When The CFPB Is After You: How to Respond to Threatened Enforcement Actions

4-30-14-covington.jpgWhen the Consumer Financial Protection Bureau (CFPB) sends a letter to the board of directors, it is rarely good news. It often means the institution is facing a potential or actual enforcement action. Enforcement actions can unfold quickly. They typically require an institution to respond, at least on certain preliminary matters, within a matter of days.

The board of directors should be involved in the institution’s handling of virtually any threatened enforcement action. The CFPB, like the prudential regulators, holds an institution’s board of directors ultimately responsible for the institution’s conduct. Thus, it is in the board’s interest to provide direction and oversight throughout the enforcement process. Such an approach will help directors fulfill their regulatory obligations and assist in ensuring that the enforcement matter is handled appropriately.

In addressing a CFPB enforcement action, directors should bear in mind five key principles:

  1. Assemble a response team. It is important to develop a comprehensive and strategic approach to responding to the CFPB’s enforcement action. Ideally, an institution already has in place a plan that specifies the individuals responsible for coordinating the institution’s response. The response team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business and outside counsel. The team also may include, depending on the nature of the enforcement action, additional representatives, such as from human resources, information technology, finance or compliance.
  2. Inform the board and determine appropriate board involvement. Once the institution is notified of the contemplated enforcement action, a member of the response team should immediately alert the board’s audit committee chair, and in consultation with the audit committee chair, decide when and how to inform the remainder of the board. Although the entire board should be kept apprised and consulted, as necessary, throughout the enforcement process, the board often designates one or more directors as the primary contacts with management and their outside advisors as the institution develops its response strategy.
  3. Develop a coordinated short-term plan. CFPB enforcement actions often require immediate tactical decisions that can have long-term strategic implications. For example, an institution usually has only 20 days to decide whether to object formally to any provisions in a CFPB civil investigative demand. The institution should consult with legal counsel to weigh the benefits of filing such a petition against the possible risks, including the impact of such a filing on the institution’s interactions with the CFPB and the likelihood that the institution’s legal arguments will succeed.

    The bank also should determine whether any public disclosures are required—such as under the securities laws or customer notification laws—or whether any disclosures should be made to preserve relationships with business partners and customers and, if so, how these disclosures may be made in accordance with restrictions on the disclosure of confidential supervisory information. Such decisions must account for the fact that an enforcement action may create multiple areas of exposure, including follow-on private litigation, reputational harm, and customer relations issues. The board should be briefed on these disclosure obligations and ensure that the various disclosures are handled in a coordinated manner.
  4. Develop a longer-term strategy. While the institution likely will be required to make some decisions immediately, those decisions should be made in the context of the institution’s longer-term strategy. The development of this strategy should take into account such factors as the strength of the institution’s defenses, the magnitude of the institution’s exposure, factors affecting the institution (e.g., a possible acquisition), and whether the institution is likely to reach a better result through a cooperative approach (while still advancing the institution’s defenses) or by assuming a more aggressive stance. In all events, the board should understand what this strategy is and make sure management is informing the board of any major developments.
  5. Adopt long-term reforms. One of the best ways to avoid regulatory scrutiny and enforcement is to adopt lessons learned from past violations. At a minimum, the board should determine whether other areas present similar risks, review the adequacy of internal controls and compliance policies, and assess the frequency and thoroughness of management reports to the board.

An effective response to a CFPB enforcement action requires a coordinated strategic approach that is overseen and monitored by the institution’s board of directors. Bearing in mind these five key principles will help board members lead their institutions successfully through CFPB enforcement actions.

Consumers are Now Center Stage, Bank Attorneys Say

Nearly three years after the creation of the first ever regulatory agency just for consumers of financial products, the Consumer Financial Protection Bureau, or CFPB, has rewritten mortgage rules, targeted debt collectors, auto lenders, big banks and even for-profit colleges. It has been a busy few years. So how has the agency transformed the industry? We asked a panel of bank attorneys.

What has been the impact so far of the CFPB?

Murphy-Patrick.pngI would have to say that the biggest impact, at least from the perspective of community banks, has been the cloud of regulatory uncertainty that the CFPB has cast over those institutions, and the resulting impact on their bottom line. While community banks are not directly regulated by the CFPB, they are still subject to much of the same rulemaking by the agency as are the big money center banks. Even where community banks are specifically exempted from CFPB regulation, those regulations nonetheless tend to serve as standards or competitive baselines for smaller institutions. It is difficult, as a result, to anticipate the infrastructure and resources needed to stay ahead of the regulatory curve. As a result, community banks are forced to beef up their compliance departments, or outsource oversight of those responsibilities, creating disproportionately higher overhead for such banks as compared to larger institutions.

—Patrick S. Murphy, Godfrey Kahn, S.C.

