With the New Focus on the Consumer, the Buck Stops (And Starts) with the Board


stop-start.jpgForward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.

Board members can play a central role in the process of re-focusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer.  This concept is being led by the Consumer Financial Protection Bureau (CFPB), but quickly accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.

The Role of the CFPB

The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.

There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.

Culture Change

To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs.  This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.

Compliance Management System

Expect Change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system, including board and management oversight, compliance program, compliance audit and the enterprise approach to responding and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure they are capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and or products.  Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.

Consumer Risk Assessments

The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, polices, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.

Your systems need to be able to identify risks to both the bank AND to the consumer.  In order to accomplish this, compliance can no longer operate in isolation. Business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.

Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks. To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable. 

So how do you achieve a culture of compliance, where all employees are held accountable for risk?

The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.

Debate: How Will the CFPB Impact Banks?


As the Consumer Financial Protection Bureau gets underway, compiling data and taking complaints, there is still a large amount of uncertainty about the impact on banks. Although technically only supervising banks with more than $10 billion in assets, the ripple effect in this industry is what worries smaller banks. We asked legal experts in the field what they thought the most immediate effect would be for banks. Many lawyers believe the CFPB will impact banks in a big way, and may reduce lending and the availability of credit across the board. 

What is the most immediate effect that the Consumer Financial Protection Bureau will have on banks?

geiringer.jpgThe most immediate effect that the CFPB will have for banks over the $10 billion threshold is that their compliance examinations will now be conducted by an agency whose mission is based solely on consumer protection.  For banks under the $10-billion asset threshold, the primary potential impact is that the CFPB will promulgate consumer protection regulations for these smaller banks, even though it will not generally examine them.  This may create a disconnect in the CFPB’s understanding of smaller institutions and exacerbate the current one-size-fits-all compliance approach about which community banks have expressed concern.  In addition, all banks should be prepared to respond to postings on the CFPB’s website, which prominently invites the public to “submit a complaint” about their financial institutions.

—John Geiringer, Barack Ferrazzano Kirschbaum & Nagelberg LLP

charles_washburn.jpgBanks and other insured depository institutions with total assets of more than $10 billion and their affiliates are serving as guinea pigs as the CFPB develops its examination staff, standards and procedures. Banks that have gone or are currently going through CFPB compliance examinations have reported that the experience is very challenging. Accordingly, large banks need to double check the effectiveness of their compliance function before the CFPB comes calling.

—Chuck Washburn, Manatt, Phelps & Phillips, LLP

John-Gorman.jpgThe cost and compliance burden [of the new CFPB] will put a damper on consumer lending, but it will be more pronounced with respect to banks with assets in excess of $10 billion.  It is already happening.  Almost by necessity, the CFPB is taking or will take a one-size-fits-all approach to regulation, such that the problems associated with the worst and least regulated entities are presumed to be the industry norm, and all participants’ conduct will have to comport with a regulatory reaction that is based on the lowest common denominator.  When the CFPB issues rulemaking, the bank regulators, who will police the conduct of the under-$10-billion banks, will not want to be viewed as lax enforcers.  The cost and risk of lending will increase for all banks.  That will result is less lending.

– John Gorman, Luse Gorman Pomerenk & Schick, PC 

Mark-Chorazak.jpgWith uncertainty over how the Bureau’s approach to supervision and enforcement and its priorities will evolve during the next several years, an important task for banks, regardless of asset size, has been to establish good working relationships with Bureau staff. For larger banks with assets over $10 billion, such relationship building is critical in light of the Bureau’s exclusive examination authority and primary enforcement authority for compliance with federal consumer financial laws. However, smaller banks with assets of less than $10 billion also have an incentive to build a solid reputation with Bureau staff. Although it has no examination and enforcement authority over smaller banks, the Bureau may participate in examinations conducted by the prudential banking regulators (“on a sampling basis”), refer enforcement actions and require reports from these institutions.

—Mark Chorazak, Simpson Thacher & Bartlett LLP

Peter-Weinstock.jpgRegardless of whether the Consumer Financial Protection Bureau (“CFPB”) has supervisory authority over a financial institution or not, its presence, seemingly atop the regulatory pantheon, will mean increased costs on financial institutions and reduced availability of credit.  It is too early to say how the CFPB will maintain a balance between regulation and cost of compliance, on one hand, and availability of reasonably priced credit, on the other hand.  Recent indications do not look good for financial institutions or credit availability.  A classic example is the CFPB’s statements regarding unfair, deceptive, abusive acts and practices (UDAAP).  The CFPB has indicated that a financial institution needs to evaluate whether a proposed customer, such as an elderly customer, understands all of a product’s terms.  The consequences for financial institutions that are out of compliance with issues such as UDAAP are quite severe.  Financial institutions will err on the side of not making certain loans, rather than expose themselves to losses.

– Peter Weinstock, Hunton & Williams, LLP

John-ReVeal.jpgBanks with more than $10 billion in assets also are already undergoing CFPB compliance examinations.  Even those banks that believed they were fully prepared have been surprised by the scope and duration of these examinations.  The pre-examination information requests alone often exceed in scope what bankers would face in an entire examination cycle that included all aspects of compliance and safety and soundness. Banks with less than $10 billion [in assets] are not subject to the direct compliance examination authority of the CFPB, but will still incur significant costs.  First, the CFPB has the primary responsibility for developing and implementing new consumer protection regulations.  These costs will come in the future, but banks of all sizes will need to contend with these new regulations. 

—John ReVeal, Bryan Cave