What To Do To Prepare for a CFPB Examination


cfpb-12-28-15.pngThe Consumer Financial Protection Bureau’s exams are an open book text, but does your organization have the book? Obviously, there are subjective elements to every exam. But we do recommend doing your homework.

Read Up on What to Expect
The first document you need is entitled “Debt Collection Examination Procedures,” October 24, 2012, available on the CFPB website. There are a number of different ways to use the manual, but a critical task is to take each requirement in the manual and inventory all the ways your bank can answer: How can we prove that we are meeting this? What tangible evidence exists that we can put in front of an examiner?

The second document is the general CFPB Supervision and Examination Manual, from October 1, 2012. The full text is now over 900 pages long, so we recommend that banks start with the Risk Assessment Template. At a minimum, banks should consider two sections:

  • Risk Assessment Template: We recommend that companies use this as a means of seeing the organization as the CFPB will. Where are the risk areas for potential consumer harm and how are you mitigating those risks?
  • Part II.A. Compliance Management Systems (CMS): This covers the process used to identify regulatory changes, assess their impact on your organization, incorporate the changes into your regular processes and monitor compliance on an on-going basis.

Catch Up on Current Events
It can be challenging to stay abreast of CFPB developments: We recommend that those responsible for managing the examination read up on as much public information as possible about what the CFPB has been doing, including:

  • The CFPB website often has speeches and Congressional testimony from its leadership. This often is a good source of information on what the CFPB is emphasizing and their areas of focus.
  • The CFPB publishes a document two to three times per year entitled “Supervisory Highlights,” which summarizes issues they have seen and actions they have taken during their routine examinations. The actions summarized here and presented anonymously provide insight into common issues at regulated entities.
  • Websites from CFPB watchers: Several law firms maintain very good web sites that track and comment on CFPB related developments.

Get All Hands on Deck
Some organizations see regulatory exams as a legal matter, others as compliance. We recommend mustering all internal resources which can assist, regardless of their normal duties. In addition to legal and compliance, this could include internal audit and operations. It is important that the team that will participate in the examination is involved right from initial planning through final resolution. We have seen situations where upfront planning is handled by a single function, for example the legal department, and the actual examination is given to another department, say compliance. This can lead to a bad handoff, poor communication and other problems.

Clients sometime ask us who should be available to work with the examiners. You want your “go to” people available. This may skip official reporting lines—often times the nominal head of function may not be the most knowledgeable about daily processing or issue resolution. It is in all participants’ interest to efficiently clear any preliminary issues raised during the examination.

Heal Thyself
Do you have the kind of organization where people can raise their hand when they see a problem, or is it the kind where bad news is suppressed? One of the authors of this article worked at a bank where quality metrics where a very large component of operations management’s performance evaluation, so operations management fought every issue that the internal Quality Assurance and Quality Control functions raised. Subsequently, the high quality metrics were overstated and the bank was surprised at the number and severity of issues raised by their regulator. Don’t underestimate the power of an executive sitting down with personnel a few levels below him or her and asking, “What do you think could burn us with the examiners coming in?

Prepare Your People
Many of your organization’s resources participating in an examination are not individuals who routinely reach outside your organization. Few organizations would send a sales person out into the market to represent the company without preparation. However, we have observed an equivalent situation occur with unprepared resources have critical roles for examinations. Make sure that management prepares everyone who will participate.

While On Site
Anyone who has spent time as an auditor has experienced being put in dank, windowless basements. Have your organization treat the examiners like you would an important client that was coming in: have a welcome message in the lobby and have decent space for them. In short, they are human and like all humans are going to respond to any perceived disrespect.

Self Exam: Improve the Health of the Bank and its Standing with Regulators


reg-health.jpgDoctors recommend various self exams to catch disease early, so it can be treated before it’s too late. As it turns out, a self examination can be good for the health of a bank as well.  My colleagues and I recommend that our banking clients and friends undertake a regular self examination in order to identify potential internal and external challenges that the bank may face.  As discussed more thoroughly below, these self examinations can also be very helpful when the bank’s doctor (your friendly regulator) comes in for a check-up.

