“Reining in Repeat Offenders”: 2022 Distinguished Lecture on Regulation, University of Pennsylvania Law School

Thank you for the honor of being chosen as this year’s Distinguished Lecturer on Regulation. I am especially happy to be back at the University of Pennsylvania, even if just virtually. I want to thank Professor Coglianese and the Penn Program on Regulation for organizing today’s event.

Not only did I grow up nearby, I was also fortunate to attend business school here at Penn. Today, my classmates, students, and other alumni are now financiers, convicted felons, and everything in between.

While here – and I was hardly alone on this point – I viewed financial regulators as clueless and often corrupt lawyers and economists. Government officials were often seen as auditioning for a future job in finance to exploit their inside knowledge to help dominant financial firms extract special favors and evade accountability for wrongdoing, even when they violate the law repeatedly.

This brings me to today’s topic: reining in repeat offenders. As always, my remarks today reflect the views of the Consumer Financial Protection Bureau and do not necessarily represent the views of any other part of the Federal Reserve System.


I want to address a vexing problem facing regulators across sectors of the economy: How do we stop large dominant firms from violating the law over and over again with seeming impunity? Corporate recidivism has become normalized and calculated as the cost of doing business; the result is a rinse-repeat cycle that dilutes legal standards and undermines the promise of the financial sector and the entire market system.

Agency and court orders are not suggestions, but many large companies see them as such. While small firms can get hit hard with penalties that threaten their viability and their operators fear imprisonment, many large institutions see the law as mere expenses on their income statements.

The special treatment applied to large financial institutions over their smaller counterparts, as well as the “too big to fail” and “too big to jail” problems, undermines the public’s confidence in the rule of law, a bedrock principle of our society. Honest players and new entrants are disadvantaged, and the whole system is corroded.

Repeat offenders take many forms. The worst type of repeat offender violates a formal court or agency order; this is especially egregious because they often consented to the terms as part of a settlement. They clearly understand the laws and provisions to adhere to but failed to comply due to dysfunction or they took a calculated risk. Another type of repeat offender is one that has multiple violations of law across different business lines, but the violations stem from a common cause. For example, I have found that violations across business lines often relate to problematic sales practice incentives or a failure to properly integrate IT systems after a large merger. In other words, the company may have dealt with some symptoms but didn’t do anything about the disease.

We must forcefully address repeat lawbreakers to alter company behavior and ensure companies realize it is cheaper, and better for their bottom line, to obey the law than to break it.

First, I want to spend my time today talking about some specific examples of big firms that have repeatedly broken the law. Second, I want to explore a case study of the Federal Trade Commission’s handling of Facebook’s repeated violations of law. And finally, I want to describe some of the steps the Consumer Financial Protection Bureau and other regulators can take to halt recidivism and create a system that treats small and big firms equally.


There are many examples of large firms that have repeatedly broken the law but faced few meaningful consequences. This is, of course, true in the financial sector.

For those who do not know, the CFPB was created in the wake of the 2008 financial crisis to focus on protecting consumers in the financial marketplace. Even in our relatively short existence, we have seen what other regulators have been seeing for decades: large financial institutions crossing legal fault lines over and over again. Specifically, we have taken action against:

  • Citigroup – 5 times;
  • JPMorgan Chase – 4 times;
  • Wells Fargo – 4 times;
  • American Express – 3 times; and
  • Discover – 3 times, one of which was a repeat violation of a previous 2015 CFPB order.

There are many more examples, but you get the point. Repeat offenses – whether it’s for the exact same offense or more malfeasance in different business lines – are par for the course for many dominant firms, including big banks, Big Tech, Big Pharma, and more.

The numbers are also quite large. The CFPB ordered Citibank to pay more than $1 billion in consumer redress. We ordered JPMorgan Chase to pay more than $300 million. All told, in the decade since Congress stripped the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Trade Commission, and other agencies of their authorities and transferred them to the new consumer regulator, the CFPB has already required large corporate recidivists to provide more than $3 billion in consumer redress.

Of course, small players also violate the law. But when they do, they often face punishing sanctions that fundamentally question whether they can remain viable. Dominant firms seem to know that law enforcement will not have that kind of impact on their viability, which allows them to take bigger risks that come with bigger rewards.

After the savings and loan crisis of the 1980s and early 1990s, scores of individual bankers were convicted by the Department of Justice. Many were sent to prison. But almost no single senior executive went to jail or was truly held financially accountable for their role in the 2008 financial crisis, even as so many Americans paid a serious price when they lost their homes because they were underwater with toxic mortgages.

