Is “Regulation by Enforcement” a Pretext for Less Enforcement?
By Jeff Sovern, St. John’s University School of Law
The industry and some others often complain about “regulation by enforcement,” by which I gather is meant that enforcement agencies bring actions against businesses without having previously given extremely clear notice that, in the agency’s view, the conduct that is the subject of the action violates existing law. Director Cordray’s CFPB was thought to be a particularly bad offender. At its root, this idea is a complaint that companies are expected to comply with laws that don’t spell out proscribed conduct explicitly, but rather specify standards by which the industry is expected to operate. The idea behind the glib phrase has some appeal: who doesn’t want notice of what the law is? But in fact not only does the idea behind regulation by enforcement have a long history in our law, it is hard to imagine how some areas of the law could proceed without it.
Take the FTC. The FTC Act has barred deceptive and unfair practices for more than eighty years, and the statute doesn’t say much more than that about what is deceptive; a definition of unfairness, which some must find intolerably vague as it is the same one that the CFPB operates under, was added in the nineties. The FTC, with occasional judicial intervention, has given shape to unfairness and deception doctrine largely by bringing cases for all those years, and somehow sellers have not only dealt with it but the economy has grown dramatically. Given the many ways bad actors have found to take advantage of consumers, more explicit standards would have have to leave out much misconduct, and so words like unfair and deceptive are a necessity to adequately protect consumers. An example: the FTC has based much of its privacy jurisprudence on its power to prohibit unfair and deceptive practices, even though the words themselves say nothing about privacy; indeed, a leading article in the field is titled The FTC and the New Common Law of Privacy. If we didn’t have regulation by enforcement as to privacy protections, I suppose that we would have far fewer FTC privacy cases.
The analogy to common law is not coincidental. Every first-semester law student learns that courts create common law by deciding cases, and by so doing, we end up with something very like regulation by enforcement (the main difference is that the plaintiff in most such cases is not a regulator but a private person or entity). Nor is the Supreme Court reluctant to spin out lengthy interpretations of single words. For example, the entire standing doctrine, as exemplified by cases like Spokeo that make it harder for consumers to sue misbehaving businesses derives from a single word in the Constitution: case. The Court has held in numerous cases that a case is present only when a consumer has standing; i.e, has suffered a concrete and particularized injury that can be fairly traced to the defendant’s conduct, etc. The word “case” surely gives as much notice that plaintiffs must satisfy such standards as the word “unfair” does that banks should not open unauthorized accounts. The point is that the idea of using standards rather than clear rules–which is the basis of “regulation by enforcement”–is well established in our tradition. Why should the industry be treated any differently than the rest of society?
What about limiting enforcement actions to cases based on clear regulations so businesses have notice? The problem is that the process of issuing regulations takes years and in the meantime companies could harm consumers. Promulgating regulations also takes substantial resources, and taxpayers have better uses for those resources than issuing rules to stop what may be only one company from misbehaving when an enforcement action can do the job faster and at less expense. What about issuing guidance to let businesses know that their conduct is problematic? That would give notice but take less time and fewer resources than rule-making–except that the business-oriented Trump administration and the CFPB have said they won’t base enforcement decisions on such guidance. If guidance can’t be used to warn what actions an agency will bring, then complaining about an agency bringing cases without providing prior guidance seems like a recipe for bringing very few cases–which may in fact be the goal.
In any event, companies always have the option of challenging enforcement actions in court and trying to show that the agency has exceeded its mandate. Maybe the industry would do better to stop whining about regulation by enforcement and instead give up engaging in deceptive, unfair, and abusive acts and practices.