Regulator Panel: Would You Sell These Products to Your Mom or Dad?


The shifting focus of regulators is indeed a concern for bankers and bank boards these days. The creation of the Consumer Financial Protection Bureau (CFPB) has impacted almost all banks and thrifts, not just the $10-billion-plus financial institutions that are subject to CFPB exams. The CFPB is publishing new rules monthly about topics such as fair lending, mortgage disclosures and even the interest rate banks can charge for residential loans. Plus, regulatory exams that end badly can have serious negative consequences for banks, so it’s a good idea to keep tabs on what regulators are thinking about your bank.

At Bank Director’s Bank Audit Committee Conference in Chicago last month, Deputy Comptroller Bert Otto in the central district in the Office of the Comptroller of the Currency (OCC) joined David Van Vickle, assistant regional director at the Federal Deposit Insurance Corp. (FDIC) and Molly Curl, bank regulatory national advisory partner at Grant Thornton LLP, in a discussion of what regulators are looking for in exams. John Geiringer, a partner at law firm Barack Ferrazzano Kirschbaum & Nagelberg LLP, moderated the discussion.

Otto said strategic risk is one of the things his office is most worried about right now. Banks are focused on improving earnings, but he would like bank boards to look at the risk involved in their strategic plan and any new products or services offered by the bank.

He said regulators are focused on risk: What are the bank’s risks and is the bank leadership identifying them? “The focus of all the regulators going forward, at least at the OCC, is really risk on a forward-looking basis,” he said.

Van Vickle agreed that this is a focus for his agency as well. Examiners are asking: What is the bank’s tolerance for risk? What are the key indicators of risk? In terms of mitigating risk, Curl said banks should have a full risk profile with risks rated from highest to lowest, and a plan for how to mitigate those risks. The risk line of defense then involves the compliance department, as well as internal audit, which will review at least annually the internal controls to see if policies and procedures are being followed. A bank can opt for yet another line of defense: an outside firm to review the bank’s risk profile and procedures for mitigating risk.

Banks frequently use outside vendors of various sorts, but they can actually be a source of risk as well. Note recent news about the CFPB crackdown on Minneapolis-based U.S. Bancorp over subprime auto loans to military service members, which were provided to U.S. Bancorp through a vendor. Van Vickle, speaking in general and not about U.S. Bancorp, said:  “We will hold the bank responsible for a lot of what those service providers are saying, if they are approaching customers and making promises and not making appropriate disclosures.”

Compliance risk can also hinder acquisition plans, as it did in M&T Bank Corp.’s purchase of Hudson City Bancorp this year, when regulators delayed the closing date of the sale amid questions about M&T’s compliance with anti-money laundering rules. The Bank Secrecy Act (BSA) and anti-money laundering laws are now more significant in regulatory exams than in years past because a bank’s  compliance track record now impacts its safety and soundness rating, Curl said.

“BSA should be a critical element to any products you roll out,” Geiringer said. “It used to be the compliance officer came in at the end, and was Dr. No.” Nowadays, the compliance officer should be involved in the beginning of the process of rolling out new services and products, he said. Consumer compliance is a new focus of regulation, Geiringer said. The Dodd-Frank Act expanded consumer law in the form of UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) to include the term “abusive.” Ask yourself: Would you sell the bank’s products to your mom or dad? Does your bank board set the right tone in reacting to compliance issues? If new regulations are mentioned at a board meeting, do you roll your eyes? How does that impact management if they see board members doing that?

There has been a shift in banking regulation and it’s worth paying attention to. The regulatory panel at the audit conference made that clear. 

No More Balloon-Payment Mortgages? No Problem


Editor’s note: On May 29, 2013, the Consumer Financial Protection Bureau amended its new rule to delay implementation of the balloon payment injunction for two years for small lenders with less than $2 billion in assets who make fewer than 500 first-lien mortgages per year. The delay lasts for two years after the implementation date of January, 2014.

Among the many sea changes within the Consumer Financial Protection Bureau’s new mortgage regulations, the rules’ harsh view of the balloon-payment loan is among the most disappointing for community banks. The CFPB clearly does not like these loans and has taken a major swing at them. Beginning in 2014, creditors will be prohibited under the Truth in Lending Act from making covered loans absent a good faith review of the borrower’s repayment ability. The risks of non-compliance with this rule are grave and include a defense in foreclosure that essentially has no statute of limitations. So-called “qualified mortgages” will enjoy a presumption of compliance with this new Ability-to-Repay (ATR) standard, but balloon notes are not generally favored.  Here is a five-step roadmap for coping with these new restrictions.