Enlist internal audit

To initiate the self examination, the audit committee of the bank’s board of directors should charge management with preparing a report that outlines the current and projected status of the bank’s key areas of risk.  Ideally, the bank’s internal audit function will take the lead in performing the examination and preparing the related report.  In order to maximize the value of this report, the audit committee should direct management to deliver the report at least 60 days prior to the bank’s next scheduled regulatory exam.  The self examination report, in its most basic form, should cover the areas that are the focus of the bank’s regulators:  CAMELS (capital, asset quality, management, earnings, liquidity and sensitivity to market risk).  The report should also address any key areas of risk identified by the directors.

Analyze your market

In addition to analyzing the typical CAMELS components and other areas of risk, a very important part of the self examination process is a market study.  The report should present facts, trends and projections related to the market area in order to define the opportunities and challenges being faced by the bank’s customers.  While many bank directors have a good feel for market trends, we have found that this data, when presented with specific facts and trends, can inform the board’s discussions of a variety of topics a great deal.  It can also provide the bank with support for dealing with its examiners, who conduct their own market analysis prior to each examination. 

Evaluate the bank

In the report, management should report on the current status of the various risk areas (for example, capital levels and levels of problem assets), comparisons to peers and steps being taken to improve the current status.  While it may be difficult for the officers of the bank to evaluate the bank’s management in the way that the bank’s examiners would, the management portion of the report should address the organizational chart of the bank to ensure that appropriate resources are allocated to each of the bank’s functions.  After reviewing the draft report, the audit committee can evaluate the need for further analysis before presenting the final report to the full board.  This report should give the audit committee, and eventually the full board, good perspective on the condition of the bank and the need for corrective actions.

Use self exam in multiple ways

The final self examination report should be clearly organized and comprehensive, though concise.  The report can be used to color a variety of discussions that the board may have in the normal course of overseeing the bank’s operations.  It can serve as the basis for strategic planning discussions in analyzing the opportunities in the bank’s market and the adequacy of the bank’s earnings.  It can also be a guide to more basic discussions, such as the pricing of deposits, based on the information related to the bank’s liquidity and opportunities for loan growth.  Essentially, the report provides a comprehensive guide to the current and projected health of the bank that the bank’s directors can use for a quick point of reference in making their decisions.

Prepare a presentation for regulators

In addition to business planning purposes, the self examination can be a key tool in preparing for a regulatory examination.  Using the results of the self examination, management should prepare a presentation for the examiners that highlights the bank’s key metrics, areas of progress and actions taken to address areas of concern.  The market analysis portion of the self examination can be a key component of this presentation.  While the bank’s examiners should be generally familiar with the bank’s market, they will not have the specific and direct perspective that the self examination report can provide.  Using this market data, the bank can provide factual, documented support for its projections and for any actions it is taking.  This presentation should be conveyed to the bank’s examiners at the initial meeting related to the exam, at which a representative of the board should be present.  By alerting the bank’s examiners to the focus of the board on the bank’s condition and the steps being taken to improve the bank’s condition, the bank increases the likelihood that the examiners will conclude that the board is performing its duties and that the bank’s internal controls are adequate.

The self examination report can be a very useful tool for bank directors.  At its best, it will provide a roadmap for making key strategic decisions.  In its most basic form, it documents the board’s focus on oversight of the bank.  While producing such a report will use management resources, much of the analysis that should be included in the report can be extracted from management’s ongoing reports to the board.  Producing and discussing the self examination report is a healthy exercise, and the bank’s examiners will agree.

Originally published on January 11, 2012.

Regulator Panel: Would You Sell These Products to Your Mom or Dad?


7-5-13_Naomi.pngThe shifting focus of regulators is indeed a concern for bankers and bank boards these days. The creation of the Consumer Financial Protection Bureau (CFPB) has impacted almost all banks and thrifts, not just the $10-billion-plus financial institutions that are subject to CFPB exams. The CFPB is publishing new rules monthly about topics such as fair lending, mortgage disclosures and even the interest rate banks can charge for residential loans. Plus, regulatory exams that end badly can have serious negative consequences for banks, so it’s a good idea to keep tabs of what regulators are thinking about your bank.