Dailey-Michael.pngOne important impact CFPB has had thus far on the banking industry is the creation of a renewed fervor among the bank regulatory agencies in the area of consumer protection. Since the inception of CFPB after the enactment of Dodd-Frank, those in leadership positions at CFPB have noisily and frequently made it clear that the bureau believes consumers have been, and are currently being, taken advantage of by financial institutions, both bank and non-bank institutions. Given the preeminent position the CFPB holds in the consumer compliance regulatory arena, the other agencies (Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., the Federal Reserve, and the state regulators) understandably are following CFPB’s lead. Some effects on the banking industry of this heightened interest in consumer compliance include increased overhead costs, uneasiness about upcoming regulatory examinations, diversion of senior management attention from revenue generating activities, and degradation of the working relationship between bankers and field examiners.

—Michael G. Dailey, Dinsmore & Shohl LLP

Jonathan-Wegner.jpgIn a word – UDAAP. The CFPB’s “gotcha” approach to exercise of its regulatory enforcement authority over unfair, deceptive, or abusive acts or practices (UDAAP) took many of our clients aback. As they try to develop new products and procedures designed to accommodate changing consumer preferences (for example, in connection with mobile services and prepaid cards), the chilling effect that the enforcement actions have had on those business units has been notable. Some bankers have gone back to the drawing board with current products while others have grown skittish about rolling out new offerings. At a time when the marketplace is demanding innovation, the CFPB’s UDAAP enforcement actions against major financial institutions have caused the mentality among some bankers to shift from “What shall we do next?” to “Are we next?”

—Jonathan Wegner, Baird Holm LLP

ReVeal-John.pngThe CFPB’s biggest impact has not been through any regulations it has enacted, nor has it been through its own enforcement of consumer protection laws. No, its biggest impact has been indirect—by heightening the emphasis on consumer protection and leading to a dramatic increase in civil money penalty (CMP) actions by federal bank regulators for alleged unfair or deceptive acts or practices (UDAP). In 2013, the FDIC imposed CMPs against banks 89 times, 16 of which were for alleged UDAP violations. At 18 percent of all bank CMP actions, this is a near doubling from 2012 and three times the percentage in 2011. Expect these percentages to keep growing. Once bank regulators have identified an industry “problem,” they do not change course until the next flood, financial crash or other newsworthy event redirects their attention. And the CFPB has barely begun its own enforcement actions under the new unfair, deceptive, or abusive acts or practices law.

—John ReVeal, Bryan Cave LLP

Stanford_Cliff.pngIt is always important to remember that the CFPB was established to be immune from regulatory capture by the industry, and the CFPB will be quick to tell you that it’s not about the bank, but about the consumer. For banks, the rule-writing, supervision, data gathering, and enforcement activity of the CFPB has elevated the status of consumer compliance within the hierarchy of concerns of senior management and boards. While issuing a range of new and complex rules, the CFPB has also emphasized third party oversight and principle-driven versus rule-driven compliance (think unfair, deceptive or abuses acts or practices, or UDAAP). Moreover, the CFPB has influenced the prudential supervisors in their oversight of community banks, where consumer compliance is also getting heightened attention.

—Cliff Stanford, Alston & Bird LLP

Regulators Go After Banks for Vendor Management

2-5-14-Bryan-Cave.pngWhile the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators. A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.) Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive act or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

(Not the) Same as the Old Boss

While the message from the federal regulators has not varied over the years, recent actions by the various agencies indicate they are more likely to use enforcement as a means of guaranteeing compliance with their vendor management mandates. A detailed discussion of the cases listed below is beyond the scope of this article, but to a large degree each case focused on deceptive sales practices by third-party vendors while marketing a bank product:

  • CFPB: Discover Bank, $14 million civil penalty (September 2012)
  • OCC: American Express Bank, estimated $6 million in restitution (September 2012)
  • CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
  • CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)

Although neither the FDIC, OCC nor the CFPB provides community banks with an explicit exemption from the vendor management mandates, each set of rules does include a statement similar in content to that expressed in FIL-44-2008: “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.” For community banks that offer only traditional banking services, senior management and the board should use a common sense level of due diligence before, during and after a third-party relationship is commenced.

We Won’t Be Fooled Again

Bank management and boards of directors should not allow recent enforcement actions to deter their use of third-party vendors to provide critical functions. The economics supporting such outsourcing decisions certainly outweigh the risks posed by potential regulatory enforcement action. However, regulators have given notice that a failure to implement and follow vendor management protocols will no longer be tolerated, and boards and management bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.

They are Watching You: How to Handle Complaints

11-8-13-Wolters.pngSince opening its doors in July 2011, the Consumer Financial Protection Bureau (CFPB) has gone the distance to make sure consumers of financial services know they can lodge complaints pertaining to a broad range of financial products and services. The CFPB receives complaints from consumers concerning credit cards, mortgages, bank accounts or services, private student loans, consumer loans, credit reporting, money transfers and debt collection for institutions of all sizes.