First, assess the damage. Start by determining how many of your existing loans are within the scope of these rules. Be careful to separate true consumer loans from others. It bears emphasizing that commercial-purpose balloons are not covered, in most cases even if they are secured by the borrower’s principal dwelling. On the other hand, there is no general small creditor exemption for covered transactions. And while the rules do not apply to home equity lines of credit, they do apply to closed-end home equity loans so long as they are secured by a dwelling and constitute consumer credit.

Of course, your bank may be among the few small creditors that will qualify to make “rural balloon-payment qualified mortgages.” If so, even these loans will need to have at least 5-year terms. Under the general ATR rule, loans may include a balloon payment, but consumers must be deemed capable of making any balloon payment due within the first 5 years of a loan (or at any time during the loan if it is higher-priced). 

Second, expect ALCO excellence. For creditors, the demise of balloons under these new rules is primarily an interest rate risk (IRR) story. Short-term balloon loans are popular because they are a simple means of managing IRR. The CFPB acknowledged as much but believes only a limited class of rural creditors should be encouraged to continue making such loans, notwithstanding evidence that consumers understand and like them. Thus, your bank’s asset/liability management committee (ALCO) or other IRR management body should be springing into action right now if balloons are a material part of your portfolio. Among other things, the effective date of these new rules—January 10, 2014—should be circled on the ALCO’s calendar; laid over existing internal policies, procedures, and limits; and entered into IRR models and simulations. 

Third, renew or modify certain loans. Depending on what strategies emerge from your ALCO’s deliberation, you may end up trying to renew or modify a certain number of existing mortgages before the new rules take effect. This is because, while existing balloon mortgages are not covered by the new origination rules, their renewal could be. To understand this, fast-forward to 2014:  the CFPB has specifically noted that “any change to an existing loan that is not treated as a refinancing” under the Truth in Lending Act is not subject to its new ATR restrictions. This means that, even in 2014, you might be able to modify certain loans and retain their balloon-payment features.  The viability of this prospect turns on whether, under applicable state law, the existing obligation has been merely amended or, rather, “satisfied and replaced” by a new one. There has long been variability under state law on this issue.     

One thing that is clear under the new rules is that existing balloons will not qualify for the “non-standard mortgage” refinancing exemption from the general ATR requirements. This Dodd-Frank concept exempts creditors from the strict new ATR underwriting requirements when they are refinancing borrowers into conventional mortgages from certain existing loans that pose a risk of “payment shock” (e.g., certain adjustable-rate loans). The CFPB concluded that balloon mortgages do not pose the sort of risk targeted by this exemption and thus will not qualify to be “streamline” refinanced this way. 

Fourth, ramp up to make ARMs. To compete in 2014 and beyond, creditors may need to offer some form of adjustable-rate mortgage (ARM). This obviously presents a challenge if ARMs are new to your organization. Even the CFPB has acknowledged that many creditors would prefer to offer balloons as a means of managing interest rate risk “without having to undertake the compliance burdens involved in administering adjustable rate mortgages over time.” In 2014, these burdens will include not only new underwriting mandates but also a new rate adjustment notice (under the CFPB’s new servicing rules). It will also be important that loan officers understand ARMs well enough to describe them to consumers.   

Fifth, and finally, demand help from your systems vendors. These service providers can not only walk you through add-ons and modules that will help you comply with the new rules, but they can also help train your loan officers and underwriters. While more complicated than balloons, ARM loans are conducive to a variety of systems solutions. These tools should put you well on your way to making a smooth transition away from balloons. 

Conclusion

The CFPB’s sweeping mortgage reforms will have a major impact on product terms and offerings. Given the CFPB’s stated views, don’t expect further regulatory relief for balloon-payment mortgages. With proper planning, however, your institution should be ready to live without them and to distinguish yourself in the crowded mortgage marketplace on efficiency and customer service.

Pay Attention: Final Rules on Loan Originator Compensation


January, 2013, was a watershed month for mortgage standards after the Consumer Financial Protection Bureau released the long-awaited final rules on ability to repay, qualified mortgages, mortgage servicing, and appraisal requirements.  Each of these rules promises to keep compliance gurus busy throughout this year and into 2014.

