Where the CFPB’s Faster Payment Vision Falls Short

On July 9, 2015, the Consumer Financial Protection Bureau released its “vision” for faster payment systems, consisting of nine “consumer protection principles.” The principles build on concerns about payment systems raised by CFPB Director Richard Cordray in a speech last year. These well-intentioned principles pose a number of practical problems and ignore the inherent interdependence of consumer and commercial benefits as payment systems evolve.

The CFPB’s nine principles stake out a bold policy stance aimed at ensuring that faster payment systems primarily benefit consumers. The principles are:

  • Consumer control over payments;
  • Data and privacy;
  • Fraud and error resolution protections;
  • Transparency;
  • Cost;
  • Access;
  • Funds availability;
  • Security and payment credential value; and
  • Strong accountability mechanisms that effectively curtail system misuse.

Release of these principles follows initiatives by the Federal Reserve System, The Clearing House, and most recently NACHA, through its same-day ACH rule approved in May, to promote the development of faster payment systems.

Practical Concerns with the CFPB’s Faster Payment Systems Principles
The CFPB’s principles undoubtedly deserve consideration, and few industry participants would disagree with them at a high level. Though reasonable in theory, certain goals articulated by the CFPB may prove impractical, counterproductive, or unduly optimistic in practice. Here are four examples:

Data and Privacy
The CFPB generally wants consumers to be “informed of how their data are being transferred through any new payment system, including what data are being transferred, who has access to them, how that data can be used, and potential risks[,]” and wants systems to “allow consumers to specify what data can be transferred and whether third parties can access that data.”

This amount of disclosure and degree of consumer control is unrealistic for routine payment transactions, unnecessary in light of current and evolving security measures and fraud and error resolution protections, and likely to thwart the goal of faster payment processing.

Transparency and Funds Availability
The CFPB expects faster payments systems to provide “real-time access to information about the status of transactions, including confirmations of payment and receipt of funds” and to give consumers “faster guaranteed access to funds” to decrease the risk of overdrafts and non-sufficient funds (NSF) transactions.

Here and throughout its principles, the CFPB expresses its desire for faster payment systems to benefit consumers immediately. Implicit in this goal is a rejection of staged implementation of consumer protections, as in NACHA’s same-day ACH rule where same-day funds availability for consumers follows same-day settlement of debit and credit transactions. Additionally, real-time access to information about transaction status seems costly and unhelpful until consumers can act upon such information in real time.

Cost
The CFPB envisions affordable payment systems with fees disclosed to allow consumers to compare costs of different payment options.

The CFPB’s vision of comparative cost disclosures across the ecosystem of available payment options is unrealistic given the existence of competing independent payment systems, multiple payment channels and devices, and varying degrees of intermediation. The total cost to consumers of using different payment systems depends upon many unpredictable variables, making comparative cost disclosures little more than rough, imprecise estimates.

Access
The CFPB expects faster payment systems to be “broadly accessible to consumers,” including “through qualified intermediaries and other non-depositories.”

This principle focuses on unbanked and underbanked consumers. Although broad accessibility should be encouraged, it is difficult to imagine a safe and widely accepted payment system evolving in which banks would not be heavily involved in the origination and receipt of transactions. Indeed, payment systems that have evolved independent of banks—such as virtual currencies—pose substantial consumer protection concerns.

Implications of the CFPB’s Principles
CFPB Director Cordray emphasized that “the primary beneficiaries” of faster payment systems should be consumers and the CFPB’s principles reflect this view. Creating faster payment systems is an enormously complicated industry-driven undertaking, the cost of which is borne by industry participants. As such, faster payment systems must offer tangible benefits to industry participants, not just to consumers, if they are to succeed. The CFPB’s principles would be more effective if they expressly recognized the need to balance consumer and commercial benefits.

Further, the CFPB may intend to use its principles as a chokepoint for policing consumer protection features in evolving payment systems. We hope the CFPB’s adherence to these principles does not become rigid and overzealous or threaten to derail useful payment system improvements before they get off the ground.

In Plain Sight: The Extraordinary Potential of Big Data

The era of big data has arrived, and few industries are better positioned to benefit from it than banking and financial services.

Thanks to the proliferation of smartphones and the growing use of online social networks, IBM estimates that we create 2.5 quintillion bytes of data every day. In an average minute, Yelp users post 26,380 reviews, Twitter users send 277,000 tweets, Facebook users share 2.5 million pieces of content and Google receives over four million search queries.

Just as importantly, data centers have slashed the cost of storing information, computers have become more powerful than ever and recently developed statistical models now allow decision makers to simultaneously analyze hundreds of variables as opposed to dozens.

But while fintech upstarts like Simple, Square and Betterment are at the forefront of harnessing data to tailor the customer experience in their respective niches, no companies know their customers better than traditional financial service providers. The latter know where their customers shop, when they have babies and their favorite places to go on vacation, to mention only a few of the insights that can be gleaned from proprietary transactional data.

When it comes to big data, in turn, banks have a potent competitive advantage given their ability to couple vast internal data repositories with external information from social networks, Internet usage and the geolocation of smartphone users. In the opinion of Simon Yoo, the founder and managing partner of Green Visor Capital, a venture capital firm focused on the fintech industry, the first company to successfully merge the two could realize “billions of dollars in untapped revenue.”

