The Latest Look at the “New CFPB”

CFPB-5-28-19.pngOn April 17, Consumer Financial Protection Bureau Director Kathleen Kraninger delivered her first policy speech at the Bipartisan Policy Center. She touched rule promulgation, supervision and enforcement, previewing of the tone and direction of the CFPB under her leadership.

Rule Pomulgation
One important concern for banks will be rule promulgation at the agency, or how the bureau proposes, enacts and enforces regulations. In the speech, Kraninger said that the bureau will release proposed rules to implement the Fair Debt Collection Practices Act in the coming weeks.

The promulgation of these rules has been in the CFPB’s pipeline since the Dodd-Frank Act transferred rulemaking authority related to the state exemptions under the Fair Debt Collection Practices Act to the bureau. We saw proposed rulemaking in 2013, followed by various pushes under the tenure of former Director Richard Cordray. Through these pushes in between 2011 and 2017, we learned that the CFPB’s efforts in the Fair Debt Collection Practices Act space were broad and, the industry argued, unduly burdensome on creditors. These efforts included rules to address litigation disclosures, information integrity and associated liability, time-barred debt and, possibly, first-party collector liability.

In contrast, Kraninger focused on how the new rules will provide clear, bright-line limits on the number of calls consumers may receive and how to communicate using newer technology such as email or text messages—issues the industry has sought guidance on. It will be interesting to contrast the proposed actions outlined under Cordray’s tenure to the rules issued under Kraninger.

As Kraninger made clear in her speech, “[b]ecause rules are general standards, they are not best articulated on a case-by-case basis through enforcement actions.” Rather, she said they should be developed through transparent rulemaking that allows stakeholders to submit comments and include “rigorous” economic and market analysis as well as judicial review.

In her speech, Kraninger reiterated that “supervision is the heart of this agency–particularly demonstrated by the percentage of our personnel and resources dedicated to conducting exams.”

Though she shares this sentiment with Cordray, she pointed out that “the bureau is not the only government regulator supervising any given entity” and that it must “ensure that we do not impose unmanageable burdens while performing our duties.”

This may be the clearest demarcation between the two directors. Cordray’s leadership did not seem to consider the “burden” of supervision experienced by a supervised entity; that regime was solely focused on consumer protection.

While the industry has yet to see a substantial shift in the approach to supervision, Kraninger’s remarks hint that we will see some relief as the CFPB considers its approach to exams. The agency could make changes in the prioritization and frequency of exams, the size of the exam teams, the number days spent on-site, the supporting systems and job aids, the time it takes to complete an exam and deliver a report and how the bureau empowers examiners to provide input on the process.

Kraninger also stated that “enforcement is an essential tool Congress gave the bureau,” another echo to Cordray’s leadership. However, she diverged by adding that “purposeful enforcement is about utilizing robust resources most effectively to focus on the right cases to reinforce clear rules of the road.”

Kraninger’s use of the phrase “clear rules of the road” is interesting. Justice Brett Kavanaugh, then on the U.S. Court of Appeals for the District of Columbia Circuit, used similar imagery when he criticized the lack of due process in the CFPB’s “regulation through enforcement” approach with regards to their PHH enforcement action.

“Imagine that a police officer tells a pedestrian that the pedestrian can lawfully cross the street at a certain place. The pedestrian carefully and precisely follows the officer’s direction. After the pedestrian arrives at the other side of the street, however, the officer hands the pedestrian a $1,000 jaywalking ticket. No one would seriously contend that the officer had acted fairly or in a manner consistent with basic due process in that situation,” he wrote in the 2016 decision for PHH Corp. v. CFPB. “Yet that’s precisely this case.”

While only time can tell, it appears that the industry can expect clear guidance and that rules that redefine industry standards will proceed related enforcement efforts.

The more activity from the “New CFPB,” the more observers will be able to gauge how it interacts with institutions. The shift occurring under the agency’s new leadership will most likely impact those companies that push regulatory boundaries. We continue to see a deep review of institutions’ core compliance management systems and associated controls. If your bank is wading into an unsettled regulatory area, you would best served in documenting the decision-making process, including considerations of the existing regulatory framework.

Do You Need an Anti-Money Laundering Dashboard?

1-9-15-Crowe.pngAnti-money laundering (AML) has been a focus of regulatory and enforcement activities for several years, and, with heightened concerns about the financing of terrorist organizations like Islamic State group, AML likely will continue to be the subject of close scrutiny. Merely establishing an AML program is not nearly enough—banks also must verify that their programs are operating effectively and efficiently. AML analytics dashboards can help bank directors and compliance officers do just that, acting as an early warning system when a program isn’t operating at desired levels.

An AML analytics dashboard is rapidly becoming a necessary tool for bank directors and compliance officers to take a proactive stance toward changes to their institutions’ AML risks and AML system and model performance. Banks can use AML analytics dashboards to improve the agility, efficiency and effectiveness of their AML programs and reduce the risk of fines and other government actions. In particular, dashboards can help banks to accomplish the following critical compliance activities.

  1. Monitor for and Raise Alerts About Risk Profile Changes
    A bank’s AML risks change in response to new regulations as well as to changes in customer base, product and service offerings, and money launderer and terrorist group behaviors. With the rapid pace of such changes, it’s no longer sufficient to examine an AML monitoring system annually—bank directors and compliance officers need the ability to view their AML risks on an ongoing basis.

    An AML analytics dashboard provides bank executives up-to-date information on the bank’s current risks in a format that is easy to digest and further analyze. By continually monitoring the firm’s AML risk indicators, executives can proactively alert management when an indicator reflects a significant change to a component of the bank’s risk profile. The dashboard then allows directors and compliance officers to examine the details of the change so they can determine what triggered it and take appropriate action to mitigate any increased AML risks. For example, an AML analytics dashboard can raise an alert if the number of customer wires to or from high-risk countries increases by a predetermined percentage within a certain period of time.

