This week, the Consumer Financial Protection Bureau (CFPB or Bureau) issued Circular 2024-04 warning financial institutions about the potential illegality of nondisclosure agreements (NDAs) that could deter whistleblowing. Specifically, the Bureau addressed whether requiring employees to sign broad confidentiality agreements violates § 1057 of the Consumer Financial Protection Act (CFPA). According to the CFPB, the answer is “yes” under circumstances that could lead an employee to reasonably believe that they would be sued or subject to other adverse actions if they disclosed suspected violations of federal consumer financial law to government investigators or a law enforcement agency.

Of even greater interest, the CFPB’s circular specifically addresses the use of NDAs during internal investigations. It warns that requiring employees to sign confidentiality agreements that do not clearly permit communication with law enforcement can be seen as a threat against whistleblowing. “When an employee participates in an investigation or otherwise is made aware of possible wrongdoing and simultaneously is required to sign such an agreement, there is a heightened risk that the employee reasonably would view the requirement to sign as a threat by the employer to take adverse action if the employee were to engage in whistleblowing activity.” According to the Bureau, such threats may constitute discrimination within the meaning of § 1057 regardless of whether or not the employer acts on them or a court actually would enforce a confidentiality agreement with respect to whistleblowing.

Section 1057 of the CFPA provides that “‘[n]o covered person or service provider shall terminate or in any other way discriminate against, or cause to be terminated or discriminated against, any covered employee or any authorized representative of covered employees’ for: (1) providing or being about to provide information to the employer, the CFPB, or any other state, local, or federal government authority or law enforcement agency relating to a violation of, or any act or omission that the employee reasonably believes to be a violation of, a law subject to the CFPB’s jurisdiction or prescribed by the CFPB.” The CFPB is taking the position that “discriminate against” can be read broadly enough to encompass NDAs in the circumstances described above, even though the employees in question have not actually engaged in any protected whistleblowing activity (which the text of the statute requires).

The CFPB advises employers that they can reduce the risk of potentially violating the CFPA by ensuring that their agreements expressly permit employees to communicate freely with government enforcement agencies and to cooperate in government investigations.

Our Take:

The CFPB’s position appears highly tenuous under § 1057 of the CFPA. In the circular, the CFPB draws parallels to the authority to protect whistleblowers granted to the Securities and Exchange Commission (SEC) under the Securities and Exchange Act and the Commodities Futures Trading Commission (CFTC) under the Dodd-Frank Act, asserting similar authority to go after whistleblowers under the CFPA. “Confidentiality agreements that limit the ability of employees to communicate with government enforcement agencies or speak freely with investigators undermine the CFPB’s ability to enforce the law. Among the functions that Congress laid out for the CFPB is ‘taking appropriate enforcement action to address violations of federal consumer financial law.’ Subtitle E of the CFPA specifies the CFPB’s enforcement powers, including the authority to conduct investigations of potential violations of law.” However, this broad interpretation of what constitutes “discrimination” against whistleblowers and the parallels to the SEC and CFTC’s authority may be stretching the bounds of the CFPA. Section 1057 protects employees who actually engage in whistleblowing against retaliation. And, despite the fact that it contains a subsection making “certain agreements” unenforceable (§ 1057(d)), a non-disclosure agreement is not among those. It seems the CFPB is simply attempting to amend the statute through its interpretation.

Moreover, it seems extremely odd, and counter-intuitive, that a financial institution investigating a potential issue internally must specifically tell employees that they can communicate with the CFPB about the issue as part of the investigation. The CFPB seems to believe that, as the institution reveals the issue to an employee during an investigation, it should also essentially encourage the employee to report the issue to the CFPB. This has nothing to do with protecting whistleblowers against retaliation (which is what § 1057 of Dodd-Frank does), but rather seems like an effort to create whistleblowers out of thin air in the course of an internal investigation. Unfortunately, the CFPB’s stance on this issue is likely to lead to more constrained internal investigations, making it more difficult for institutions to detect and correct errors. So, in our view, the Circular is not only unfounded under the plain language of § 1057, but also a bad policy decision.