Few financial companies have been as proactive as U.S. Bancorp at embracing this opportunity. Using Adobe Systems Inc.’s cloud computing services, the nation’s fifth-largest commercial bank “integrates data from offline as well as online channels, resulting in a truly global understanding of its customers and how they interact with the bank at multiple touch points,” says an Adobe case study.

By feeding cross-channel data into its customer relationship management platform, U.S. Bancorp is able to supply its call centers with more targeted leads than ever before. The net result, according to Adobe, is that the Minneapolis-based regional lender has doubled the conversion rate from its inbound and outbound call centers thanks to more personalized, targeted experiences compared to traditional lead management programs.

Along similar lines, a leading European bank studied by Capgemini Consulting employed an analogous strategy to increase its conversion rates by “as much as seven times.” It did so by shifting from a lead generation model that relied solely on internal customer data, to one that merged internal and external data and then applied advanced analytics techniques, notes Capgemini’s report “Big Data Alchemy: How Can Big Banks Maximize the Value of Their Customer Data?”

Another European bank discussed in the report generated even more impressive results with a statistical model that gauges whether specific customers will invest in savings products. The pilot branches where the model was tested saw a tenfold increase in sales and a 200 percent boost to their conversion rate relative to a control group. It’s this type of progress that led Zhiwei Jiang, Global Head of Insights and Data at Capgemini, to predict that a “killer app” will emerge within the next 18 months that will change the game for cross-selling financial products.

The promise of big data resides not just in the ability of financial companies to sell additional products, but also in the ability to encourage customers to use existing products and services more. This is particularly true in the context of credit cards.

“In a mature market, such as the U.S., Europe or Canada, where credit is a mature industry, it is naïve for a bank to believe that the way it is going to grow revenue is simply by issuing more credit cards,” notes a 2014 white paper by NGDATA, a self-described big data analytics firm. “The issue for a bank is not to increase the amount of credit cards, but to ask: How do we get the user to use our card?”

The answer to this question is card-linked marketing, an emerging genre of data analytics that empowers banks to provide personalized offers, savings and coupons based on cardholders’ current locations and transactional histories.

The venture capital-backed startup edo Interactive does so by partnering with banks and retailers to provide card users with weekly deals and incentives informed by past spending patterns. Its technology “uses geographical data to identify offers and deals from nearby merchants that become active as soon as the customer swipes their debit or credit card at said merchant,” explains software firm SAP’s head of banking, Falk Rieker.

Founded in 2007, edo has already enrolled over 200 banks in its network, including three of the nation’s top six financial institutions, and boasts a total reach of 200 million cards.

Poland’s mBank offers a similar service through its mDeals mobile app, which couples the main functions of its online banking platform with the company’s rewards program. “What makes this program so innovative is its ability to present customers with only the most relevant offers based on their location and then to automatically redeem discounts at the time of payment,” notes Piercarlo Gera, the global managing director of banking strategy at Accenture.

A third, though still unproven, opportunity that big data seems to offer involves the use of alternative data sources to assess credit risk.

The Consumer Financial Protection Bureau estimates that as many as 45 million Americans, or roughly 20 percent of the country’s adult population, don’t have a credit score and thereby can’t access mainstream sources of credit. The theory, in turn, is that the use of additional data sources could expand the accessibility of reasonably priced credit to a broader population.

One answer is so-called mainstream alternative data, such as utility payments and monthly rent. This is the approach taken by the VantageScore, which purports to combine “better-performing analytics with more granular data from the three national credit reporting companies to generate more predictive and consistent credit scores for more people than ever.”

Another is to incorporate so-called fringe alternative data derived from people’s shopping habits, social media activity and government records, among other things. Multiple fintech companies including ZestFinance, LendUp and Lenddo already apply variations of this approach. ZestFinance Vice President for Communications and Public Affairs Jenny Galitz McTighe says the company has found a close correlation between default rates and the amount of time prospective borrowers spend on a lender’s website prior to and during the loan application process.

“By using hundreds of data points, our approach to underwriting expands the availability of credit to people who otherwise wouldn’t be able to borrow because they don’t have credit histories,” says McTighe, pointing specifically to millennials and recent immigrants to the United States.

While this remains a speculative application of external data by, in certain cases, inexperienced and overconfident risk managers, there is still a growing chorus of support that such uses, once refined, could someday make their way into the traditional underwriting process.

This list of big data’s potential to improve the customer experience and boost sales at financial service providers is by no means exhaustive. “It’s ultimately about demonstrating the art of the possible,” said Wells Fargo’s chief data officer, A. Charles Thomas, noting that big data could one day help the San Francisco-based bank reduce employee turnover, measure the effectiveness of internal working groups and identify more efficient uses of office space.

It’s for these reasons that big data seems here to stay. Whether it will usher in a change akin to the extinction of dinosaurs, as Green Visor’s Yoo suggests, remains to be seen. But even if it doesn’t, there is little doubt that the possibilities offered by the burgeoning field are vast.

