Regulator Warns About Sales and Production Incentives
In November 2016, the Consumer Financial Protection Bureau (CFPB) issued a bulletin regarding detecting and preventing consumer harm from sales and production incentives. In its bulletin, the CFPB stresses the importance of proper oversight of employee incentives that may otherwise pose potential harm to consumers if not designed appropriately or monitored properly. The bulletin follows in the wake of a recent, high-profile enforcement action against a U.S. national bank regarding harmful sales practices. The CFPB and other regulatory authorities alleged that the bank’s retail employees fraudulently opened millions of deposits and credit card accounts for customers without their knowledge or consent over a multi-year period. As the CFPB notes in the bulletin, however, similar concerns may exist and have been identified through its supervision and enforcement activities over the years in other areas, most prominently in credit card add-on products and overdraft opt-in programs.
In the bulletin, the CFPB provides specific examples of incentive compensation programs that could pose risks to consumers, including:
- Sales goals that may encourage employees, either directly or indirectly, to open accounts or enroll consumers in services without their knowledge or consent.
- Sales benchmarks that may encourage employees or service providers to market a product deceptively to consumers who may not benefit from or even qualify for it.
- Paying compensation based on the terms or conditions of transactions, which may encourage employees or service providers to overcharge consumers, place customers in less favorable products than they qualify for, or sell customers more credit or services than they had requested or needed.
- Paying more compensation for some types of products or services than for others, which could lead employees or service providers to steer consumers toward products or services that are not in their interests.
- Setting unrealistic quotas to sign consumers up for financial services, which may incentivize employees to achieve this result without actual consent or by means of deception.
The CFPB expects financial institutions to implement effective controls and risk management oversight of their incentive compensation programs, including oversight of both employees and service providers covered by these programs. The CFPB specifically warns that institutions should establish the most robust controls where incentives relate to products or services that are “less likely to benefit consumers or that have a higher potential to lead to consumer harm, reward outcomes that do not necessarily align with consumer interests, or implicate a significant proportion of employee compensation.” To that end, the CFPB reminds institutions to establish strong compliance management systems that detect and prevent violations of federal consumer financial laws and unfair, deceptive or abusive acts or practices (UDAAP). These include:
- Board of directors and management oversight, including an evaluation of the outcomes of the incentive compensation programs offered as compared to what they were intended to achieve, and to empower compliance organizations to evaluate both the intended and unintended consequences of these programs.
- Clear policies and procedures related to incentive compensation. This includes ensuring that employee metrics are defined, transparent and reasonably attainable, as well as establishing clear risk management controls, mechanisms to avoid potential conflicts of interest, and fair and independent processes to investigate reported issues.
- Comprehensive employee training regarding incentive compensation programs and standards for ethical behavior.
- Monitoring of key metrics and outliers related to the incentive compensation programs, and prompt implementation of corrective actions to address any identified weaknesses.
- Collection and analysis of consumer complaints.
- Scheduling and execution of independent compliance audits related to incentive compensation programs.
The CFPB recognizes in the bulletin that incentive programs are a common business practice for various industries that, when properly implemented and monitored, can provide benefits to all stakeholders, including consumers. Considering the guidance and recent regulatory developments, financial institutions should inventory and assess incentive compensation programs currently (or intended to be) employed, evaluate the way in which their risk management programs and compliance management systems provide proper oversight of these programs, and take any steps to implement additional controls to provide better and more timely oversight of these programs as necessary.
New York Fed President Stresses Importance of Culture and Ethics
At the Reforming Culture and Behavior in the Financial Services Industry conference held by the Federal Reserve Bank of New York in October 2016, the bank’s president and chief executive officer, William Dudley, shared his thoughts on how cultural and ethical problems continue to trouble today’s financial services industry. In his remarks, he contended that the loss of public trust in the industry can be attributed to patterns of professional misbehavior that have continued since the financial crisis. These patterns, he stated, can compromise the important roles the industry plays in the larger economy and consequently lead to a reallocation of resources that can hinder greater economic growth and financial stability.