January also heralded another Dodd-Frank final rule of great interest to senior management, boards of directors, and certainly to the frontline, revenue producing, mortgage loan personnel – the mortgage loan originator compensation requirements.

The new compensation rules are potential bottom line changers both for mortgage loan officers/originators and financial institutions themselves—making it imperative that financial institution management and boards of directors move this topic to the top of their to-do lists.

In the aftermath of the mortgage market meltdown, politicians and pundits, and the federal regulators who answer to them, became increasingly focused on the role that loan officers and originators play in the consumer mortgage loan process.  Prior to the meltdown, training and qualification standards for loan originators varied widely within the industry.  Furthermore, compensation programs evolved to incentivize loan officers and originators to lead consumers into more expensive loans.  With Title XIV of the Dodd-Frank Act and the compensation final rules, the consumer protectors set out to end these practices.

What’s Not OK
The rules on compensation prohibit a loan officer/originator from being compensated based on any “term of the transaction” or any proxy for a term of the transaction.  This is not new; this prohibition has been part of Regulation Z since 2011.  The final rule now defines “term of the transaction” but leaves some uncertainty.

A term of the transaction is “any right or obligation of the parties to the credit transaction.”  What does this mean?  The commentary to the final rule answers that question by including descriptions of items the CFPB believes are “terms of the transaction.”  Those items include (see final rule commentary for full list):

  • interest rate
  • prepayment penalty
  • whether a product or service is purchased (e.g., lender’s title policy)
  • fees or charges requiring a good faith estimate and/or HUD-1 disclosure statement (and future Truth-in-Lending Act/Real Estate Settlement Procedures Act combined disclosure)
  • points, discount points
  • document fees; origination fees

What’s OK
CFPB acknowledges the compensation restrictions could create uncertainty for regulated institutions.  To allay this uncertainty, the final rule commentary provides a list of examples of permissible compensation mechanisms, which includes (see final rule commentary for full list):

  • originator’s overall loan volume
  • loan performance over time
  • whether the customer is existing or new
  • quality/condition of loan files
  • percentage of applications resulting in closed loans

Under the final rules, financial institutions are permitted to continue paying mortgage loan officers/originators bonus compensation.  However, bonuses will be subject to some restrictions.  Bonuses may not be based on the terms of the individual loan officer/originator’s transactions, and bonus compensation cannot exceed 10 percent of the individual loan officer/originator’s total compensation for the relevant period.

Looking Forward: Best Practices
The new compensation rules and the other residential mortgage related rules go into effect in January, 2014. Examination teams, armed with new exam procedures, will be descending on banks to test for compliance.  Below are a few best practice steps bank managers and boards of directors may take to be prepared.

  1. Ensure consumer compliance teams are trained on the new rules.  Modify consumer compliance audit/review procedures to ensure new rules are appropriately tested.
  2. Ensure mortgage lending management teams and loan officers/originators are trained on the new rules.
  3. Review existing loan officer/originator compensation programs, policies and practices to determine level of compliance; adjust programs and practices accordingly.
  4. Review existing employment, service, and management agreements and other documents relating to residential mortgage lending to determine if problematic provisions exist; amend agreements as necessary.
  5. Assign appropriate personnel to monitor release of guidance from CFPB and other federal regulatory agencies; review new examination procedures when available.
  6. Have management report to board of directors, or appropriate committee, on progress toward compliance.

There is Still More
The compensation final rules address several other important topics, including dual compensation, payment of upfront points/fees, loan originator qualifications, and mandatory arbitration provisions.  These topics are important for all participants in the mortgage lending arena, and you are encouraged to review them.

Boards Must Address New Standards for Consumer Products


The unfair, deceptive or abusive acts or practices standard (UDAAP) is one of the most talked about compliance issues today. The Dodd-Frank Act added the word “abusive” to what was forbidden under the law previously, expanding the scope of what constituted a UDAAP violation. All banking regulators are now charged with enforcing a new standard in consumer protection. This renewed focus on UDAAP has created an especially heightened regulatory concern for banks and other financial institutions governed by the Consumer Financial Protection Bureau (CFPB), particularly due to the lack of certainty behind how the term “abusive” will be interpreted. Given the heavy fines issued by the CFPB in 2012 and high profile settlements, directors will want to take inventory of their UDAAP compliance program and evaluate how each product and service is impacting the consumer. Here are a few recommendations.