Fair Lending Compliance Is Becoming More Complex and More Challenging

Compliance with fair lending regulations has become dramatically more complex over the past several years. Although the underlying regulations have been in place for decades, monitoring by the Consumer Financial Protection Bureau’s (CFPB) Office of Fair Lending and Equal Opportunity, coupled with vigorous enforcement by the U.S. Department of Justice (DOJ), has increased lenders’ risk factors substantially.

Fair lending forbids discrimination based on “prohibited basis” factors: race, religion, ethnicity, national origin, gender, marital status, age, familial status, disability, receipt of income from public assistance sources, and the applicant’s exercise of rights under the Consumer Credit Protection Act. Problems can arise when lenders fail to monitor risk factors:

  • Underwriting. Lenders need to monitor and document any disparities in underwriting outcomes based on a prohibited basis as well as any inequitable application of exceptions to underwriting policies.
  • Pricing. Statistically significant differences in interest rates, fees, or other characteristics offered to applicants by prohibited basis create pricing risk.
  • Steering. It is illegal to steer members of a prohibited basis class to less favorable—often more costly—loan products. Offering similar if not identical products with different pricing through different business units can have the same effect as steering.
  • Servicing. Once all the loan documents have been signed and the customer is on board, posting of loan payments or waiving of late fees needs to be done equitably across a client base.
  • Redlining. Lenders need to be careful when analyzing where their customers live to avoid unintentionally redlining, which involves drawing red lines on a map around neighborhoods where lenders do not want to do business.

Enforcement Trends
In February 2010, the DOJ established the Fair Lending Unit to focus on potential abuses in the consumer lending sector. Since then, the DOJ has filed or resolved 36 lending matters under the Equal Credit Opportunity Act, the Fair Housing Act, and the Servicemembers Civil Relief Act. Settlements have provided more than $1.2 billion in relief for affected communities and individual borrowers.

Although much of this money came from settlements with major lenders, in 2013 the DOJ reached settlements with four community banks that each had less than $400 million in assets. Many of these settlements—large and small—involved pricing discrimination against minority borrowers.

Proposed HMDA Reporting Requirements
On July 24, 2014, the CFPB issued a proposed rule for the expansion of data that lenders need to report under the Home Mortgage Disclosure Act (HMDA). The CFPB wants to use HMDA data to increase awareness of the housing market and, more broadly, the availability of credit. The most significant changes to the HMDA would include:

  • Mandatory reporting of home equity lines of credit (HELOCs) and reverse mortgages
  • Quarterly reporting for large institutions
  • Changes to reporting thresholds—a 25-loan minimum for depository institutions
  • Inclusion of an additional 37 data fields, some of which involve qualitative factors, expanded borrower data, or items related to qualified-mortgage and ability-to-pay rules

Banks and their boards can begin to prepare for the changes by discussing the following questions:

  • How do we currently collect HMDA data?
  • Can our existing staff collect and record the required data values?
  • What steps are the developers of the mortgage application or underwriting system that we use taking to prepare for the changes?
  • Do individuals responsible for potentially newly covered areas such as HELOCs and reverse mortgages have sufficient experience with the HMDA?
  • Have we conducted data reviews to confirm accurate recording of HMDA data?
  • Are we prepared for the potential implications of the new data disclosures? Regulators, consumer rights organizations, advocacy groups, competitors, and others will be looking at HMDA data.

Raising the Ante on Compliance
Compliance with fair lending regulations requires a greater focus on data integrity and the ability to manage statistical models than in prior years. Lenders that have not yet made the investment in internal and external resources to handle the new, expanded and increasingly sophisticated tasks need to consider steps to remain competitive in a challenging marketplace.

The CFPB: How It Impacts Your Bank

Created by the Dodd-Frank Act in 2010, the Consumer Financial Protection Bureau (CFPB) represented a seismic shift in federal regulation of the financial sector, an entirely new federal agency created just to protect consumers dealing with financial products. Coming along in the wake of the financial crisis, the CFPB’s mission was to provide a level of protection for individuals in the marketplace that critics felt was missing. The primary banking regulators, sometimes known as prudential regulators, such as the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, focus on the overall health of the banking industry and the safety and soundness of the financial institutions they regulate. The Dodd-Frank Act moved enforcement of several laws that dealt with consumer protection out of the hands of those agencies and into the hands of the CFPB. Those laws include the Truth in Lending Act, the Truth in Savings Act, the Real Estate Settlement Procedures Act, the Home Mortgage Disclosure Act, the Equal Credit Opportunity Act and the Electronic Fund Transfer Act, among others.

“None of those [laws] are new,” says Jerry Blanchard, a bank attorney at Bryan Cave LLP in Atlanta. “Now, you have somebody applying them in a consistent fashion in banking.”

The CFPB also has the power to enact new regulations to ensure a more transparent and fair marketplace for consumers, and to ensure consumers have timely and understandable information to make responsible decisions about financial transactions. In short, the CFPB is now very much involved in regulating the world in which banks live.

It is also increasingly in the world in which nonbanks live. The CFPB began regulating a whole host of nonbanks that were thought to exist outside of a coherent regulatory system, including payday lenders, mortgage companies, consumer reporting agencies, student loan companies and debt collectors. This could be seen as a positive development for banks and thrifts, which often had to compete against players that were not regulated in the same way banks were.