To achieve cultural reform, Dudley maintained, definitive actions to redesign incentive structures and establish clear accountability, rather than continued promulgation of principled messages at a high level on such matters, would be the most effective mechanisms. Banking institutions, he stated, should ensure that individuals realize that cases of misconduct and lapses of ethical judgment have real consequences. To accomplish this, he suggests the following:
- Compensation structures should be designed in a way that incentivize ethical conduct and discourage fraudulent behavior detrimental to the well-being of customers and the long-term interests of the institution
- Risk management personnel should have sufficient authority to challenge first-line revenue generators, and employees should feel supported and encouraged to self-identify potential issues as part of a larger effort to promote self-policing.
In his remarks, he called for new laws or regulations to assist in these reforms and proposed two solutions: the implementation of a database of banker misconduct to track the hiring and firing of financial professionals across the industry who cross ethical boundaries, and the adoption of an annual, industrywide culture survey administered by an independent third party to benchmark progress on culture and behavior, with results to be shared with regulatory supervisors.
At the heart of Dudley’s remarks is the notion that responsibility for reforming culture ultimately lies with the banking and financial services industry and that there needs to be a coherent, comprehensive effort by institutions to correct cultural and ethical weaknesses. Indeed, the industry has experienced multiple highly publicized events that have damaged its overall reputation and contributed to an erosion of public trust. Given certain recent events, financial institutions should expect renewed regulatory scrutiny of risk culture, especially how institutions prevent, detect and address potential instances of unethical conduct.
Financial institutions should take steps to validate that sufficient mechanisms are in place to address and measure these risks as part of a broader effort to develop, strengthen and maintain cultures defined by ethical conduct and accountability. As further emphasis is placed on risk culture across the industry, financial institutions should continually reassess how well established and cascaded their risk cultures are and reinforce the importance of adherence to these principles to all levels of the organization.
Email Fraud Schemes
Even as institutions take steps to enhance cybersecurity, criminals continue to become more sophisticated and engage in new schemes to dupe financial services firms. In September 2016, the Financial Crimes Enforcement Network (FinCEN), in coordination with the Federal Bureau of Investigation and the U.S. Secret Service, issued an advisory to help financial institutions identify and prevent the growing number of email compromise fraud schemes. The advisory includes a list of relevant red flags and detailed scenarios related to email fraud schemes and highlights the growing trend of cyber-enabled criminal activity. According to FinCEN, since 2013 there have been about 22,000 reported cases of email compromise fraud involving $3.1 billion in losses.
FinCEN defines email fraud schemes as those in which criminals compromise email accounts to send fraudulent wire-transfer instructions to financial institutions with the goal of misappropriating funds. The FinCEN advisory addresses two types of email fraud schemes:
- Business email compromise (BEC), which targets a financial institution’s commercial customers
- Email account compromise (EAC), which targets a victim’s personal accounts.
Unlike account-takeover activity, where criminals access victims’ accounts and can then directly execute transactions without submitting instructions, BEC and EAC involve impersonating victims and submitting instructions for financial institutions to execute transactions. BEC schemes often involve criminals seeking to access the email accounts of company executives or other employees unlawfully in order to submit fraudulent transaction instructions directly, or misleading a company employee to submit fraudulent transaction instructions by impersonating a supplier or a company executive.
EAC schemes, which differ from BEC schemes in that they target individuals instead of businesses, often involve criminals compromising the email account of a business that conducts large transactions, or its customers, to submit fraudulent payment instructions. The most likely targets of EAC schemes include financial institutions, lending entities, real estate companies and law firms.
To help guard against these email fraud schemes, FinCEN advises that financial institutions:
- Take a multifaceted transaction-verification approach. This approach can include, for example, verifying potentially suspicious activity by utilizing multiple means of communication and authorization methods prior to executing transactions.
- Provide all pertinent and available information, including cyber-related information, in the suspicious activity report (SAR) form and narrative. FinCEN specifies including wire-transfer details, dates and amounts of suspicious activity, beneficiary and sender identifying information, and correspondent and intermediary financial institutions’ information. Further, the advisory suggests including scheming details such as relevant email and internet protocol (IP) addresses and descriptions and timing of suspicious email communications.
- Utilize the statutory safe harbors under Section 314(b) of the USA PATRIOT Act available to financial institutions to share cyber-related information securely.
FinCEN’s advisory, together with other recent regulatory developments focusing on cybersecurity, is one of many signals to the financial services industry that regulators view cybersecurity as a priority. Financial institutions should update their transaction monitoring and investigation policies, procedures and trainings to incorporate red flags related to detecting BEC and EAC schemes. Further, investigation and SAR protocols and procedures should be enhanced to ensure that email fraud scheming and wire-transfer details related to both successful and unsuccessful attempts are captured.