Regardless of the size of your institution, it is prudent to have a formal, fully functional process for receiving, escalating, analyzing and responding to consumer complaints. Meeting the expectations of regulators where consumer complaints are concerned not only shows the bureau your bank is responsive, but also serves as a way to champion the consumer experience and stand out from the crowd.

Complaint Handling from the Examiner’s Point of View

Regulatory Expectation: Consumer complaints and inquiries, regardless of where submitted, are appropriately recorded and categorized.

Depending on the overall size and complexity of your organization, this can be a serious challenge to structure and organize. Keep in mind the following as you determine what controls to build into the complaint intake and tracking workflow:

  1. What’s a complaint?
    Has your institution clearly defined what constitutes a complaint? Well managed and carefully analyzed complaint data provides the opportunity to make key revisions and/or enhancements to products and services, and demonstrate to your customers that you are listening.
  2. Complaint submission
    Consumers seeking to file a complaint should be allowed to do so through mail, email, or phone. Your organization will need to ensure that the infrastructure is in place to fully support all channels for complaint intake. All complaints, regardless of origin or point of submission, including verbal complaints, must be registered and assigned ownership and accountability for response and timely resolution.

As you address these considerations, apply the same thought process to third-party service providers that directly interact with your customers or support your company’s products and services.

Crossing Your T’s and Dotting Your I’s

Examiners will request and review records of recent consumer complaints against your institution from the prudential regulator, from state regulators, from state attorneys general offices or licensing and registration agencies, and from private or other industry sources. It will be essential that your policies and procedures for receiving, escalating and resolving consumer complaints and inquiries from all sources and points of submission are fully defined and clearly documented.

Regulatory Expectation: Complaints and inquiries, whether regarding the entity or its service providers, are addressed and resolved promptly.

In order to not only meet, but also exceed expectations for timely response to complaints, the process you establish for complaint intake should time stamp the complaint and establish an estimated timeline for response, as appropriate. This recognizes, however, that complaints differ in severity and required course of action for response and resolution. As such, policies and procedures addressing timeliness of response should factor for these differences.

Search and Scan

Regulatory Expectation: Complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, or other regulatory compliance issues, are appropriately escalated.

Proactively scan your complaint database to identify complaints alleging deception, unfair treatment, unlawful discrimination, or other significant consumer injury. The list you build should be as comprehensive as possible. This will require dedicated task assignment and accountability for maintaining an effective surveillance process.

Complaints alleging discrimination or presenting an elevated legal risk must be escalated to specifically identified departments or individuals within your organization to ensure proper analysis and handling. If your institution maintains multiple customer support centers, enforce a uniform set of complaint escalation practices.

If It’s Broken, Fix It

Regulatory Expectation: Complaint data and individual cases drive adjustments to business practices and result in retrospective corrective action, as appropriate.

Of great interest to regulators is how actively your institution will monitor complaints to identify issues and trends that may require changes in products, procedures and/or training. Examiners will seek to review whether internal evaluations of consumer contacts are shared through regular reports to the board and senior management, and whether such information is used in modifying policies, procedures, training and monitoring.

With effective complaint handling processes firmly in place, you are then in a good position to ultimately drive change should it be determined that a weakness or defect in a product, procedure, system or employee training has been identified. You want to be able to demonstrate that appropriate corrective action resulted, based on efforts to understand the root cause of the issue leading to the complaint.

The Bottom Line

Based on the nature and/or number of complaints received, complaint-driven data is going to be one of the first points of review by regulators. The information could signal weaknesses in your institution’s compliance management system (CMS). Regulators will look for how proactively you manage complaints and demonstrate direct learning from an analysis of your complaint data. It also goes a long way in improving your relationship with your customers, perhaps the most important relationship you have.

What is the Worst Aspect of Dodd-Frank?

The Dodd-Frank Act is the most substantial piece of financial legislation since the Great Depression, and also one of the least popular among bankers. But not everyone agrees what part of Dodd-Frank should be thrown out the window or changed. Is it the Volcker Rule? The Durbin amendment? How about the Consumer Financial Protection Bureau? Bank Director asked a group of attorneys to answer that question.

If you could change one thing in the Dodd-Frank Act, what would it be?

Smith_Phillip.pngI would not have established the Consumer Financial Protection Bureau (CFPB). It was not community financial institutions that initiated unfair, deceptive or abusive consumer practices, yet the trickle-down effect on smaller banks from enforcement endeavors against larger organizations will have a negative impact. Instead of punishing banks that did not cause the crisis with a brand new investigative arm of the government, what about focusing on the true troublemakers?