At Bank Director’s Bank Audit Committee Conference in Chicago last month, Deputy Comptroller Bert Otto in the central district in the Office of the Comptroller of the Currency (OCC) joined David Van Vickle, assistant regional director at the Federal Deposit Insurance Corp. (FDIC) and Molly Curl, bank regulatory national advisory partner at Grant Thornton LLP, in a discussion of what regulators are looking for in exams. John Geiringer, a partner at law firm Barack Ferrazzano Kirschbaum & Nagelberg LLP, moderated the discussion.

Otto said strategic risk is one of the things his office is most worried about right now. Banks are focused on improving earnings, but he would like bank boards to look at the risk involved in their strategic plan and any new products or services offered by the bank.

He said regulators are focused on risk: What are the bank’s risks and is the bank leadership identifying them? “The focus of all the regulators going forward, at least at the OCC, is really risk on a forward-looking basis,’’ he said.

Van Vickle agreed that this is a focus for his agency as well. Examiners are asking: What is the bank’s tolerance for risk? What are the key indicators of risk? In terms of mitigating risk, Curl said banks should have a full risk profile with risks rated from highest to lowest, and a plan for how to mitigate those risks. The risk line of defense then involves the compliance department, as well as internal audit, which will review at least annually the internal controls to see if policies and procedures are being followed. A bank can opt for yet another line of defense: an outside firm to review the bank’s risk profile and procedures for mitigating risk.

Banks frequently use outside vendors of various sorts, but they can actually be a source of risk as well. Note recent news about the CFPB crackdown on Minneapolis-based U.S. Bancorp over subprime auto loans to military service members, which were provided to U.S. Bancorp through a vendor. Van Vickle, speaking in general and not about U.S. Bancorp, said:  “We will hold the bank responsible for a lot of what those service providers are saying, if they are approaching customers and making promises and not making appropriate disclosures.”

Compliance risk can also hinder acquisition plans, as it did in M&T Bank Corp.’s purchase of Hudson City Bancorp this year, when regulators delayed the closing date of the sale amid questions about M&T’s compliance with anti-money laundering rules. The Bank Secrecy Act (BSA) and anti-money laundering laws are now more significant in regulatory exams than in years past because a bank’s  compliance track record now impacts its safety and soundness rating, Curl said.

“BSA should be a critical element to any products you roll out,’’ Geiringer said. “It used to be the compliance officer came in at the end, and was Dr. No.” Nowadays, the compliance officer should be involved in the beginning of the process of rolling out new services and products, he said. Consumer compliance is a new focus of regulation, Geiringer said. The Dodd-Frank Act expanded consumer law in the form of UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) to include the term “abusive.” Ask yourself: Would you sell the bank’s products to your mom or dad? Does your bank board set the right tone in reacting to compliance issues? If new regulations are mentioned at a board meeting, do you roll your eyes? How does that impact management if they see board members doing that?

There has been a shift in banking regulation and it’s worth paying attention to. The regulatory panel at the audit conference made that clear. 

Directors and the Exam Process: Get Involved Early


life-perserver.jpgMy colleagues and I frequently meet with bank boards that have received very sobering reports from their bank’s examiners.  While the directors’ responses to bad examination reports vary greatly, there is one emotion that is nearly universal: a feeling of helplessness.  As a result, directors almost always express a desire to get involved in the exam process after they receive negative feedback from the examiners, whether through requesting meetings with higher-level regulators, appealing the exam findings, or fighting a proposed enforcement action.  Unfortunately, those actions, particularly if taken after a final examination report is issued, seem to have little positive impact on the examination process and may even prove to be harmful to the bank.

The good news, however, is that there is a way for directors to get involved in the regulatory examination process that can have a meaningful positive impact.  Discussed below is our top recommendation for directors to be involved in the examination process.  We believe early, proactive involvement can positively impact the outcome of a regulatory examination and also enhance the board’s understanding of regulatory criticism.

While most directors’ first contact with examiners is at the examiners’ exit meeting with the board, we suggest director involvement earlier in the examination process.  There should be one or more outside directors present at the examiners’ preliminary exit meeting with management.  During this meeting, the examiners will present their preliminary findings from the examination.  In addition to highlighting the engagement and availability of the bank’s directors, attending this meeting allows the directors to understand the key issues in the examination.  By hearing the examiners deliver their findings first hand, the directors will have a better sense of the seriousness of the issues being identified.  Finally, directors will be able to ask questions of the examiners that might not be easily asked by members of management; e.g., asking for an interpretation of a regulation.

