In his 2022 speech “Reining in Repeat Offenders” at the Distinguished Lecture on Regulation at the University of Pennsylvania Law School, the director of the Consumer Financial Protection Bureau (CFPB) stated that “[a]chieving general deterrence is an important goal for the CFPB” and “the role of individual liability cannot be discounted.” To that end, the CFPB recently proposed an enforcement order registry that would, among other things, require certain larger participant nonbanks subject to the CFPB’s supervisory authority to designate a senior executive who is responsible for and knowledgeable of the nonbank’s efforts to comply with the orders identified in the registry to attest regarding compliance with covered orders and submit an annual written statement attesting to the steps taken to oversee the activities subject to the applicable order for the preceding calendar year and whether the executive knows of any violations of, or other instances of noncompliance with, the covered order.
It is not surprising that one of the major questions that has arisen about financial institution (FI) insurance coverage is the extent of coverage for regulatory enforcement actions. Other questions arise in interpreting the scope of FI insurance coverage for terms such as a pending and prior claim, the performance of professional services, invasion of privacy (and whether data breaches are covered), and fraud. These terms can be particularly important in the heavily regulated financial services industry. Accordingly, financial institutions need to understand FI coverage options and the negotiable terms.
Are regulatory enforcement actions included in coverage terms?
Responding to inquiries from agencies such as the CFPB, Securities Exchange Commission (SEC), Department of Justice, attorneys general, and federal and state banking agencies can be disruptive and expensive. As a threshold matter it is important to understand the extent of insurance coverage, including the kind of inquiry that is covered. The first step is to make sure you understand which regulators are covered when there is an inquiry or enforcement action. Ideally, financial institutions would have coverage for claims from any federal or state agency.
Is there coverage for costs incurred in responding to informal inquiries?
For example, there may be coverage for an informal document request and employee interview by a government agency. Many policies now offer some coverage of a formal government agency civil investigative demand (CID) or subpoena to a financial institution, and it is important to understand the specific scenarios in which such a CID or subpoena is covered.
When facing an ongoing government investigation, is it subject to the excess policy’s “pending and prior claim” exclusion?
In a recent case, the policy language provided that the excess policy did not apply to “any amounts incurred by the Insureds on account of any claim or other matter based upon, arising out of or attributable to any demand, suit or other proceeding pending or order, decree, judgment or adjudication entered against any Insured on or prior to July 31, 2011.” The court ruled that the parties had agreed to exclude from the excess policy coverage any claim as defined in the language of the primary policy.
The court also ruled that an ongoing SEC investigation, even though it was not being covered by any insurance policy, was a claim as defined under the primary policy and thus was subject to the pending and prior claim exclusion of the excess policy. This case emphasizes the importance of understanding the definitions of a claim within the relevant policies.
What are some considerations for losses arising out of the performance of professional services?
Many FI policies have exclusions for loss arising out of the performance of professional services, which distinguish claims covered by a company’s errors and omissions (E&O) insurance. It is important to understand the effect of these exclusions, which are illustrated in recent court decisions.
In one recent case, a court held that a bank’s policy’s professional services exclusion precluded coverage for all insureds, not just those delivering the services. The exclusion in the case provided that there was no liability for claims “made against any Insured alleging, arising out of, based upon, or attributable to the Organization’s or any Insured’s performance of or failure to perform professional services for others….” The court held that the phrase “any Insured” made the insurer’s obligations jointly held, which prohibited recovery from any insured.
However, the policy at issue in this case did not have a severability provision. The court’s opinion suggests that a professional services exclusion in a policy with a severability provision would preclude coverage only for those who actually performed the professional services.
Another consideration is the broad language that was used in the clause in this case—it uses words like “arising out of,” “based upon,” or “attributable to” the professional services provided. Companies should ensure that the clause serves its purpose and does not preclude too much coverage.
Another issue involving professional services exclusions, particularly for banks, are fee cases. Overdraft fees, as well as a lot of other fees, including junk fees, have been a focus of regulators. One court has considered the question of insurance coverage for a bank’s obligation to repay overdraft fees. In this case, a bank customer filed suit against the bank, seeking relief from “unfair and unconscionable assessment and collection of excessive overdraft fees.” The bank filed suit against its insurer for refusing to pay defense costs in the lawsuit.
The policy at issue had a duty-to-defend clause covering claims “for a Wrongful Act committed by an Insured or any person for whose acts the Insured is legally liable while performing Professional Services, including failure to perform Professional Services.” However, the policy also had an exclusion “for Loss on account of any Claim … arising from … any fees or charges.” The court affirmed the denial of the companies’ entitlement to payment for defense costs, ruling that the fees exclusion absolved the carrier of an obligation to pay such costs. Cases like these reinforce the importance of understanding defense costs coverage for these kinds of overdraft fee cases.
How does an exclusion for invasion of privacy impact cyber breaches?
It is not uncommon for policies to have clauses that exclude claims based on invasion of privacy. Recent cases underscore the importance of understanding whether such clauses exclude coverage for claims in cyber breaches.
A court recently held that the Los Angeles Lakers were not entitled to insurance coverage for allegations that the team violated the Telephone Consumer Protection Act (TCPA). The court ruled that “because a [TCPA] claim is inherently an invasion of privacy claim, [the insurer] correctly concluded that the underlying [TCPA] claims fell under the Policy’s broad exclusionary clause.”
This decision could affect coverage of cyber-liability claims involving cybersecurity and data privacy, which are becoming increasingly common and which often touch on invasion of privacy issues. Companies should understand their exclusionary clauses on this score.
What is “final” for purposes of an insurance policy’s fraud exclusion?
Many FI insurance policies exclude coverage if the insured is found to have engaged in fraud. Often, the exclusion is only triggered after a “final” judicial determination that the excluded conduct has occurred. The issue of what a “final” determination is can affect the coverage for a claim.
Financial institutions should look for fraud exclusions in their FI policies to determine whether such exclusions refer to a “final, non-appealable adjudication” or a “final judgment.” In a New York state case, after a former CEO was sentenced for the commission of various fraud crimes, he filed an appeal of his convictions. While the appeal was still pending, however, his insurer asked to be relieved of its obligation to defend the plaintiff because the fraud exclusion in its policy was triggered upon a final judgment against its insured.
The former CEO filed suit against his insurer, but the appellate court affirmed the trial court’s ruling that the insurer was no longer obligated to pay his defense. The court held that the imposition of the criminal sentence was a “final judgment,” which appropriately triggered the fraud exclusion in the policy. The court explained that even if an appeal is successful, the finality of the sentence is not changed.
This case shows how important it is to understand the contours of a policy’s fraud exclusion.
Defense Costs: Duty to Defend v. Duty to Indemnify
Finally, a company needs to consider whether it wants to have primary control over the defense of a covered claim or wants the insurer to have primary control. An advantage of having the insurer control the defense—a “duty to defend” policy—is that the coverage requirements can be a bit more broad in many states. The main advantage of the company having primary control of the defense in a so-called “duty to indemnify” policy is that the company gets wider latitude in choosing lawyers that they trust and know to have the appropriate experience to handle the matter. Under either of these arrangements, the carrier would pay covered defense costs.
As trends in enforcement shift, it is increasingly important to understand liability coverage. Financial institutions should consider reaching out to experienced insurance brokers and attorneys to assist them in reviewing and analyzing the terms and features of their policies in the evolving enforcement climate.