— Philip K. Smith, Gerrish McCreary Smith, PC

Lynyak-Joe.pngTitle XIV of the Dodd-Frank Act has required the CFPB to substantially rewrite the substantive and procedural rules governing the U.S. residential mortgage system, including application, underwriting and servicing of home mortgage loans. As part of that statutory mandate, severe limitations were placed on the origination of mortgages, including the creation of so-called qualified mortgages and rules on loan originator compensation. To enforce those limitations, penalties were expanded for originators, servicers and assignees of mortgages—without a statute of limitations. The optimum change would be to modify these mortgage rules in a manner that would facilitate the availability of credit by lenders by providing greater flexibility in the types of loans permitted, as well as limiting the liability for originators and assignees for violations. Failure to do so may inhibit the availability of credit to the home mortgage segment.

— Joe Lynyak, Pillsbury Winthrop Shaw Pittman LLP

fisher_keith.pngThe Dodd-Frank Act pretends to eliminate so-called too big to fail while actually enshrining it (using different words) in federal statutory law. Worse, the Act expands the scope of potential bailouts to include nonbank financial companies. Title I of Dodd-Frank, which creates the Financial Stability Oversight Council, greatly multiplies the degree of moral hazard and creates structural incentives for institutions not currently large enough to be considered Systemically Important Financial Institutions (SIFIs) to expand so as to aspire to join that exclusive club. From a public policy viewpoint, this is simply awful. Adding yet another unwieldy federal bureaucracy—the Financial Stability Oversight Council—to the mix is also fundamentally misguided. Outright repeal of Title I would be a vast improvement. Secondly, while the creation of a federal agency devoted to consumer financial protection may have been inevitable, having a large bureaucracy with a broad and diffuse legislative mandate and virtually unlimited funding seems misguided. At a minimum, the CFPB should be made subject to congressional oversight and the appropriations process.

— Keith Fisher, Ballard Spahr LLP

Mark-Nuccio.jpgThat’s an easy one—the Volcker Rule! Hugely reactionary and draconian, the post-Depression idea that banks should be kept almost entirely out of proprietary trading and private fund investment is epic silliness. Since Gramm-Leach Bliley, plenty of organizations handled their freedoms in these areas well. Instead, why not ban mortgage lending? There has to be a better way to address the perceived risks of the banned Volcker Rule activities. The risk to the economy created by the law (as well as the risk of further boggling the implementation of it) outweighs any possible benefit. Adopted more than three years ago and still waiting for final regulations (or better yet re-proposed regulations)—there’s a reason for that kind of delay—it’s a bad law!

— Mark Nuccio, Ropes & Gray LLP

Gregory-Lyons.jpgI would add a provision that expressly permits the agencies to tailor the law, either by regulation or on an individual institution basis, to ensure the rules to which an institution will be subject are appropriate for that institution. Dodd-Frank is a very broad, sweeping law, and that necessarily will result in it having unintended consequences for some institutions. For example, should insurance companies and other nonbank-centric financial services firms that either are designated as non-bank SIFIs or that retain a reasonably small bank presence be subject to the same capital rules as bank-centric institutions?

— Gregory Lyons, Debevoise and Plimpton LLP

Regulatory Punch List of Top Priorities for Bank Directors

8-26-13-Wolters.pngIn today’s banking world, exams are tougher, the supervisory focus is on fairness to consumers, data is heavily scrutinized and consequences for failing to mitigate risks are more severe than ever. It is incumbent upon bank directors to stay in front of high risk areas and make sure their institutions can survive and thrive in this challenging environment. I put together my punch list of some of the top challenges I see facing the industry to provide guidance on where you will want to focus.

Get Serious about Complaint Management
The Consumer Financial Protection Bureau (CFPB) continues to amass an unprecedented public database of complaints against specific financial institutions. The CFPB’s complaint system is informing many of their decisions about whom to examine and how to regulate. In the face of this, banks should strive to improve their own internal complaint systems. You don’t want those complaints going to the bureau. You want them coming to the bank so you can solve them.

Be Extra Vigilant When Choosing and Managing Vendors
Regulators are looking more closely at the way banks choose and manage their vendors and are holding banks responsible for the faults of their vendors. In fact, recent enforcement actions from the CFPB resulted in a combined $101.5 million in fines plus $435 million in restitution for the financial firms based on flaws in the way the banks monitored their vendors. Additionally, the CFPB issued a bulletin in April 2012, with the message that banks are responsible for any faults of the vendors they work with.

Don’t Let the Ease of Social Media Make Things Difficult
In the social channel, which demands quick responses, an outsider may see what he perceives to be a run-of-the-mill consumer complaint and hastily respond in a way that causes more trouble. Be sure to monitor social media activity continually in real time.

Don’t Wait for Clarity from Regulators—Monitor, Test and Correct Fair Lending Issues Now
The recent OCC order that hit a bank for discriminating against white males may have taken some bankers off guard, and moved several to demand more clarity from regulators. But in this enforcement heavy environment, the best option is for banks to heavily monitor, test and correct, when necessary, all of their credit products now.