By attending this preliminary exit meeting, directors are also able to ensure that the bank’s board has a timely understanding of the issues presented by the examiners.  Members of the bank’s executive management team have a natural tendency to relay examination criticisms to the board through their own point of view.  Management may fear adverse action by the board as a result of regulatory criticisms or may feel so strongly about their point of view that they tend to “water down” the comments of the examiners.  By having outside directors attend the meeting, those directors can deliver an independent report of the regulatory criticisms to the board.

In addition, by identifying key regulatory issues, and particularly disagreements, bank directors have the greatest likelihood for influencing the examination process.  It is at this time, after preliminary findings are made but before a final examination report is delivered to the bank, that a bank and its directors should present additional information and viewpoints that might alter the findings in the final examination report.  We have found that examiners are willing to review additional information at this juncture and, where appropriate, the examiners will alter their conclusions in response to such information.  Ideally, such information is presented prior to the examiners’ exit meeting with the full board.  Our experience tells us that this approach is much more effective and timely than a formal appeal of final examination findings. 

By inserting themselves into the regulatory examination process, we believe directors can have a positive influence on the regulatory examination process.  While we would not recommend having the full board involved in functions that are typically left to management, having an independent point of view involved early in the examination process can be very helpful.  Not only can directors display their involvement in the oversight of the bank’s operations, they can also help with strategy for dealing with regulatory issues at a time when conclusions have not yet been formed.  Finally, directors can better understand regulatory feedback and can track management’s progress toward addressing regulatory concerns.

A Conversation with a Regulator: What Bank Directors Need to Know


bert-otto.jpgBert Otto has been deputy controller for the central district of the Office of the Comptroller of the Currency since 1997. He is responsible for oversight of 545 community banks and federal savings associations and manages a staff of 480 employees in Chicago. He has worked for the OCC since 1973 and has supervised examiners in Peoria, Illinois; Boston; Washington, D.C.; and Syracuse, New York.

What do directors need to know about the regulatory exam and when should they get involved?

The first thing they need to understand is the areas that will be reviewed. It’s kind of the game plan for the examination process for the year. The directors will get a clear understanding of the safety and soundness areas, if it’s CRA (Community Reinvestment Act), if it’s fair lending, they learn what areas will be reviewed.

A lot of times, we will ask the directors how they want to be involved in the exam process. A lot of times, we will meet with these directors at their businesses, to make it a little bit informal for them. They can talk about management and we can talk about our assessment of management, too. A lot of directors have taken us up on that.

A lot of times the directors will really share a lot about the community, the bank itself, what their feelings are about management, about the bank’s business model. It’s a good opportunity for them to pick our brains, too, as to what the current issues are. They can do that at a board meeting, too, but a lot of times we will offer to have our examiners come out and talk to them informally.

Another way to get involved is to sit in on a loan discussion. The loan discussion is such a key area of an exam, especially in community banks, that they will get a good understanding of what that’s all about, plus they can get a sense of how much the loan officers know, how they can respond to questions from the examiners and the knowledge they have about their borrowers.

What should bank directors do during the exam?

My suggestion is for a lot of the outside directors to stay plugged into the exam process. They typically run for a couple of weeks. The audit chairman clearly needs to know what is happening with the exam process. There is nothing wrong with a couple of audit committee members meeting with examiners, not every day, but at the end of the week, to stay plugged into what the issues are.

What common mistakes do you see bank directors making?

A lot of times they will jump too quickly to change the institution’s’ business model or strategic plan. A lot of time we tell these directors: “Don’t just do what your competitors are doing.” We saw a lot of that during the last downturn, where commercial real estate in 2004, ’05 and ’06 was really growing, so everybody jumped in it, and jumped in it in big ways.

You need to have a well-conceived business model.  You can tweak it some, but some of these institutions have been around for 100 or 150 years, and they’ve done some things right.

A lot of time we see directors not ask enough detail and probing questions of management. At the board meetings, they need to ask questions of management and hold management accountable. They need to have enough time prior to board meetings to review board packages. We see that a lot where directors get two- or three-inch thick packages and they don’t have enough time to review. They need concise summaries that show trends.

