Historically, consumer compliance management has been supervised by the federal banking, thrift and credit union agencies, the Federal Trade Commission, and various state agencies for state-chartered banks and non-bank financial companies. As a result of the financial crisis, however, Congress determined that this framework may not have protected consumers adequately from predatory lending and other unfair, deceptive or abusive acts or practices (UDAAP) related to financial products and services.
With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA), Congress created the Consumer Financial Protection Bureau (CFPB) and granted it the authority to supervise large banks, thrifts and credit unions (those over $10 billion in assets); non-bank institutions of all sizes that offer residential mortgages, private education loans and payday loans; and non-bank “larger participants” in certain financial markets, such as credit reporting and debt collection. Since July 2011, the CFPB has been conducting exams of depository institutions as well as select non-banks and proposing rules to supervise larger participants.
As a result, financial institutions (banks and non-banks alike) must ready themselves for enhanced scrutiny of their consumer products, services and practices, and take steps to establish reasonable compliance risk management programs to respond to increasing regulatory requirements, expectations and supervisory oversight.
Challenges and Opportunities
Most financial institutions experience numerous challenges in implementing consumer compliance management programs:
- Groundhog Day – The CFPB inherited many, but not all, existing consumer protection laws and regulations. A good example is in the fair lending space. The CFPB is responsible for ensuring compliance with the Equal Credit Opportunity Act, but the Fair Housing Act remains the responsibility of prudential regulators. As such, many firms will face consumer compliance exams from both the CFPB and their prudential regulators, who are likely to have different perspectives, priorities and expectations. Although the DFA directs the agencies to coordinate their exam efforts, it is unclear how effectively this will work in practice.
- Exam experience – CFPB examination teams consist of a mix of seasoned and less-experienced examiners, as well as CFPB attorneys, many of whom have not supervised financial institutions previously. Each institution will be required to educate examiners about its structure, products and services, and practices; however, given the heightened legal risks associated with the exam team composition, institutions should exercise prudence in how they share information and ensure the quality of this information.
- Compliance and technology – Checklist-driven compliance programs are becoming obsolete. Technology is evolving to the point where operational compliance can be controlled systematically, enabling efficient implementation of new and existing requirements, a higher degree of consistency, and targeted, exception-based monitoring.
- Vendor risks – Organizations with a significant number of customer-facing vendors are particularly at risk for compliance concerns and CFPB scrutiny. The Bureau is likely to consider contractual protections to be insufficient on their own for moderate- to high-risk vendors, and will expect more robust vendor management efforts.
- Safe harbors are not enough – Firms focused only on technical compliance, or who are consistently at the aggressive end of “gray” compliance areas, are likely to struggle under the CFPB’s focus on prohibiting UDAAP.
Our Point of View
Financial institutions should be proactive in evaluating and strengthening their consumer compliance management programs in light of the guidance provided by and the examination procedures utilized by both their prudential regulators and the CFPB. Key steps should include the following:
- Define the scope of the compliance program, assign roles and responsibilities appropriately for compliance within the organization, and align the compliance vision, mission and goals with those of the institution.
- Develop enterprisewide compliance standards and provide training to drive consistency among compliance processes throughout the organization.
- Utilize a robust compliance risk assessment process to inventory and identify the applicability of, risks associated with, and mitigating controls related to laws, regulations and regulatory guidance.
- Manage compliance through technology, including controls to generate uniform disclosures, establish activity limits and conduct exception-based monitoring.
- Establish processes to track regulatory issues arising from business activities and consumer complaints, evaluate the root cause(s) of these issues (particularly related to UDAAP) and formulate timely corrective actions.
- Provide meaningful, timely reporting to key stakeholders, management and the board regarding compliance activities, new laws, regulations and industry trends, as well as compliance breakdowns and corrective action plans.
- Evaluate vendor activities regularly for compliance with applicable laws, regulations, and contractual standards and measurements.
How We Help Companies Succeed
Our Risk and Compliance professionals can help your organization meet the challenges of developing and maintaining an effective consumer compliance management program. Our experience includes:
- Evaluating, designing and implementing compliance governance programs, including benchmarking programs against industry peers
- Developing consumer compliance-related policies, procedures and training
- Developing and executing consumer compliance monitoring and testing programs
- Conducting independent reviews or internal audits of consumer compliance programs, including evaluating compliance with individual consumer compliance laws, regulations and regulatory guidance
A large regional bank sought an evaluation of its consumer compliance program. We assessed how effectively the bank’s compliance function:
- Identified new and existing legal and regulatory requirements, assessed risk, and established risk-based monitoring, auditing and training programs.
- Supported new business initiatives within consumer and commercial banking, wealth management, brokerage, and investment advisory operations.
- Provided information to inform management and the board on compliance responsibilities, potential compliance issues and trends, and critical needs to address regulatory requirements and expectations.
We identified gaps and provided tactical and strategic recommendations on how to improve the program.