This monthly round-up of compliance news includes the following articles:
In May 2017, the Consumer Financial Protection Bureau (CFPB) issued a Request for Information (RFI) to solicit information regarding the small business lending market in response to a Dodd-Frank Act provision that will require financial institutions to submit data to the CFPB on credit applications made by women-owned, minority-owned and small businesses. This data is intended to facilitate the enforcement of fair lending-related laws and regulations, while enabling the public, government and creditors to better identify and serve the borrowers’ business and community development needs and opportunities.
Small businesses have long been recognized as a critical driver of economic activity and growth. Historically, there have been concerns about the transparency and availability of lending activities in this market, including to women- and minority-owned businesses, and whether financial institutions are truly servicing the business and community development needs of their communities. This provision has not yet been implemented and is subject to future rule-making by the CFPB. The intent of the RFI is to inform the CFPB of the small business lending market to implement the Dodd-Frank data collection requirements efficiently.
The CFPB requested information in the following five categories:
- Definition of Small Business: The CFPB indicated that it is exploring developing an alternative definition of “small business” to the North American Industry Classification System (NAICS), which both meets the criteria outlined in the Small Business Act and is tailored to the data collection needs of the Dodd-Frank Act. Accordingly, the CFPB asked questions around how financial institutions currently define “small business” for internal and external reporting purposes, and by what factors and thresholds small businesses are defined.
- Data Collection: The Dodd-Frank Act requires financial institutions to report key information about small business applications, including:
  - Application number and date
  - Type and purpose of the financing
  - Amount applied for and approved
  - Type of action taken and action taken date
  - Census tract of the principal place of business
  - Gross annual revenue in the last fiscal year of the applicant preceding the date of the application
  - Information about the race, sex, and ethnicity of the business principal owners.
The CFPB seeks information about how institutions collect such information today, including: 1) data standards and technologies used to capture and report these data points; 2) challenges posed by collecting such data (including verification, sources, consistency among systems, etc.); and 3) what additional data points could be collected discretionarily to facilitate a complete picture of small business lending.
- Financial Institutions Engaged in Small Business Lending: The CFPB seeks to understand better the various types of financial institutions (bank and non-bank alike) that provide credit to small businesses to determine how to apply the data collection rules and which classes of financial institutions might be exempted from the requirements.
- Access to Credit and Lending Products Offered to Small Businesses: The CFPB seeks information to understand better the products and services offered by financial institutions to small business applicants as well as the challenges faced by small businesses in accessing credit.
- Data Privacy: The CFPB has acknowledged that the privacy of small business applicants and certain confidentiality interests of creditors are an industry concern, and the agency has requested information regarding how it might balance the protection of small businesses and creditors against the information required to be collected under the Dodd-Frank Act.
Once adopted, the new data collection requirements will serve as the foundation for fair lending examinations and enforcement in the small business lending space, and will likely have major business process ramifications for small business lenders. Financial institutions should evaluate the RFI to gain a better understanding of both their own internal processes and controls and the CFPB request itself, as this will provide management better insight into potential compliance obligations and regulatory risks in the future as well as potential implementation challenges and strategies to address these requirements once they are defined by the CFPB.
The Yates Memorandum, which was issued by the United States Department of Justice (DOJ) in late 2015, outlined the importance of individual accountability in DOJ prosecutions. Since then, personal liability for violations of the Bank Secrecy Act (BSA) and failures of their financial institutions’ compliance programs to manage anti-money laundering (AML) risks has been an increasing worry for financial services executives, in particular compliance officers, as regulators demonstrate a willingness to hold corporate executives personally liable for compliance program failures.
In May 2017, the United States Attorney’s Office of the Southern District of New York and the Financial Crimes Enforcement Network (FinCEN) announced the settlement of civil claims brought against the former chief compliance officer (CCO) of a large, global money services business (MSB), resulting in one of the largest fines ever imposed by FinCEN on an individual. In the settlement of the complaint, the former CCO agreed to pay a civil penalty of $250,000 and be barred from working in a compliance function for any MSB for three years.