Solidify a Regulatory Reform Process
In our Regulatory & Risk Management Indicator survey in June, we asked bankers which regulatory concerns keep them up at night, and 46 percent said regulatory reform—referring to new rules stemming from the Dodd-Frank Act and the CFPB. Make sure your bank can address three primary questions relating to compliance programs:

  1. What are the laws and regulations you are subject to across all the jurisdictions in which you operate?
  2. Are you confident you are complying with all of these laws and regulations?
  3. Can you prove it to third parties (e.g., board members, investors, regulators and other stakeholders)?

Leverage Technology to Adjust to Onslaught of New Rules
Once upon a time, when a bank had an enforcement action of a significant deficiency, the first thing senior management used to say was: Where is our chief compliance officer? How did this happen? Now the question is going to be: Where is our chief technology officer? Why didn’t technology come up with the means to implement these changes in a more effective, efficient and compliant way? If technology and compliance aren’t talking to each other, they need to get together.

When it Comes to Auto Lending, Be in the Driver’s Seat
The CFPB is cracking down on interest rate markups that automobile dealers add to the cost of car loans. If they’re done in a discriminatory manner, then the bank is responsible. The CFPB recently released a bulletin that said lenders must enhance their oversight of auto dealers with which they do business after a recent investigation revealed disparities in interest rates charged to minority borrowers versus non-minorities. The bigger-picture problem for banks is that the regulatory scrutiny requires them to monitor the loans being made by all of the auto dealers they work with. That’s sometimes more than 1,000 dealers. The CFPB is hoping that lenders will voluntarily place compensation restrictions on dealers.

Watch out for UDAAP
The Dodd-Frank Act adds an “A” (which stands for abusive) to UDAP—turning the Federal Trade Commission’s provisions into “unfair, deceptive or abusive acts or practices.” A lot of it depends on the consumer’s ability to understand what is being presented to them. The gap between what is presented to customers and how they perceive what they get as well as its value is where the danger appears to lie. From the moment that a deposit or mortgage product or service is developed and the process begins, compliance folks have to have a seat at the table. I recommend that banks perform some testing to be sure the information being conveyed is perceived by the consumer the way it was meant to be. If there is a complaint, and that complaint goes to the bureau, the lender is going to have to be prepared to defend his ability to provide a product that was not unfair, that was not deceptive and certainly was not abusive.

Gear up for New Mortgage Rules
Several new mortgage rules are on their way from the CFPB. Among the new rules is the QM, or qualified mortgage (ability-to-pay) rule, a provision related to high-cost mortgages, a rule impacting loan officer compensation, new servicing standards, an escrow rule about impounding accounts and tax insurance, an appraisal disclosure rule and another appraisal guideline related to high-cost mortgage. Even now that the QM rule is final and going into effect in January, the industry still has to focus on the qualified residential mortgage (risk-retention rule) and its impact on mortgage lending and the secondary market. For much of the industry, setting up systems to comply with QM is a big concern. Also, we still must find out how all these different rules conflict with each other. It will certainly be a challenge.

Regulator Panel: Would You Sell These Products to Your Mom or Dad?

7-5-13_Naomi.pngThe shifting focus of regulators is indeed a concern for bankers and bank boards these days. The creation of the Consumer Financial Protection Bureau (CFPB) has impacted almost all banks and thrifts, not just the $10-billion-plus financial institutions that are subject to CFPB exams. The CFPB is publishing new rules monthly about topics such as fair lending, mortgage disclosures and even the interest rate banks can charge for residential loans. Plus, regulatory exams that end badly can have serious negative consequences for banks, so it’s a good idea to keep tabs of what regulators are thinking about your bank.

At Bank Director’s Bank Audit Committee Conference in Chicago last month, Deputy Comptroller Bert Otto in the central district in the Office of the Comptroller of the Currency (OCC) joined David Van Vickle, assistant regional director at the Federal Deposit Insurance Corp. (FDIC) and Molly Curl, bank regulatory national advisory partner at Grant Thornton LLP, in a discussion of what regulators are looking for in exams. John Geiringer, a partner at law firm Barack Ferrazzano Kirschbaum & Nagelberg LLP, moderated the discussion.

Otto said strategic risk is one of the things his office is most worried about right now. Banks are focused on improving earnings, but he would like bank boards to look at the risk involved in their strategic plan and any new products or services offered by the bank.

He said regulators are focused on risk: What are the bank’s risks and is the bank leadership identifying them? “The focus of all the regulators going forward, at least at the OCC, is really risk on a forward-looking basis,’’ he said.

Van Vickle agreed that this is a focus for his agency as well. Examiners are asking: What is the bank’s tolerance for risk? What are the key indicators of risk? In terms of mitigating risk, Curl said banks should have a full risk profile with risks rated from highest to lowest, and a plan for how to mitigate those risks. The risk line of defense then involves the compliance department, as well as internal audit, which will review at least annually the internal controls to see if policies and procedures are being followed. A bank can opt for yet another line of defense: an outside firm to review the bank’s risk profile and procedures for mitigating risk.