Some would argue that these large financial institutions have simply become too big to supervise and that is part of the problem. Government supervisors can’t keep up with the convoluted, behemoth financial products. And government lawyers are never adequately staffed to go up against corporate lawyers trained to spin wheels and run out clocks. Some litigate for years with the hope of the regulator giving up or a new, more forgiving administration coming in. The smaller companies become the low-hanging fruit with cases that are easier to quantify, qualify, and take to court. Whatever the reasons, regulators are willing to lay down the hammer on little guys but settle for press headlines with the big guys.

Often, our laws provide immediate disqualifications from certain privileges for companies found to be engaged in wrongdoing. This is particularly true when it comes to violations of criminal statutes. For example, under federal securities law, an issuer cannot enjoy the privileges of being designated as a Well-Known Seasoned Issuer if they have committed certain felonies, misdemeanors, or violated various anti-fraud laws. This designation gives the largest companies a true competitive advantage over smaller companies in tapping our capital markets. However, the SEC has routinely waived this disqualification. For example, from 2006 to 2015 the SEC granted 23 such waivers to Citigroup, Barclays, UBS, JPMorgan Chase, and Royal Bank of Scotland alone. Meaningful penalties become a paper tiger when regulators are not willing to enforce them, entrenching incentives for large companies to engage in repeated misconduct.

Similarly, violations of Department of Justice deferred prosecution agreements, which are deals made between the DOJ and companies to postpone prosecution on the condition of better behavior, have become quite common with corporate defendants. For example, JPMorgan Chase has a long history of multiple, overlapping deals with the DOJ. In 2020, the DOJ offered JPMorgan a deferred prosecution agreement for its eight years of “separate schemes” relating to trading, despite the fact that, as the DOJ acknowledged in the same press release, the company had already pled guilty to “similar misconduct involving manipulative and deceptive trading practices.”

There has been a lot of noise by government officials that big financial institutions are not “too big to jail,” but the way government has been treating them suggests otherwise. This simply raises the stakes in what we do, as government regulators, when wrongdoers are caught.


I now want to discuss one of the best examples of failed repeat offender enforcement: the Federal Trade Commission’s treatment of one of the largest and most well-known corporations in the world: Facebook. Facebook is a clear example of a politically powerful firm that routinely violated the terms of its government order with no real consequences.

I raise Facebook not only because it is such an egregious case but also because of the potential of very large firms entering financial services. It’s clear that Big Tech wants to get into the market, as we saw with Facebook’s failed attempt to create a new global currency. We’ve also seen Alibaba, Amazon, Google, and Tencent entering financial services, including with payments, money management, insurance, and lending. Given their size and customer reach, their entry has the potential to transform the industry. How these companies engage in other business practices is how we can expect them to engage in financial services, so it is worth going into some detail about the FTC case against one of the biggest players in this space.

In 2011, the FTC voted to issue an eight-count complaint against Facebook. According to the FTC, Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” The FTC simultaneously settled the matter for no money but required that Facebook cease its deceptive conduct and implement a program to ensure that privacy promises were kept. The settlement also gave the Commission broad access to company documents and personnel to ensure the company would not break the law again.

I arrived at the FTC as a Commissioner in May of 2018. The agency was in deep decay and disarray after years of lax enforcement against large corporate actors, spanning multiple administrations. In some of the most widespread recent nationwide crises, from the 2008 financial disaster to the opioid epidemic to the student loan and for-profit college scandals, the FTC was essentially missing. On a bipartisan basis, the Commission heavily relied on a “no-money, no-fault” settlement strategy, where wrongdoers essentially faced no consequences, even in cases of egregious fraud.

In the case of Facebook, though, the company was already subject to an FTC order, and violations of an order were subject to significant consequences under existing law. But for many observers, the FTC simply seemed to be watching from the sidelines as its orders were being openly flouted.

A few months prior to my arrival at the Commission, it came to light that Facebook allowed Cambridge Analytica, a data analytics firm, to harvest information from more than 50 million individuals and use it for political purposes. This was just one of many controversies where Facebook broke its promises to employ reasonable safeguards to keep personal information private unless the user gave explicit affirmative consent.

As a matter of credibility for the U.S. government, I thought it was essential for the FTC to enforce its own order. For years and years, though, Commissioners set up agency staff to fail. Commissioners deployed armies to small-scale scams, while depriving staff of the needed resources to police Facebook and other Big Tech firms. It was clear that these firms did not think the FTC was serious at all.