In this case, the CCO served as the head of its fraud and AML compliance departments, and was alleged to have failed to terminate known high-risk agents, file timely suspicious activity reports (SARs) and conduct effective due diligence, among other things. In November 2012, the MSB entered into a deferred prosecution agreement with the DOJ for failing to maintain an effective AML program, in violation of the BSA. In December 2014, FinCEN initiated its action against the CCO related to these same violations, announcing the assessment of a $1 million civil money penalty and a complaint filed to enforce the penalty, which the CCO subsequently contested. In January 2016, in a first-of-its-kind ruling, a United States District Court ruled that the BSA permits FinCEN to bring suit against individuals for willfully violating the BSA, paving the way for the recent settlement.
While the threat of personal liability may motivate financial services corporate executives and compliance officers to strengthen their respective compliance functions, some argue that the fear of penalty may also deter competent talent from taking critical leadership positions, prompting attrition of existing leadership to maintain adequate compliance programs. More than ever before, corporate executives and compliance officers need to be able to rely on strongly-designed and effective compliance controls. This particular case establishes legal precedent that may give compliance professionals pause for thought. To guard against personal liability exposure, corporate executives and compliance officers should take steps to ensure that appropriate governance and oversight mechanisms have been established clearly throughout their financial institutions, including: clearly-documented accountabilities, robust oversight functions and mechanisms, a supportive tone-at-the-top that promotes a culture of compliance, and appropriate issue resolution and incident response processes that are informed, substantiated and well-documented.
In March 2017, the CFPB published a special edition of its periodic Supervisory Highlights describing its supervisory activities related to consumer reporting. Consumer reporting (often referred to as “credit reporting”) refers to consumer information provided by data furnishers (in particular, financial institutions) on their financial performance, along with other characteristics defined in the Fair Credit Reporting Act (FCRA). Consumer report information (often referred to as a “credit report”) is aggregated by consumer reporting agencies (CRAs) and is then used widely by companies to determine a consumer’s eligibility for credit, insurance, employment, etc.
The CFPB notes that consumer reporting plays a critical role in the financial lives of consumers yet is not always recognized as such by consumers given its behind-the-scenes nature. Under the Dodd-Frank Act, the CFPB was provided rule-writing and enforcement authority related to the FCRA and also supervisory authority over both the furnishers of consumer report information as well as large CRAs.
In its report, the CFPB describes its vision of a consumer reporting system that is underpinned by data integrity, accuracy and completeness, which efficiently and effectively resolves consumer inquiries and disputes. It summarizes its key activities related to both CRAs and data furnishers categorically as follows:
- Data Accuracy: The CFPB has focused on improving the accuracy of consumer report information maintained by CRAs. The CFPB notes that CRAs should take steps to improve accuracy throughout the “consumer report data accuracy lifecycle,” including: 1) improving data governance policies and procedures and creating formal data governance programs; 2) establishing robust quality control programs to assess the accuracy and integrity of consumer reports and provide oversight of third-party public records providers; and 3) vetting data furnishers and monitoring of furnished data and consumer disputes.
- Dispute Handling Processes and Resolutions: A consumer’s ability to dispute inaccurate or incomplete information is critical for promoting confidence in the consumer reporting system, the CFPB maintains. Notable areas of the CFPB’s supervisory focus include: 1) ensuring that reasonable reinvestigations of disputes are conducted and consider all relevant information available and submitted by consumers in their disputes; 2) providing timely notices to data furnishers that a dispute has been received; and 3) improving notices provided to consumers to indicate clearly the results of the reinvestigation.
- Improving Data Accuracy from Furnishers: In its reviews of data furnishers, the CFPB has identified problems with the quality of many data furnishers’ compliance management practices, data governance programs, quality control, third-party oversight and consumer dispute investigation processes. The CFPB notes that data furnishers must establish and maintain consumer reporting, data governance and quality control programs, to ensure the accuracy and integrity of information furnished about consumers to CRAs, and to respond timely and completely to disputes received from consumers.
The CFPB makes clear that consumer reporting is a high-priority supervisory focus. The agency has concerns that data furnishers in particular have not dedicated the resources necessary to ensure the appropriate implementation of data accuracy and integrity programs. It will continue to focus on improving the accuracy of consumer reporting information through its supervision activities of data furnishers as well as the CRAs. Consumer reporting processes, which have long been considered one-and-done technology implementations or the responsibility of third-party service providers, warrant a fresh look by management.