Promote a Culture Shift to Focus on Risk to the Consumer
In this new consumer-centric supervisory context, in addition to evaluating the traditional risk to the institution if a compliance violation occurs, banks must also focus on the inherent risk to the consumer for any given process or product. This is a major shift in how institutions are being asked to examine risk and essentially creates a new risk discipline. Board members can lead the charge by making sure that any adverse impact on the consumer is evaluated right alongside traditional risk disciplines.

Set the Tone
Like all things related to regulatory risk and compliance, the best practice for creating a UDAAP-conscious organization is to establish the tone for compliance at the top. Financial institutions are well advised to review what is being communicated downward through various means, particularly in the form of policies, procedures and training materials. The key to establishing an effective UDAAP compliance program within the framework of your compliance management program is having strong controls. The CFPB prescribes the following four interdependent control components:

  • Board and Management Oversight
  • Formal Compliance Program (i.e., policies and procedures; training; and monitoring corrective action)
  • Response to Consumer Complaints
  • Compliance Audit

Ask the Questions
In applying practical thinking to managing UDAAP compliance risk and considering the high-risk areas, ask your senior management, does our compliance management system:

  • Establish compliance responsibility and accountability for UDAAP compliance at all levels of the organization?
  • Communicate to all employees their responsibility for compliance with UDAAP through training and regular compliance updates?
  • Ensure that UDAAP requirements are incorporated into the everyday business processes, as well as the procedures followed by contractors and third-party service providers?
  • Review operations for compliance with UDAAP requirements?
  • Require corrective action when non-compliance or a potential weakness is identified?

Evaluate Fairness and Transparency throughout the Product Lifecycle
Banks should always strive for fairness and transparency when communicating product features, terms and costs to customers, and apply the same standard in the delivery, support and servicing of all products. Consider the full extent of the product lifecycle when assessing your UDAAP compliance risks. High risk areas to focus on are:

  • Advertising and Solicitations
  • Loan and Account Disclosures
  • Servicing and Collections
  • Third-Party Service Provider Oversight

In all aspects of the product lifecycle, stress absolute transparency and hold each business line and product group accountable for continuously reviewing technical accuracy, alignment to actual practices, and clarity and ease of understanding from the consumer’s point-of-view.  

Manage Consumer Complaints
With the CFPB actively soliciting complaints from consumers and using that data to support their supervisory activities, you need to take a close look at your complaint data management and response processes. Particular attention should be paid to:

  • Your definition of a complaint
  • How complaints are categorized and classified internally
  • How they are routed for analysis of root cause, formal response, and ultimate resolution  

An effective complaint management system must be able to receive and process complaints from all sources, ranging from complaints issued directly to the bank to complaints from external sources such as regulators, attorneys, the Better Business Bureau, consumer protection groups, web-based sources and social networking media. Complaints, while often troubling, are an opportunity to detect and address UDAAP issues such as false or misleading statements, inaccuracies in disclosures, and excessive and/or previously undisclosed fees.  Keep in mind that third-party service providers performing services on behalf of your organization should have conforming processes in place to receive complaints that mirror your own complaint handling processes.

If you have not already taken a hard look at where your organization stands with respect to UDAAP, the time for action is now. 

With the New Focus on the Consumer, the Buck Stops (And Starts) with the Board


Forward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting, tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.

Board members can play a central role in the process of re-focusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer.  This concept is being led by the Consumer Financial Protection Bureau (CFPB), but quickly accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.

The Role of the CFPB

The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.

There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.

Culture Change

To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs.  This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.

Compliance Management System

Expect Change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system, including board and management oversight, compliance program, compliance audit and the enterprise approach to responding and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure they are capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and/or products.  Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.

Consumer Risk Assessments

The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, policies, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.

Your systems need to be able to identify risks to both the bank AND to the consumer.  In order to accomplish this, compliance can no longer operate in isolation. Business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.

Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks. To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable. 

So how do you achieve a culture of compliance, where all employees are held accountable for risk?

The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.

Debate: How Will the CFPB Impact Banks?