For fiscal year 2015, the CFPB has a budget of $583 million and 1,796 employees, paid for out of the revenues of the Federal Reserve System. The biggest line item both in terms of employees and dollars spent is supervision and enforcement of financial institutions. For banks above $10 billion in assets, that means regular visits and exams conducted by an agency solely focused on consumer protection, which is a new experience for them. For banks below $10 billion in assets, they are not getting examined by the CFPB except in rare circumstances—that responsibility falls to their prudential regulator—but they are impacted by the rules and regulations promulgated by the CFPB.

For instance, the agency finalized a new set of mortgage servicing rules that went into effect in January 2014 impacting any institution that services a mortgage. The CFPB is very focused on mortgage servicing. “It doesn’t matter what size of bank you are,’’ says Blanchard. “If you do a lot of mortgage servicing, you will be dealing with the CFPB.”

The agency implemented a new ability-to-repay mortgage rule and a qualified mortgage standard in January 2014 that some community banks said would negatively impact customers who don’t fit into the standard check-the-box underwriting model for a 15-year or 30-year mortgage. Banks can still offer mortgages outside of the qualified mortgage standard, but they have to keep those mortgages on their books. There also has been concern that offering mortgages outside of the qualified standard might expose the bank to more liability from lawsuits in the future. New rules have also impacted the way banks can pay bonuses to their loan officers. Violations of any of the rules promulgated by the CFPB can have dire consequences. Banks that already have been hit with fines in the millions of dollars or lawsuits include: U.S. Bank, Ally Bank, SunTrust Banks and American Express Centurion Bank.

One area in particular where banks are finding themselves in hot water is their use of outside vendors. “Banks are looking for more revenues,’’ Blanchard says. “The third party vendors show up saying, ‘We have ways to add a lot more money for you. We can sell these products for you.’” The CFPB, however, is holding banks responsible for the actions of their vendors, including the sale of credit card add-on products that consumers say they didn’t actually order. Some of those products might include identity theft protection or insurance. The bottom line for banks is they need to review and monitor vendors carefully to make sure they are complying with the bank’s and regulators’ expectations regarding consumers.

Some industry observers believe that the CFPB’s focus on consumers has impacted other banking regulators as well, making for tougher enforcement exams pertaining to consumer issues from the FDIC and the OCC. Prudential regulators such as the FDIC have been hitting banks with enforcement actions relating to consumer protection. One area to pay particular attention to in terms of consumer law is unfair or deceptive acts or practices (UDAP). The Federal Trade Commission previously enforced laws regarding UDAP, but Dodd-Frank gave enforcement authority to the CFPB in relation to financial institutions. The law has been expanded to include the term “abusive.” That sounds like a change for attorneys to argue about, but the significance for bank boards is that prudential regulators such as the FDIC are now hitting banks of all sizes with fines and enforcement actions regarding violations under this standard.

For banks that are not examined by the CFPB, the agency’s impact has hit them in a number of other ways. The agency houses a database of consumer complaints available online, so anyone can see, for example, how many complaints a particular bank received and for what general category of complaint, e.g., mortgages, debt collection, etc. The flow of consumer complaints to the agency has been increasing. During fiscal year 2014, it received 240,600 complaints. The agency lists each complaint once a company confirms a commercial relationship with that customer, and notes the company’s response and whether the consumer disputed that response. The CFPB itself can review those complaints and decide whether to investigate further and look for patterns for further investigations.

Attorneys have begun advising banks to keep a database of all complaints against the bank, including those delivered from customers directly to the bank. Banks should track complaints to their proper resolution, as well as look for patterns, to make sure the bank knows of any problems before the CFPB does. Each complaint needs to be taken seriously because you don’t know which one will get the attention of regulators, Blanchard says. Is a complaint alleging a violation of law or regulation? Or is it a matter that could be criminal? Some complaints could be very serious, and it’s important for the board to know the bank has a process in place to vet them and escalate them appropriately.

Understanding the CFPB and its impact on banking is important for any bank board these days. The CFPB has enhanced the level of scrutiny regarding treatment of consumers in the financial marketplace, and its actions and regulations are bound to impact your bank.

When The CFPB Is After You: How to Respond to Threatened Enforcement Actions

When the Consumer Financial Protection Bureau (CFPB) sends a letter to the board of directors, it is rarely good news. It often means the institution is facing a potential or actual enforcement action. Enforcement actions can unfold quickly. They typically require an institution to respond, at least on certain preliminary matters, within a matter of days.

The board of directors should be involved in the institution’s handling of virtually any threatened enforcement action. The CFPB, like the prudential regulators, holds an institution’s board of directors ultimately responsible for the institution’s conduct. Thus, it is in the board’s interest to provide direction and oversight throughout the enforcement process. Such an approach will help directors fulfill their regulatory obligations and assist in ensuring that the enforcement matter is handled appropriately.

