Skip to main content
An official website of the United States government
(855) 411-2372
Submit a Complaint
Search
Consumer Financial Protection Circular

Consumer Financial Protection Circular 2024-04

Whistleblower protections under CFPA Section 1057

Question presented

Can requiring employees to sign broad confidentiality agreements violate Section 1057 of the Consumer Financial Protection Act (CFPA), the provision protecting the rights of whistleblower employees, and undermine the CFPB’s ability to enforce the law?

Response

Yes. Although confidentiality agreements can be entered into for legitimate purposes, such as to ensure the protection of confidential trade secrets, such agreements, depending on how they are worded and the context in which they are employed, could lead an employee to reasonably believe that they would be sued or subject to other adverse actions if they disclosed information related to suspected violations of federal consumer financial law to government investigators. Threats of this nature can lead to violations of Section 1057 and impede investigations into potential wrongdoing, including the CFPB’s efforts to uncover violations of the consumer financial protection laws it enforces.

Background

Public policy in the United States long has recognized the important role that whistleblowing plays in preventing and stopping illegal and unethical misconduct. One of the first federal laws to provide protections to employees who reported fraud against the government was the False Claims Act, originally passed in 1863 and since amended. A majority of states since have passed their own such statutes. As Congress passed more legislation providing protections for employees against retaliation from their employers for engaging in protected whistleblowing activity, it empowered the Occupational Safety and Health Administration (OSHA), a regulatory agency of the U.S. Department of Labor (DOL), to adjudicate employees’ retaliation claims. Currently, OSHA’s Whistleblower Protection Program enforces the anti-retaliation provisions of more than 20 federal laws, including the CFPA as discussed below.1

Many entities, including covered persons and service providers under the CFPA,2 require their employees to sign nondisclosure agreements (NDAs) or other types of agreements containing confidentiality requirements. Such agreements may indicate that employees who violate the agreement’s terms may be subject to lawsuits, including the possibility of damages or other costs, as well as other punishment, such as termination. These types of agreements can be entered into for legitimate purposes—for example, to ensure the protection of confidential trade secrets or to safeguard the sensitive personal information of employees or consumers. However, depending on how they are worded and the context in which they are employed, confidentiality agreements hold the potential to frustrate the efforts of government enforcement agencies—including the CFPB—to investigate violations of law. In particular, confidentiality agreements entered into in certain circumstances may impede such efforts when they are so broadly worded as to forbid or otherwise dissuade employees from reporting suspected violations of law to the government or cooperating with a government investigation.

CFPA Section 1057

Section 1057 of the CFPA applies to covered persons. It provides anti-retaliation protections for covered employees3 and their representatives who provide information to the CFPB or any other federal, state, or local law enforcement agency regarding potential violations of laws and rules that are subject to the CFPB’s jurisdiction. Specifically, Section 1057(a) provides that “[n]o covered person or service provider shall terminate or in any other way discriminate against, or cause to be terminated or discriminated against, any covered employee or any authorized representative of covered employees” for: (1) providing or being about to provide information to the employer, the CFPB, or any other state, local, or federal government authority or law enforcement agency relating to a violation of, or any act or omission that the employee reasonably believes to be a violation of, a law subject to the CFPB’s jurisdiction or prescribed by the CFPB; (2) testifying or intending to testify about such a potential violation; (3) objecting to or refusing to participate in any activity, policy, practice, or assigned task that the employee reasonably believes to be such a violation; or (4) filing any lawsuit or instituting any other proceeding under any federal consumer financial law.4

Section 1057(c) provides procedures by which a person who believes they have been discharged or otherwise discriminated against in violation of Section 1057(a) may file a complaint with DOL, and a process by which DOL shall investigate and adjudicate such complaints.5 It further specifies the procedures for appealing DOL’s decisions in federal court. The CFPB also has independent authority to enforce Section 1057.6 Section 1057(d) provides that, outside of limited circumstances, contractual provisions that purport to waive the rights and remedies granted by Section 1057 are unenforceable.7

Accordingly, Section 1057 makes it unlawful for a covered person to discriminate against an employee for whistleblowing with respect to suspected violations of federal consumer financial law. As explained below, discrimination in this sense may include suing or threatening to sue or otherwise taking or threatening to take adverse action against employees for engaging in whistleblowing activity. And, in certain circumstances, requiring employees to sign confidentiality agreements that are so broad as to forbid or otherwise dissuade employees from sharing information about potential law violations with the government or cooperating with a government investigation can amount to a threat to punish.