By the summer of 2019, we prepared a six-count, 50-page complaint that detailed a long list of privacy failures, including substantial order violations. That was clearly just scratching the surface of the company’s problems. But rather than investigating the matter fully or demanding significant changes to Facebook’s data harvesting practices, Commissioners pursued what many believed to be a publicity stunt.

I admit that the negotiated settlement accepted by a majority of the Commission made for a great headline. But the fine print in the settlement gave a lot for Facebook to celebrate. Facebook would pay a $5 billion fine but did not have to make any material changes to its business practices. Shockingly, Facebook was able to secure a highly unusual immunity clause for its executives, including for Mark Zuckerberg and Sheryl Sandberg. Zuckerberg was also able to retain absolute control over the corporation, though the settlement required a so-called independent committee on privacy whose members would need to be approved by a shareholder vote, and we know Zuckerberg essentially controls a supermajority of voting rights.

Three of the commissioners held a press conference, complete with custom-made graphics, about the “record-setting” nature of the settlement. In fairness, $5 billion does sound very significant. But Facebook had become one of the most valuable corporations in the world, approaching a trillion-dollar valuation. During the press conference, a senior career official largely admitted that Commissioners agreed to forgo seeking testimony and documents from Zuckerberg in exchange for a higher fine. It was clear to many that the company paid off the FTC to minimize scrutiny of its top executives’ role in the order violations.

News of the settlement quickly set off alarm bells among data protection regulators around the world. A global consensus emerged that the settlement was a sham.

In my voting statement opposing the settlement, I described how Facebook flagrantly violated the FTC’s 2012 order and how the proposed settlement did little to change the business model or practices that led to the recidivism. The settlement imposed no meaningful changes to the company’s structure or financial incentives, which led to the violations. Nor did it include any restrictions on the company’s mass surveillance or advertising tactics. Instead, the order allowed Facebook to decide for itself how much information it could harvest from users and what it could do with that information, as long as it created a paper trail.

The proposed settlement let Facebook off the hook for unspecified violations and it gave Facebook a legal shield of unusual breadth, deviating from standard FTC practice. Indeed, when the settlement was announced against Facebook, its stock popped.

In my view, there were many lessons from the FTC’s Facebook saga:

  • For very large firms, seemingly large fines, even ones that are “record-setting,” may appear to be very punitive, but may have little effect;
  • Corporate boards will go to great lengths to shield top executives from scrutiny, even though they are all bound by agency orders; and
  • Committees, paperwork, compliance units, and other procedural requirements have much higher monitoring costs than bright-line structural remedies that meaningfully change business incentives.

We need to learn from these lessons to think about not only how to halt recidivism, but also how to treat small and big firms equally when it comes to enforcement actions.


Finally, I’ll close with how regulators should be sharpening their focus on repeat offenders and discuss some of the non-monetary, structural remedies agencies might seek in order to levy the same kind of deterrents on small and big firms alike.

Achieving general deterrence is an important goal for the CFPB. We need penalties where the expected financial benefits of an illegal scheme do not outweigh the expected costs. And we need an understanding that agency and court orders are not suggestions. Put plainly, regulators charged with overseeing large institutions have lost credibility when it comes to halting repeat offenders. While headline-driven penalties give the guise of deterrence, they do not work for dominant, powerful firms.

In the end, we need to look at bright-line structural remedies, rather than press-driven approaches. As any gardener knows, to address a weed, you need to get at the root, rather than constantly monitoring what is simply seen on the surface.

Indeed, when the CFPB helped to uncover the “fake accounts” scandal at Wells Fargo, it was not necessarily the $100 million fine on the bank that was material. Instead, it was the Federal Reserve Board’s decision to impose a growth cap that got the institution’s attention. And when the Office of the Comptroller of the Currency took a role in vetting appointments of new executive hires, that also got their attention. Rather than relying solely on penalties and procedural paperwork, it is critical that regulators and enforcers shift their mindset in this way when it comes to remedies.

At the CFPB, we have plans to establish dedicated units in our supervision and enforcement divisions to enhance the detection of repeat offenses and corporate recidivists and to better hold them accountable. This will include closer scrutiny to ensure orders are being followed and closer coordination with partner agencies to ensure that each agency’s orders are not treated as suggestions. It is critical that we – regulators, enforcers, and supervisors – support each other in effectuating deterrence and compliance with orders.