In addressing a CFPB enforcement action, directors should bear in mind five key principles:

  1. Assemble a response team. It is important to develop a comprehensive and strategic approach to responding to the CFPB’s enforcement action. Ideally, an institution already has in place a plan that specifies the individuals responsible for coordinating the institution’s response. The response team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business and outside counsel. The team also may include, depending on the nature of the enforcement action, additional representatives, such as from human resources, information technology, finance or compliance.
  2. Inform the board and determine appropriate board involvement. Once the institution is notified of the contemplated enforcement action, a member of the response team should immediately alert the board’s audit committee chair, and in consultation with the audit committee chair, decide when and how to inform the remainder of the board. Although the entire board should be kept apprised and consulted, as necessary, throughout the enforcement process, the board often designates one or more directors as the primary contacts with management and their outside advisors as the institution develops its response strategy.
  3. Develop a coordinated short-term plan. CFPB enforcement actions often require immediate tactical decisions that can have long-term strategic implications. For example, an institution usually has only 20 days to decide whether to object formally to any provisions in a CFPB civil investigative demand. The institution should consult with legal counsel to weigh the benefits of filing such a petition against the possible risks, including the impact of such a filing on the institution’s interactions with the CFPB and the likelihood that the institution’s legal arguments will succeed.

    The bank also should determine whether any public disclosures are required—such as under the securities laws or customer notification laws—or whether any disclosures should be made to preserve relationships with business partners and customers and, if so, how these disclosures may be made in accordance with restrictions on the disclosure of confidential supervisory information. Such decisions must account for the fact that an enforcement action may create multiple areas of exposure, including follow-on private litigation, reputational harm, and customer relations issues. The board should be briefed on these disclosure obligations and ensure that the various disclosures are handled in a coordinated manner.
  4. Develop a longer-term strategy. While the institution likely will be required to make some decisions immediately, those decisions should be made in the context of the institution’s longer-term strategy. The development of this strategy should take into account such factors as the strength of the institution’s defenses, the magnitude of the institution’s exposure, factors affecting the institution (e.g., a possible acquisition), and whether the institution is likely to reach a better result through a cooperative approach (while still advancing the institution’s defenses) or by assuming a more aggressive stance. In all events, the board should understand what this strategy is and make sure management is informing the board of any major developments.
  5. Adopt long-term reforms. One of the best ways to avoid regulatory scrutiny and enforcement is to adopt lessons learned from past violations. At a minimum, the board should determine whether other areas present similar risks, review the adequacy of internal controls and compliance policies, and assess the frequency and thoroughness of management reports to the board.

An effective response to a CFPB enforcement action requires a coordinated strategic approach that is overseen and monitored by the institution’s board of directors. Bearing in mind these five key principles will help board members lead their institutions successfully through CFPB enforcement actions.

Consumers are Now Center Stage, Bank Attorneys Say

Nearly three years after the creation of the first ever regulatory agency just for consumers of financial products, the Consumer Financial Protection Bureau, or CFPB, has rewritten mortgage rules, targeted debt collectors, auto lenders, big banks and even for-profit colleges. It has been a busy few years. So how has the agency transformed the industry? We asked a panel of bank attorneys.

What has been the impact so far of the CFPB?

I would have to say that the biggest impact, at least from the perspective of community banks, has been the cloud of regulatory uncertainty that the CFPB has cast over those institutions, and the resulting impact on their bottom line. While community banks are not directly regulated by the CFPB, they are still subject to much of the same rulemaking by the agency as are the big money center banks. Even where community banks are specifically exempted from CFPB regulation, those regulations nonetheless tend to serve as standards or competitive baselines for smaller institutions. It is difficult, as a result, to anticipate the infrastructure and resources needed to stay ahead of the regulatory curve. As a result, community banks are forced to beef up their compliance departments, or outsource oversight of those responsibilities, creating disproportionately higher overhead for such banks as compared to larger institutions.

—Patrick S. Murphy, Godfrey Kahn, S.C.

One important impact CFPB has had thus far on the banking industry is the creation of a renewed fervor among the bank regulatory agencies in the area of consumer protection. Since the inception of CFPB after the enactment of Dodd-Frank, those in leadership positions at CFPB have noisily and frequently made it clear that the bureau believes consumers have been, and are currently being, taken advantage of by financial institutions, both bank and non-bank institutions. Given the preeminent position the CFPB holds in the consumer compliance regulatory arena, the other agencies (Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., the Federal Reserve, and the state regulators) understandably are following CFPB’s lead. Some effects on the banking industry of this heightened interest in consumer compliance include increased overhead costs, uneasiness about upcoming regulatory examinations, diversion of senior management attention from revenue generating activities, and degradation of the working relationship between bankers and field examiners.

—Michael G. Dailey, Dinsmore & Shohl LLP

In a word – UDAAP. The CFPB’s “gotcha” approach to exercise of its regulatory enforcement authority over unfair, deceptive, or abusive acts or practices (UDAAP) took many of our clients aback. As they try to develop new products and procedures designed to accommodate changing consumer preferences (for example, in connection with mobile services and prepaid cards), the chilling effect that the enforcement actions have had on those business units has been notable. Some bankers have gone back to the drawing board with current products while others have grown skittish about rolling out new offerings. At a time when the marketplace is demanding innovation, the CFPB’s UDAAP enforcement actions against major financial institutions have caused the mentality among some bankers to shift from “What shall we do next?” to “Are we next?”

