What To Do To Prepare for a CFPB Examination


The Consumer Financial Protection Bureau’s exams are an open book test, but does your organization have the book? Obviously, there are subjective elements to every exam. But we do recommend doing your homework.

Read Up on What to Expect
The first document you need is entitled “Debt Collection Examination Procedures,” October 24, 2012, available on the CFPB website. There are a number of different ways to use the manual, but a critical task is to take each requirement in the manual and inventory all the ways your bank can answer: How can we prove that we are meeting this? What tangible evidence exists that we can put in front of an examiner?

The second document is the general CFPB Supervision and Examination Manual, from October 1, 2012. The full text is now over 900 pages long, so we recommend that banks start with the Risk Assessment Template. At a minimum, banks should consider two sections:

  • Risk Assessment Template: We recommend that companies use this as a means of seeing the organization as the CFPB will. Where are the risk areas for potential consumer harm and how are you mitigating those risks?
  • Part II.A. Compliance Management Systems (CMS): This covers the process used to identify regulatory changes, assess their impact on your organization, incorporate the changes into your regular processes and monitor compliance on an ongoing basis.

Catch Up on Current Events
It can be challenging to stay abreast of CFPB developments. We recommend that those responsible for managing the examination read up on as much public information as possible about what the CFPB has been doing, including:

  • The CFPB website often has speeches and Congressional testimony from its leadership. These are often a good source of information on what the CFPB is emphasizing and its areas of focus.
  • The CFPB publishes a document two to three times per year entitled “Supervisory Highlights,” which summarizes issues it has seen and actions it has taken during its routine examinations. The actions summarized here, presented anonymously, provide insight into common issues at regulated entities.
  • Websites from CFPB watchers: Several law firms maintain very good websites that track and comment on CFPB-related developments.

Get All Hands on Deck
Some organizations see regulatory exams as a legal matter, others as compliance. We recommend mustering all internal resources that can assist, regardless of their normal duties. In addition to legal and compliance, this could include internal audit and operations. It is important that the team that will participate in the examination is involved right from initial planning through final resolution. We have seen situations where upfront planning is handled by a single function, for example the legal department, and the actual examination is given to another department, say compliance. This can lead to a bad handoff, poor communication and other problems.

Clients sometimes ask us who should be available to work with the examiners. You want your “go to” people available. This may skip official reporting lines—oftentimes the nominal head of a function may not be the most knowledgeable about daily processing or issue resolution. It is in all participants’ interest to efficiently clear any preliminary issues raised during the examination.

Heal Thyself
Do you have the kind of organization where people can raise their hand when they see a problem, or is it the kind where bad news is suppressed? One of the authors of this article worked at a bank where quality metrics were a very large component of operations management’s performance evaluation, so operations management fought every issue that the internal Quality Assurance and Quality Control functions raised. Subsequently, the high quality metrics were overstated and the bank was surprised at the number and severity of issues raised by their regulator. Don’t underestimate the power of an executive sitting down with personnel a few levels below him or her and asking, “What do you think could burn us with the examiners coming in?”

Prepare Your People
Many of your organization’s resources participating in an examination are not individuals who routinely reach outside your organization. Few organizations would send a sales person out into the market to represent the company without preparation. However, we have observed an equivalent situation occur with unprepared resources having critical roles in examinations. Make sure that management prepares everyone who will participate.

While On Site
Anyone who has spent time as an auditor has experienced being put in dank, windowless basements. Have your organization treat the examiners as you would an important client who was coming in: have a welcome message in the lobby and have decent space for them. In short, they are human and, like all humans, are going to respond to any perceived disrespect.

Board Oversight of the Compliance Function: Coaching Fundamentals


Despite all that has been made of Dodd-Frank, the new Consumer Financial Protection Bureau, and the increased focus on consumer compliance throughout the banking industry, we think that the fundamental formula for effective board oversight of the compliance function has not materially changed. We encourage directors to take stock to make sure their bank’s program is adequate. In this season of great contests on the gridiron, we would emphasize that blocking and tackling—and defense generally—remain the keys to success in this area. Be a good coach and make sure that these fundamentals are practiced at your bank.

Bank Regulatory Expectations

We start with the black-letter guidance and then read between the lines based on our experience and judgment. Each of the prudential bank regulators has outlined its expectations for board oversight of the compliance function. Although it’s stated in various ways, the basic recipe for the “compliance management system” is this:

  1. Compliance program documents and reporting
  2. Compliance audit
  3. Board and management oversight

Think of board oversight as “coaching” and the rest as blocking and tackling.

Compliance Program Documents and Reporting

A successful compliance program has been and will continue to be based on an effective internal controls environment—your defense. The most important things a board can do here are to maintain effective policies and to expect excellence out of your management team. Designate a chief compliance officer like you would a starting quarterback. Every compliance examiner expects to see a body of current written policies and procedures, including a compliance program document, and strong compliance management leadership.