As the Consumer Financial Protection Bureau gets underway, compiling data and taking complaints, there is still a large amount of uncertainty about the impact on banks. Although technically only supervising banks with more than $10 billion in assets, the ripple effect in this industry is what worries smaller banks. We asked legal experts in the field what they thought the most immediate effect would be for banks. Many lawyers believe the CFPB will impact banks in a big way, and may reduce lending and the availability of credit across the board. 

What is the most immediate effect that the Consumer Financial Protection Bureau will have on banks?

The most immediate effect that the CFPB will have for banks over the $10 billion threshold is that their compliance examinations will now be conducted by an agency whose mission is based solely on consumer protection.  For banks under the $10-billion asset threshold, the primary potential impact is that the CFPB will promulgate consumer protection regulations for these smaller banks, even though it will not generally examine them.  This may create a disconnect in the CFPB’s understanding of smaller institutions and exacerbate the current one-size-fits-all compliance approach about which community banks have expressed concern.  In addition, all banks should be prepared to respond to postings on the CFPB’s website, which prominently invites the public to “submit a complaint” about their financial institutions.

—John Geiringer, Barack Ferrazzano Kirschbaum & Nagelberg LLP

Banks and other insured depository institutions with total assets of more than $10 billion and their affiliates are serving as guinea pigs as the CFPB develops its examination staff, standards and procedures. Banks that have gone or are currently going through CFPB compliance examinations have reported that the experience is very challenging. Accordingly, large banks need to double check the effectiveness of their compliance function before the CFPB comes calling.

—Chuck Washburn, Manatt, Phelps & Phillips, LLP

The cost and compliance burden [of the new CFPB] will put a damper on consumer lending, but it will be more pronounced with respect to banks with assets in excess of $10 billion.  It is already happening.  Almost by necessity, the CFPB is taking or will take a one-size-fits-all approach to regulation, such that the problems associated with the worst and least regulated entities are presumed to be the industry norm, and all participants’ conduct will have to comport with a regulatory reaction that is based on the lowest common denominator.  When the CFPB issues rulemaking, the bank regulators, who will police the conduct of the under-$10-billion banks, will not want to be viewed as lax enforcers.  The cost and risk of lending will increase for all banks.  That will result in less lending.

– John Gorman, Luse Gorman Pomerenk & Schick, PC 

With uncertainty over how the Bureau’s approach to supervision and enforcement and its priorities will evolve during the next several years, an important task for banks, regardless of asset size, has been to establish good working relationships with Bureau staff. For larger banks with assets over $10 billion, such relationship building is critical in light of the Bureau’s exclusive examination authority and primary enforcement authority for compliance with federal consumer financial laws. However, smaller banks with assets of less than $10 billion also have an incentive to build a solid reputation with Bureau staff. Although it has no examination and enforcement authority over smaller banks, the Bureau may participate in examinations conducted by the prudential banking regulators (“on a sampling basis”), refer enforcement actions and require reports from these institutions.

—Mark Chorazak, Simpson Thacher & Bartlett LLP

Regardless of whether the Consumer Financial Protection Bureau (“CFPB”) has supervisory authority over a financial institution or not, its presence, seemingly atop the regulatory pantheon, will mean increased costs on financial institutions and reduced availability of credit.  It is too early to say how the CFPB will maintain a balance between regulation and cost of compliance, on one hand, and availability of reasonably priced credit, on the other hand.  Recent indications do not look good for financial institutions or credit availability.  A classic example is the CFPB’s statements regarding unfair, deceptive, abusive acts and practices (UDAAP).  The CFPB has indicated that a financial institution needs to evaluate whether a proposed customer, such as an elderly customer, understands all of a product’s terms.  The consequences for financial institutions that are out of compliance with issues such as UDAAP are quite severe.  Financial institutions will err on the side of not making certain loans, rather than expose themselves to losses.

– Peter Weinstock, Hunton & Williams, LLP

Banks with more than $10 billion in assets also are already undergoing CFPB compliance examinations.  Even those banks that believed they were fully prepared have been surprised by the scope and duration of these examinations.  The pre-examination information requests alone often exceed in scope what bankers would face in an entire examination cycle that included all aspects of compliance and safety and soundness. Banks with less than $10 billion [in assets] are not subject to the direct compliance examination authority of the CFPB, but will still incur significant costs.  First, the CFPB has the primary responsibility for developing and implementing new consumer protection regulations.  These costs will come in the future, but banks of all sizes will need to contend with these new regulations.

—John ReVeal, Bryan Cave