—Jonathan Wegner, Baird Holm LLP

The CFPB’s biggest impact has not been through any regulations it has enacted, nor has it been through its own enforcement of consumer protection laws. No, its biggest impact has been indirect—by heightening the emphasis on consumer protection and leading to a dramatic increase in civil money penalty (CMP) actions by federal bank regulators for alleged unfair or deceptive acts or practices (UDAP). In 2013, the FDIC imposed CMPs against banks 89 times, 16 of which were for alleged UDAP violations. At 18 percent of all bank CMP actions, this is a near doubling from 2012 and three times the percentage in 2011. Expect these percentages to keep growing. Once bank regulators have identified an industry “problem,” they do not change course until the next flood, financial crash or other newsworthy event redirects their attention. And the CFPB has barely begun its own enforcement actions under the new unfair, deceptive, or abusive acts or practices law.

—John ReVeal, Bryan Cave LLP

It is always important to remember that the CFPB was established to be immune from regulatory capture by the industry, and the CFPB will be quick to tell you that it’s not about the bank, but about the consumer. For banks, the rule-writing, supervision, data gathering, and enforcement activity of the CFPB has elevated the status of consumer compliance within the hierarchy of concerns of senior management and boards. While issuing a range of new and complex rules, the CFPB has also emphasized third party oversight and principle-driven versus rule-driven compliance (think unfair, deceptive or abusive acts or practices, or UDAAP). Moreover, the CFPB has influenced the prudential supervisors in their oversight of community banks, where consumer compliance is also getting heightened attention.

—Cliff Stanford, Alston & Bird LLP

Regulators Go After Banks for Vendor Management

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators. A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.) Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

(Not the) Same as the Old Boss

While the message from the federal regulators has not varied over the years, recent actions by the various agencies indicate they are more likely to use enforcement as a means of guaranteeing compliance with their vendor management mandates. A detailed discussion of the cases listed below is beyond the scope of this article, but to a large degree each case focused on deceptive sales practices by third-party vendors while marketing a bank product:

  • CFPB: Discover Bank, $14 million civil penalty (September 2012)
  • OCC: American Express Bank, estimated $6 million in restitution (September 2012)
  • CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
  • CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)

Although neither the FDIC, OCC nor the CFPB provides community banks with an explicit exemption from the vendor management mandates, each set of rules does include a statement similar in content to that expressed in FIL-44-2008: “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.” For community banks that offer only traditional banking services, senior management and the board should use a common sense level of due diligence before, during and after a third-party relationship is commenced.

We Won’t Be Fooled Again

Bank management and boards of directors should not allow recent enforcement actions to deter their use of third-party vendors to provide critical functions. The economics supporting such outsourcing decisions certainly outweigh the risks posed by potential regulatory enforcement action. However, regulators have given notice that a failure to implement and follow vendor management protocols will no longer be tolerated, and boards and management bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.

They are Watching You: How to Handle Complaints

Since opening its doors in July 2011, the Consumer Financial Protection Bureau (CFPB) has gone the distance to make sure consumers of financial services know they can lodge complaints pertaining to a broad range of financial products and services. The CFPB receives complaints from consumers concerning credit cards, mortgages, bank accounts or services, private student loans, consumer loans, credit reporting, money transfers and debt collection for institutions of all sizes.

Regardless of the size of your institution, it is prudent to have a formal, fully functional process for receiving, escalating, analyzing and responding to consumer complaints. Meeting the expectations of regulators where consumer complaints are concerned not only shows the bureau your bank is responsive, but also serves as a way to champion the consumer experience and stand out from the crowd.

Complaint Handling from the Examiner’s Point of View

Regulatory Expectation: Consumer complaints and inquiries, regardless of where submitted, are appropriately recorded and categorized.

Depending on the overall size and complexity of your organization, this can be a serious challenge to structure and organize. Keep in mind the following as you determine what controls to build into the complaint intake and tracking workflow:

  1. What’s a complaint?
    Has your institution clearly defined what constitutes a complaint? Well managed and carefully analyzed complaint data provides the opportunity to make key revisions and/or enhancements to products and services, and demonstrate to your customers that you are listening.
  2. Complaint submission
    Consumers seeking to file a complaint should be allowed to do so through mail, email, or phone. Your organization will need to ensure that the infrastructure is in place to fully support all channels for complaint intake. All complaints, regardless of origin or point of submission, including verbal complaints, must be registered and assigned ownership and accountability for response and timely resolution.

As you address these considerations, apply the same thought process to third-party service providers that directly interact with your customers or support your company’s products and services.

Crossing Your T’s and Dotting Your I’s

Examiners will request and review records of recent consumer complaints against your institution from the prudential regulator, from state regulators, from state attorneys general offices or licensing and registration agencies, and from private or other industry sources. It will be essential that your policies and procedures for receiving, escalating and resolving consumer complaints and inquiries from all sources and points of submission are fully defined and clearly documented.

Regulatory Expectation: Complaints and inquiries, whether regarding the entity or its service providers, are addressed and resolved promptly.

To meet and exceed expectations for timely response to complaints, the process you establish for complaint intake should time stamp the complaint and establish an estimated timeline for response, as appropriate. Complaints differ, however, in severity and in the course of action required for response and resolution. Policies and procedures addressing timeliness of response should account for these differences.