Financial institutions should evaluate whether they have properly implemented policies, procedures, quality control and change management mechanisms, and ensure that employee training and management reporting meets the minimum regulatory expectations as well as the unique risks of the institution.
In May 2017, the Office of the Comptroller of the Currency (OCC) issued a bulletin updating its policies and procedures relating to its handling of violations of laws and regulations. This action was taken in response to a December 2013 independent review of the OCC’s supervision of large and mid-size institutions conducted by then-current or former personnel from several international supervisory agencies and the International Monetary Fund. Pursuant to the review, it was recommended that the OCC analyze the effectiveness of its processes relating to matters requiring attention (MRA) in its supervisory examination process. MRAs are defined by the OCC as examination findings that deviate from sound governance, internal control and risk management principles, pose adverse risks to the financial institution’s condition, or are the result of substantive non-compliance with laws and regulations, supervisory guidance and similar issues.
The OCC made updates to its MRA process in October 2014, and subsequently determined to also update how it handles violations of laws and regulations. With the updates set out in the bulletin, the OCC seeks to: 1) enhance the communication, tracking, and resolution of violations, 2) analyze the volume and trends related to violations to evaluate risks, and 3) use consistent terminology and monitoring within a supervised financial institution. The updates set out consistent guidelines for the agency on terminology, formatting, follow-up, analysis, documentation standards, and reporting for violations of law and regulations.
The requirements of the OCC’s processes to communicate violations of laws and regulations include:
- Communication: The OCC will communicate all substantive violations of laws or regulations in its reports of examination (ROE) or supervisory letters, including any self-identified violations. Non-substantive violations may be communicated outside of the ROE or supervisory letter at the examiner’s discretion.
- Consistent Formatting and Categorization: The OCC will report violations in a consistent format to include:
  - The appropriate legal citation and description
  - A summary of relevant statutory or regulatory requirements
  - Supporting facts and root cause(s) related to the violation
  - Required action(s) to correct the noted violation
  - Commitments made by the financial institution’s board or management to correct the violation.
When communicated to the financial institution, violations of law will be categorized as one or more of the following:
- New – for violations the OCC has not communicated in the previous five-year period that are the same or similar
- Self-identified – for violations that the financial institution has self-disclosed to the OCC prior to or during an examination
- Repeat – for violations the OCC has communicated in writing in the previous five-year period that are the same or similar.
The OCC will communicate clearly how violations relate to ratings and MRAs, the financial institution’s CAMELS ratings (or similar), and the institution’s risk appetite and profile. Approaches include:
- Corrective Actions: The OCC expects the board and management of a financial institution to correct timely all violations noted, substantive or otherwise. The OCC notes that any non-substantive violations not corrected timely will be considered as substantive violations in the subsequent ROE or supervisory letter.
- Follow-up: In its follow-up review of the violations and corrective actions implemented by the financial institution, the OCC will label and communicate to the board and management whether the violation is past due, pending validation or closed, as follows:
  - Past due – if the financial institution has not executed the corrective or timely actions, or if during the validation the OCC determines the corrective actions to be ineffective or not sustainable
  - Pending validation – if the institution has executed corrective action but sufficient time has not passed for the OCC to assess the effectiveness or sustainability of the corrective actions
  - Closed – if the OCC has verified that the corrective actions were effective and sustainable, or if a change in the institution’s circumstances has corrected the violation, or if a violation is uncorrectable. Closed violations will be communicated as such in the subsequent ROE or supervisory letter, or separate written list of violations as appropriate.
Financial institutions should familiarize themselves with the OCC’s updated policies and procedures and evaluate how any outstanding violations in any ROEs, supervisory letters, or similar reporting is likely to be impacted and categorized under this new process. Additionally, leveraging any analyses conducted internally at the time the OCC issued the new MRA guidance, financial institutions might use this time to evaluate how any examination findings are addressed currently (including responsibilities, tracking mechanisms, credible challenge, and reporting to management and the board) to validate the sufficiency of existing processes.