As is often said, policies establish “what” and procedures say “how.” It is probably not effective or appropriate for your average director to be involved in articulating how compliance gets done. On the other hand, policies should be reviewed at least annually, and the board should ensure that its committees—typically risk or audit—receive and digest reporting sufficient to describe the state of the compliance function. Are we staffed to keep up with changes in law? Is our training sufficient? What complaints do we generally receive? Do we need new or additional software or equipment? Perhaps most importantly, and the subject of our next discussion point, does evidence demonstrate that the program is working?

Compliance Audit

The regulators describe compliance audit as the means of testing the effectiveness of your compliance program. A related function is self-monitoring. The difference is generally in the level of independence and frequency of reviews. A robust compliance program will include regular self-reviews. Annual testing, either by your internal audit department or by a third party, is a required step, but it cannot take the place of ongoing review through internal monitoring and testing and a formal risk assessment process.

This conclusion has at least two justifications. First, self-monitoring (either by business units or compliance staff) generates real-time data useful to board and management oversight and is most likely to result in swift corrective action. Second, regulators typically “draft” behind compliance audit findings—that is, they make preliminary conclusions about the state of your program based on these reviews. While a genuine, independent and comprehensive compliance audit is an important aspect of a good system, it is preferable to go into these audits with confidence that your program is clean.

The Role of the Coach

While the compliance atmosphere has undoubtedly changed, a board that emphasizes the fundamentals—like a good coach—should succeed on every front. Take an active interest in your compliance management program and make sure it has what is necessary to get the job done.

Part III: Remediation – Compliance Lessons from the Construction Industry


Finding A Problem Is One Thing, Fixing It Is Another

Not long ago, I visited an institution we’ll call “Flub Financial.” Flub’s compliance team was knowledgeable and experienced. Their well-executed audit program employed savvy auditors whose comprehensive coverage allowed Flub to easily detect problems. So why did Flub find itself in a multi-million dollar enforcement action? The reason: Flub kept applying the same practices that had created the problems in the first place.

Management did little to correct the underlying issues. Worse, Flub’s directors exercised even less oversight because they assumed management took care of problems after the board was informed of deficiencies. Simply put, Flub failed to apply our third lesson from the construction industry: Maintenance and repairs are essential to preserving value.

Just as contractors are responsible for a well-built house, directors are accountable for ensuring the compliance program’s sound foundation, and overseeing its ability to detect deficiencies. Moreover, directors must ensure corrective actions are taken when weaknesses occur. Similar to preserving a house, an institution’s success depends on whether corrective actions are taken immediately.

Examiners, much like building inspectors, want to see things working properly. Has prompt action been taken to correct weaknesses noted in routine monitoring as well as during examinations? Do records show how problems were addressed with evidence of corrections made? Good answers to these questions are crucial, because without a proven methodology, deficiencies may turn into large cracks.

There are three main aspects to successfully implementing corrective action:

  1. Specifying and assigning corrective steps,
  2. Confirming the correction occurred, and
  3. Following up at appropriate intervals to ensure the correction’s effectiveness.

Specifying the Steps

To identify and assign corrective steps, the board must determine who, what and how. Who will ensure correction happens? What oversight and work steps are needed and what is the deadline for the correction? How will the assignee apprise the board of their results and how will the board monitor whether the correction worked, or if problems still persist?

It’s essential for the board to assign corrective actions to executives who have the necessary accountability and proper authority, rather than to a department. For example, listing the lending department as responsible leaves it unclear who is accountable for doing the work and confirming it was completed. Avoid this mistake by listing specific job titles or individuals. The institution must be able to recreate the chain of events so the board can validate the process, and examiners can confirm that proper repairs were made.

Confirming the Correction

The responsible party should report to the board when the correction is complete. The board should have a regular and predictable interval for these reports with standard formatting. It’s a best practice to require that managers provide evidence of the correction—in other words—trust, but verify. The implementing manager should conduct preliminary validation of the correction, and demonstrate through actions and evidence that the problem is fixed. This action assures directors that management has resolved the issue, not just given it the appropriate lip service.

Follow-up Reviews

Follow-up reviews should be conducted by compliance personnel, after corrective measures are implemented, at the proper time. Reviews shouldn’t happen too soon because the board won’t be able to tell if the fix stuck. Often, a corrective measure validated within days after its application will seem to work beautifully. This is either because it worked, or because the change is fresh in the minds of staff and they haven’t had time to backslide into old ways.

A minimum interval of 90 days before verifying corrections allows enough time to gather trend and analytical information, and to see whether corrections withstood the test of time. Beware, however, of waiting too long. Problems may persist if the fix wasn’t properly applied at the outset. Imagine waiting a year before reviewing your fix, only to find that the wrong corrective actions were taken.

To recap, avoid these red flags of poor corrective action:

  • Failure to set specific correction standards
  • Failure to designate a single party ultimately responsible
  • Failure to confirm issues are resolved
  • Failure to keep records so when examiners ask how and why certain things were done, the action can be reconstructed and proved

Bottom line, it is simply not enough to have strong policies and procedures, even with a strong audit program that detects weaknesses. It’s crucial to have an equally strong protocol for swift and precise corrective actions. Just like preventive maintenance protects your home, a strong compliance program protects your institution’s value for the long term.