Analysis

The CFPB is issuing this Circular to remind regulators and the public that covered persons who in certain circumstances require their employees to enter into broad confidentiality agreements that do not clearly permit communications with government enforcement agencies or cooperation with law enforcement investigations risk violating the CFPA’s prohibition on discrimination against whistleblowers and undermining the government’s ability to enforce the law.

As noted above, Section 1057(a) prohibits covered persons from terminating or otherwise discriminating against covered employees for engaging in whistleblowing activity. The term “discriminate against” is broad and encompasses a variety of adverse actions that a covered person may take against covered employees.8 The use of the term in multiple whistleblower protection statutes passed by Congress reflects this understanding.

For example, Section 23 of the Commodity Exchange Act (CEA), which Congress passed as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA, of which the CFPA is a part), created a whistleblower awards program and protection for whistleblowers.9 Section 23, which is administered by the Commodity Futures Trading Commission (CFTC), states “[n]o employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower” in providing information to the CFTC.10 Likewise, Congress created a whistleblower awards program and related protections when it passed Section 21F of the Securities Exchange Act of 1934, also part of the DFA. Section 21F, which is administered by the Securities and Exchange Commission (SEC), identically provides that “[n]o employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner discriminate against, a whistleblower in the terms and conditions of employment because of any lawful act done by the whistleblower” in providing information to the SEC.11 Congress thus made clear that the term “discriminate against” encompasses a variety of adverse actions—including threatening employees—listed in these statutes, in addition to other actions that employers may take to prevent or dissuade employees from whistleblowing or to punish them for whistleblowing.12

In addition to enforcing the anti-retaliation provision of Section 21F, the SEC promulgated Rule 21F-17, which provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.”13 As the SEC explained in its proposal, “the Congressional purpose underlying Section 21F of the Exchange Act is to encourage whistleblowers to report potential violations of the securities laws by providing financial incentives, prohibiting employment-related retaliation, and providing various confidentiality guarantees. Efforts to impede a whistleblower’s direct communications with Commission staff about a potential securities law violation, however, would appear to conflict with this purpose.”14 The SEC since has pursued enforcement actions against companies that it alleged violated Rule 21F-17 by requiring their employees or clients to sign confidentiality agreements that would impede the ability of such individuals to share freely information about suspected wrongdoing with the SEC.15

The SEC is not alone in observing that employer confidentiality agreements may undermine the rights of whistleblowers and impede government enforcement efforts. In 2017, the CFTC promulgated a rule that similarly bars impeding an individual from communicating with CFTC staff, including by enforcing or threatening to enforce confidentiality agreements.16 The CFTC explained when it proposed the rule that it was doing so to complement the prohibition on employer retaliation against whistleblowers found in CEA section 23(h)(1)(A) and to achieve consistency with the SEC’s whistleblower rules.17 In June 2024, the CFTC issued a settlement order with Trafigura Trading LLC that addressed, among other issues, the company’s NDAs with employees that impeded their ability to communicate voluntarily with the CFTC.18 And last year, the Federal Trade Commission’s (FTC’s) Bureau of Competition issued guidance explaining that certain types of contractual provisions, including confidentiality agreements, NDAs, and notice-of-agency-contact provisions, are “contrary to public policy and therefore void and unenforceable insofar as they purport to (1) prevent, limit, or otherwise hinder a contract party from speaking freely with the FTC; or (2) require a contract party to disclose anything to an investigation target about the FTC’s outreach or communications.”19

The same dynamic is true for the CFPB. Confidentiality agreements that limit the ability of employees to communicate with government enforcement agencies or speak freely with investigators undermine the CFPB’s ability to enforce the law. Among the functions that Congress laid out for the CFPB is “taking appropriate enforcement action to address violations of Federal consumer financial law.”20 Subtitle E of the CFPA specifies the CFPB’s enforcement powers, including the authority to conduct investigations of potential violations of law.21 In addition to other actions, the CFPB may issue demands for written or oral testimony in pursuing such investigations.22 If, due to a confidentiality agreement, an employee perceives that they could suffer adverse consequences for cooperating in such circumstances, then the CFPB’s ability to carry out its statutory functions to protect consumers is compromised.