But more importantly, for serial offenders of federal law, the CFPB will be looking at remedies that are more structural in nature, with lower enforcement and monitoring costs. Under our authorizing statute, the CFPB may seek “limits on the activities or functions” of a firm for violations of laws, regulations, and orders.

These are reforms that are needed throughout government. Depending on the specific facts, government enforcement agencies have an arsenal of options to truly stop the repeated illegal practices at big financial institutions. Let me run through some of the most important options. While many government regulators have sought such limitations on small businesses, they have shown less willingness to do so with larger and more powerful firms. This needs to change.

First: Caps on size or growth. When you impose asset caps, limitations on transferring or acquiring assets, or related limitations that impact the entity overall, you are curbing incentives to break the law and boosting incentives for compliance.

Second: Bans on certain types of business practices. When you put limits on business or product lines, or you close business lines or specific practices, it stops the immediate harm and stops the company from violating the law again in the future. For example, after LendUp violated a 2016 CFPB order to stop misleading customers about the benefits of its loans, we took action. We stopped LendUp from making new loans, collecting on outstanding loans to harmed customers, and selling customer information. LendUp, a former darling of venture capital, is now shutting down.

Third: Divestitures of certain product lines. Sometimes it is not a toxic product but the business model around that product or the management of the product that is the problem, in which case it makes sense to spin it off so it can operate legally. When order violations stem from a firm’s lack of managerial acumen, this is especially relevant to ensure that all subsidiaries and affiliates are obeying the law.

Fourth: Limitations on leverage or requirements to raise equity capital. When you put guardrails on how the company is fundamentally funded, it mitigates chances that a company will become over-leveraged and engage in the type of dangerous “gambling for resurrection” behavior that can harm customers and our economy. Putting these limitations on the table also serves as a powerful deterrent given financial companies’ desire to maximize their risky debt-funding and short-term return-on-equity.

Fifth: Revocation of government-granted privileges. Large firms are often required to meet certain conditions to maintain privileges authorized by the public through administrative agencies. For example, pharmaceutical companies rely on patents and sell products to government payors. Misconduct can lead to losing these benefits. Meat and poultry firms must often register with government authorities and can lose their registration if engaged in certain wrongdoing.

For repeat offenders that are insured depository institutions, they can lose access to federal deposit insurance or their ability to continue operating. For example, regulators should assess whether it is appropriate to terminate or limit access to FDIC deposit insurance or to put banks directly into receivership. Congress specified that institutions that are unsafe and unsound may be subject to losing access to FDIC deposit insurance or their ability to stay in business. Repeat offenses and, in particular, order violations, may be a sign that an institution’s condition or behavior is unsafe and unsound.

For licensed nonbank institutions, the CFPB will be deepening its collaboration with state licensing officials, so that states can ascertain whether licenses should be suspended or whether corporate assets should be liquidated. If senior management is unable to remedy deep-seated failures, it may be appropriate to liquidate, disband, or otherwise shut down the institution to prevent further harms or legal violations. Indeed, since our nation’s founding, regulators in the U.S. have a history of terminating corporate charters and licenses. Today, this should be considered for institutions of all sizes when the facts and circumstances warrant it.

Finally, the role of individual liability cannot be discounted. When small businesses get in trouble, regulators and enforcers are quick to target the top brass. It is inappropriate and unfair to not have the same approach to big financial institutions when the facts and circumstances of the role of individuals are the same.

Agency and court orders bind officers and directors of the corporation, and so do the laws themselves, so there are multiple ways in which individuals are held accountable. Where individuals play a role in repeat offenses and order violations, it may be appropriate for regulatory agencies and law enforcers to charge these individuals and disqualify them. Dismissal of senior management and board directors, and lifetime occupational bans should also be more frequently deployed in enforcement actions involving large firms.

When it comes to individuals, we also need to pay close attention to executive compensation incentives. Important remedies for restoring law and order may include clawbacks, forfeitures, and other changes to executive compensation, including where we tie up compensation for longer periods of time and use that deferred compensation as the first pot of money to pay fines.

Such actions are more likely to halt recidivism than fines paid from the profits of wrongdoing.


In the end, large dominant firms should be subject to the same consequences of enforcement actions as small firms. We need to end the double-standard enforcement that exists. We need to move away from just monetary penalties and consider an arsenal of options that really work to stop repeat offenses.

More importantly, when the public perceives that powerful actors in the economy and society live by a different set of rules, this deeply undermines the promise of the rule of law and our market system. We can and must change course on this. Thank you.