Banks frequently use outside vendors of various sorts, but they can actually be a source of risk as well. Note recent news about the CFPB crackdown on Minneapolis-based U.S. Bancorp over subprime auto loans to military service members, which were provided to U.S. Bancorp through a vendor. Van Vickle, speaking in general and not about U.S. Bancorp, said:  “We will hold the bank responsible for a lot of what those service providers are saying, if they are approaching customers and making promises and not making appropriate disclosures.”

Compliance risk can also hinder acquisition plans, as it did in M&T Bank Corp.’s purchase of Hudson City Bancorp this year, when regulators delayed the closing date of the sale amid questions about M&T’s compliance with anti-money laundering rules. The Bank Secrecy Act (BSA) and anti-money laundering laws are now more significant in regulatory exams than in years past because a bank’s  compliance track record now impacts its safety and soundness rating, Curl said.

“BSA should be a critical element to any products you roll out,’’ Geiringer said. “It used to be the compliance officer came in at the end, and was Dr. No.” Nowadays, the compliance officer should be involved in the beginning of the process of rolling out new services and products, he said. Consumer compliance is a new focus of regulation, Geiringer said. The Dodd-Frank Act expanded consumer law in the form of UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) to include the term “abusive.” Ask yourself: Would you sell the bank’s products to your mom or dad? Does your bank board set the right tone in reacting to compliance issues? If new regulations are mentioned at a board meeting, do you roll your eyes? How does that impact management if they see board members doing that?

There has been a shift in banking regulation and it’s worth paying attention to. The regulatory panel at the audit conference made that clear. 

No More Balloon-Payment Mortgages? No Problem

5-24-13_Bryan_Cave.pngEditor’s note: On May 29, 2013, the Consumer Financial Protection Bureau amended its new rule to delay implementation of the balloon payment injunction for two years for small lenders with less than $2 billion in assets who make fewer than 500 first-lien mortgages per year. The delay lasts for two years after the implementation date of January, 2014.

Among the many sea changes within the Consumer Financial Protection Bureau’s new mortgage regulations, the rules’ harsh view of the balloon-payment loan is among the most disappointing for community banks. The CFPB clearly does not like these loans and has taken a major swing at them. Beginning in 2014, creditors will be prohibited under the Truth in Lending Act from making covered loans absent a good faith review of the borrower’s repayment ability. The risks of non-compliance with this rule are grave and include a defense in foreclosure that essentially has no statute of limitations. So-called “qualified mortgages” will enjoy a presumption of compliance with this new Ability-to-Repay (ATR) standard, but balloon notes are not generally favored.  Here is a five-step roadmap for coping with these new restrictions.

First, assess the damage. Start by determining how many of your existing loans are within the scope of these rules. Be careful to separate true consumer loans from others. It bears emphasizing that commercial-purpose balloons are not covered, in most cases even if they are secured by the borrower’s principal dwelling. On the other hand, there is no general small creditor exemption for covered transactions. And while the rules do not apply to home equity lines of credit, they do apply to closed-end home equity loans so long as they are secured by a dwelling and constitute consumer credit.

Of course, your bank may be among the few small creditors that will qualify to make “rural balloon-payment qualified mortgages.” If so, even these loans will need to have at least 5-year terms. Under the general ATR rule, loans may include a balloon payment, but consumers must be deemed capable of making any balloon payment due within the first 5 years of a loan (or at any time during the loan if it is higher-priced). 

Second, expect ALCO excellence. For creditors, the demise of balloons under these new rules is primarily an interest rate risk (IRR) story. Short-term balloon loans are popular because they are a simple means of managing IRR. The CFPB acknowledged as much but believes only a limited class of rural creditors should be encouraged to continue making such loans, notwithstanding evidence that consumers understand and like them. Thus, your bank’s asset/liability management committee (ALCO) or other IRR management body should be springing into action right now if balloons are a material part of your portfolio. Among other things, the effective date of these new rules—January 10, 2014—should be circled on the ALCO’s calendar; laid over existing internal policies, procedures, and limits; and entered into IRR models and simulations. 

Third, renew or modify certain loans. Depending on what strategies emerge from your ALCO’s deliberation, you may end up trying to renew or modify a certain number of existing mortgages before the new rules take effect. This is because, while existing balloon mortgages are not covered by the new origination rules, their renewal could be. To understand this, fast-forward to 2014:  the CFPB has specifically noted that “any change to an existing loan that is not treated as a refinancing” under the Truth in Lending Act is not subject to its new ATR restrictions. This means that, even in 2014, you might be able to modify certain loans and retain their balloon-payment features.  The viability of this prospect turns on whether, under applicable state law, the existing obligation has been merely amended or, rather, “satisfied and replaced” by a new one. There has long been variability under state law on this issue.     