Consistent with these observations, covered persons that require employees in certain circumstances to sign broadly worded confidentiality agreements risk violating Section 1057 of the CFPA. Confidentiality agreements sometimes specify that the employer may file a lawsuit or reserves the right to take adverse employment action upon the employee’s violation of the agreement. Depending on the circumstances, an employee may interpret such conditions as threats to retaliate for engaging in whistleblowing activity. The risk of a violation of Section 1057 is heightened when covered persons impose such agreements in situations that are particularly likely to lead a reasonable employee to perceive the required entry into the agreement as a threat, such as in the context of an internal investigation or other scenario involving potential violations of law—for example, after the uncovering of suspected or confirmed wrongdoing, or in the aftermath of a potentially embarrassing episode for a company. When an employee participates in an investigation or otherwise is made aware of possible wrongdoing and simultaneously is required to sign such an agreement, there is a heightened risk that the employee reasonably would view the requirement to sign as a threat by the employer to take adverse action if the employee were to engage in whistleblowing activity. Indeed, the employee reasonably may not fathom any other reason for why they are being made to sign the agreement beyond that the employer is threatening to sue or otherwise punish the employee for engaging in whistleblowing. In line with the analysis above, such threats may constitute discrimination within the meaning of Section 1057 and thus be prohibited, regardless of whether or not the employer acts upon them or a court actually would enforce a confidentiality agreement with respect to whistleblowing.23

For example, in 2015, the SEC found that Houston-based global technology and engineering firm KBR Inc. violated Rule 21F-17 by requiring witnesses in certain internal investigations to sign confidentiality agreements containing language warning they could face discipline, including possible termination, if they discussed the matters with outside parties without the prior approval of the company’s legal department.24 The SEC’s order stated that, although there were no apparent instances in which the company specifically prevented employees from communicating with the SEC about securities law violations, the company’s blanket prohibition against witnesses discussing the substance of their interviews without prior approval under penalty of disciplinary action had a chilling effect that undermined the purpose of Section 21F and Rule 21F-17, which is to encourage whistleblowers to report illegal conduct to the SEC. The company agreed as part of the settlement to amend its confidentiality statement to add language making clear that employees are free to report possible violations to the SEC and other federal agencies without KBR approval or fear of retaliation.

Confidentiality agreements that risk leading to violations of whistleblower protection statutes—including Section 1057 of the CFPA—can be formulated in different ways. Certainly, employers can draft them in an express manner that purports to forbid the sharing of information with outside parties with no acknowledgment of and exception for the exercise of whistleblower rights. The risk of a reasonable employee interpreting their required entry into such an agreement in circumstances involving potential wrongdoing as a threat against reporting information to the government is relatively high. But other confidentiality agreements that undermine whistleblower protections may reasonably be perceived by employees as threats against them for exercising their rights in such circumstances. For example, an agreement that forbids sharing information with third parties “to the extent permitted by law” may technically permit whistleblowing. However, an employee, who may not know that the law forbids restrictions on whistleblowing but understands that the consequence of violating the agreement is suffering adverse employment action, may reasonably interpret the agreement to bar providing information to a law enforcement agency or voluntarily cooperating in a government investigation depending on the circumstances in which the employer asks the employee to enter into the agreement. An employee reasonably may feel threatened by such language in certain circumstances, such as those described above, and decline to report suspected violations of law to the government.25 An employer can significantly reduce the risk of this kind of perception—and thus of violating Section 1057—by ensuring that its agreements expressly permit employees to communicate freely with government enforcement agencies and to cooperate in government investigations.

As explained above, suing or threatening to sue or otherwise punish employees for engaging in whistleblowing activity may constitute discrimination against whistleblowers. Accordingly, when covered persons require employees to sign broadly worded confidentiality agreements that do not clearly permit communicating with government enforcement agencies or cooperating with law enforcement, especially when circumstances bear indicia of potential or suspected wrongdoing, they may be threatening to take adverse action against those employees for reporting suspected violations of federal consumer financial law to the CFPB or other regulators. Thus, covered persons who impose these types of agreements on their employees risk violating the prohibition on discrimination against whistleblowers contained in Section 1057 of the CFPA.

About Consumer Financial Protection Circulars

Consumer Financial Protection Circulars are issued to all parties with authority to enforce federal consumer financial law. The Consumer Financial Protection Bureau (CFPB) is the principal federal regulator responsible for administering federal consumer financial law, see 12 U.S.C. 5511, including the Consumer Financial Protection Act’s prohibition on unfair, deceptive, and abusive acts or practices, 12 U.S.C. 5536(a)(1)(B), and 18 other “enumerated consumer laws,” 12 U.S.C. 5481(12). However, these laws are also enforced by state attorneys general and state regulators, 12 U.S.C. 5552, and prudential regulators including the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the National Credit Union Administration. See, e.g., 12 U.S.C. 5516(d), 5581(c)(2) (exclusive enforcement authority for banks and credit unions with $10 billion or less in assets). Some federal consumer financial laws are also enforceable by other federal agencies, including the Department of Justice and the Federal Trade Commission, the Farm Credit Administration, the Department of Transportation, and the Department of Agriculture. In addition, some of these laws provide for private enforcement.