Search and Scan

Regulatory Expectation: Complaints that raise legal issues involving potential consumer harm from unfair treatment or discrimination, or other regulatory compliance issues, are appropriately escalated.

Proactively scan your complaint database to identify complaints alleging deception, unfair treatment, unlawful discrimination, or other significant consumer injury. The list you build should be as comprehensive as possible. This will require dedicated task assignment and accountability for maintaining an effective surveillance process.

Complaints alleging discrimination or presenting an elevated legal risk must be escalated to specifically identified departments or individuals within your organization to ensure proper analysis and handling. If your institution maintains multiple customer support centers, enforce a uniform set of complaint escalation practices.

If It’s Broken, Fix It

Regulatory Expectation: Complaint data and individual cases drive adjustments to business practices and result in retrospective corrective action, as appropriate.

Of great interest to regulators is how actively your institution will monitor complaints to identify issues and trends that may require changes in products, procedures and/or training. Examiners will seek to review whether internal evaluations of consumer contacts are shared through regular reports to the board and senior management, and whether such information is used in modifying policies, procedures, training and monitoring.

With effective complaint handling processes firmly in place, you are then in a good position to ultimately drive change should it be determined that a weakness or defect in a product, procedure, system or employee training has been identified. You want to be able to demonstrate that appropriate corrective action resulted, based on efforts to understand the root cause of the issue leading to the complaint.

The Bottom Line

Based on the nature and/or number of complaints received, complaint-driven data is going to be one of the first points of review by regulators. The information could signal weaknesses in your institution’s compliance management system (CMS). Regulators will look for how proactively you manage complaints and demonstrate direct learning from an analysis of your complaint data. It also goes a long way in improving your relationship with your customers, perhaps the most important relationship you have.

What is the Worst Aspect of Dodd-Frank?

The Dodd-Frank Act is the most substantial piece of financial legislation since the Great Depression, and also one of the least popular among bankers. But not everyone agrees what part of Dodd-Frank should be thrown out the window or changed. Is it the Volcker Rule? The Durbin amendment? How about the Consumer Financial Protection Bureau? Bank Director asked a group of attorneys to answer that question.

If you could change one thing in the Dodd-Frank Act, what would it be?

I would not have established the Consumer Financial Protection Bureau (CFPB). It was not community financial institutions that initiated unfair, deceptive or abusive consumer practices, yet the trickle-down effect on smaller banks from enforcement endeavors against larger organizations will have a negative impact. Instead of punishing banks that did not cause the crisis with a brand new investigative arm of the government, what about focusing on the true troublemakers?

— Philip K. Smith, Gerrish McCreary Smith, PC

Title XIV of the Dodd-Frank Act has required the CFPB to substantially rewrite the substantive and procedural rules governing the U.S. residential mortgage system, including application, underwriting and servicing of home mortgage loans. As part of that statutory mandate, severe limitations were placed on the origination of mortgages, including the creation of so-called qualified mortgages and rules on loan originator compensation. To enforce those limitations, penalties were expanded for originators, servicers and assignees of mortgages—without a statute of limitations. The optimum change would be to modify these mortgage rules in a manner that would facilitate the availability of credit by lenders by providing greater flexibility in the types of loans permitted, as well as limiting the liability for originators and assignees for violations. Failure to do so may inhibit the availability of credit to the home mortgage segment.

— Joe Lynyak, Pillsbury Winthrop Shaw Pittman LLP

The Dodd-Frank Act pretends to eliminate so-called too big to fail while actually enshrining it (using different words) in federal statutory law. Worse, the Act expands the scope of potential bailouts to include nonbank financial companies. Title I of Dodd-Frank, which creates the Financial Stability Oversight Council, greatly multiplies the degree of moral hazard and creates structural incentives for institutions not currently large enough to be considered Systemically Important Financial Institutions (SIFIs) to expand so as to aspire to join that exclusive club. From a public policy viewpoint, this is simply awful. Adding yet another unwieldy federal bureaucracy—the Financial Stability Oversight Council—to the mix is also fundamentally misguided. Outright repeal of Title I would be a vast improvement. Secondly, while the creation of a federal agency devoted to consumer financial protection may have been inevitable, having a large bureaucracy with a broad and diffuse legislative mandate and virtually unlimited funding seems misguided. At a minimum, the CFPB should be made subject to congressional oversight and the appropriations process.

— Keith Fisher, Ballard Spahr LLP

That’s an easy one—the Volcker Rule! Hugely reactionary and draconian, the post-Depression idea that banks should be kept almost entirely out of proprietary trading and private fund investment is epic silliness. Since Gramm-Leach-Bliley, plenty of organizations handled their freedoms in these areas well. Instead, why not ban mortgage lending? There has to be a better way to address the perceived risks of the banned Volcker Rule activities. The risk to the economy created by the law (as well as the risk of further boggling the implementation of it) outweighs any possible benefit. Adopted more than three years ago and still waiting for final regulations (or better yet re-proposed regulations)—there’s a reason for that kind of delay—it’s a bad law!