One thing that is clear under the new rules is that existing balloons will not qualify for the “non-standard mortgage” refinancing exemption from the general ATR requirements. This Dodd-Frank concept exempts creditors from the strict new ATR underwriting requirements when they are refinancing borrowers into conventional mortgages from certain existing loans that pose a risk of “payment shock” (e.g., certain adjustable-rate loans). The CFPB concluded that balloon mortgages do not pose the sort of risk targeted by this exemption and thus will not qualify to be “streamline” refinanced this way. 

Fourth, ramp up to make ARMs. To compete in 2014 and beyond, creditors may need to offer some form of adjustable-rate mortgage (ARM). This obviously presents a challenge if ARMs are new to your organization. Even the CFPB has acknowledged that many creditors would prefer to offer balloons as a means of managing interest rate risk “without having to undertake the compliance burdens involved in administering adjustable rate mortgages over time.” In 2014, these burdens will include not only new underwriting mandates but also a new rate adjustment notice (under the CFPB’s new servicing rules). It will also be important that loan officers understand ARMs well enough to describe them to consumers.   

Fifth, and finally, demand help from your systems vendors. These service providers can not only walk you through add-ons and modules that will help you comply with the new rules, but they can also help train your loan officers and underwriters. While more complicated than balloons, ARM loans are conducive to a variety of systems solutions. These tools should put you well on your way to making a smooth transition away from balloons. 


The CFPB’s sweeping mortgage reforms will have a major impact on product terms and offerings. Given the CFPB’s stated views, don’t expect further regulatory relief for balloon-payment mortgages. With proper planning, however, your institution should be ready to live without them and to distinguish yourself in the crowded mortgage marketplace on efficiency and customer service.

Pay Attention: Final Rules on Loan Originator Compensation

4-19-13_Dinsmore.pngJanuary, 2013, was a watershed month for mortgage standards after the Consumer Financial Protection Bureau released the long-awaited final rules on ability to repay, qualified mortgages, mortgage servicing, and appraisal requirements.  Each of these rules promises to keep compliance gurus busy throughout this year and into 2014.

January also heralded another Dodd-Frank final rule of great interest to senior management, boards of directors, and certainly to the frontline, revenue producing, mortgage loan personnel – the mortgage loan originator compensation requirements.

The new compensation rules are potential bottom line changers both for mortgage loan officers/originators and financial institutions themselves—making it imperative that financial institution management and boards of directors move this topic to the top of their to-do lists.

In the aftermath of the mortgage market meltdown, politicians and pundits, and the federal regulators who answer to them, became increasingly focused on the role that loan officers and originators play in the consumer mortgage loan process.  Prior to the meltdown, training and qualification standards for loan originators varied widely within the industry.  Furthermore, compensation programs evolved to incentivize loan officers and originators to lead consumers into more expensive loans.  With Title XIV of the Dodd-Frank Act and the compensation final rules, the consumer protectors set out to end these practices.

What’s Not OK
The rules on compensation prohibit a loan officer/originator from being compensated based on any “term of the transaction” or any proxy for a term of the transaction.  This is not new; this prohibition has been part of Regulation Z since 2011.  The final rule now defines “term of the transaction” but leaves some uncertainty.

A term of the transaction is “any right or obligation of the parties to the credit transaction.”  What does this mean?  The commentary to the final rule answers that question by including descriptions of items the CFPB believes are “terms of the transaction.”  Those items include (see final rule commentary for full list):

  • interest rate
  • prepayment penalty
  • whether a product or service is purchased (e.g., lender’s title policy)
  • fees or charges requiring a good faith estimate and/or HUD-1 disclosure statement (and future Truth-in-Lending Act/Real Estate Settlement Procedures Act combined disclosure)
  • points, discount points
  • document fees; origination fees

What’s OK
CFPB acknowledges the compensation restrictions could create uncertainty for regulated institutions.  To allay this uncertainty, the final rule commentary provides a list of examples of permissible compensation mechanisms, which includes (see final rule commentary for full list):

  • originator’s overall loan volume
  • loan performance over time
  • whether the customer is existing or new
  • quality/condition of loan files
  • percentage of applications resulting in closed loans

Under the final rules, financial institutions are permitted to continue paying mortgage loan officers/originators bonus compensation.  However, bonuses will be subject to some restrictions.  Bonuses may not be based on the terms of the individual loan officer/originator’s transactions, and bonus compensation cannot exceed 10 percent of the individual loan officer/originator’s total compensation for the relevant period.

Looking Forward: Best Practices
The new compensation rules and the other residential mortgage related rules go into effect in January, 2014. Examination teams, armed with new exam procedures, will be descending on banks to test for compliance.  Below are a few best practice steps bank managers and boards of directors may take to be prepared.