Consumer Financial Protection Circulars are intended to promote consistency in approach across the various enforcement agencies and parties, pursuant to the CFPB’s statutory objective to ensure federal consumer financial law is enforced consistently. 12 U.S.C. 5511(b)(4). Consumer Financial Protection Circulars are also intended to provide transparency to partner agencies regarding the CFPB’s intended approach when cooperating in enforcement actions. See, e.g., 12 U.S.C. 5552(b) (consultation with CFPB by state attorneys general and regulators); 12 U.S.C. 5562(a) (joint investigatory work between CFPB and other agencies).

Consumer Financial Protection Circulars are general statements of policy under the Administrative Procedure Act. 5 U.S.C. 553(b). They provide background information about applicable law, articulate considerations relevant to the Bureau's exercise of its authorities, and, in the interest of maintaining consistency, advise other parties with authority to enforce federal consumer financial law. They do not restrict the Bureau’s exercise of its authorities, impose any legal requirements on external parties, or create or confer any rights on external parties that could be enforceable in any administrative or civil proceeding. The CFPB Director is instructing CFPB staff as described herein, and the CFPB will then make final decisions on individual matters based on an assessment of the factual record, applicable law, and factors relevant to prosecutorial discretion.­

Footnotes

  1. See Occupational Safety and Health Administration: Whistleblower Protection, https://www.whistleblowers.gov/about-us .

  2. Covered persons and service providers must comply with the whistleblower protection requirements of the CFPA. 12 U.S.C. §§ 5481(6), (26); 12 U.S.C. § 5567. For simplicity, the remainder of this Circular refers to covered persons and service providers as “covered persons.”

  3. A “covered employee” is defined as “any individual performing tasks related to the offering or provision of a consumer financial product or service.” 12 U.S.C. § 5567(b).

  4. 12 U.S.C. § 5567(a).

  5. 12 U.S.C. § 5567(c).

  6. 12 U.S.C. §§ 5563(a)(1), 5564(a).

  7. 12 U.S.C. § 5567(d). This provision applies to pre-dispute arbitration agreements, which it states are not valid or enforceable to the extent they require arbitration of disputes arising under Section 1057. 12 U.S.C. § 5567(d)(2).

  8. At its essence, to “discriminate” means “to make a distinction” or “to make a difference in treatment or favor on a basis other than individual merit.” “Discriminate,” Merriam-Webster.com, https://www.merriam-webster.com/dictionary/discriminate (last visited July 17, 2024); see also Murray v. UBS Securities, LLC, 601 U.S. 23, 34 (2024) (explaining meaning of “discriminate” under analogous anti-retaliation provision in the Sarbanes-Oxley Act, 18 U.S.C. § 1514A, and holding that while the employee had to prove his protected activity was a contributing factor in the unfavorable personnel action, he did not also have to prove his employer acted with retaliatory intent).

  9. 7 U.S.C. § 26. See Commodity Futures Trading Commission: Whistleblower Protections, https://www.whistleblower.gov/protections .

  10. 7 U.S.C. § 26(h)(1)(A) (emphasis added).

  11. 15 U.S.C. § 78u-6(h)(1)(A) (emphasis added).

  12. In addition to these examples, the Financial Institutions Anti-Fraud Enforcement Act of 1990 (FIAFEA) allows whistleblowers to bring claims related to suspected violations of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA)—passed in the wake of the savings and loan crisis—by submitting confidential declarations setting forth facts about alleged fraud. 12 U.S.C. § 4201 et seq. As enacted, in addition to providing for discretionary monetary awards from the Attorney General, the FIAFEA granted certain protections to whistleblowers against employer retaliation for lawfully reporting such information to the government. 12 U.S.C. § 4212 (providing that such declarants shall enjoy the protections afforded under 18 U.S.C. § 3059A(e)). Specifically, it provided that a person who “is discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms or conditions of employment by an employer because of lawful acts done by the person … in furtherance of a prosecution under [applicable provisions] may, in a civil action, obtain all relief necessary to make the person whole.” 18 U.S.C. § 3059A(e)(1), repealed by Pub. L. No. 107-273, 116 Stat. 1781 (Nov. 2, 2002) (emphasis added). Congress repealed 18 U.S.C. § 3059A in 2002 as it considered it to be one of several “redundant authorizations of payments for rewards.” Pub. L. No. 107-273, 116 Stat. 1781 (Nov. 2, 2002). Functionally equivalent award and anti-retaliation provisions apply to employees of insured depository institutions and credit unions pursuant to the Federal Deposit Insurance Corporation Act and Federal Credit Union Act, although those provisions do not contain the same list of examples of forms of employer discrimination that appeared in the FIAFEA. See 12 U.S.C. §§ 1831j & 1831k; 12 U.S.C. §§ 1790b & 1790c. These provisions predated the FIAFEA, however, and the fact that Congress labeled the FIAFEA protections “redundant” supports the notion that it viewed the less descriptive anti-discrimination provisions in these acts as encompassing the broad definition of discrimination articulated in the FIAFEA.

