the CFPB proffered an interpretive rule for how companies, such as Walmart, Kroger, and Wendy’s, give “paycheck advances” to their employees, charging over 109% in interest charges. About 5% of workers use these, and the number is increasing rapidly. Is there disclosure of the terms? That’s not clear. But now that there’s no one paying attention, we can expect these company store-like products to be everywhere.
I have written about the CFPB a lot, including capturing former Trump administration official Mick Mulvaney on tape making some provocative comments at a conference about how he does business.
My friend Matt Kelly, who authors the Radical Compliance blog, wrote that shutting down the CFPB is not something that can happen without Congress.
So how much does all that chaos actually change the compliance obligations that firms face, and the precautions a wise company should take? Not as much as you’d think.
What Really Happened Here
As compliance officers sift through this chaos, let’s remember a few facts.
First, the CFPB website has not gone off-line. The Trump Administration simply changed up the homepage with a giant ‘404: page not found’ graphic; but as of 7 p.m. ET Sunday evening, the entire website was still active and working just fine. (The attached image isn’t even what a 404 error actually looks like.) Perhaps that will change in the future and the site will be reduced somehow; but at the moment, the cutesy 404 image is just right-wing virtue signaling, where the Administration hopes people won’t notice what’s behind the curtain.
Second, Vought has told all employees to stop doing any substantive regulatory oversight: no new work on investigations, rulemaking, examinations, settlement talks, industry guidance, or anything else. Nor are employees allowed to make any external communications. The office is closed for the coming week.
Third, that does not mean your CFPB compliance risks have gone away. Vought can suspend the agency’s activities, so perhaps your risk of enforcement is now lower — but a violation of CFPB rules or the Consumer Financial Protection Act is still a violation, regardless of whether Vought decides to turn a blind eye to it.
Fourth, your CFPB compliance obligations will continue to exist until the agency actually rescinds its rules. That process takes time, and can be challenged in court. True, the CFPB won’t adopt any new rules, so your compliance obligations won’t increase; but they won’t decrease either. Just because Vought declares, “We’re not doing enforcement any more,” that doesn’t mean your duty to obey the law goes away. It only means your risks of enforcement are lower.
Fifth, state attorneys general still have their own power to enforce the law here. Section 1042 of the Consumer Financial Protection Act (which established the CFPB) empowers state attorneys general to bring their own civil enforcement actions for violations of the law. So if your firm engages in some practice that violates the CFPA, a state attorney general can pursue enforcement of that violation regardless of what the CFPB may or may not do. States also have their own consumer protection laws that could expose a bank to liability.
Sixth, neither Section 1042 nor any other portion of the law can be changed by Vought, Musk, or any other individual in the Trump Administration. Only Congress can do that.
In other words, all the CFPB compliance obligations you had last week still exist today, and they will continue to exist in the future. Perhaps the risk of enforcement is lower, because Vought has suspended all enforcement actions and likely won’t launch any new ones — but the performative theatrics of slapping a 404 image on the website or sending employees home for a week won’t change the duties that the law and CFPB rules impose upon companies. You’re still supposed to obey the law.
On the other hand, not a lot of good work will occur when employees are told to “stand down” and not to show up, when there’s uncertainty and confusion and fear of getting fired or worse for defiance. Marisa Kabas of The Handbasket, writes
Lots of people have said that the PCAOB can’t be shut down except by Congress, since it was created by the Sarbanes-Oxley Act. (The CFPB was created by the Dodd Frank Act of 2010.) From the FT in December:
The board was set up under the bipartisan Sarbanes-Oxley Act and was kept at arm’s length from the SEC in the hope of insulating it from politics and making sure it could pay private sector salaries. Williams, a litigation lawyer appointed by the commission in January 2022, is paid $673,000 a year, in contrast to SEC chair Gary Gensler’s own salary of $168,400. Board members can be removed by the commission without cause, however, and the regulator has yet to approve the board’s annual budget of close to $400mn. In recent years its spending has attracted criticism from Republican commissioners.
The first Trump administration proposed giving the agency’s work to the SEC to save roughly $64mn a year, but such a change requires action by Congress and the idea did not gain traction at the time. Now Republicans are set to hold majorities in both houses of Congress, and Bill Huizenga, who first introduced legislation to fold the board into the SEC in 2021, is one of the candidates vying for the chair of the House financial services committee.
Ending the board’s independence was also proposed in the “Project 2025” blueprint for congressional action written by the right-wing Heritage Foundation think-tank, saying it would “reduce costs and improve transparency, due process, congressional oversight, and responsiveness”.
“The bill is out there, it’s been written, it’s available,” said Lynn Turner, a former chief accountant at the SEC and an adviser to the PCAOB. Folding the agency into the regulator would mean “you’ll have to cut those salaries and the staff would be gone”, he said. “It would destroy the PCAOB and they know that. It’d be dead in 24 months.”
I expressed my opinion on the subject during the first Trump administration.
Regardless of the federal judicial response to the CFPB moves, and Elizabeth Warren raising the alarm bells, expect the same playbook — fire existing Board except for Christina Ho, install a hatchet person, shut the office and tell everyone to cease activities — when Paul Atkins is installed as SEC Chair and he gets around to the PCAOB, the audit regulator.
This time Sen. Warren will be one of those who put a nail in the coffin.
© Francine McKenna, The Digging Company LLC, 2025