In our more problem banks, we have seen directors who are overly trusting of management. They put management in and they have a good working relationship. But not making sure they hold management accountable gets them into trouble.

How much time does the board need to review board packages?

The average board needs two or three days to review a board package, for your average community bank. You just can’t get it to them a day ahead of the board meeting or the day of the meeting and expect them to have a good understanding and ask good questions.

What kind of relationship should banks and their regulators have?

We need to have a good relationship so the bank and management understand why we’re there, and our knowledge for what’s going on in the industry, so we can provide them with some guidance. They might need clarification on guidance from Washington. We want management to pick up the phone and call if there is something that is not clear. I would rather not wait until the exam has already started because some action may have been taken that needs to be unwound. Each party needs to understand each other.

Communication is important because information needs to be shared. During the exam, we are going to be touching management quarterly with questions such as: How are your earnings?  How is your capital position? Have you had any changes in management or other changes we need to know about? That helps us put together a supervisory strategy for when we come in. We want a good relationship with management because we will call them at least quarterly and we will be coming in yearly. If there is guidance coming out from Washington that they are not clear on, they need to call their portfolio manager, an individual from the OCC, who should be able to explain what that guidance is or what our expectations are.

How long do exams take and how often are they done?

It depends on the size and condition of the institution. If a smaller institution is (CAMELS) rated 1 or 2 (a good score on regulatory scale), it could happen every 18 months. Larger institutions could be every 12 months. Problem banks, with CAMELS ratings of 3 to 5, you could see us every six months.

How should you handle a disagreement with your regulator?

If it’s a (CAMELS) rating or a classified loan disagreement, the first point of contact should be the assistant deputy comptroller of the local field office. The next step would be coming to me, the OCC deputy controller, or the ombudsman. The ombudsman reports directly to the comptroller. We hope all our disagreements are worked out on a local level, but if they can’t, that’s the process. All of our conclusions should be supported by facts.  If we say we have an unsafe and unsound business practice, because the bank is extending loans without satisfactory credit information, those are hard to disagree with. We need to base all our conclusions on facts.

How often would a conclusion from a regulator be reversed after a disagreement?

Ninety-nine percent of the disagreements get worked out at the local level; very seldom do we get some at my level or the ombudsman. They get some, but they are more often related to CRA issues or fair lending issues. We haven’t had a lot related to CAMELS ratings. Most of this is a give and take. If there is an unsafe and unsound banking practice, or if there is a violation of law, those tend to not be overturned. There might be a case where there are some new facts that come in on a loan classification, where during an exam the examiner may have looked at a loan as substandard. We may get new information later on where that decision gets overturned, but I don’t have numbers on how many decisions get overturned.

How do you think Dodd-Frank will impact community banks, even though they were exempted from many of the provisions?

There will be some impact. Clearly the challenges facing community banks, just the volume of compliance activities they need to be focused on, it does concern us. Where is the tipping point, causing community banks to exit the business?  It depends on how the regulations are going to be written, the Consumer Financial Protection Bureau obviously has the pen, but clearly it’s going to affect all banks.

In terms of unfair, deceptive or abusive practices and in general all regulations, the larger institutions have a lot more resources to understand these rules than smaller banks do.

For example?

Community banks are going to be impacted by Dodd-Frank’s directive that federal agencies modify regulations to remove references to credit ratings for determining creditworthiness. You wouldn’t think that impacts community banks, but it does.

The institutions use credit rating agencies for ratings for permissible investment securities. Dodd-Frank has done away with that, so institutions of all sizes are going to have to do independent analysis, a lot more than what they’ve done in the past, in investment securities.

Are regulators or Congress trying to cut down on the number of community banks in this country?

We don’t want to cut down on community banks; they provide a lot of services to their communities. There are challenges. Interest margins have been cut quite a bit. They are struggling with high concentrations of commercial real estate. Community banks are struggling. I think what’s going to happen, is some banks do very well, and some aren’t going to do very well. That’s why it’s so important to have a strong business model and to stick to what you do well. Some banks become niche players, and there are some risks associated with that, but you get good at something. Quite honestly, with the stresses of the compliance costs from Dodd-Frank, there may be banks that exit the business. We’re not pushing that and Congress isn’t pushing that, but there is some inevitability here: Where is that tipping point for a community bank?