— Mark Nuccio, Ropes & Gray LLP

I would add a provision that expressly permits the agencies to tailor the law, either by regulation or on an individual institution basis, to ensure the rules to which an institution will be subject are appropriate for that institution. Dodd-Frank is a very broad, sweeping law, and that necessarily will result in it having unintended consequences for some institutions. For example, should insurance companies and other nonbank-centric financial services firms that either are designated as non-bank SIFIs or that retain a reasonably small bank presence be subject to the same capital rules as bank-centric institutions?

— Gregory Lyons, Debevoise and Plimpton LLP

Regulatory Punch List of Top Priorities for Bank Directors

In today’s banking world, exams are tougher, the supervisory focus is on fairness to consumers, data is heavily scrutinized and consequences for failing to mitigate risks are more severe than ever. It is incumbent upon bank directors to stay in front of high risk areas and make sure their institutions can survive and thrive in this challenging environment. I put together my punch list of some of the top challenges I see facing the industry to provide guidance on where you will want to focus.

Get Serious about Complaint Management
The Consumer Financial Protection Bureau (CFPB) continues to amass an unprecedented public database of complaints against specific financial institutions. The CFPB’s complaint system is informing many of their decisions about whom to examine and how to regulate. In the face of this, banks should strive to improve their own internal complaint systems. You don’t want those complaints going to the bureau. You want them coming to the bank so you can solve them.

Be Extra Vigilant When Choosing and Managing Vendors
Regulators are looking more closely at the way banks choose and manage their vendors and are holding banks responsible for the faults of their vendors. In fact, recent enforcement actions from the CFPB resulted in a combined $101.5 million in fines plus $435 million in restitution for the financial firms based on flaws in the way the banks monitored their vendors. Additionally, the CFPB issued a bulletin in April 2012, with the message that banks are responsible for any faults of the vendors they work with.

Don’t Let the Ease of Social Media Make Things Difficult
In the social channel, which demands quick responses, an outsider may see what he perceives to be a run-of-the-mill consumer complaint and hastily respond in a way that causes more trouble. Be sure to monitor social media activity continually in real time.

Don’t Wait for Clarity from Regulators—Monitor, Test and Correct Fair Lending Issues Now
The recent OCC order that hit a bank for discriminating against white males may have taken some bankers off guard, and moved several to demand more clarity from regulators. But in this enforcement heavy environment, the best option is for banks to heavily monitor, test and correct, when necessary, all of their credit products now.

Solidify a Regulatory Reform Process
In our Regulatory & Risk Management Indicator survey in June, we asked bankers which regulatory concerns keep them up at night, and 46 percent said regulatory reform—referring to new rules stemming from the Dodd-Frank Act and the CFPB. Make sure your bank can address three primary questions relating to compliance programs:

  1. What are the laws and regulations you are subject to across all the jurisdictions in which you operate?
  2. Are you confident you are complying with all of these laws and regulations?
  3. Can you prove it to third parties (e.g., board members, investors, regulators and other stakeholders)?

Leverage Technology to Adjust to Onslaught of New Rules
Once upon a time, when a bank had an enforcement action or a significant deficiency, the first thing senior management used to say was: Where is our chief compliance officer? How did this happen? Now the question is going to be: Where is our chief technology officer? Why didn’t technology come up with the means to implement these changes in a more effective, efficient and compliant way? If technology and compliance aren’t talking to each other, they need to get together.

When it Comes to Auto Lending, Be in the Driver’s Seat
The CFPB is cracking down on interest rate markups that automobile dealers add to the cost of car loans. If they’re done in a discriminatory manner, then the bank is responsible. The CFPB recently released a bulletin that said lenders must enhance their oversight of auto dealers with which they do business after a recent investigation revealed disparities in interest rates charged to minority borrowers versus non-minorities. The bigger-picture problem for banks is that the regulatory scrutiny requires them to monitor the loans being made by all of the auto dealers they work with. That’s sometimes more than 1,000 dealers. The CFPB is hoping that lenders will voluntarily place compensation restrictions on dealers.

Watch out for UDAAP
The Dodd-Frank Act adds an “A” (which stands for abusive) to UDAP—turning the Federal Trade Commission’s provisions into “unfair, deceptive or abusive acts or practices.” A lot of it depends on the consumer’s ability to understand what is being presented to them. The gap between what is presented to customers and how they perceive what they get as well as its value is where the danger appears to lie. From the moment that a deposit or mortgage product or service is developed and the process begins, compliance folks have to have a seat at the table. I recommend that banks perform some testing to be sure the information being conveyed is perceived by the consumer the way it was meant to be. If there is a complaint, and that complaint goes to the bureau, the lender is going to have to be prepared to defend his ability to provide a product that was not unfair, that was not deceptive and certainly was not abusive.

Gear up for New Mortgage Rules
Several new mortgage rules are on their way from the CFPB. Among the new rules is the QM, or qualified mortgage (ability-to-pay) rule, a provision related to high-cost mortgages, a rule impacting loan officer compensation, new servicing standards, an escrow rule about impounding accounts and tax insurance, an appraisal disclosure rule and another appraisal guideline related to high-cost mortgages. Even now that the QM rule is final and going into effect in January, the industry still has to focus on the qualified residential mortgage (risk-retention rule) and its impact on mortgage lending and the secondary market. For much of the industry, setting up systems to comply with QM is a big concern. Also, we still must find out how all these different rules conflict with each other. It will certainly be a challenge.