Basel 239 Risk Data Aggregation and Reporting Beyond 2016
The Basel Committee on Banking Supervision (BCBS) issued BCBS 239 in January 2013, detailing its expectations regarding risk data aggregation and reporting (RDAR) practices for global systemically important banks (GSIBs). These banks were required to be compliant by Jan. 1, 2016; however, according to a study by the Global Association of Risk Professionals (GARP), half of GSIBs as of February 2016 have not yet declared compliance with these principles. These findings are particularly troubling because GSIBs have initiated their 2017 Comprehensive Capital Analysis and Review (CCAR), a stress-testing regulatory requirement heavily dependent on quality risk data aggregation and reporting.
“Risk data aggregation” refers to a bank’s ability to consolidate various sources of risk data, such as loan default or derivative exposure across various business units. “Risk reporting” refers to a bank’s ability to report such data to its senior management as well as its regulators while evidencing completeness and accuracy.
The 14 principles outlined in BCBS 239 require senior management of a bank to better monitor and manage risks, improve the speed and quality of risk information, and provide high-quality risk data for strategic business use as well as for regulators during both normal business conditions and during crisis and stressed conditions.
BCBS 239 is regarded as an enabler for other strategic initiatives. GSIBs must demonstrate compliant solutions for data management, data governance and alignment between risk, finance and the business. If not, they will be forced to change the way they model and value risk. To this end, GSIBs must demonstrate sustained alignment to the principles beyond 2016. The current challenges for GSIBs to implement BCBS 239 appear to relate to two of the 14 principles outlined by the BCBS, Overall Governance and Infrastructure. These two principles serve as the underlying foundation for the overall implementation of the remaining BCBS 239 principles.
First, the overall governance principle requires senior management to review and approve the bank’s risk data aggregation and risk reporting framework, as well as ensure that risk groups are adequately staffed. Additionally, handoffs, data analysis and attestations need to be clearly documented in order to establish a transparent and repeatable risk data aggregation process. Institutions are challenged to maintain a high standard of validation of their risk data aggregation procedures, including detailed and well-defined documentation of these procedures. Institutions are further challenged to determine the risk data aggregation capabilities of firms targeted for acquisition. The impact of an acquisition on an institution’s RDAR capabilities must explicitly be considered as part of board discussions on the acquisition.
Second, the infrastructure principle refers to the data and information technology architecture which supports its RDAR capabilities. Fundamentally tied with the quality of data is the information technology infrastructure where it is housed and managed, along with the overall knowledge of the core definitions for the data. Per BCBS 239, GSIBs must establish sound processes related to these principles to ensure the quality of risk reporting used for both business and regulatory objectives. Institutions are challenged to consider IT infrastructure and how they can deliver upon the demands of providing common data taxonomies, data quality, and a flexible reporting environment. Additionally, institutions must have clearly defined roles and responsibilities within the organizations so as to establish firm-wide and data ownership and stewardship functions manage the quality of the data used in risk reporting.
As the banking industry initiates the 2017 CCAR cycle, newly required CFO attestations on the quality of reported data will require banks to consider the progress of their implementation of BCBS 239 principles and future alignment of these principles with business strategy and regulatory required submissions such as CCAR. The attestations require CFOs to attest that the data being provided as part of the CCAR submission has been reported in good faith, that the CFO is responsible for internal controls over data reporting and that the internal controls over the quality of data are effective and to report any material weaknesses in internal controls over the submitted data. They can and should be mitigated through effective implementation by GSIBs of BCBS 239 generally, with a particular focus on the overall governance and infrastructure principles.
Finalizing the implementation of the BCBS 239 principles and aligning these efforts with existing CCAR processes will allow GSIBs to better capture risk for both operating and regulatory capital objectives. End-to-end data management, as defined by the BCBS 239 principles, provides needed quality assurance over CCAR modeling inputs and the resulting projection data used by the Federal Reserve to determine a bank’s capital adequacy.
As the 2017 CCAR cycle begins, GSIBs should consider how BCBS 239 principles align with CCAR processes and how they can address gaps related to data quality, data handoff, data source validation and reconciliation of risk data with accounting data.
It is important to note that this newsletter is provided for general information purposes only and is not intended to serve as legal analysis or advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.