  2. Monitor AML System Performance
    Banks typically have multiple systems for AML monitoring and compliance, including transaction monitoring systems, customer due diligence and risk scoring systems, and sanctions screening systems. These systems sometimes fail due to technical issues or human errors. In addition, these systems must be periodically tuned and optimized to maintain their effectiveness.

    An AML analytics dashboard can monitor the health and performance indicators of these systems and alert bank directors and compliance managers when potential issues are identified. For example, a spike in suspicious activity alerts produced by a transaction monitoring system could indicate a system issue or an increase in money laundering activity. An AML analytics dashboard also can monitor and send notification about issues related to use of the system and compliance workflows—for example, if suspicious activity reports are not being filed in a timely fashion.

  3. Perform “What-If” Analyses for Changes to Systems, Programs, and Models
    When performing an optimization exercise on an AML system, or implementing a new system or monitoring rule, bank directors and compliance officers must know the cost implications in advance. An AML analytics dashboard allows management to examine the implications of implementing specific system configuration changes and to perform “what-if” analyses. This is particularly valuable when conducting model tuning exercises. For example, compliance managers can evaluate in real time the staffing impact of setting a threshold for an AML monitoring rule to a particular value as compared with an alternative value.
  4. Demonstrate AML Compliance and System Effectiveness
    AML monitoring systems and models must be validated and audited on a regular basis. Regulators will conduct periodic examinations to confirm that the AML systems have been properly configured and optimized to execute the bank’s AML processes. An AML analytics dashboard can be used as part of a conversation with auditors and regulators to demonstrate how the bank’s AML models, systems, and processes are performing in real time. It also can be used to demonstrate effective oversight of the bank’s AML models.

Act Now
Implementing an AML analytics dashboard can prove time-consuming, so banks without a dashboard should start gathering the requirements now so they can reap the benefits as soon as possible. Regulators likely will begin to expect banks to have these systems in place in the relatively near future, and bank directors who want to stay ahead of the curve will make implementation a priority.

When The CFPB Is After You: How to Respond to Threatened Enforcement Actions

4-30-14-covington.jpgWhen the Consumer Financial Protection Bureau (CFPB) sends a letter to the board of directors, it is rarely good news. It often means the institution is facing a potential or actual enforcement action. Enforcement actions can unfold quickly. They typically require an institution to respond, at least on certain preliminary matters, within a matter of days.

The board of directors should be involved in the institution’s handling of virtually any threatened enforcement action. The CFPB, like the prudential regulators, holds an institution’s board of directors ultimately responsible for the institution’s conduct. Thus, it is in the board’s interest to provide direction and oversight throughout the enforcement process. Such an approach will help directors fulfill their regulatory obligations and assist in ensuring that the enforcement matter is handled appropriately.

In addressing a CFPB enforcement action, directors should bear in mind five key principles:

  1. Assemble a response team. It is important to develop a comprehensive and strategic approach to responding to the CFPB’s enforcement action. Ideally, an institution already has in place a plan that specifies the individuals responsible for coordinating the institution’s response. The response team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business and outside counsel. The team also may include, depending on the nature of the enforcement action, additional representatives, such as from human resources, information technology, finance or compliance.
  2. Inform the board and determine appropriate board involvement. Once the institution is notified of the contemplated enforcement action, a member of the response team should immediately alert the board’s audit committee chair, and in consultation with the audit committee chair, decide when and how to inform the remainder of the board. Although the entire board should be kept apprised and consulted, as necessary, throughout the enforcement process, the board often designates one or more directors as the primary contacts with management and their outside advisors as the institution develops its response strategy.
  3. Develop a coordinated short-term plan. CFPB enforcement actions often require immediate tactical decisions that can have long-term strategic implications. For example, an institution usually has only 20 days to decide whether to object formally to any provisions in a CFPB civil investigative demand. The institution should consult with legal counsel to weigh the benefits of filing such a petition against the possible risks, including the impact of such a filing on the institution’s interactions with the CFPB and the likelihood that the institution’s legal arguments will succeed.

    The bank also should determine whether any public disclosures are required—such as under the securities laws or customer notification laws—or whether any disclosures should be made to preserve relationships with business partners and customers and, if so, how these disclosures may be made in accordance with restrictions on the disclosure of confidential supervisory information. Such decisions must account for the fact that an enforcement action may create multiple areas of exposure, including follow-on private litigation, reputational harm, and customer relations issues. The board should be briefed on these disclosure obligations and ensure that the various disclosures are handled in a coordinated manner.
  4. Develop a longer-term strategy. While the institution likely will be required to make some decisions immediately, those decisions should be made in the context of the institution’s longer-term strategy. The development of this strategy should take into account such factors as the strength of the institution’s defenses, the magnitude of the institution’s exposure, factors affecting the institution (e.g., a possible acquisition), and whether the institution is likely to reach a better result through a cooperative approach (while still advancing the institution’s defenses) or by assuming a more aggressive stance. In all events, the board should understand what this strategy is and make sure management is informing the board of any major developments.
  5. Adopt long-term reforms. One of the best ways to avoid regulatory scrutiny and enforcement is to adopt lessons learned from past violations. At a minimum, the board should determine whether other areas present similar risks, review the adequacy of internal controls and compliance policies, and assess the frequency and thoroughness of management reports to the board.

An effective response to a CFPB enforcement action requires a coordinated strategic approach that is overseen and monitored by the institution’s board of directors. Bearing in mind these five key principles will help board members lead their institutions successfully through CFPB enforcement actions.