Part II: The Inspection Process – Compliance Lessons from the Construction Industry


In the first article of this series I compared the optimal compliance program to a well-built house. You may recall that the construction of a house and a sound compliance program share three key elements: the blueprint, foundation and framework. In this installment, we’ll talk about two more elements that compliance and construction have in common: inspections and maintenance. For the staff involved, this work can be painful to endure, but altogether necessary.

Just like a home inspection, a banking inspection ensures the safety and soundness of the structure. An overlooked mistake can spell a failed inspection, or worse, a structural collapse—and perhaps liability. Even after a passed inspection, periodic maintenance is required. Prompt detection, and swift and thorough remediation of the problem areas, can halt concerns before they worsen, thereby protecting your institution.

So how do you know whether your institution is ready to pass inspection? How do you determine whether you’re conducting the proper periodic maintenance check-ups and routines to keep your compliance programs as effective as possible? The answer is simple: By exercising proper oversight of these programs at the board level. This oversight is carried out by reviewing the right reports with the right content at the right times.

Boards of directors must ensure that they gather solid intelligence to carry out their fiduciary duties and make informed decisions. One way to do this is to demand high quality reports at predictable intervals. Reports that are flawed or delivered too infrequently may conceal weaknesses that should be addressed. Reports should occur at three basic intervals: monthly, quarterly, and annually.

Monthly Report

Monthly reports should focus on tactical execution, delivering performance data and metrics. These reports, typically delivered by the compliance team, should cover frontline activity and demonstrate whether the day-to-day work of compliance is being done on time and accurately. Monthly reporting should shine a bright light where weaknesses may exist, and should state the measures being taken to remedy the deficiencies. 

Quarterly Report

Quarterly reports should focus on trends and analytics that demonstrate whether risk exposures are increasing or decreasing. The quarterly report gives insight into how the compliance program is functioning over time. This report should contain information about regulatory trends, upcoming or changing rules and should consider the environmental and operating conditions that could affect the institution’s progress and performance.

These reports should also summarize the results of compliance monitoring activities that occurred during the quarter and which activities are planned in the quarter ahead. This data allows directors to conclude what, if any, internal events or changes will influence the institution. In general, these reports show the up-to-the-minute state of preparedness for exams and audits.

Annual Report

Finally, annual activities such as audits or reviews generate reports on the program’s effectiveness. This annual look-back reflects how well the institution kept its risk exposures to acceptable levels. These types of reports often opine on the overall capabilities of the executive team and compliance management group in carrying out their responsibilities. These reports take an independent look at the program to gauge its effectiveness, efficiency and performance over a historical period.

Indicators of Poor Reporting

Good intentions can nonetheless produce bad results if the content of reports is inadequate. When reviewing your institution’s reports, keep in mind these signs of flawed reporting:

  • Reports that are too long or too detailed. Key points cannot be extracted when the volume of information presented obscures the meaning. 
  • Reports that state only facts but provide no evaluative statements. The board needs to understand whether the data being presented is positive or negative.
  • Reports that fail to identify the root causes of weaknesses. Failure to identify the root cause delays implementing corrections. 
  • Reports that identify the root causes of deficiencies, but do not suggest appropriate corrective action. Solutions should be offered in reports. 
  • Reports that only emphasize weaknesses and ignore strengths. Focusing only on the negatives may inappropriately exaggerate the scope or materiality of an identified problem. 
  • Reports that do not reflect the materiality or severity of an issue. Treating every issue uniformly is a sign that perspective may be lacking.

Financial institution boards have a tough assignment: Overseeing the construction of a stable structure that can withstand not only regulatory scrutiny, but the storms of changing economic and regulatory conditions. Maintaining this structure after it’s built is equally daunting. It requires vigilance toward the review and interpretation of quality data, and applying that information to managing risks in an ever-changing climate. Proper reporting ensures proper maintenance of the compliance program, and a well-maintained program that can be clearly articulated to examiners is the key to passing future inspections. 

But, what if, during the inspection process, you realize that something has gone wrong? In the next article of this series I will go over the corrective steps and actions the board should take to repair the compliance program. 

With the New Focus on the Consumer, the Buck Stops (And Starts) with the Board


Forward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting, tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.

Board members can play a central role in the process of refocusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer. This concept is being led by the Consumer Financial Protection Bureau (CFPB), but has quickly been accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.

The Role of the CFPB

The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.

There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.

Culture Change

To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer-centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs. This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.

Compliance Management System

Expect change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system: board and management oversight, compliance program, compliance audit and the enterprise approach to responding to and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure it is capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and/or products. Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.

Consumer Risk Assessments

The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, policies, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.

Your systems need to be able to identify risks to both the bank AND to the consumer. In order to accomplish this, compliance can no longer operate in isolation. Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.

To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable.

So how do you achieve a culture of compliance, where all employees are held accountable for risk?

The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.

The Internal Auditor’s Role in Regulatory Compliance


The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.

1. QUALITY CONTROL

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee, such as a supervisor or other employee independent of the originator of the activity, review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.

2. COMPLIANCE AUDIT

The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.

The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Audits of the compliance function should be conducted less frequently than the quality control program; timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.

It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.