  13. 17 CFR 240.21F-17(a).

  14. 75 FR 70488, 70510 (Nov. 17, 2010). See also 76 FR 34300, 34351-52 (June 13, 2011) (final rule preamble reiterating congressional purpose).

  15. See, e.g., Press Release, SEC, SEC: Companies Cannot Stifle Whistleblowers in Confidentiality Agreements (Apr. 1, 2015), https://www.sec.gov/news/press-release/2015-54 (describing administrative settlement in enforcement action wherein SEC alleged that KBR Inc.’s practice requiring employees to sign confidentiality agreements in internal investigations created a “chilling effect” to discourage whistleblowing in violation of Rule 21F-17); Press Release, SEC, Company Paying Penalty for Violating Key Whistleblower Protection Rule (Aug. 10, 2016), https://www.sec.gov/news/press-release/2016-157 (describing SEC’s issuance of cease-and-desist order and imposition of remedial sanctions against publicly traded company BlueLinx Holdings, Inc. for including language in its employee severance agreements that required departing employees to notify the company’s legal department prior to disclosing any financial or business information to any third parties); Press Release, SEC, J.P. Morgan to Pay $18 Million for Violating Whistleblower Protection Rule (Jan. 16, 2024), https://www.sec.gov/news/press-release/2024-7 (announcing settled charges against J.P. Morgan Securities LLC for violations of Rule 21F-17(a) stemming from the company’s regularly asking retail clients to sign confidential release agreements that allowed them to respond to SEC inquiries but did not permit them to voluntarily contact the SEC).

  16. 17 CFR 165.19(b).

  17. 81 FR 55951, 55955 (Aug. 30, 2016).

  18. In re Trafigura Trading LLC, CFTC No. 24-08, 2024 WL 3225331 (June 17, 2024), available at https://www.cftc.gov/media/10791/enftrafiguratradingorder061724/download .

  19. Bureau of Competition, FTC, Re: Contracts That Impede Bureau of Competition Investigations (June 15, 2023), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Formal-Analysis.pdf .

  20. 12 U.S.C. § 5511(c)(4).

  21. See 12 U.S.C. § 5562.

  22. See 12 U.S.C. § 5562(c)(1).

  23. As noted above, Section 1057(d) of the CFPA renders unenforceable “any agreement, policy, form, or condition of employment” that purports to waive the rights and remedies provided for in Section 1057. 12 U.S.C. § 5567(d)(1). And, the CFPB has explained that including unenforceable terms in a consumer contract may constitute a deceptive act or practice in violation of the CFPA’s prohibition on unfair, deceptive, or abusive acts or practices. See CFPB, Consumer Financial Protection Circular 2024-03: Unlawful and unenforceable contract terms and conditions (June 4, 2024), https://www.consumerfinance.gov/compliance/circulars/consumer-financial-protection-circular-2024-03/. Similarly, requiring employees to enter into overly broad confidentiality agreements that restrict or waive the employees’ whistleblower rights could constitute a deceptive act or practice in appropriate circumstances. Although the CFPB typically has found deceptive acts or practices with respect to misrepresentations made to a consumer, deceptive acts or practices targeting other parties – such as a covered person’s employees – may also violate the CFPA if the deception is in connection with the offering or provision of consumer financial products or services. See 12 U.S.C. §§ 5531, 5536.

  24. Supra n.15.

  25. In a recently filed complaint, DOL explained how confidentiality provisions in employment agreements that require employees not to share the terms of the agreement except with the employee’s immediate family or attorney or “as required by law” could cause employees to “reasonably believe that they cannot disclose the terms of the agreements to [DOL] absent a subpoena or court order,” and that these provisions, along with broad non-disparagement and non-disclosure provisions coupled with the threat of termination and monetary damages, dissuade employees from speaking freely with DOL investigators in violation of Section 15(a)(3) of the Fair Labor Standards Act, 29 U.S.C. § 215(a)(3). Complaint, ¶¶ 95-106, 129-38, 160-65, Su v. Smoothstack, Inc., No. 1:24-cv-04789 (E.D.N.Y. July 10, 2024), available at https://www.dol.gov/sites/dolgov/files/OPA/newsreleases/2024/07/SmoothstackInc-Complaint-24-1337-NAT.pdf .