  1. Ensure consumer compliance teams are trained on the new rules.  Modify consumer compliance audit/review procedures to ensure new rules are appropriately tested.
  2. Ensure mortgage lending management teams and loan officers/originators are trained on the new rules.
  3. Review existing loan officer/originator compensation programs, policies and practices to determine level of compliance; adjust programs and practices accordingly.
  4. Review existing employment, service, and management agreements and other documents relating to residential mortgage lending to determine if problematic provisions exist; amend agreements as necessary.
  5. Assign appropriate personnel to monitor release of guidance from CFPB and other federal regulatory agencies; review new examination procedures when available.
  6. Have management report to board of directors, or appropriate committee, on progress toward compliance.

There is Still More
The compensation final rules address several other important topics, including dual compensation, payment of upfront points/fees, loan originator qualifications, and mandatory arbitration provisions.  These topics are important for all participants in the mortgage lending arena, and you are encouraged to review them.

Boards Must Address New Standards for Consumer Products

4-12-13_wolters_kluwer.pngThe unfair, deceptive or abusive acts or practices standard (UDAAP) is one of the most talked about compliance issues today. The Dodd-Frank Act added the word “abusive” to what was forbidden under the law previously, expanding the scope of what constituted an UDAAP violation. All banking regulators are now charged with enforcing a new standard in consumer protection. This renewed focus on UDAAP has created an especially heightened regulatory concern for banks and other financial institutions governed by the Consumer Financial Protection Bureau (CFPB), particularly due to the lack of certainty behind how the term “abusive” will be interpreted. Given the heavy fines issued by the CFPB in 2012 and high profile settlements, directors will want to take inventory of their UDAAP compliance program and evaluate how each product and service is impacting the consumer. Here are a few recommendations.

Promote a Culture Shift to Focus on Risk to the Consumer
In this new consumer-centric supervisory context, in addition to evaluating the traditional risk to the institution if a compliance violation occurs, banks must also focus on the inherent risk to the consumer for any given process or product. This is a major shift in how institutions are being asked to examine risk and essentially creates a new risk discipline. Board members can lead the charge by making sure that any adverse impact on the consumer is evaluated right alongside traditional risk disciplines.

Set the Tone
Like all things related to regulatory risk and compliance, the best practice for creating a UDAAP-conscious organization is to establish the tone for compliance at the top. Financial institutions are well advised to review what is being communicated downward through various means, particularly in the form of policies, procedures and training materials. The key to establishing an effective UDAAP compliance program within the framework of your compliance management program is having strong controls. The CFPB prescribes the following four interdependent control components:

  • Board and Management Oversight
  • Formal Compliance Program (i.e., policies and procedures; training; and monitoring corrective action)
  • Response to Consumer Complaints
  • Compliance Audit

Ask the Questions
In applying practical thinking to managing UDAAP compliance risk and considering the high-risk areas, ask your senior management, does our compliance management system:

  • Establish compliance responsibility and accountability for UDAAP compliance at all levels of the organization?
  • Communicate to all employees their responsibility for compliance with UDAAP through training and regular compliance updates?
  • Ensure that UDAAP requirements are incorporated into the everyday business processes, as well as the procedures followed by contractors and third-party service providers?
  • Review operations for compliance with UDAAP requirements?
  • Require corrective action when non-compliance or a potential weakness is identified?

Evaluate Fairness and Transparency throughout the Product Lifecycle
Banks should always strive for fairness and transparency when communicating product features, terms and costs to customers, and apply the same standard in the delivery, support and servicing of all products. Consider the full extent of the product lifecycle when assessing your UDAAP compliance risks. High risk areas to focus on are:

  • Advertising and Solicitations
  • Loan and Account Disclosures
  • Servicing and Collections
  • Third-Party Service Provider Oversight

In all aspects of the product lifecycle, stress absolute transparency and hold each business line and product group accountable for continuously reviewing technical accuracy, alignment to actual practices, and clarity and ease of understanding from the consumer’s point-of-view.  

Manage Consumer Complaints
With the CFPB actively soliciting complaints from consumers and using that data to support their supervisory activities, you need to take a close look at your complaint data management and response processes. Particular attention should be paid to:

  • Your definition of a complaint
  • How complaints are categorized and classified internally
  • How they are routed for analysis of root cause, formal response, and ultimate resolution  

An effective complaint management system must be able to receive and process complaints from all sources, ranging from complaints issued directly to the bank to complaints from external sources such regulators, attorneys, the Better Business Bureau, consumer protection groups, web-based sources and social networking media. Complaints, while often troubling, are an opportunity to detect and address UDAAP issues such as false or misleading statements, inaccuracies in disclosures, and excessive and/or previously undisclosed fees.  Keep in mind that third-party service providers performing services on behalf of your organization should have conforming processes in place to receive complaints that mirror your own complaint handling processes. 

If you have not already taken a hard look at where your organization stands with respect to UDAAP, the time for action is now.